Private & Secure Networks for Azure Digital Twins on NetFoundry Cloud
Azure Digital Twins
A study by the Capgemini Research Institute indicates that 60% of organizations across various sectors are currently using digital twins to enhance their operational performance and sustainability efforts, and adoption is expected to grow by another 36% over the next five years. Securing the data, assets, applications, devices and equipment involved in a digital twins ecosystem is paramount to the success of the implementation: these projects handle valuable and sensitive information that, if compromised, may have serious consequences. NetFoundry has been helping organizations establish secure networks for IT, IoT and OT over the internet via our Network as a Service platform, NetFoundry Cloud. In this article, we discuss our approach to establishing secure, private networks to Azure Digital Twins using software defined networking and the zero trust framework.
Digital Twins
Virtual replicas of physical assets enable real-time monitoring, predictive maintenance, and process optimization.
Getting Started with NetFoundry Cloud
What you need to get started:
1. A NetFoundry Cloud account. If you don't have one, go through the steps to create a free trial account.
2. A network in your account with at least one public router. These articles will guide you through the process:
- How to create a network
- Provision a public router (NetFoundry hosted)
- Firewall policy requirements to provide outbound-only access to the NetFoundry network (no inbound ports need to be opened at your sites; endpoints and edge routers dial out to the NetFoundry fabric)
Creating an Azure Digital Twins Instance
You can follow the steps outlined in the "Set up Azure Digital Twins" section of the Azure Digital Twins documentation:
Create a new VNet or use an existing VNet to provision your Azure Digital Twins instance. The VNet you choose here is where the private endpoint and the NetFoundry edge router will be placed in the following steps.
Securing Your ADT Instance
Disable public network access for your ADT instance and for ADT Explorer so that they are reachable only through the private endpoint inside Azure, which in turn is reached only over the NetFoundry private connection. With public access left enabled, the overlay adds nothing, because the instance would still answer on its public address.
Connect to the ADT Instance via a Private Endpoint
In the same VNet, provision an Azure private endpoint. The private endpoint is the entry point within Azure to reach the ADT instance. You can follow the instructions in the "Add a private endpoint to an existing instance" section of the Azure Digital Twins documentation. Make sure the private endpoint is linked to the privatelink.digitaltwins.azure.net private DNS zone for the VNet, so that the instance host name resolves to the private endpoint's IP from inside the VNet; otherwise the edge router would resolve the public address, which no longer answers once public network access is disabled.
Check that the private endpoint association is reflected under the Networking section of the instance.
Spin up a NetFoundry edge router in Azure
The NetFoundry edge router is the gateway to Azure Digital Twins via the private and secure zero trust overlay. Follow the instructions to spin up the NetFoundry edge router in Azure from the Azure Marketplace. The router has to be deployed in the same VNet as your ADT instance, or have reachability to the ADT instance via VNet peering; in either case it must use DNS that resolves the instance host name to the private endpoint.
The router should show as registered and online once it has been provisioned successfully.
Create Your Identity, Service, and Service Policy
You can access ADT Explorer via the NetFoundry endpoint software on your laptop, or via an edge router at your office or factory, where the edge router acts as a WAN gateway.
- Create your identity, if you are accessing ADT Explorer from a PC, laptop or mobile device.
- Create your service for ADT Explorer.
The service is configured with a wildcard intercept built from the host name of the ADT instance.
The host name Azure assigns to the ADT instance is ADTNetFoundry.api.sea.digitaltwins.azure.net, and the service is configured with the wildcard intercept host name *.ADTNetFoundry.api.sea.digitaltwins.azure.net so that the ADT Explorer URL is reached over the NetFoundry Cloud network.
The hosting identity for the service is the customer edge router that was provisioned in the Azure VNet from the Marketplace; it is the only identity that terminates the service inside Azure.
Port 443 is selected because this is an HTTPS service; no other ports are intercepted.
- Create your service policy to allow your identity (or identities) to access the service (ADT Explorer).
The service policy allows the device identities, or the identity of the router deployed at your factory or site, to access the ADT service over the NetFoundry Cloud network. You can mix device identities and router identities so that engineers can reach ADT Explorer from a work location or from anywhere. You can follow this article on how to create your service policy.
The service policy that allows those identities to access the ADT Explorer service has been created as shown in the console screenshot below:
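The console steps above amount to one OpenZiti service definition. As an added example (not NetFoundry's or OpenZiti's own code), the script below builds the intercept.v1 and host.v1 configs for the ADT service, the Dial policy for the client identities and the Bind policy for the router, and includes a small matcher that shows which host names a wildcard intercept does and does not capture. The service, identity and router names are hypothetical; the wildcard semantics are an assumption (a `*.` address is taken to match names under the domain but not the bare domain), which is why the bare host name is listed alongside the page's wildcard.

```python
"""Service definition behind the console steps above, as an added example
(not NetFoundry's or OpenZiti's own code): the OpenZiti intercept.v1 and
host.v1 configs for the ADT service, its Dial and Bind policies, and a
matcher that shows which host names a wildcard intercept captures.

Assumptions: the identity and router names are hypothetical, and a wildcard
address '*.example' is taken to match subdomains of example only, not the
bare name, so the bare host is listed alongside the page's wildcard.
"""
import json

ADT_HOST = "ADTNetFoundry.api.sea.digitaltwins.azure.net"       # instance host name from the page
SERVICE_NAME = "adt-explorer"                                     # hypothetical service name
HOSTING_ROUTER = "azure-vnet-edge-router"                        # hypothetical: router identity in the ADT VNet
CLIENT_IDENTITIES = ["engineer-laptop", "factory-edge-router"]   # hypothetical dialing identities


def intercept_config(host: str = ADT_HOST, port: int = 443) -> dict:
    """intercept.v1: what the client-side endpoint captures and carries over the overlay.
    Only TCP 443 is intercepted, matching the HTTPS-only service on the page."""
    return {
        "protocols": ["tcp"],
        "addresses": [host, f"*.{host}"],
        "portRanges": [{"low": port, "high": port}],
    }


def host_config(host: str = ADT_HOST, port: int = 443) -> dict:
    """host.v1: what the hosting router in the VNet connects to on the client's behalf.
    forwardAddress keeps the intercepted name, so the router resolves it locally
    (via the private DNS zone) to the private endpoint; allowedAddresses pins the
    router to the ADT host so it cannot be used as a generic proxy into the VNet."""
    return {
        "protocol": "tcp",
        "forwardAddress": True,
        "allowedAddresses": [host, f"*.{host}"],
        "port": port,
    }


def service_policies(service: str = SERVICE_NAME) -> list:
    """Least privilege: clients may only Dial, the VNet router may only Bind.
    '@name' is OpenZiti's role syntax for a specific identity or service."""
    return [
        {"name": f"{service}-dial", "type": "Dial",
         "identityRoles": [f"@{i}" for i in CLIENT_IDENTITIES],
         "serviceRoles": [f"@{service}"]},
        {"name": f"{service}-bind", "type": "Bind",
         "identityRoles": [f"@{HOSTING_ROUTER}"],
         "serviceRoles": [f"@{service}"]},
    ]


def intercepted(addresses: list, hostname: str) -> bool:
    """True if hostname is covered by one of the intercept addresses.
    Wildcard semantics assumed: '*.d' matches any name under d, never d itself."""
    name = hostname.lower().rstrip(".")
    for pattern in addresses:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if name.endswith(pattern[1:]):   # keep the leading dot: "*.d" -> ".d"
                return True
        elif name == pattern:
            return True
    return False


def service_definition() -> dict:
    """Everything the console creates for this service, in one document."""
    return {
        "service": {"name": SERVICE_NAME,
                    "configs": [f"{SERVICE_NAME}-intercept", f"{SERVICE_NAME}-host"]},
        "configs": {f"{SERVICE_NAME}-intercept": intercept_config(),
                    f"{SERVICE_NAME}-host": host_config()},
        "policies": service_policies(),
    }


if __name__ == "__main__":
    print(json.dumps(service_definition(), indent=2))
    for name in (ADT_HOST, "explorer." + ADT_HOST, "other.api.sea.digitaltwins.azure.net"):
        covered = intercepted([f"*.{ADT_HOST}"], name)
        print(f"{name}: {'intercepted' if covered else 'not intercepted'} by the wildcard alone")
```

The Bind policy is what keeps the edge router from becoming a general-purpose jump host: it may host only this service, and the host.v1 allowedAddresses list restricts where it will forward even if a client asks for something else. If the bare host name must be reachable and your platform's wildcard does not cover it, add it to the intercept addresses as the example does.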
Access the ADT Explorer App Over the Secure, Private NetFoundry Cloud Network
Check that the NetFoundry edge client running on your device has an identity with access to the Azure Digital Twins service.
You should then be able to reach the service over the NetFoundry Cloud network. Also verify that you cannot access the ADT Explorer app over the public internet, for example with the endpoint software stopped, which confirms that the only working path is the private one.
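The check described above can be scripted so it is repeatable after every change to the service or the private endpoint. The script below is an added example (not NetFoundry's or Azure's tooling): it resolves the instance host name exactly as the client would, classifies the answer as overlay, in-VNet, other private, or public, attempts a TCP connect on 443 and turns the pair into a verdict. The VNet CIDR is a placeholder, and the 100.64.0.0/10 range is the default address pool OpenZiti tunnelers hand out for intercepted names; that the NetFoundry endpoint keeps this default is an assumption. It does not claim anything about the HTTP status the Azure front end returns on the public path, which is why a public address with an open TCP port only produces a warning to confirm the publicNetworkAccess setting.

```python
"""Which path is this client using to reach the ADT instance?

Added example, not NetFoundry's or Azure's tooling. Resolve the host name the
way the client does, classify the answer, try TCP 443, and report.
Assumptions: VNET_CIDR is a placeholder for the ADT VNet, and 100.64.0.0/10 is
the default range OpenZiti tunnelers use for intercepted names.
"""
import ipaddress
import socket

ADT_HOST = "ADTNetFoundry.api.sea.digitaltwins.azure.net"   # host name from the page
VNET_CIDR = ipaddress.ip_network("10.10.0.0/16")             # placeholder: your ADT VNet
OVERLAY_CIDR = ipaddress.ip_network("100.64.0.0/10")         # tunneler intercept range (assumed default)


def classify(ip: str, vnet=VNET_CIDR) -> str:
    """Label a DNS answer by where it points."""
    addr = ipaddress.ip_address(ip)
    if addr in OVERLAY_CIDR:
        return "overlay"        # endpoint software intercepted the name
    if addr in vnet:
        return "vnet"           # private endpoint, seen from inside the VNet
    if addr.is_private:
        return "other-private"  # some other RFC1918 answer: wrong DNS zone or wrong VNet
    return "public"             # Azure's public address: no interception in play


def tcp_open(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Plain TCP connect; on the overlay path this is answered by the tunneler."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verdict(path: str, connected: bool) -> str:
    if path == "overlay" and connected:
        return "OK: reached over the NetFoundry overlay"
    if path == "vnet" and connected:
        return "OK: reached via the private endpoint from inside the VNet"
    if path == "public" and not connected:
        return "OK: public path closed"
    if path == "public" and connected:
        return "WARN: TCP 443 open on a public address; confirm publicNetworkAccess is Disabled"
    return f"FAIL: unexpected result (path={path}, connected={connected})"


def check(host: str = ADT_HOST, resolve=socket.gethostbyname, connect=tcp_open):
    """Return (answer, path, connected, verdict). resolve and connect are
    injectable so the decision logic can be exercised with canned values."""
    try:
        ip = resolve(host)
    except OSError:
        return (None, "unresolved", False,
                "FAIL: name does not resolve; is the endpoint running and the identity enrolled?")
    path = classify(ip)
    connected = connect(host)
    return (ip, path, connected, verdict(path, connected))


if __name__ == "__main__":
    ip, path, connected, msg = check()
    state = "open" if connected else "closed"
    print(f"{ADT_HOST} -> {ip} ({path}), tcp/443 {state}: {msg}")
```

Run it twice from the same laptop: once with the NetFoundry endpoint enrolled and running, where the answer should land in the overlay range and connect, and once with the endpoint stopped, where the answer should be Azure's public address and the path should be closed. An "other-private" result from the edge router's vantage point usually means the private DNS zone is not linked to the VNet the router lives in.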
In the Metrics section of the console, you can verify the service traffic, which should show the ADT Explorer sessions flowing between your identities and the edge router in Azure: