Softing edgeConnector on AWS IoT Greengrass on the AWS Cloud

Quick Start Reference Deployment


March 2021
Robert Sarkozi, Softing
Tony Bulding, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Softing in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start reference deployment guide provides step-by-step instructions for deploying Softing edgeConnector on AWS IoT Greengrass on the AWS Cloud.

This Quick Start is for customers who want to increase their business value by bringing data from their industrial Internet of Things (IoT) assets to AWS in a structured way.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Softing edgeConnector on AWS IoT Greengrass on AWS

The dataFEED edgeConnector product family is a set of modules for connecting to controllers from different vendors. The various Softing edgeConnector modules are packaged as Docker images. Each module contains a web server for configuration, a protocol driver to connect to a programmable logic controller (PLC), and an Open Platform Communications (OPC) Unified Architecture (UA) server for data access.

You can connect to a number of SIMATIC S7-1200 or S7-1500 PLCs, including optimized data blocks. You configure the namespace by browsing the SIMATIC STEP 7 and Totally Integrated Automation Portal (TIA Portal) variables.

The Softing edgeConnector on AWS IoT Greengrass is a containerized SIMATIC S7 connectivity module that adds OPC UA server functionality. After deployment, you configure southbound and northbound communication through a local web user interface or a REST-based interface.

Southbound communication

You can connect up to 20 Siemens S7-300/400 or S7-1200/1500 PLCs, including optimized data blocks for southbound communication. You can configure the namespace by importing the STEP7/TIA projects or browsing to the variables of the PLC.

Northbound communication

The northbound communication uses standardized OPC UA communication for integrating data into management systems such as enterprise resource planning (ERP), manufacturing execution systems (MES), or supervisory control and data acquisition (SCADA), or for exchanging data with other Docker containers such as Microsoft OPC Publisher for cloud scenarios.

The application supports security standards such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), X.509 certificates, authentication, and data encryption. The container runs for 72 hours in demonstration mode. You can activate the application under the Bring Your Own License (BYOL) plan from Softing, which requires you to install the Softing floating license server (a Windows application).

Softing edgeConnector on AWS IoT Greengrass features and specifications include:

  • Supported controllers: Siemens SIMATIC S7-300/400 and S7-1200/1500 (including optimized block access)

  • Supported protocols: SIMATIC S7, RFC1006, and OPC UA

  • Supported OPC specifications: OPC Unified Architecture Version 1.03

  • OPC UA roles: OPC UA server

  • OPC UA profiles: Data access

  • OPC UA security policies: Aes256_Sha256_RsaPss, Aes128_Sha256_RsaOaep, Basic256Sha256, Basic256, Basic128Rsa15, None. Basic256 and Basic128Rsa15 are deprecated by the OPC Foundation (they depend on SHA-1), and None provides neither signing nor encryption; for anything beyond a short demo, configure clients for Aes256_Sha256_RsaPss or Basic256Sha256 with the SignAndEncrypt message security mode.

  • OPC UA authentication: Anonymous, user name and password, certificate

  • Logging diagnostics: Built-in trace and audit logging facilities, configurable and accessible through the web interface, Docker-integrated trace logging

  • Operating systems: Linux (Docker Engine) and Windows 10 (Docker Desktop running Linux containers)

  • Supported architectures: amd64

  • Configuration: Through local user interface or REST API

  • Minimum hardware requirements: 250 MB free disk space/2 GB RAM

  • Simulation mode

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

To deploy this Quick Start, you can use either a 72-hour trial version of Softing edgeConnector or the fully licensed product. No other licenses are required to deploy this Quick Start. For more information about Softing edgeConnector licenses, see http://www.softing.com. If you take advantage of the 72-hour trial period, be sure to restart the application after it expires.

Architecture

Deploying this Quick Start for a new virtual private cloud (VPC) builds the following Softing edgeConnector on AWS IoT Greengrass environment in the AWS Cloud.

Figure 1. Quick Start architecture for Softing edgeConnector on AWS IoT Greengrass on AWS

As shown in the architecture diagram, the Quick Start sets up the following:

  • A highly available architecture that spans two Availability Zones.

  • A virtual private cloud (VPC) configured with two public subnets, according to AWS best practices, to provide you with your own virtual network on AWS.

  • An instance of Softing edgeConnector in PLC simulation mode to provide a local, web-based administration user interface and an S7-1200/1500 protocol simulator and data generator.

  • A Classic Load Balancer to route data traffic to Softing edgeConnector on AWS IoT Greengrass over HTTP.

  • In the public subnets:

    • Managed network address translation (NAT) gateways to allow outbound internet access for resources.

    • An Amazon Elastic Compute Cloud (Amazon EC2) instance in an Auto Scaling group to help ensure continuous availability.

  • An Amazon Elastic Container Service (Amazon ECS) cluster with a task definition to deploy the edgeConnector Docker container to the Amazon EC2 instance.

  • AWS Identity and Access Management (IAM) configurations that include groups, roles, and instance profiles as well as customizable IAM policies.

  • AWS IoT SiteWise resources that start the data flow from Softing edgeConnector on AWS IoT Greengrass to AWS IoT Core and AWS IoT SiteWise: asset models and assets (hardcoded in the CloudFormation template for demo purposes), an AWS IoT SiteWise gateway configuration that accesses the OPC UA server in Softing edgeConnector, measurement mappings from asset properties to the UA tags on that server, and an AWS IoT SiteWise portal, project, and dashboard for visualizing data.

  • AWS IoT SiteWise Connector for connecting to the edge device.

  • AWS IoT Greengrass and AWS IoT Core, both used for consuming data.

  • A Lambda function for automating deployment tasks.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start assumes that you are familiar with Amazon EC2, Amazon ECS, AWS IoT Core, AWS IoT SiteWise, AWS IoT Greengrass, and AWS CloudFormation, as well as PLCs and the OPC UA standard.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource                                          This deployment uses

VPCs                                              1
AZs                                               2
Public subnets                                    2
NAT gateways                                      2
Amazon EC2 Security Groups                        2
IAM roles                                         4
AWS Lambda functions                              2
Amazon EC2 instances                              1
Elastic Load Balancer (Classic)                   1
Auto Scaling group                                1
AWS IoT Greengrass cores                          1
AWS IoT Greengrass connectors (AWS IoT SiteWise)  1
AWS IoT SiteWise monitors                         1
Amazon ECS cluster                                1
Amazon ECS task definition                        1

Supported Regions

  • eu-central-1 (Frankfurt)

  • eu-west-1 (Ireland)

  • us-east-1 (N. Virginia)

  • us-west-2 (Oregon)

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

EC2 key pairs

Make sure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you plan to deploy the Quick Start. Make note of the key pair name. You need it during deployment. To create a key pair, see Amazon EC2 key pairs and Linux instances.

For testing or proof-of-concept purposes, we recommend creating a new key pair instead of using one that’s already being used by a production instance.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Prepare for the deployment

Prerequisites

Prepare the following components before deploying the Quick Start:

  • An AWS account: Permissions are required to use the services provided with this Quick Start, including AWS IoT Core and AWS IoT Greengrass, which are both prerequisites for AWS IoT SiteWise.

  • AWS Single Sign-On: The destination AWS account requires SSO capabilities to visualize data sent to AWS IoT SiteWise through its monitoring capabilities (portals and dashboards). SSO is also required for non-AWS users and accounts to visualize data. Note that the CloudFormation template does not configure SSO. Failure to configure SSO can result in deployment failure.

  • AWS IoT Greengrass service role: The service role is required for AWS IoT SiteWise and AWS IoT Greengrass to retrieve the user name and password of the Softing edgeConnector UA endpoint, which are stored in AWS Secrets Manager.

The AWS IoT Greengrass service role also requires the standard access policy (AWSGreengrassResourceAccessRolePolicy) with permissions to read secrets. If a service role is already configured for your account but lacks the access policy, a new role with the policy is created and replaces the existing one. Because this is the account-level service role, check first whether other AWS IoT Greengrass deployments in the account depend on the existing role. If you have not yet configured a service role, a new one is created and set for the account.

  • A supported Region: A supported Region is required due to the limited availability of AWS IoT SiteWise.
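The service-role prerequisite is easy to verify before you launch the stack rather than after a CREATE_FAILED. The following Python is an added example written for this guide (it is not part of the Quick Start templates): it evaluates a role's trust document and attached managed policies, shows a single-secret inline statement as the least-privilege alternative to a wildcard secrets grant, and, in check_account(), reads the live account through boto3 (assumed installed and credentialed). The secret ARN used in the test is a constructed placeholder.

```python
"""Pre-flight check of the account-level AWS IoT Greengrass service role.

Added example for this guide, not code from the Quick Start templates. It
checks that the role exists, trusts greengrass.amazonaws.com, and carries
AWSGreengrassResourceAccessRolePolicy, and it shows an inline statement that
reads exactly one Secrets Manager secret (the UA user name and password)
instead of a wildcard. check_account() assumes boto3 and AWS credentials.
"""
GREENGRASS_SERVICE = "greengrass.amazonaws.com"
RESOURCE_ACCESS_POLICY_ARN = (
    "arn:aws:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy"
)


def trust_policy():
    """Trust document the service role needs so Greengrass can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": GREENGRASS_SERVICE},
            "Action": "sts:AssumeRole",
        }],
    }


def secret_access_policy(secret_arn):
    """Least-privilege inline statement: read one named secret and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue",
                       "secretsmanager:DescribeSecret"],
            "Resource": secret_arn,
        }],
    }


def _as_list(value):
    """IAM allows a string, a single object, or a list in most fields; normalize."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def trusts_greengrass(trust_doc):
    """True if an Allow statement lets greengrass.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if GREENGRASS_SERVICE in services and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            return True
    return False


def role_findings(trust_doc, attached_policy_arns):
    """Problems with the role as strings; an empty list means it is usable."""
    problems = []
    if not trusts_greengrass(trust_doc):
        problems.append("role is not assumable by " + GREENGRASS_SERVICE)
    if RESOURCE_ACCESS_POLICY_ARN not in attached_policy_arns:
        problems.append("AWSGreengrassResourceAccessRolePolicy is not attached")
    return problems


def check_account(region):
    """Live check: read the associated service role and evaluate it."""
    import boto3  # imported here so the pure checks above run offline
    from botocore.exceptions import ClientError

    greengrass = boto3.client("greengrass", region_name=region)
    iam = boto3.client("iam")
    try:
        role_arn = greengrass.get_service_role_for_account()["RoleArn"]
    except (ClientError, KeyError):
        return ["no Greengrass service role is associated with this account"]
    role_name = role_arn.rsplit("/", 1)[-1]
    trust = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    pages = iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name)
    attached = [p["PolicyArn"] for page in pages for p in page["AttachedPolicies"]]
    return role_findings(trust, attached)


if __name__ == "__main__":
    import sys

    region = sys.argv[1] if len(sys.argv) > 1 else "eu-central-1"
    for line in check_account(region) or ["service role OK"]:
        print(line)
```

Run it as `python check_role.py eu-central-1` before launching. If it reports that the policy is missing, expect the template to replace the role, and confirm nothing else in the account relies on the old one. The managed policy's Secrets Manager statement is scoped by secret-name prefix (check its current JSON in the IAM console), so a secret with a name outside that prefix needs an explicit statement such as the one secret_access_policy() produces rather than a broadening of the wildcard.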

Deployment configurations

Use this Quick Start to deploy Softing edgeConnector in a virtual configuration.

Fully virtual deployment

The virtual deployment is intended for demonstration, training, and evaluation of the product’s capabilities. An Amazon EC2 instance is launched to simulate edge gateway hardware, but in all other respects, the experience mirrors that of the real physical deployment. This deployment mode relies on simulated tag values generated by the software. No physical PLCs or sensors are connected.

The goal of the Quick Start is to provide a way for you to try out and evaluate both the Softing edgeConnector software and the associated AWS services.

Data flow

The edge software component contains and runs a Siemens S7 1200/1500 protocol simulator and passes data into AWS IoT SiteWise or other services via AWS IoT Greengrass, which also runs on the edge device (Amazon EC2 instance) and through AWS IoT Core.

Deployment options

This Quick Start provides one deployment option:

Deploy Softing edgeConnector on AWS IoT Greengrass into a new VPC (end-to-end deployment). This option builds a new VPC environment consisting of an Amazon EC2 instance, subnets, NAT gateways, security groups, and other infrastructure components, an Amazon ECS cluster and task definition for deploying the Docker image in which Softing edgeConnector on AWS IoT Greengrass runs.

Deployment steps

Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user or role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.

  2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There are no additional costs for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.

The deployment takes about 5-10 minutes. If an error occurs, the deployment ends and the stack is rolled back. You must delete it yourself so that the resources created before the error occurred are deleted. If you encounter deletion errors, try to delete the stack again, or delete the individual elements manually.

After all the necessary resources are created and running, the next step is to go to the AWS IoT SiteWise Monitor page to view the data transfer in a dashboard in the AWS IoT SiteWise portal.

  1. Sign in to your AWS account, and launch the AWS CloudFormation template (Deploy Softing edgeConnector on AWS IoT Greengrass on AWS). A View template link is available if you want to inspect the template before launching it.

  2. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where the network infrastructure for Softing edgeConnector is built. The template is launched in the eu-central-1 Region by default.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. For details on each parameter, see the Parameter reference section of this guide. When you finish reviewing and customizing the parameters, choose Next.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Softing edgeConnector deployment is ready.

  9. Use the values displayed in the Outputs tab for the stack, as shown in Figure 2, to view the created resources.

Figure 2. Softing edgeConnector outputs after successful deployment

Post-deployment steps

In CloudFormation

After the stack is created, see the following outputs:

  • SiteWiseAsset: The name of the asset created for receiving the UA tag data from the Softing edgeConnector UA endpoint.

  • UAEndpoint: The URL to the internal UA server in the edgeConnector to which any UA client can connect, using the necessary authentication credentials.

  • edgeConnectorSiemens: The URL to the local administration/configuration interface of Softing edgeConnector.

  • Postdeployment: Link to the deployment guide for post-deployment information.

In Softing edgeConnector

If the simulated connection that is preconfigured with Softing edgeConnector fails, do the following steps to verify or recreate a connection.
  1. Open the edgeConnectorSiemens URL in a new browser tab and enter the default login credentials (user name admin, password admin). Change the default password before you share the URL: the interface is reachable from the internet through the load balancer, which forwards it over plain HTTP, so the login also crosses the network unencrypted.

  2. On the Connectivity page, choose PLC > Siemens S7 1200/1500 to see the preconfigured simulated connection.

  3. In the Connection Settings tab, the default value of the Connection Name field is S7-Sim, but you can provide a new name, if needed. Keep the default values in the other fields.

  4. In the Advanced Settings tab, select the Simulation check box at the bottom. Then return to the Connection Settings tab and choose Save.

You are now configured with a simulated connection, which AWS IoT SiteWise will start polling in a few seconds.


You can check whether the connection to the simulator is successful by going to the Address Spaces section and browsing the server.

For more information about the simulator in Softing edgeConnector, see the Simulation Mode section in the Softing documentation.

You can reach the UA server in the deployed Softing edgeConnector from any machine with a typical UA client application, because the endpoint is publicly available and, until you complete the next step, accepts anonymous sessions. For anything longer than a short demo, also restrict the stack's security groups so that only the addresses that need the UA endpoint and the administration interface can reach them.

  5. Remove unwanted access to the server by navigating to the Connectivity > OPC UA > OPC UA Server Application Settings > OPC UA Server Endpoint Settings page and deleting the Anonymous user. Now, only UA clients with administrative credentials and AWS IoT SiteWise can access the server.

After this change, every UA client must authenticate to the UA server in Softing edgeConnector with a user name and password.
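For the OPC UA security policies and authentication methods listed under features and specifications, and for the Anonymous removal in the step above, the following Python is an added example written for this guide (not Softing's or AWS's code). It shows how a scripted UA client should pick an endpoint: rank the advertised security policies, refuse the deprecated ones and anything that is not SignAndEncrypt, and require the UserName token, then verify that no endpoint still advertises Anonymous once the user has been deleted. SAMPLE_ENDPOINTS and HARDENED_ENDPOINTS are constructed stand-ins for a GetEndpoints response, the opc.tcp URL in them is an assumption rather than the UAEndpoint stack output, and fetch_endpoints() assumes the asyncua package.

```python
"""Pick the strongest OPC UA endpoint and confirm Anonymous is no longer offered.

Added example for this guide, not Softing's or AWS's code. The endpoint lists
are constructed stand-ins for what a UA client's GetEndpoints call returns
from the edgeConnector UA server (the opc.tcp URL is an assumption);
fetch_endpoints() assumes the asyncua package is installed.
"""
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# Strength ranking of the policies the edgeConnector offers (higher is better).
# Basic128Rsa15 and Basic256 are deprecated by the OPC Foundation (SHA-1 based);
# None signs and encrypts nothing.
POLICY_RANK = {
    "Aes256_Sha256_RsaPss": 5,
    "Aes128_Sha256_RsaOaep": 4,
    "Basic256Sha256": 3,
    "Basic256": 2,
    "Basic128Rsa15": 1,
    "None": 0,
}
REJECTED_POLICIES = {"Basic256", "Basic128Rsa15", "None"}

# MessageSecurityMode values from OPC UA Part 4.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3


def policy_name(uri):
    """'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256' -> 'Basic256Sha256'."""
    return uri.rsplit("#", 1)[-1]


def is_acceptable(endpoint):
    """Only non-deprecated policies in SignAndEncrypt mode pass."""
    return (policy_name(endpoint["securityPolicyUri"]) not in REJECTED_POLICIES
            and endpoint["securityMode"] == MODE_SIGN_AND_ENCRYPT)


def choose_endpoint(endpoints, token_type="UserName"):
    """Strongest acceptable endpoint that accepts the wanted identity token, or None."""
    candidates = [ep for ep in endpoints
                  if is_acceptable(ep) and token_type in ep["userTokenTypes"]]
    if not candidates:
        return None
    return max(candidates,
               key=lambda ep: POLICY_RANK.get(policy_name(ep["securityPolicyUri"]), -1))


def anonymous_offered(endpoints):
    """True if any endpoint still advertises the Anonymous identity token."""
    return any("Anonymous" in ep["userTokenTypes"] for ep in endpoints)


async def fetch_endpoints(url):
    """Query a live server and normalize the result (assumes asyncua)."""
    from asyncua import Client  # local import: the checks above run without it

    raw = await Client(url).connect_and_get_server_endpoints()
    return [{"endpointUrl": ep.EndpointUrl,
             "securityPolicyUri": ep.SecurityPolicyUri,
             "securityMode": int(ep.SecurityMode),
             "userTokenTypes": [t.TokenType.name for t in ep.UserIdentityTokens]}
            for ep in raw]


def _endpoint(policy, mode, tokens, url="opc.tcp://edge.example.internal:4840"):
    return {"endpointUrl": url, "securityPolicyUri": POLICY_PREFIX + policy,
            "securityMode": mode, "userTokenTypes": tokens}


# Constructed: the server as deployed by the stack, Anonymous still enabled.
SAMPLE_ENDPOINTS = [
    _endpoint("None", MODE_NONE, ["Anonymous", "UserName"]),
    _endpoint("Basic128Rsa15", MODE_SIGN_AND_ENCRYPT, ["Anonymous", "UserName"]),
    _endpoint("Basic256Sha256", MODE_SIGN_AND_ENCRYPT, ["Anonymous", "UserName", "Certificate"]),
    _endpoint("Aes256_Sha256_RsaPss", MODE_SIGN, ["UserName"]),
    _endpoint("Aes256_Sha256_RsaPss", MODE_SIGN_AND_ENCRYPT, ["Anonymous", "UserName", "Certificate"]),
]

# Constructed: the same server after the Anonymous user has been deleted.
HARDENED_ENDPOINTS = [
    dict(ep, userTokenTypes=[t for t in ep["userTokenTypes"] if t != "Anonymous"])
    for ep in SAMPLE_ENDPOINTS
]

if __name__ == "__main__":
    chosen = choose_endpoint(HARDENED_ENDPOINTS)
    print("connect via", policy_name(chosen["securityPolicyUri"]), "SignAndEncrypt")
    print("anonymous still offered:", anonymous_offered(HARDENED_ENDPOINTS))
```

Against the live server, `await fetch_endpoints(url)` replaces the constructed lists; if anonymous_offered() still returns True after step 5, the Anonymous deletion did not take effect and the endpoint remains open to anyone who can reach it. Note that the None endpoint is rejected even though it lists UserName: a password sent over a None-policy channel travels in the clear.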

In the AWS IoT SiteWise portal

  1. Add the asset created for the current stack to the project by choosing Add asset to project. This step ensures that the data shows on the AWS IoT SiteWise portal dashboard.

  2. If the asset measurements aren’t displayed in the dashboard and an error message appears at the top of the window, apply the following temporary workaround.


To work around the issue:

  1. Navigate to the AWS IoT SiteWise dashboard.

  2. Choose the Edit button in the upper right corner, and remove the current measurements.

  3. Add the measurements listed on the right side of the window by dragging and arranging them as desired.

  4. Save your changes.

Now, you can view the telemetry data from the simulator on the dashboard.


Other useful information

  • All users assigned to the AWS IoT SiteWise portal must be unassigned before deleting the stack.

  • The unique stack name is used for prefixing most of the stack resources created by the template, which allows you to create more stacks from the same template without requiring any changes. Check the service quotas for the accounts and Regions you use. For example, by default an account can have at most five VPCs per Region.

  • The stack creates only the minimum necessary resources to remain as cost-effective as possible. For example, it creates only one Amazon EC2 instance, even though the deployment sets up two Availability Zones.

  • Since the stack is used for demo purposes, load balancing and Auto Scaling group definitions are used only when the Amazon EC2 instance fails or an Availability Zone becomes unavailable.

  • If you stop/terminate the Amazon EC2 instance, the IP address of a newly created instance will be different. However, the load balancer will still be able to access the new Amazon EC2 instance after it has completed its bootstrapping process. This may take a few minutes (3-5 minutes), so try reloading the page several times to see when the new instance presents the login window again.

  • See the UserData section of the EC2LaunchTemplate resource in the workload.template.yaml file for additional actions that the template takes when bootstrapping the Amazon EC2 instance.

  • AWS IoT SiteWise gateways are not deleted automatically. They require manual deletion.

  • Multiple AWS IoT SiteWise gateway configurations don’t interfere with each other.

  • If an Amazon EC2 instance fails and another one is created by the Auto Scaling group, the original AWS IoT SiteWise gateway resource is lost, which means that the CloudFormation template can’t delete it when the stack is deleted. To solve this issue, the Amazon EC2 UserData script creates the resource, but it must be deleted manually.

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue.

When Rollback on failure is Disabled, you continue to incur AWS charges for this stack. Delete the stack when you finish troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information, see AWS CloudFormation quotas.

Troubleshooting

Contact Softing at http://www.softing.com.

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, we recommend that you keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Parameters for launching into a new VPC

Table 1. AWS IoT SiteWise configuration

Parameter label (name): AWS IoT SiteWise Monitor and dashboard for telemetry visualization (SiteWiseMonitorCreation)
Default value: Yes
Description: Choose 'No' to skip creation of the AWS IoT SiteWise monitor/dashboard setup. In this case, telemetry data is shown only in the Asset Measurements section.

Table 2. VPC network configuration

Parameter label (name): Availability Zones (AvailabilityZones)
Default value: Requires input
Description: List of Availability Zones to use for the subnets in the VPC.

Table 3. AWS Quick Start configuration

Parameter label (name): Quick Start S3 bucket name (QSS3BucketName)
Default value: aws-quickstart
Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location; because the nested templates and bootstrap scripts are fetched from this bucket at deployment time, point it only at a bucket you control. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but cannot start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html.

Parameter label (name): Quick Start S3 bucket Region (QSS3BucketRegion)
Default value: eu-central-1
Description: AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify its Region. See https://aws-quickstart.github.io/option1.html.

Parameter label (name): Quick Start S3 key prefix (QSS3KeyPrefix)
Default value: quickstart-softing-edgeconnector-siemens/
Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/), and must end with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.