02/2024
PL20231102916651256
Guidelines
This manual contains notes of varying importance that should be read with care:
Important: Highlights key information on handling the product, the product itself or a particular part of the documentation.
Note: Provides supplementary information regarding handling the product, the product itself or a specific part of the documentation.
Trademarks
All names identified by ® are registered trademarks of Siemens AG.
The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes
could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Security Information
Siemens provides products and solutions with industrial security functions that support the secure operation of
plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement -
and continuously maintain - a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions
constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks.
Such systems, machines and components should only be connected to an enterprise network or the internet if and
to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls and/or
network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly
recommends that product updates are applied as soon as they are available and that the latest product versions
are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase
customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under
https://www.siemens.com/cert.
Category: Installation
Revision: PL20231102916651256
State: Published
Author: Siemens AG
Language: en-US
Acronym   Description
AZ        Availability Zone
DB        Database
Gbps      Gigabits per second
GTAC      Siemens Global Technical Access Center (responsible for support and providing technical documentation to customers)
HA        High Availability
HD        Hard Disk
HW        Hardware
IP        Internet Protocol
Mbps      Megabits per second
ms        Millisecond
SW        Software
UI        User Interface
2 Introduction
To discover the introduction to MOM Products AWS Best Practice, go through the following topics:
• Opcenter Execution Foundation, Opcenter Execution Discrete and Opcenter Execution Process
• Purpose of the document
• Out of Scope topics
• Multiplant support
• Support of Siemens MOM Products in Cloud Environments
• Overview on the current document
Multiplant support
Support Policies
Disclaimer: the statements in this Bulletin do not change the rights and obligations in the applicable SISW
maintenance agreement.
3 Architecture
In this section, you can discover the different parts of the architecture hosting Opcenter EX FN-based solutions
deployed on premises vs on AWS Cloud, and their role.
Two example architectures are also described in terms of the required AWS services.
3.1 Overview
The full architecture of a system based on Opcenter EX FN comprises the following components:
• An on-premises part, including the layers to be integrated that are hosted on premises, i.e. typically the external servers to be integrated, such as ERP servers, and the components located in each plant, such as web clients running UIs, network devices such as printers and scales, and control system components such as Programmable Logic Controllers (PLCs) and CNC (Computerized Numerical Control) machines.
• An AWS Cloud part, hosting the EC2 instances running Opcenter EX FN, EX DS/EX PR and CN MOM, including ancillary services to enable system functioning and to maximize serviceability.
• Connectivity between the previous two parts, enabled by an Internet Service Provider (ISP).
In this paragraph, you can discover more in detail each of these parts.
On-Premises Part
It comprises:
• The ERP system, which is usually installed on premises. The requests coming from Opcenter Connect MOM (the Opcenter component providing interoperability, installed on the Cloud) are posted by the Internet Gateway located on the Cloud.
• ERP integration can occur via web service. In this case, the HTTP requests are posted directly to the Load Balancer / Opcenter EX FN host via the CN MOM Server (depending on the architecture).
• ERP integration can also occur via file exchange. In this case, the inbound messages (from the point of view of Opcenter Connect MOM) coming from the ERP are stored by the ERP system in an FTP folder, browsable from the Cloud via the Internet Gateway. This requires an FTP service to be set up and secured: plain FTP carries credentials and file contents in clear text, so a protected variant (e.g. FTPS or SFTP) should be used for the exchange. Note that Opcenter CN MOM does not provide an out-of-the-box FTP adapter, so a custom implementation is required.
• The Shopfloor Tier: this is the part of the IT architecture hosted where assembly or production is carried out, by automated systems and operators. Therefore, it is placed on premises, locally to each plant. The IT infrastructure of the shopfloor tier depends on the interconnectivity use cases in scope for the project, and comprises:
• User clients: client systems used by operators locally on the shopfloor to operate the MOM system through the UIs, which consist of HTML5 web screens opened in the Internet browser. This category comprises PCs, laptops, tablets and mobile phones. If needed, local printers and scanners can be connected to these terminals.
• OPC UA Servers: they provide bi-directional communication between Opcenter EX FN and any kind of automation, such as PLCs, CNC machines and DCSs. The Opcenter EX FN component enabling integration with the OPC UA Servers is named Automation Gateway. One or more OPC UA Servers (depending on the required scalability degree) must be located on premises in case of automation integration. As a complement for shopfloor integration in the process industry, SIMATIC BATCH integration can be used. In this case, a SIMATIC BATCH server must be placed on premises like the OPC UA Servers.
• Shopfloor devices: such as scales, network label printers, etc.
• The Office Tier: this represents the part of the IT architecture located in offices and used by supervisors and managers. Therefore, it is placed on premises, locally to each plant. It is made up of user clients displaying UIs to connect to Opcenter EX FN and manage/monitor production via the Internet browser. Also in this case, user clients can be PCs, laptops, tablets and mobile phones, and local printers can be connected to them.
Cloud-Hosted Part
The Routing Gateway is the Cloud service that provides dynamic routing between the Cloud networks and the on-
premises network. The Routing Gateway peers with on-premises VPN gateway or router. Any topology changes
automatically propagate between the Virtual Private Cloud (VPC) network and the on-premises network.
3.3.1 Tiers
This section describes the layers of the architecture deployed on AWS Cloud and their role:
• Access Tier
• Integration Tier
• Application Tier
• Database Tier
• Backup Storage
Amazon Route 53 (DNS) is the layer responsible for mapping the host names in the URLs invoked by the on-premises components of the architecture (e.g. the browsers) to the (private) IPs of the corresponding servers in the AWS Cloud, i.e. the load balancers or the Opcenter servers, depending on the architecture. This allows the MES solution URL to be reached by server name rather than only by IP address; beyond convenience, a stable host name is what allows TLS certificates to be validated properly.
As an alternative, the DNS role could be played by a dedicated EC2 instance.
For HTTPS communication, the host names in use must be included in the certificate installed on the server (common name and subject alternative name; refer to the Opcenter EX FN documentation). Note that current browsers validate the host name against the subject alternative names only and ignore the common name, so every host name that clients use must appear as a SAN.
Additional DNS routing can be configured in Amazon Route 53 among EC2 instances in the private network, if needed.
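As an added check (example code written for this page, not code from the Siemens document or the Opcenter product), the following Python compares the host names you intend to publish in Route 53 against a certificate's common name and SAN list, using the matching rules browsers apply (RFC 6125: exact case-insensitive match, or a single whole-label wildcard replacing exactly one label). The zone name, host names and certificate names are constructed assumptions.

```python
"""Check that the host names published in Route 53 are covered by the
server certificate's Subject Alternative Names (SANs).

Added example; not code from the Siemens document or the Opcenter
product. The host names and certificate names below are constructed
assumptions. Matching follows the RFC 6125 rules that browsers apply:
a case-insensitive exact match, or a wildcard that is the whole
left-most label and replaces exactly one label.
"""

def _labels(name):
    # Normalise case and drop a trailing dot so "Host.Example." == "host.example"
    return name.strip().lower().rstrip(".").split(".")

def hostname_matches(hostname, san):
    """True if the dNSName entry `san` covers `hostname`."""
    h, s = _labels(hostname), _labels(san)
    if len(h) != len(s):
        return False            # a wildcard replaces exactly one label
    if s[0] == "*":
        # Require at least two fixed labels right of the wildcard so that
        # "*.example" style entries are rejected, as browsers do.
        return len(s) >= 3 and h[1:] == s[1:]
    return h == s               # partial wildcards like "op*" never match

def uncovered_hostnames(hostnames, common_name, sans):
    """Return the host names the certificate does not cover.
    Browsers ignore the CN when any SAN is present, so the CN is only
    used as a fallback for a certificate with an empty SAN list."""
    names = list(sans) if sans else [common_name]
    return [h for h in hostnames
            if not any(hostname_matches(h, n) for n in names)]

# Constructed example: a private zone "plant.example" with the names
# browsers and the ERP integration would call.
PLANNED_HOSTNAMES = [
    "opcenter.plant.example",
    "alb.plant.example",
    "api.eu.plant.example",
    "plant.example",
]
CERT_CN = "opcenter.plant.example"
CERT_SANS = ["opcenter.plant.example", "*.plant.example"]

if __name__ == "__main__":
    missing = uncovered_hostnames(PLANNED_HOSTNAMES, CERT_CN, CERT_SANS)
    print("not covered by certificate:", missing)
```

Run it before publishing a new Route 53 record: any name it reports as uncovered will produce a certificate warning in the browser even though the record resolves correctly.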
• Network connectivity between the on-premises part and the AWS Cloud (point 2) is via either AWS Direct Connect or a VPN connection. The customer should combine both channels for redundancy and high availability.
• The AWS Cloud hosts the Siemens Opcenter MOM product servers as Amazon Elastic Compute Cloud (EC2) instances. The servers are hosted in the same Availability Zone, since the minimal architecture is used when no high availability is needed.
Go through the following sections that provide relevant insights.
Network connectivity
To maximize the reliability of the connection to the Opcenter MOM servers hosted on the AWS Cloud:
• A fast and dedicated network connection to the Cloud can be established through AWS Direct Connect (point 2),
providing a dedicated and the shortest path to AWS resources. This ensures that traffic stays within the AWS
global network and avoids touching the public internet. Consequently, this reduces the likelihood of
encountering bottlenecks or unexpected increases in latency. For more information, please refer to AWS Direct
Connect at https://aws.amazon.com/directconnect/
• A backup Virtual Private Network (VPN) path can be established through a redundant AWS Site-to-Site VPN, which creates a secure connection between on-premises and AWS resources using IP Security (IPsec) tunnels. For more information, refer to AWS Site-to-Site VPN: https://aws.amazon.com/vpn/site-to-site-vpn/.
To ensure reliable shopfloor integration, the network connection between on-premise and the AWS Cloud
must be available nearly 100% of the time. This consideration should be included in the definition of the
SLA with the ISP. This is why a redundant connection is required, preventing data loss due to network
disconnection. Another critical factor in the SLA is network latency. High-latency periods could result in a
significant number of shopfloor data value changes that cannot be processed in the MOM layer due to the
absence of an out-of-the-box (OOTB) buffering mechanism. This holds true for all architectures.
AWS Cloud
The AWS Cloud, as represented in the proposed architecture, corresponds to a region in Cloud terminology – a
physical location worldwide where data centers are clustered and interconnected via a low-latency network.
Within the AWS Cloud, there is a set of devices for network traffic routing and an Amazon Virtual Private Cloud
(Amazon VPC) that logically isolates sections of the AWS Cloud. Users can launch AWS resources in a defined virtual
network. Similar to a traditional data center network, the Amazon VPC offers complete control over your network
environment. This includes assigning your private IP address space, creating subnets and route tables, and
configuring stateful firewalls, as described later in this document. Subsequent sections provide guidelines for
setting up the most appropriate configuration.
The entry point to the AWS Cloud is through the AWS Virtual Private Gateway (VPN Gateway), acting as a virtual
router that establishes a path for private traffic between the on-premise part of the architecture and the VPC region.
The VPC is structured with three subnets, a recommended best practice. One subnet (public) hosts the Bastion
Server (details below), while the others (private) host the Opcenter Application Servers and the DB Servers
(Microsoft SQL Server-based), maintained separately to enhance security.
Following the Gateway, Amazon Route 53 (point 5) can be incorporated to map server names used in URLs within
HTTP(s) requests to the IP addresses of the Opcenter EX FN Server or the Opcenter CN MOM, known within the VPC
network. The DNS is placed in the public network to enable resolving IPs traveling over the internet. While this DNS
is optional due to security implications, the decision to use it should align with project requirements. There is a
tradeoff between the convenience of using URLs with machine names and potential security threats, given the
placement of DNS in the public network.
The AWS Application Load Balancer (point 3) serves as the connection point to the Opcenter CN MOM/Opcenter EX FN servers. This allows additional Opcenter CN MOM/Opcenter EX FN servers to be added in a second phase for horizontal scalability. It also serves a security purpose: client connections terminate at the load balancer instead of reaching the application hosts directly.
In this proposed architecture, Opcenter EX FN, running in Availability Zone 1, is connected to a DB Server, which can
be a Microsoft SQL Server running on an AWS EC2 instance (point 4) or AWS Managed Relational Database Service
(RDS) for SQL.
If required, Opcenter EX FN users can be imported from Windows Active Directory to User Manager Components
(UMC), the Opcenter EX FN user management system. This enables authentication leveraging Windows Active
Directory users, using the passwords defined in Active Directory. A prerequisite for this configuration is that the
Opcenter EX FN/DS hosts, running UMC, must belong to the Windows domain, and Active Directory must be
reachable via LDAP(S).
Three alternative solutions are possible (refer to https://docs.aws.amazon.com/whitepapers/latest/active-
directory-domain-services/directory-services-options-in-aws.html). It is up to the customer IT to choose the most
convenient one, according to customer requirements:
• AD Connector (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/
directory_ad_connector.html):
• This allows you to use your existing on-premise AD servers from the cloud.
• This is a gateway or proxy that redirects requests from applications in the cloud to your on-premises AD
servers.
• It does not cache any information in the cloud and does not need any trust or synchronization of users.
• This is a fully managed AWS service.
• AWS Managed Microsoft Directory Service (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/
directory_microsoft_ad.html):
• This creates a new AD domain and allows you to create trusts with existing on-premise domains.
• This is a fully managed AWS service.
• Active Directory on EC2 instances:
• This consists of running Active Directory on EC2 instances deployed and managed by the Customer.
• This may be the most flexible option, but it is not a managed service and requires more operational effort on the Customer side.
The architecture tested for AWS Certification relies on the AWS Managed Microsoft Directory Service.
Depending on the selected solution, an additional set of ports should be opened in addition to the ones listed in the
Interconnectivity use cases in the Overview.
The public network hosts a Bastion Server, a Cloud instance through which remote connections via Remote Desktop Protocol (RDP) are made to the other Cloud instances hosted in the private network. This is a typical Cloud concept used by customer IT and, in accordance with customer security policies, by system integrators for remote access to servers for maintenance and troubleshooting. Since the bastion is the one instance exposed in the public subnet, its security group should accept RDP only from the customer's known source addresses.
AWS Backup (point 6) serves as a comprehensive solution to centralize and automate data protection for EC2
instances and EBS volumes. Backups are stored in secured vaults, providing the capability to restore instances and
databases in the event of a disaster recovery.
Amazon S3 (point 7) is a file storage repository for Opcenter EX FN and Opcenter CN MOM.
The Full Architecture enables the full utilization of load balancing and high availability features provided by
both Opcenter EX FN and the AWS Cloud. It can be achieved by enhancing the complexity of the minimal
architecture through:
• Distributing the load and eliminating single points of failure in terms of EC2 instances.
• Distributing instances across multiple AWS Availability Zones.
• Increasing the robustness of the network.
• Configuring required services for high availability.
To enhance the reliability of the connection with the AWS Cloud, it is typically recommended to leverage two
different ISPs with independent infrastructure, complementing AWS Direct Connect and VPN (point 2).
Amazon Route 53 (point 3) continues to be used to map server names in URLs within HTTP(s) requests to the IP
addresses of Opcenter EX FN Server or Opcenter CN MOM (for ERP interoperability) within the VPC network.
AWS Application Load Balancer (point 4) is crucial for automatically distributing incoming traffic across Opcenter EX
FN hosts (point 5) in one or more Availability Zones within the VPC. It also monitors the health of registered targets
and routes traffic only to healthy targets.
In the AWS Cloud virtual network, Cloud instances and services are organized into three subnets, each grouping EC2
instances belonging to the same Availability Zone.
From Opcenter EX FN's perspective, it is a distributed architecture providing load balancing and high availability.
Servers are distributed among different Availability Zones to fully leverage load balancing and AWS Cloud features.
Alternatively, if needed (e.g., in regions with only two Availability Zones), the third Opcenter EX FN host can be
hosted in Availability Zone 1 or Availability Zone 2.
RabbitMQ (on which the Opcenter EX FN Service Bus is based) needs to be configured in Active/Standby mode.
In case of a failure of any Opcenter EX FN runtime server, the other two will continue working. If the server hosting
the active RabbitMQ fails, it will be moved to one of the other two Opcenter EX FN Servers. In the event of an
unmanaged shutdown of the Opcenter EX FN runtime server where RabbitMQ is active, the messages already taken
in charge by it will be lost.
The three Opcenter EX FN Servers rely on Microsoft SQL Server DB Servers (point 6) configured for high availability and placed in multiple Availability Zones. Opcenter EX FN Servers connect through the high availability listener. If a DB Server in one Availability Zone is down, the three Opcenter EX FN Servers can continue working, leveraging the DB server in another AZ. The tested configuration consists of Microsoft SQL Server Always On Availability Groups with one primary replica and two secondary replicas. High availability can also be achieved with a total of two Microsoft SQL Server EC2 instances, by configuring a single Always On Availability Group secondary replica or by leveraging Microsoft SQL Server Always On Failover Cluster Instances (FCI), although the latter is more complex. With only two Microsoft SQL Server EC2 instances, if the Availability Zone hosting one DB server becomes unavailable, the Availability Zone hosting the other DB server must remain operational for the system to keep functioning.
Additionally, the database server can alternatively be hosted through AWS RDS, configured for high availability.
3.4 Connectivity
The connectivity between on-premises and the AWS Cloud is, of course, vital for the correct functioning of the
system.
This paragraph explores:
• Aspects related to the Internet Service Provider (ISP)
• Connectivity paths between on-premises and the AWS Cloud
Legend:
• (*) Configurable. The list of ports on the Cloud side is described later in this document.
• (**) Depends on the ERP / middleware.
• (***) Latency can introduce errors; fast communication is therefore required (which is why serial communication is local only).
Security Considerations
Network Configuration

Network Latency (RTT)
Definition: the time it takes for a packet of data to be captured, transmitted, processed through multiple devices, then received at its destination and decoded, including the round-trip time (RTT) to return to the source. It is measured in milliseconds (ms).
Recommendation:
• Among Opcenter Servers (including the DB server): RTT <= 2 ms, due to the multi-tier nature of the application.
• Between clients (hosted on premises) and servers (hosted on the AWS Cloud), the recommended latency depends on the client type:
  • Web clients, hosting UIs in the browser: recommended latency < 100 ms.
  • OPC UA Servers (relevant only in case of shopfloor integration):
    • Network latency for stability: latency must be <= 200 ms. This value is not an average but the maximum threshold the latency may reach. Note that this value is based on test results measured connecting to a SIMATIC S7-1500 OPC UA server; connecting to different OPC UA servers may result in a different maximum tolerated latency.
    • Network latency for performance: when shopfloor communication performance plays an important role, the recommended latency is <= 14 ms. This value is an indication based on internal tests performed by Siemens and on data collected from Siemens customers. As a general rule, the higher the performance required, the greater the demand for network speed and reliability.

Network Bandwidth
Definition: the volume of information that can be transmitted over a connection within a measured amount of time. It is measured in megabits per second (Mbps) or gigabits per second (Gbps).
Recommendation: 30-50 Kbps per user (without document uploads).
General recommendations: 1 Gbps (production minimum); 10+ Gbps (production optimal).
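To check measured samples against these figures, here is an added Python example (written for this page, not part of the Siemens document): it parses Linux ping output and judges the samples by their maximum rather than their mean, because the table states the 200 ms OPC UA figure as a ceiling. The threshold values are the table's; the path names used as keys and the ping output lines are constructed assumptions.

```python
"""Evaluate measured round-trip times against the latency targets of the
Network Configuration table.

Added example, not part of the Siemens document. Threshold values come
from the table; the path names used as dictionary keys, the ping output
and the reporting format are assumptions made here. Samples are judged
by their maximum because the table describes the 200 ms OPC UA value as
a ceiling that must never be exceeded, not as an average.
"""
import re
import statistics

# (limit in ms, inclusive) per communication path, from the table.
THRESHOLDS_MS = {
    "server_to_server": (2.0, True),     # Opcenter servers incl. DB, RTT <= 2 ms
    "web_client": (100.0, False),        # browser clients, RTT < 100 ms
    "opcua_stability": (200.0, True),    # OPC UA servers, max RTT <= 200 ms
    "opcua_performance": (14.0, True),   # OPC UA servers, recommended <= 14 ms
}

# Matches the "time=12.3 ms" (or "time<1 ms") field of Linux/macOS ping output.
_PING_TIME = re.compile(r"time[=<]\s*([0-9]+(?:\.[0-9]+)?)\s*ms")

def parse_ping_rtts(output):
    """Extract RTT samples in ms from ping output; lines without a time field
    (header, summary, timeouts) are skipped."""
    return [float(m.group(1)) for m in _PING_TIME.finditer(output)]

def evaluate_latency(samples_ms, path):
    """Return max, mean and whether every sample respects the limit for `path`.
    Raises ValueError for an unknown path or an empty sample list."""
    if path not in THRESHOLDS_MS:
        raise ValueError(f"unknown path: {path}")
    if not samples_ms:
        raise ValueError("no RTT samples to evaluate")
    limit, inclusive = THRESHOLDS_MS[path]
    worst = max(samples_ms)
    ok = worst <= limit if inclusive else worst < limit
    return {
        "path": path,
        "limit_ms": limit,
        "max_ms": worst,
        "mean_ms": round(statistics.fmean(samples_ms), 1),
        "within_limit": ok,
        # Number of samples over the limit: a single spike fails the check.
        "violations": sum(1 for s in samples_ms
                          if (s > limit if inclusive else s >= limit)),
    }

# Constructed sample output: one spike at seq 4 pushes the maximum over
# 200 ms while the mean still looks acceptable.
SAMPLE_PING_OUTPUT = """\
PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
64 bytes from 10.0.1.10: icmp_seq=1 ttl=64 time=11.2 ms
64 bytes from 10.0.1.10: icmp_seq=2 ttl=64 time=12.8 ms
64 bytes from 10.0.1.10: icmp_seq=3 ttl=64 time=13.1 ms
64 bytes from 10.0.1.10: icmp_seq=4 ttl=64 time=215.4 ms
64 bytes from 10.0.1.10: icmp_seq=5 ttl=64 time=12.5 ms
--- 10.0.1.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
"""

if __name__ == "__main__":
    rtts = parse_ping_rtts(SAMPLE_PING_OUTPUT)
    for path in ("opcua_stability", "opcua_performance", "web_client"):
        print(evaluate_latency(rtts, path))
```

With the constructed sample the mean is 53 ms, which would pass the OPC UA stability figure, while the single 215 ms spike fails it; this is the distinction the table draws between an average and a maximum threshold. ICMP round trips are only an approximation of application-level RTT, so treat a pass as necessary rather than sufficient.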
For more information about AWS Site-to-Site VPN, refer to https://aws.amazon.com/vpn/site-to-site-vpn/.
Different VPN types should be implemented based on the customer's requirements regarding geographical access to the MOM solution:
If the MOM solution is available only from the plant, a Site-to-Site VPN connection between the plant and the AWS Cloud is necessary and must be appropriately configured.
If the MOM solution is accessible from anywhere on the internet, AWS Client VPN should be set up. Additional security measures must be adopted compared to the previous option (refer to Security Considerations).
Additionally, to enable some of the relevant use cases (e.g., shopfloor connectivity), the connection between the on-premises and the AWS Cloud network needs to be server-to-server. This means that routing must be configured both from on-premises to the AWS Cloud network and, vice versa, from the AWS Cloud to the on-premises network.
4.3 On Premises
When installing the on-premises component of the architecture, please refer to the prerequisites for the web clients
described in the Prerequisites for Web Clients of the Opcenter EX FN Installation Guide, where both the HW and SW
prerequisites (i.e., the supported browsers) are listed.
Consider that no Opcenter EX FN product components need to be installed on premises and consequently any
guidelines for the installation and configuration of the on premises components are out of scope of the current
document.
4.4 AWS Cloud
4.4.1 Prerequisites
This section lists the prerequisites for setting up the AWS Cloud infrastructure needed to host Opcenter EX FN.
Recommended skills
To fully understand the entire installation process and the terminology used in this guide, it is advisable to complete the AWS Cloud Practitioner Essentials course as a prerequisite.
Region selection
According to the AWS Architecture Blog (https://aws.amazon.com/blogs/architecture/what-to-consider-when-
selecting-a-region-for-your-workloads/), the region must be carefully selected based on the following factors:
1. Compliance - If your workload involves data subject to local regulations, selecting a Region compliant with the
regulation takes precedence over other evaluation factors. This is particularly applicable to workloads bound by
data residency laws, where opting for an AWS Region located in that specific country is mandatory.
2. Latency - A significant factor to consider for user experience is latency. Reduced network latency can have a
substantial impact on enhancing the user experience. Choosing an AWS Region in close proximity to your user
base location can achieve lower network latency, potentially improving communication quality, as network
packets have fewer exchange points to travel through.
3. Cost - AWS services are priced differently from one region to another. Some regions have lower costs than others, potentially resulting in a cost reduction for the same deployment.
4. Services and features - Newer services and features are gradually deployed to AWS Regions. While all AWS
Regions have the same service level agreement (SLA), larger Regions are typically the first to offer newer
services, features, and software releases. Smaller Regions may not receive these services or features in time for
you to use them to support your workload.
Evaluating all these factors can complicate decision-making. This is where business priorities should influence the
final decision.
Given the low-latency requirement for the MOM system, it is highly recommended to select the region with the
lowest latency to the plant, provided that compliance is fulfilled.
To provide appropriate performance, Opcenter EX FN must be run on EC2 instances with adequate HW resources
(e.g., CPU, RAM, disk speed). For this reason, you must adhere at least to the minimum requirements described in
AWS EC2 Instance Types.
Stacks
Dependencies
In Opcenter EX FN, the AWS CloudFormation stacks are split into the following scripts:
1. VPC
2. Backup (Optional)
3. Route 53 (Optional)
4. Active Directory (Optional)
5. Compute
6. ALB (Optional)
7. Client VPN (Optional)
Dependencies among the AWS CloudFormation stacks are shown in the following diagram:
Creation
The provided AWS CloudFormation scripts must be used as templates for stack creation, following the procedure shown below:
1. Browse to AWS CloudFormation
2. Choose Create stack.
3. In the Create stack window, in the Prepare template section, select Template is ready.
4. In the Specify template section, select Upload a template file.
Please ensure that the order of the stack creation follows the dependency diagram shown above. If the preceding
dependent stack was not created, the stack creation might fail accordingly.
4.4.3.1 VPC
You can use the VPC stack to create a virtual private cloud in AWS for Opcenter Execution Foundation.
The stack creates the following resources:
• A VPC dedicated to the AWS environment.
• An Internet Gateway.
• A public Route Table.
• 3 Public Subnets.
• 3 Network Address Translation (NAT) Gateways (Optional).
• 3 Private Route Tables.
• 3 Private Subnets.
• 3 Database Subnets.
• An S3 VPC Endpoint.
• An S3 Bucket.
The following table lists the parameters that are needed to fill in the Create Stack wizard. Some of them are predefined in the VPC stack template.
Project Identifier (String): The identifier used in resource names and tags. Default: opcenter
VPC CIDR Block (Number): The IP range of the VPC in CIDR notation, x.x.x.x/16-28. Default: 10.0.0.0/16
VPC CIDR Count (Number): The number of CIDRs to generate. Valid range is between 1 and 256. For Region deployment, the template needs 12 CIDRs in total. Default: 12
VPC CIDR Bits (Number): The number of subnet bits for the CIDR. For example, specifying "8" for this parameter with a /16 VPC creates subnets with a /24 mask. Default: 8
Creation of NAT Gateway for Private Subnet (String): Should the private subnets be created with Internet access? Be aware that a NAT Gateway incurs an hourly charge. Default: Y
At the end of the VPC stack creation, click the Output tab to retrieve the value of UniqueId. The UniqueId will be
used later in subsequent stack creation.
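To see what these parameters produce before creating the stack, the following added Python example (written for this page, not the CloudFormation template itself) carves the VPC CIDR block into the requested number of subnets with the Python ipaddress module and lays out the nine subnets the stack creates (3 public, 3 private, 3 database) across three Availability Zones. The assignment order, the AZ suffixes and the per-tier default route targets are assumptions made here; the stack's own template may order them differently.

```python
"""Lay out the subnets implied by the VPC stack parameters.

Added example, not the CloudFormation template itself. It reproduces
what the parameters describe: the VPC CIDR block is cut into
`VPC CIDR Count` subnets using `VPC CIDR Bits` extra prefix bits (8 bits
on a /16 gives /24), and the first nine are assigned as 3 public,
3 private and 3 database subnets, one per Availability Zone. The order
of assignment, the AZ suffixes and the per-tier route targets are
assumptions made here.
"""
import ipaddress
from itertools import combinations

TIERS = ("public", "private", "database")
AZ_SUFFIXES = ("a", "b", "c")

def generate_cidrs(vpc_cidr, count, subnet_bits):
    """Equivalent of the stack's CIDR generation: `count` subnets carved
    from `vpc_cidr` using `subnet_bits` additional prefix bits."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 1 <= count <= 256:
        raise ValueError("VPC CIDR Count must be between 1 and 256")
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("VPC CIDR Block must be /16 to /28")
    # ipaddress raises ValueError itself if subnet_bits pushes past /32.
    subnets = list(vpc.subnets(prefixlen_diff=subnet_bits))
    if count > len(subnets):
        raise ValueError(f"only {len(subnets)} subnets of that size fit in {vpc}")
    return subnets[:count]

def route_target(tier, nat_gateway_enabled):
    """Assumed default route per tier: public subnets reach the Internet
    Gateway; private subnets use the optional NAT Gateway or stay
    VPC-local; database subnets never get an Internet route."""
    if tier == "public":
        return "internet-gateway"
    if tier == "private":
        return "nat-gateway" if nat_gateway_enabled else "local-only"
    return "local-only"

def plan_subnets(vpc_cidr="10.0.0.0/16", count=12, subnet_bits=8,
                 nat_gateway_enabled=True):
    """Return {subnet name: {"cidr", "route"}} plus the unassigned CIDRs.
    Defaults mirror the parameter table's default values."""
    cidrs = generate_cidrs(vpc_cidr, count, subnet_bits)
    needed = len(TIERS) * len(AZ_SUFFIXES)
    if len(cidrs) < needed:
        raise ValueError(f"need at least {needed} CIDRs for three tiers in three AZs")
    plan, idx = {}, 0
    for tier in TIERS:
        for az in AZ_SUFFIXES:
            plan[f"{tier}-{az}"] = {"cidr": str(cidrs[idx]),
                                    "route": route_target(tier, nat_gateway_enabled)}
            idx += 1
    plan["spare"] = [str(c) for c in cidrs[idx:]]
    return plan

def subnets_disjoint(plan):
    """True if no two planned subnets (including spares) overlap."""
    nets = [ipaddress.ip_network(v["cidr"]) for k, v in plan.items() if k != "spare"]
    nets += [ipaddress.ip_network(c) for c in plan["spare"]]
    return not any(a.overlaps(b) for a, b in combinations(nets, 2))

if __name__ == "__main__":
    for name, entry in plan_subnets().items():
        print(name, entry)
```

With the table's defaults the plan uses 10.0.0.0/24 through 10.0.8.0/24 and leaves 10.0.9.0/24 to 10.0.11.0/24 spare; running it with a customer's own CIDR block shows immediately whether the block is large enough for the count and subnet bits requested.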
4.4.3.2 Backup
The AWS Backup is used to centrally manage all backups and to automate the backup process.
The Backup stack creation is optional.
The stack creates the following resources:
• A Backup Vault
• An AWS Role
The following table lists the parameters that are needed to fulfil the Create Stack wizard. Some of them are defined
in the Backup stack template.
4.4.3.3 Route 53
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. It connects user requests to internet applications running on AWS or on premises.
The creation of the Route 53 stack is optional. It is used to create a Route 53 Private Zone for Opcenter Execution Foundation.
The stack creates the following resource:
• A Route 53 Private Zone
The following table lists the parameters that are needed to fill in the Create Stack wizard. Some of them are predefined in the Route 53 stack template.
Domain Name (String): The name for the private hosted zone DNS domain. Default: --
Project Identifier (String): The identifier used in resource names and tags. Default: opcenter
4.4.3.4 Active Directory
Unique ID (String): Unique ID that was generated during VPC stack creation. Default: --
Active Directory Edition (String): The edition of Active Directory to use, either Standard or Enterprise. Default: Standard
Domain Name (String): The fully qualified domain name for the directory. Default: --
Short Name (String): Optional NetBIOS name for the domain. Leave blank to use the default, which is the first part of the domain name. Default: --
Enable SSO? (String): Sets whether single sign-on will be enabled. This parameter allows users in your directory to access specific AWS services from a computer joined to the directory without having to enter their credentials separately. Default: N
4.4.3.5 Compute
The creation of the Compute stack is necessary, as it generates templates for multiple EC2 instances and their associated resources that are suitable and compatible with Opcenter Execution Foundation.
The stack creates the following resources:
• A Key Management Service (KMS) Key and an Alias for Session Manager to encrypt sessions
• An EC2 Instance Profile with Systems Manager and S3 Policies
• Security Group and its Rules for
• Production Server
• Database Server
• Proxy Server
• Application Load Balancer
• Network Interfaces for
• 3 Production Servers (Opcenter Execution Foundation)
• 3 Interoperability Servers (Opcenter Connect MOM)
• 1 IPL Server
• 1 Proxy Server
• A Launch Template for
• 3 Production Servers (Opcenter Execution Foundation)
• 3 Interoperability Servers (Opcenter Connect MOM)
• 1 IPL Server
• 3 Database Servers
• 1 Proxy Server
The following table lists the parameters that are needed to fulfil the Create Stack wizard. Some of them are defined
in the Compute stack template.
AWS Cloud
Project Identifier (String): The identifier used in resource names and tags. Default: opcenter
Unique ID (String): Unique identifier that was generated during VPC stack creation. Default: --
EC2 Key Name (AWS::EC2::KeyPair::KeyName): Name of an existing Amazon EC2 Key Pair to associate with the instances. Default: --
Existing Session Manager Key ARN (String): Optional KMS key to be used to encrypt Session Manager sessions. The EC2 instances need access to the key. If an existing key is being used by Session Manager, enter the key's ARN here. Otherwise leave this blank and a new key will be created. Default: --
Enable Rotation of New Session Manager Key? (String): Enables automatic rotation of the key material for the new key, if a new key is to be created. By default, automatic key rotation is not enabled. Only applies if the ARN of an existing Session Manager key is not supplied. Default: N
Pending Window Days for New Session Manager Key (Number): The number of days before the new key is deleted after it has been marked for deletion, if a new key is to be created. The value must be between 7 and 30. Only applies if the ARN of an existing Session Manager key is not supplied. Default: 7
Allow Launch Template to Join Active Directory Domain Automatically? (String): Enables automatic join of the Active Directory domain based on the created AWS Directory Service (ensure that the AWS Directory Service is created beforehand). Default: Y
Production Server Instance Type (String): EC2 instance type for the production servers. Default: m5.2xlarge
Production Server 1 AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create production server 1. If this is specified, the Production Server 1 AMI Prefix is ignored. To use the Production Server 1 AMI Prefix, leave this blank. Default: --
Production Server 1 AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Production Server 2 AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create production server 2. If this is specified, the Production Server 2 AMI Prefix is ignored. To use the Production Server 2 AMI Prefix, leave this blank. Default: --
Production Server 2 AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Production Server 3 AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create production server 3. If this is specified, the Production Server 3 AMI Prefix is ignored. To use the Production Server 3 AMI Prefix, leave this blank. Default: --
Production Server 3 AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Production Server Limit Threads Per Core? (String): Sets whether hyperthreading is turned off for the production servers, thus limiting the number of threads per core to 1. Default: Y
Production Server Storage Size (Number): Amount of storage for the production servers in GB. Default: 100
Production Server Volume Type (String): The EBS volume type for the production servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. Default: gp2
Production Server IOPS (Number): If gp3, io1 or io2 is used for the production servers, the required IOPS. Between 3000 and 16000 for gp3, or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. Default: 3000
Production Server GP3 Throughput (Number): If gp3 is used for the production servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. Default: 125
Interoperability Server Instance Type (String): EC2 instance type for the interoperability servers. Default: c5.2xlarge
Interoperability Server 1 AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create interoperability server 1. If this is specified, the Interoperability Server AMI Prefix is ignored. To use the Interoperability Server AMI Prefix, leave this blank. Default: --
Interoperability Server 1 AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Interoperability Server 2 AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create interoperability server 2. If this is specified, the Interoperability Server AMI Prefix is ignored. To use the Interoperability Server AMI Prefix, leave this blank. Default: --
Interoperability Server 2 AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Interoperability Server 3 AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create interoperability server 3. If this is specified, the Interoperability Server AMI Prefix is ignored. To use the Interoperability Server AMI Prefix, leave this blank. Default: --
Interoperability Server 3 AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Interoperability Server Limit Threads Per Core? (String): Sets whether hyperthreading is turned off for the interoperability servers, thus limiting the number of threads per core to 1. Default: Y
Interoperability Server Storage Size (Number): Amount of storage for the interoperability servers in GB. Default: 100
Interoperability Server Volume Type (String): The EBS volume type for the interoperability servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. Default: gp2
Interoperability Server IOPS (Number): If gp3, io1 or io2 is used for the interoperability servers, the required IOPS. Between 3000 and 16000 for gp3, or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. Default: 3000
Interoperability Server GP3 Throughput (Number): If gp3 is used for the interoperability servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. Default: 125
IPL Server Instance Type (String): EC2 instance type for the IPL server. Default: m5.large
IPL Server Instance AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create the IPL server. If this is specified, the IPL Server AMI Prefix is ignored. To use the IPL Server AMI Prefix, leave this blank. Default: --
IPL Server AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
IPL Server Limit Threads Per Core? (String): Sets whether hyperthreading is turned off for the IPL server, thus limiting the number of threads per core to 1. Default: Y
IPL Server Storage Size (Number): Amount of storage for the IPL server in GB. Default: 100
IPL Server Volume Type (String): The EBS volume type for the IPL server. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. Default: gp2
IPL Server IOPS (Number): If gp3, io1 or io2 is used for the IPL server, the required IOPS. Between 3000 and 16000 for gp3, or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. Default: 3000
IPL Server GP3 Throughput (Number): If gp3 is used for the IPL server, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. Default: 125
IPL Server IP Address (String): Private IP address for the IPL server. Default: 10.0.3.143
Database Server Instance Type (String): EC2 instance type for the database servers. Default: m5.2xlarge
Database Server 1 AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create database server 1. If this is specified, the Database Server AMI Prefix is ignored. To use the Database Server AMI Prefix, leave this blank. Default: --
Database Server 1 AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Database Server 2 AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create database server 2. If this is specified, the Database Server AMI Prefix is ignored. To use the Database Server AMI Prefix, leave this blank. Default: --
Database Server 2 AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by searching for it in the Systems Manager Parameter Store. The name of the parameter to search for is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Database Server 3 AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create database server 3. If this is specified, the Database Server AMI Prefix is ignored. To use the Database Server AMI Prefix, leave this blank. Default: --
Database Server 3 AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Database Server Root Volume Size (Number): Size of the root volume for the database servers in GB. Default: 250
Database Server Root Volume Type (String): The volume type for the root volume of the database servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. Default: gp2
Database Server Root Volume IOPS (Number): If gp3, io1 or io2 is used for the root volume of the database servers, the required IOPS. Between 3000 and 16000 for gp3, or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. Default: 3000
Database Server Root Volume GP3 Throughput (Number): If gp3 is used for the root volume of the database servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. Default: 125
Database Server Extra Volume 1 Letter (String): The drive letter for the first extra volume of the database servers. Default: D
Database Server Extra Volume 1 Label (String): The volume label for the first extra volume of the database servers. Default: Data
Database Server Extra Volume 1 Size (Number): Size of the first extra volume of the database servers in GB. Default: 10
Database Server Extra Volume 1 Type (String): The volume type for the first extra volume of the database servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. Default: gp2
Database Server Extra Volume 1 IOPS (Number): If gp3, io1 or io2 is used for the first extra volume of the database servers, the required IOPS. Between 3000 and 16000 for gp3, or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. Default: 3000
Database Server Extra Volume 1 GP3 Throughput (Number): If gp3 is used for the first extra volume of the database servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. Default: 125
Database Server Extra Volume 2 Letter (String): The drive letter for the second extra volume of the database servers. Default: L
Database Server Extra Volume 2 Label (String): The volume label for the second extra volume of the database servers. Default: Logs
Database Server Extra Volume 2 Size (Number): Size of the second extra volume of the database servers in GB. Default: 10
Database Server Extra Volume 2 Type (String): The volume type for the second extra volume of the database servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. Default: gp2
Database Server Extra Volume 2 IOPS (Number): If gp3, io1 or io2 is used for the second extra volume of the database servers, the required IOPS. Between 3000 and 16000 for gp3, or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. Default: 3000
Database Server Extra Volume 2 GP3 Throughput (Number): If gp3 is used for the second extra volume of the database servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. Default: 125
Database Server Extra Volume 3 Letter (String): The drive letter for the third extra volume of the database servers. Default: T
Database Server Extra Volume 3 Label (String): The volume label for the third extra volume of the database servers. Default: TempDBs
Database Server Extra Volume 3 Size (Number): Size of the third extra volume of the database servers in GB. Default: 10
Database Server Extra Volume 3 Type (String): The volume type for the third extra volume of the database servers. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. Default: gp2
Database Server Extra Volume 3 IOPS (Number): If gp3, io1 or io2 is used for the third extra volume of the database servers, the required IOPS. Between 3000 and 16000 for gp3, or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. Default: 3000
Database Server Extra Volume 3 GP3 Throughput (Number): If gp3 is used for the third extra volume of the database servers, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. Default: 125
Proxy Server Instance Type (String): EC2 instance type for the proxy server. Default: m5.large
Proxy Server Instance AMI ID (String): Either specify an AMI ID here, or an AMI Prefix below. This determines the AMI used to create the proxy server. If this is specified, the Proxy Server AMI Prefix is ignored. To use the Proxy Server AMI Prefix, leave this blank. Default: --
Proxy Server AMI Prefix (String): Either specify an AMI Prefix here, or an AMI ID above. This prefix is only used if the AMI ID above is left blank. The prefix is used to identify the latest version of a Windows AMI by looking it up in the Systems Manager Parameter Store. The name of the parameter to look up is /aws/service/ami-windows-latest/ followed by this prefix. For example, EC2LaunchV2-Windows_Server-2019-English-Full-Base. Default: EC2LaunchV2-Windows_Server-2019-English-Full-Base
Proxy Server Storage Size (Number): Amount of storage for the proxy server in GB. Default: 100
Proxy Server Volume Type (String): The EBS volume type for the proxy server. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html. Default: gp2
Proxy Server IOPS (Number): If gp3, io1 or io2 is used for the proxy server, the required IOPS. Between 3000 and 16000 for gp3, or between 100 and 64000 for io1 or io2. Only used if the volume type is gp3, io1 or io2. Default: 3000
Proxy Server GP3 Throughput (Number): If gp3 is used for the proxy server, the required throughput. Between 125 and 1000 MiB/s. Only used if the volume type is gp3. Default: 125
Proxy Server IP Address (String): Private IP address for the proxy server. Default: 10.0.3.144
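The parameter table above carries several dependency rules (an AMI ID overrides an AMI Prefix, a prefix is resolved through the Systems Manager Parameter Store path /aws/service/ami-windows-latest/, IOPS only apply to gp3/io1/io2, GP3 Throughput only to gp3, and Pending Window Days only when no existing Session Manager key ARN is given). The following pre-flight check encodes those rules so a parameter set can be validated before the stack is created; it is an added example, not code from the Siemens guide or its CloudFormation template, and the Parameter Store lookup is injected so it runs offline (with boto3 you would pass lambda name: ssm.get_parameter(Name=name)["Parameter"]["Value"]).

```python
"""Pre-flight checks for the Compute stack parameters (added example)."""
from typing import Callable, List

SSM_WINDOWS_AMI_PATH = "/aws/service/ami-windows-latest/"

# IOPS ranges per volume type and the gp3 throughput range, as the table states them.
IOPS_RANGES = {"gp3": (3000, 16000), "io1": (100, 64000), "io2": (100, 64000)}
GP3_THROUGHPUT_RANGE = (125, 1000)


def ami_parameter_name(prefix: str) -> str:
    """Parameter Store name the template looks up for an AMI prefix."""
    return SSM_WINDOWS_AMI_PATH + prefix.strip()


def resolve_ami(ami_id: str, ami_prefix: str, lookup: Callable[[str], str]) -> str:
    """An explicit AMI ID pins the image and wins; otherwise the prefix floats to
    the latest AMI of that family via Parameter Store."""
    if ami_id.strip():
        return ami_id.strip()
    if not ami_prefix.strip():
        raise ValueError("either an AMI ID or an AMI Prefix must be supplied")
    return lookup(ami_parameter_name(ami_prefix))


def check_volume(name: str, volume_type: str, iops: int, throughput: int) -> List[str]:
    """Problems with one Volume Type / IOPS / GP3 Throughput triple (empty if none).
    For gp2 the IOPS and throughput values are ignored, as the table says."""
    problems: List[str] = []
    if volume_type in IOPS_RANGES:
        lo, hi = IOPS_RANGES[volume_type]
        if not lo <= iops <= hi:
            problems.append(f"{name}: IOPS {iops} outside {lo}-{hi} for {volume_type}")
    if volume_type == "gp3":
        lo, hi = GP3_THROUGHPUT_RANGE
        if not lo <= throughput <= hi:
            problems.append(f"{name}: throughput {throughput} outside {lo}-{hi} MiB/s")
    return problems


def check_session_manager_key(existing_key_arn: str, pending_window_days: int) -> List[str]:
    """Pending Window Days is only used when a new key is created and must then
    be between 7 and 30."""
    if existing_key_arn.strip():
        return []
    if 7 <= pending_window_days <= 30:
        return []
    return [f"Pending Window Days {pending_window_days} must be between 7 and 30"]


if __name__ == "__main__":
    # Constructed stand-in for Parameter Store; the AMI ID is a placeholder value.
    prefix = "EC2LaunchV2-Windows_Server-2019-English-Full-Base"
    fake_store = {ami_parameter_name(prefix): "ami-0123456789abcdef0"}
    print(resolve_ami("", prefix, fake_store.__getitem__))
    print(check_volume("Production Server", "gp3", 2000, 125))
    print(check_session_manager_key("", 3))
```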
your instance. For more information about Amazon EC2 Key Pairs, refer to https://docs.aws.amazon.com/
AWSEC2/latest/WindowsGuide/ec2-key-pairs.html.
In the AWS CloudFormation Compute stack, one of the compulsory entries in the stack template asks for an
Amazon EC2 Key Pair. A key pair is compulsory whenever a new EC2 instance is launched, whether manually or
via a launch template. This key pair is associated with the EC2 instances and is needed for the RDP connection.
The EC2 Key Pair can be created by following the AWS documentation on how to create an EC2 Key Pair.
Project Identifier (String): The identifier used in resource names and tags. Default: opcenter
Load Balancer Scheme (String): Sets whether the load balancer is internal or internet-facing. Default: internet-facing
Idle Timeout (Number): The idle timeout in seconds. The valid range is 1-4000. Defaults to 60. Default: 60
Port (Number): The TCP port on which the load balancer listens. Default: 443
Load Balancer Protocol (String): The protocol used to connect to the load balancer. Default: HTTPS
Target Group Protocol (String): The protocol used to connect to the target groups. Default: HTTPS
Target Group Protocol Version (String): The version of the protocol used to connect to the target groups. Default: HTTP1
SSL Certificate ARN (String): The ARN of the SSL server certificate to use. Default: --
SSL Policy (String): Optional. The security policy that defines which protocols and ciphers are supported. Default: --
Application Default Plant Svc Health Check Path (String): The ping path that is the destination on the targets for health checks. Default: /sit-svc/DefaultPlant/application/healthcheck
Application Default Plant Svc Health Check Matcher HTTP Code (String): The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. Default: 200
Application Svc Health Check Path (String): The ping path that is the destination on the targets for health checks. Default: /sit-svc/application/healthcheck
Application Svc Health Check Matcher HTTP Code (String): The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. Default: 200
Archiving Default Plant Svc Health Check Path (String): The ping path that is the destination on the targets for health checks. Default: /sit-arch/DefaultPlant/application/healthcheck
Archiving Default Plant Svc Health Check Matcher HTTP Code (String): The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. Default: 200
Archiving Svc Health Check Path (String): The ping path that is the destination on the targets for health checks. Default: /sit-arch/application/healthcheck
Archiving Svc Health Check Matcher HTTP Code (String): The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. Default: 200
Authorization Svc Health Check Path (String): The ping path that is the destination on the targets for health checks. Default: /sit-auth/healthcheck
Authorization Svc Health Check Matcher HTTP Code (String): The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. Default: 200
Doc Svc Health Check Path (String): The ping path that is the destination on the targets for health checks. Default: /sit-svc/documentation/odata
Doc Svc Health Check Matcher HTTP Code (String): The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. Default: 200
Platform Svc Health Check Path (String): The ping path that is the destination on the targets for health checks. Default: /sit-svc/administration/healthcheck
Platform Svc Health Check Matcher HTTP Code (String): The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. Default: 200
UMC Svc Health Check Path (String): The ping path that is the destination on the targets for health checks. Default: /umc-sso/GetHealthState
UMC Svc Health Check Matcher HTTP Code (String): The HTTP code, or range of codes, that the load balancer should consider represents a healthy target. Default: 200
Ping Path (String): The URL path to be used for a ping test. Leave blank for no ping test. Default: /pingpingping
Stack Name (String): Provides the stack name for Active Directory. Default: --
Project Identifier (String): The identifier used in resource names and tags. Default: opcenter
Unique ID (String): Unique identifier that was generated during VPC stack creation. Default: --
ClientCidrBlock (String): The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or with the routes that you add manually. The address range cannot be changed after the Client VPN endpoint has been created. The client CIDR range must have a size of at least /22 and must not be greater than /12. Default: 11.0.0.0/16
ServerCertificateArn (String): The ARN of the server certificate in Certificate Manager. See the instructions for creating a certificate at https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/mutual.html. Default: --
SessionTimeoutHours (Number): The maximum VPN session duration in hours. 24 hours is the maximum. Default: 24
SplitTunnelEnabled (String): Sets whether split tunnel is enabled for the client VPN. With split tunnel, only the traffic that needs to is sent across the client VPN, allowing the client to continue to reach other resources. Without split tunnel, all of the client's traffic is pushed through the VPN, cutting it off from anything else. Default: Y
TransportProtocol (String): The transport protocol used by the VPN session. Either udp (default) or tcp. Default: tcp
VpnPort (Number): The port number used to connect to the Client VPN endpoint for TCP and UDP traffic. Either 443 (default) or 1194. Default: 443
An AWS Application Load Balancer can be created with one of two schemes, internet-facing or internal: an
internet-facing ALB allows access from the public internet, while an internal ALB allows access only from within
the VPC. For this reason, it is strongly advised that an internet-facing ALB is protected by strict security group
inbound rules.
Generally, the ALB IP address type should be IPv4.
Priority: The order of the rules, as stated in Configuring the Redirection Rule Order.
Target Group: The server farm to which traffic is routed, as stated in "Server farm" under "Configuring the Redirection Rules".
The table below represents a summary of required listener rules configuration for an Opcenter EX FN-based single-
plant system. Consider that the Target Groups described in the next section are a prerequisite for these Listener
Rules. For the Opcenter CN MOM related configuration, refer to Opcenter CN MOM User Guide.
ARR_UMC_SVC_loadBalance2 | 80 | /ipsimatic-logon* OR /umc*
Health Check Path: Provides the health check path, as stated in the Configuring the Health Tests section.
The table below represents a summary of the required Target Group configuration for an Opcenter EX FN-based
single-plant system. For Opcenter CN MOM related configuration, refer to Opcenter CN MOM User Guide.
Columns: Target Group | Protocol Port | Protocol | Protocol version | Targets | Health Checks Path | Load balancing algorithm | Stickiness | Stickiness Duration | Stickiness type
ARCHIVING-DEFAULTPLANT-SVC | Health Checks Path: /sit-arch/DefaultPlant/application/healthcheck
ARCHIVING-SVC | Health Checks Path: /sit-arch/application/healthcheck
AUTHORIZATION-SVC | Health Checks Path: /sit-auth/healthcheck
Minimum Requirements
Opcenter Execution Foundation Machine
• EC2 Instance Type: m5.2xlarge
• EBS Volume Type: GP2
• EBS Storage Size: up to 160 GB of available space, typical installations require 40/50 GB
Production Server Security Group | All | All | Allows all connections from instances in the same security group.
Proxy Server Security Group | TCP | 80 | Allows port 80 connections from the proxy server security group.
Proxy Server Security Group | TCP | 443 | Allows port 443 connections from the proxy server security group.
Proxy Server Security Group | TCP | 4402 | Allows port 4402 connections from the proxy server security group for CN MOM.
Database Server Security Group | TCP | 445 | Allows SMB connections from the database server security group.
Client VPN Security Group | All | All | Allows all connections from the client VPN endpoint.
Database Server Security Group | All | All | Allows all connections from the same database server security group.
Proxy Server Security Group | TCP | 139 | Allows connections from instances in the proxy server security group on TCP 139.
Proxy Server Security Group | TCP | 445 | Allows connections from instances in the proxy server security group on TCP 445.
Client VPN Security Group | All | All | Allows all connections from the client VPN endpoint.
Client VPN Security Group | All | All | Allows all connections from the client VPN endpoint.
Outbound Rules
Production Server Security Group | TCP | 80/443 | Allows outgoing traffic to the production server security group.
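Because every inbound rule in the design above references another security group rather than a CIDR range, a deployed group can be checked for drift against that design. The following audit is an added example, not code from the Siemens guide or its Compute stack; it takes security groups in the shape returned by the EC2 DescribeSecurityGroups API (boto3: ec2.describe_security_groups()["SecurityGroups"]), and the sample group and sg-... identifiers are constructed placeholders.

```python
"""Audit of production server security group inbound rules (added example)."""
from typing import Dict, List, Set, Tuple

# One intended grant: (source group, protocol, from_port, to_port).
# "-1" is how the EC2 API spells "all protocols"; None means "all ports".
Grant = Tuple[str, str, object, object]

# Intended inbound rules for the production server security group, from the table above.
PRODUCTION_SG_ALLOWED: Set[Grant] = {
    ("sg-production", "-1", None, None),   # all from the same security group
    ("sg-proxy", "tcp", 80, 80),
    ("sg-proxy", "tcp", 443, 443),
    ("sg-proxy", "tcp", 4402, 4402),       # CN MOM
    ("sg-database", "tcp", 445, 445),      # SMB
    ("sg-clientvpn", "-1", None, None),    # all from the Client VPN endpoint
}


def audit_inbound(group: Dict, allowed: Set[Grant]) -> List[str]:
    """Return one finding per inbound rule that is not part of the design."""
    findings: List[str] = []
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        # For IpProtocol "-1" the API omits FromPort and ToPort entirely.
        from_port = perm.get("FromPort")
        to_port = perm.get("ToPort")
        ports = "all" if proto == "-1" else f"{from_port}-{to_port}"
        # Any CIDR source is a finding: the design only references security groups.
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"{group['GroupId']}: {proto}/{ports} open to CIDR {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            grant = (pair["GroupId"], proto, from_port, to_port)
            if grant not in allowed:
                findings.append(
                    f"{group['GroupId']}: {proto}/{ports} from {pair['GroupId']} is not in the design"
                )
    return findings


# Constructed sample: the designed rules plus two drift rules an audit should catch.
SAMPLE_PRODUCTION_SG = {
    "GroupId": "sg-production",
    "GroupName": "opcenter-production-server",
    "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-production"}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-proxy"}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [{"GroupId": "sg-proxy"}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 4402, "ToPort": 4402, "UserIdGroupPairs": [{"GroupId": "sg-proxy"}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445, "UserIdGroupPairs": [{"GroupId": "sg-database"}], "IpRanges": []},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-clientvpn"}], "IpRanges": []},
        # Drift 1: RDP reachable from any address instead of only via the Client VPN.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # Drift 2: the database group was widened from SMB only to all traffic.
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-database"}], "IpRanges": []},
    ],
}

if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_PRODUCTION_SG, PRODUCTION_SG_ALLOWED):
        print(finding)
```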
• The Cloud instance(s) where Opcenter CN MOM is installed, also including the required Opcenter CN MOM
Channel Adapter Host(s), depending on the project requirements.
• Optionally, the Cloud instances where the SQL Server installations (configured in AlwaysOn for obtaining high
availability) hosting the Opcenter CN MOM repository is installed, unless it is hosted by a dedicated SQL instance
on the Database Tier (see Database Tier).
For the installation and the configuration of Opcenter CN MOM (and its Channel Adapter Host/s) on the dedicated
EC2 instance/s, in order to obtain successful interoperability with ERP, refer to the Opcenter CN MOM User Guide,
related to the relevant product version. Multiple EC2 instances (three is the minimum) must be installed in case load
balancing and high availability of Opcenter CN MOM are needed. Should you decide to leverage Opcenter CN MOM
load balancing and high availability features, refer to Opcenter CN MOM User Guide for configuration details.
For the installation and configuration of Microsoft SQL Server in AlwaysOn on the dedicated instances (no matter if
in the Integration or DB Tier), refer to Database Tier.
The Automation Gateway Channel address (the URL address of the OPC UA server endpoint to be used for
establishing the connection) must be configured with an OPC.TCP connection. HTTP and HTTPS
connections are not supported. For example: opc.tcp://<OPCUAServerName>:48010.
Each license is associated with the MAC address of a machine, on which the Opcenter products will run. For this
reason it is advisable to use a fixed MAC address.
5 Data Privacy
During the development of MOM Products and Solutions, Siemens DI SW MOM follows the "Data protection by
design" as foreseen in Article 25 of the General Data Protection Regulation (GDPR). This means that data protection
and privacy issues are taken into account, starting from the commencement of product development or solution
engineering.
In general, Siemens implements the following processes: Data Protection by Design approach and Threat and Risk
Analysis (TRA). In particular:
• Data Protection by Design approach is a part of the principles actively adopted by Siemens and integrated in the
secure lifecycle development of products.
• Threat and Risk Analysis (TRA), adopted by Siemens solutions, is a Siemens-wide standardized methodology
that is used for product, solution and service business during the product development, engineering or service
projects. This methodology is intended to support Siemens teams in identifying typical security weaknesses and
vulnerabilities, analyzing any threats that might exploit these weaknesses or vulnerabilities and evaluating any
resulting risks.
Specifically for MOM products and solutions, in all data collection and processing activities that potentially involve
personal data in the intended customer use case, Siemens DI SW MOM considers appropriate technical and/or
organizational measures, with the goal of adequately addressing the data protection principles and safeguarding
individual rights.
Siemens DI SW MOM, as product manufacturer, may be neither in the role of Controller nor Processor in accordance
with the E.U. General Data Protection Regulation Article 4(7) and Article 4(8).
According to the applicable data protection and privacy laws and regulations, such as the General Data Protection
Regulation ("GDPR") or the California Consumer Privacy Act (CCPA), the customer acts as the Controller and has the
responsibility to comply with, and demonstrate compliance with, all the data protection principles as well as the
other requirements in the Regulations for proper handling of personal data, including where you can store it and
who can access it, as well as how you may share it and whether you have obtained consent to do so.