Connected factory preconfigured solution walkthrough

The IoT Suite Connected factory preconfigured solution is an implementation of an end-to-end industrial solution that:

  • Connects to both simulated industrial devices running OPC UA servers in simulated factory production lines, and real OPC UA server devices. For more information about OPC UA, see the Connected factory FAQ.
  • Shows operational KPIs and OEE of those devices and production lines.
  • Demonstrates how a cloud-based application could be used to interact with OPC UA server systems.
  • Enables you to connect your own OPC UA server devices.
  • Enables you to browse and modify the OPC UA server data.
  • Integrates with the Azure Time Series Insights (TSI) service to provide customized views of the data from your OPC UA servers.

You can use the solution as a starting point for your own implementation and customize it to meet your own specific business requirements.

This article walks you through some of the key elements of the Connected factory solution to enable you to understand how it works. The article also describes how data flows through the solution. This knowledge helps you to:

  • Troubleshoot issues in the solution.
  • Plan how to customize to the solution to meet your own specific requirements.
  • Design your own IoT solution that uses Azure services.

For more information, see the Connected factory FAQ.

Logical architecture

The following diagram outlines the logical components of the preconfigured solution:

Connected factory logical architecture

Communication patterns

The solution uses the OPC UA Pub/Sub specification to send OPC UA telemetry data to IoT Hub in JSON format. The solution uses the OPC Publisher IoT Edge module for this purpose.

The solution also has an OPC UA client integrated into a web application that can establish connections with on-premises OPC UA servers. The client uses a reverse-proxy and receives help from IoT Hub to make the connection without requiring open ports in the on-premises firewall. This communication pattern is called service-assisted communication. The solution uses the OPC Proxy IoT Edge module for this purpose.


The simulated stations and the simulated manufacturing execution systems (MES) make up a factory production line. The simulated devices and the OPC Publisher Module are based on the OPC UA .NET Standard published by the OPC Foundation.

The OPC Proxy and OPC Publisher are implemented as modules based on Azure IoT Edge. Each simulated production line has a designated gateway attached.

All simulation components run in Docker containers hosted in an Azure Linux VM. The simulation is configured to run eight simulated production lines by default.

Simulated production line

A production line manufactures parts. It is composed of different stations: an assembly station, a test station, and a packaging station.

The simulation runs and updates the data that is exposed through the OPC UA nodes. All simulated production line stations are orchestrated by the MES through OPC UA.

Simulated manufacturing execution system

The MES monitors each station in the production line through OPC UA to detect station status changes. It calls OPC UA methods to control the stations and passes a product from one station to the next until it is complete.

Gateway OPC publisher module

OPC Publisher Module connects to the station OPC UA servers and subscribes to the OPC nodes to be published. The module converts the node data into JSON format, encrypts it, and sends it to IoT Hub as OPC UA Pub/Sub messages.

The OPC Publisher module only requires an outbound https port (443) and can work with existing enterprise infrastructure.

Gateway OPC proxy module

The Gateway OPC UA Proxy Module tunnels binary OPC UA command and control messages and only requires an outbound https port (443). It can work with existing enterprise infrastructure, including Web Proxies.

It uses IoT Hub Device methods to transfer packetized TCP/IP data at the application layer and thus ensures endpoint trust, data encryption, and integrity using SSL/TLS.

The OPC UA binary protocol relayed through the proxy itself uses UA authentication and encryption.

Azure Time Series Insights

The Gateway OPC Publisher Module subscribes to OPC UA server nodes to detect change in the data values. If a data change is detected in one of the nodes, this module then sends messages to Azure IoT Hub.

IoT Hub provides an event source to Azure TSI. TSI stores data for 30 days based on timestamps attached to the messages. This data includes:

  • OPC UA ApplicationUri
  • OPC UA NodeId
  • Value of the node
  • Source timestamp
  • OPC UA DisplayName

Currently, TSI does not allow customers to customize how long they wish to keep the data for.

TSI queries against node data using a SearchSpan (Time.From, Time.To) and aggregates by OPC UA ApplicationUri or OPC UA NodeId or OPC UA DisplayName.

To retrieve the data for the OEE and KPI gauges, and the time series charts, data is aggregated by count of events, Sum, Avg, Min, and Max.

The time series are built using a different process. OEE and KPIs are calculated from station base data and bubbled up for the topology (production lines, factories, enterprise) in the application.

Additionally, time series for OEE and KPI topology is calculated in the app, whenever a displayed timespan is ready. For example, the day view is updated every full hour.

The time series view of node data comes directly from TSI using an aggregation for timespan.

IoT Hub

The IoT hub receives data sent from the OPC Publisher Module into the cloud and makes it available to the Azure TSI service.

The IoT Hub in the solution also:

  • Maintains an identity registry that stores the IDs for all OPC Publisher Module and all OPC Proxy Modules.
  • Is used as transport channel for bidirectional communication of the OPC Proxy Module.

Azure Storage

The solution uses Azure blob storage as disk storage for the VM and to store deployment data.

