Transferring data from your Operational Technology (OT) network to the Azure cloud can be challenging — especially when dealing with Purdue Model segmentation and unreliable SFTP connections. If you need a secure and high-performance way to move files generated by lab devices from Level 3 (Operations) to Azure, Azure NetApp Files (ANF) can be a robust alternative.

Why Azure NetApp Files for OT Data Transfer?
Azure NetApp Files is a high-performance file storage service that supports NFS and SMB protocols. It’s ideal for industrial or lab environments that generate continuous data and require low-latency file access in the cloud.
Key advantages:
- Secure data transfer over private connectivity (VPN/ExpressRoute)
- Supports NFSv3/v4.1 and SMB (or both in dual-protocol)
- Integration with Active Directory
- High throughput and predictable performance
- Azure-native redundancy and backup options
How the Purdue Model Defines OT Network Levels
In the Purdue model:
- Level 3: Plant control systems or lab networks generating data
- Level 3.5: Demilitarized zone (DMZ) — a security buffer between OT and IT
- Level 4: Business network or IT systems
- Level 5: Cloud and enterprise services
You cannot directly connect Level 3 devices to the cloud.
Instead, you use Level 3.5 (DMZ) as a staging area — where a transfer server or gateway safely pushes data to Azure.
Reference Architecture Overview
Here’s a simplified setup for moving OT data using Azure NetApp Files:
Lab Devices (Level 3)
│
│ (Local network file drop)
▼
Transfer Server / Data Gateway (Level 3.5 DMZ)
│
│ (VPN or ExpressRoute)
▼
Azure Virtual Network
│
▼
Azure NetApp Files (NFS/SMB Volume)
│
▼
Azure VMs / Analytics / Storage Consumers
This design ensures:
- No direct exposure of devices to the internet
- Controlled data movement through secure tunnels
- Reliable file persistence for analytics and AI workloads in Azure
Step-by-Step Setup Guide
Step 1: Set Up Private Connectivity
You’ll need a private connection between your OT network (or DMZ) and Azure:
- Option 1: ExpressRoute Private Peering
For stable, low-latency enterprise connectivity.
- Option 2: Site-to-Site VPN
For smaller or pilot implementations.
Tip: Public internet connections are not supported by Azure NetApp Files.
Step 2: Create an Azure NetApp Files Account
- Go to Azure Portal → Create a resource → Azure NetApp Files
- Provide:
- Resource group
- Region
- Account name
- Once created, delegate a subnet in your Azure Virtual Network to Azure NetApp Files.
Step 3: Configure a Capacity Pool
- Inside your ANF account, create a capacity pool (minimum 4 TiB).
- Choose a performance tier:
- Standard: 16 MiB/s per TiB
- Premium: 64 MiB/s per TiB
- Ultra: 128 MiB/s per TiB
Step 4: Create and Mount a Volume
- Go to your capacity pool → Add Volume.
- Select Protocol:
- NFS (for Linux workloads)
- SMB (for Windows)
- Dual-protocol (if both environments access the same share)
- Set:
- Volume path (e.g., /otdata)
- Size and tier
- VNet/subnet (the delegated one)
- Assign access controls:
- NFS export policy
- SMB AD integration
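The portal steps in Steps 2 through 4 as an Azure CLI script. This is an added example, not the article's own procedure: it defaults to dry-run, so it only prints the `az` commands it would run, and it keeps the NFS export policy limited to the DMZ subnet that will mount the volume. Resource names, the region, the address ranges and the `az netappfiles` flag set are assumptions (the flag set and the unit of `--size` have varied across CLI versions, so check `az netappfiles pool create --help` before turning dry-run off).

```shell
#!/bin/sh
# Added example: provisions the ANF account, capacity pool and NFS volume from
# Steps 2-4 with the Azure CLI. DRY_RUN=1 (the default) only prints the az
# commands; set DRY_RUN=0 on a host that has run `az login` to execute them.
# All names, the region and the address ranges below are placeholder assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="rg-ot-anf"
LOCATION="westeurope"
VNET="vnet-ot-landing"
ANF_SUBNET="snet-anf"              # must be delegated to Microsoft.NetApp/volumes
ANF_SUBNET_PREFIX="10.20.2.0/28"
ACCOUNT="anf-ot"
POOL="pool-ot"
SERVICE_LEVEL="Premium"            # Standard | Premium | Ultra
POOL_SIZE_TIB=4                    # the minimum pool size is 4 TiB
VOLUME="otdata"
VOLUME_QUOTA_GIB=2048              # 2 TiB
DMZ_CLIENTS="10.20.1.0/24"         # Level 3.5 transfer hosts allowed to mount

# Throughput each tier provides per TiB (the figures from Step 3).
tier_mibps_per_tib() {
    case "$1" in
        Standard) echo 16 ;;
        Premium)  echo 64 ;;
        Ultra)    echo 128 ;;
        *) echo "unknown service level: $1" >&2; return 1 ;;
    esac
}

# Expected throughput in MiB/s for a tier and a provisioned size in GiB.
expected_mibps() {
    per_tib=$(tier_mibps_per_tib "$1") || return 1
    echo $(( per_tib * $2 / 1024 ))
}

# Reject pool sizes below the 4 TiB minimum before calling Azure at all.
check_pool_size() {
    [ "$1" -ge 4 ]
}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

provision() {
    check_pool_size "$POOL_SIZE_TIB" || { echo "pool must be >= 4 TiB" >&2; return 1; }
    # Step 2: the delegated subnet ANF requires, then the account.
    run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
        --name "$ANF_SUBNET" --address-prefixes "$ANF_SUBNET_PREFIX" \
        --delegations Microsoft.NetApp/volumes
    run az netappfiles account create --resource-group "$RG" --location "$LOCATION" \
        --name "$ACCOUNT"
    # Step 3: capacity pool with the chosen tier.
    run az netappfiles pool create --resource-group "$RG" --location "$LOCATION" \
        --account-name "$ACCOUNT" --name "$POOL" \
        --size "$POOL_SIZE_TIB" --service-level "$SERVICE_LEVEL"
    # Step 4: NFSv4.1 volume whose export policy admits only the DMZ subnet.
    run az netappfiles volume create --resource-group "$RG" --location "$LOCATION" \
        --account-name "$ACCOUNT" --pool-name "$POOL" --name "$VOLUME" \
        --service-level "$SERVICE_LEVEL" --usage-threshold "$VOLUME_QUOTA_GIB" \
        --file-path "$VOLUME" --vnet "$VNET" --subnet "$ANF_SUBNET" \
        --protocol-types NFSv4.1 \
        --rule-index 1 --allowed-clients "$DMZ_CLIENTS" \
        --nfsv41 true --nfsv3 false --unix-read-write true
    echo "expected volume throughput: $(expected_mibps "$SERVICE_LEVEL" "$VOLUME_QUOTA_GIB") MiB/s"
}

# Provision only when executed directly, so the functions can also be sourced.
case "${0##*/}" in
    provision_anf.sh) provision ;;
esac
```

The export policy is the point to get right: an NFS volume with an open `0.0.0.0/0` rule is reachable from every subnet the VNet can route to, whereas limiting `--allowed-clients` to the DMZ range keeps Level 3 devices from ever mounting the share even if routing is misconfigured.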
Step 5: Mount the Volume in the DMZ Transfer Server
From your Level 3.5 transfer host:
- For Linux (NFS):
sudo mkdir /mnt/otdata
sudo mount -t nfs <ANF-IP>:/otdata /mnt/otdata
- For Windows (SMB):
net use Z: \\<ANF-IP>\otdata /user:<domain\user> *
(The trailing * makes net use prompt for the password instead of taking it on the command line, where it would be left in shell history and visible in process listings.)
This host acts as a bridge — pulling data from devices on Level 3 and writing it to the ANF share.
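A sweep script for the Level 3.5 transfer host, as an added example that is not from the article: it refuses to write unless the target is really an NFS mount (so a dropped mount cannot silently fill the local disk), accepts only files whose names are plain alphanumerics, copies each file to a temporary name on the share, verifies the copy byte for byte and then renames it, so consumers in Azure never see a half-written file. The drop directory, the `.done` completion-marker convention and the log format are assumptions.

```shell
#!/bin/sh
# Added example for the Level 3.5 transfer host: move completed device files
# from the local drop directory onto the mounted ANF volume. The drop path,
# the ".done" marker convention and the log format are assumptions, not
# anything the article prescribes.
set -u

DROP_DIR="${DROP_DIR:-/srv/labdrop}"        # where Level 3 devices write files
ANF_MOUNT="${ANF_MOUNT:-/mnt/otdata}"       # the NFS mount from Step 5
REQUIRE_NFS="${REQUIRE_NFS:-1}"             # refuse to run if ANF_MOUNT is not NFS
LOG_FILE="${LOG_FILE:-/var/log/ot-transfer.log}"

# True when the path is the mount point of an NFS filesystem, read from
# /proc/mounts.
is_nfs_mount() {
    awk -v mp="$1" '$2 == mp && $3 ~ /^nfs/ { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

# Accept only names built from [A-Za-z0-9._-] that do not start with a dot or
# a dash; spaces, shell metacharacters and path separators are rejected.
safe_name() {
    case "$1" in
        ''|.*|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Copy one file: write to a temporary name on the share, verify byte for byte,
# then rename into place and remove the local copy and its marker.
transfer_file() {
    src="$1"; name="${src##*/}"; dst="$ANF_MOUNT/$name"; tmp="$ANF_MOUNT/.$name.part"
    cp -- "$src" "$tmp" || return 1
    if cmp -s "$src" "$tmp"; then
        mv -- "$tmp" "$dst" && rm -f -- "$src" "$src.done"
    else
        rm -f -- "$tmp"; return 1
    fi
}

# Sweep the drop directory. A device signals a finished upload by creating
# <file>.done beside it; files without a marker are still being written.
# Prints the number of files transferred.
transfer_completed() {
    if [ "$REQUIRE_NFS" = "1" ] && ! is_nfs_mount "$ANF_MOUNT"; then
        echo "$ANF_MOUNT is not an NFS mount, refusing to write" >&2; return 1
    fi
    count=0
    for marker in "$DROP_DIR"/*.done; do
        [ -e "$marker" ] || continue
        src="${marker%.done}"; name="${src##*/}"
        if ! safe_name "$name"; then
            printf '%s SKIP unsafe name: %s\n' "$(date -u +%FT%TZ)" "$name" >>"$LOG_FILE"
            continue
        fi
        if [ -f "$src" ] && transfer_file "$src"; then
            printf '%s OK %s\n' "$(date -u +%FT%TZ)" "$name" >>"$LOG_FILE"
            count=$((count + 1))
        else
            printf '%s FAIL %s\n' "$(date -u +%FT%TZ)" "$name" >>"$LOG_FILE"
        fi
    done
    echo "$count"
}

# Run one sweep when executed directly; schedule it with cron or a systemd timer.
if [ "${0##*/}" = "ot-transfer.sh" ]; then
    transfer_completed
fi
```

The log lines (one per file, with a UTC timestamp and OK/FAIL/SKIP) are what a SOC would forward from the DMZ host: a burst of SKIP entries means a device is producing names the pipeline does not expect, and a FAIL after the copy step points at the share rather than the device.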
Step 6: Consume Files in Azure
Azure VMs, Kubernetes clusters, or analytics services (like Azure Synapse or AI models) can access the same ANF share for processing.
You can integrate ANF directly with:
- Azure Virtual Machines
- Azure VMware Solution (AVS)
- AKS (Kubernetes)
- Azure Machine Learning pipelines
Alternative Approaches (When ANF Is Not Ideal)
If your main goal is reliable transfer instead of mountable file storage, you might prefer these Azure-native solutions:
| Use Case | Recommended Service |
|---|---|
| SFTP with cloud storage | Azure Blob Storage SFTP |
| Sync local file server to cloud | Azure File Sync |
| Automatic upload from OT environment | Azure Data Box Gateway |
ANF is best when your Azure workloads need direct, high-speed file access.
For pure data movement or archiving, Blob or File Sync might be simpler and cheaper.
Security Best Practices
- Keep all ANF access over private endpoints.
- Use firewalls/NSGs to restrict access to specific subnets.
- For SMB: join the volume to on-premises Active Directory (not a Microsoft Entra ID-only setup).
- Implement Azure Backup or Snapshots for file protection.
- Never allow OT devices to directly mount cloud shares.
Azure NetApp Files offers a reliable, secure, and scalable solution to move OT-generated files into Azure for analysis or archiving — without relying on fragile SFTP transfers.
By setting up a Level 3.5 transfer host and connecting through VPN or ExpressRoute, you can ensure compliance with Purdue Model boundaries while enabling modern data workflows in the cloud.