Web app

The web app deployed as part of the preconfigured solution comprises of an integrated OPC UA client, alerts processing and telemetry visualization.

Telemetry data flow

Telemetry data flow

Flow steps

  1. OPC Publisher reads the required OPC UA X509 certificates and IoT Hub security credentials from the local certificate store.

    • If necessary, OPC Publisher creates and stores any missing certificates or credentials in the certificate store.
  2. OPC Publisher registers itself with IoT Hub.

    • Uses the configured protocol. Can use any IoT Hub client SDK supported protocol. The default is MQTT.
    • Protocol communication is secured by TLS.
  3. OPC Publisher reads configuration file.

  4. OPC Publisher creates an OPC Session with each configured OPC UA Server.

    • Uses TCP connection.
    • OPC Publisher and OPC UA Server authenticate each other using X509 certificates.
    • All further OPC UA traffic is encrypted by the configured OPC UA encryption mechanism.
    • OPC Publisher creates, in the OPC Session for each configured publishing interval, an OPC Subscription.
    • Creates OPC Monitored items for the OPC Nodes to publish in the OPC Subscription.
  5. If a monitored OPC Node value changes, OPC UA Server sends updates to OPC Publisher.

  6. OPC Publisher transcodes the new value.

    • Batches multiple changes if batching is enabled.
    • Creates an IoT Hub message.
  7. OPC Publisher sends a message to IoT Hub.

    • Use the configured protocol.
    • Communication is secured by TLS.
  8. Time Series Insights (TSI) reads the messages from IoT Hub.

    • Uses AMQP over TCP/TLS.
    • This step is internal to the datacenter.
  9. Data at rest in TSI.

  10. Connected factory WebApp in Azure AppService queries required data from TSI.

    • Uses TCP/TLS secured communication.
    • This step is internal to the datacenter.
  11. Web browser connects to the Connected factory WebApp.

    • Renders the Connected factory dashboard.
    • Connects over HTTPS.
    • Access to the Connected factory App requires authentication of the user via Azure Active Directory.
    • Any WebApi calls into Connected factory app are secured by Anti-Forgery-Tokens.
  12. On data updates, the Connected factory WebApp sends updated data to the web browser.

    • Uses the SignalR protocol.
    • Secured by TCP/TLS.

Browsing data flow

Browsing data flow

Flow steps

  1. OPC Proxy (server component) starts up.

    • Reads the shared access keys from a local store.
    • If necessary, stores missing access keys in the store.
  2. OPC Proxy (server component) registers itself with IoT Hub.

    • Reads all it's known devices from IoT Hub.
    • Uses MQTT over TLS over Socket or Secure Websocket.
  3. Web browser connects to the Connected factory WebApp and renders the Connected factory dashboard.

    • Uses HTTPS.
    • A user selects an OPC UA server to connect to.
  4. Connected factory WebApp establishes an OPC UA Session to the selected OPC UA server.

    • Uses OPC UA stack.
  5. OPC Proxy transport receives a request from the OPC UA stack to establish a TCP socket connection to OPC UA server.

    • It just retrieves the TCP payload and uses it unchanged.
    • This step is internal to the Connected factory WebApp.
  6. OPC Proxy (client component) looks up OPC Proxy (server component) device in the IoT Hub device registry. Then calls a device method of the OPC Proxy (server component) device in IoT Hub.

    • Uses HTTPS over TCP/TLS to look up OPC Proxy.
    • Uses using HTTPS over TCP/TLS to establish a TCP socket connection to the OPC UA server.
    • This step is internal to the datacenter.
  7. IoT Hub calls a device method in the OPC Proxy (server component) device.

    • Uses an established MQTT over TLS over Socket or Secure Websocket connection to establish a TCP socket connection to the OPC UA server.
  8. OPC Proxy (server component) sends the TCP payload on to the shopfloor network.

  9. The OPC UA server processes the payload and sends back the response.

  10. The response is received by the socket of the OPC Proxy (server component).

    • OPC Proxy sends the data as return value of the device method to IoT Hub and the OPC Proxy (client component).
    • This data is delivered to the OPC UA stack in the Connected factory app.
  11. Connected factory WebApp returns OPC Browser UX enriched with the OPC UA-specific information it received from the OPC UA server to the Web Browser to render it.

    • While browsing through the OPC address-space and applying functions to nodes in the OPC address-space, the OPC Browser UX client part uses AJAX calls over HTTPS secured with Anti-Forgery Tokens to get data from the Connected factory WebApp.
    • If necessary, the client uses the communication explained in steps 4 through to 10 to exchange information with the OPC UA server.


The OPC Proxy (server component) and OPC Proxy (client) component complete steps #4 through #10 for all TCP traffic related to the OPC UA communication.


For the OPC UA server and the OPC UA stack within the Connected factory WebApp, the OPC Proxy communication is transparent and all OPC UA security features for authentication and encryption apply.

Next steps

You can continue getting started with IoT Suite by reading the following articles: