# Core Components

<figure><img src="/files/TsAoQg18sHaTTDIkpced" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Klq3ysyY1xxZNXlZy02q" alt=""><figcaption><p>Nexus connects to plant systems at the edge, organizes them with an ISA-95-aligned hierarchy, collects and processes data via tags, enriches it with metadata, and serves it through cloud APIs and time-series analytics for dashboards and custom apps.</p></figcaption></figure>

## Customer Site (Factory Floor)

Typically, the production systems that contain the data you want to collect sit on the factory floor. It is a secure, non-internet-facing zone that contains the operational data sources we want to read from. These can be:

* **Databases / Historians**
* **Realtime data sources (OPC UA / MQTT / MODBUS / ..)**
* **MES/SCADA systems**
* **FTP/File shares**

Nexus Edge devices do not need inbound connections from the Internet. They *can* be installed directly on the factory floor, but it requires that the edge devices are able to create an outbound connection to requires is very often a very restricted network, where

### On-site Edge Devices

Nexus does **not** run cloud endpoints here and does not require inbound internet access to OT.

### Purpose in the architecture

* Provide the **authoritative data** about equipment, process values, quality results, and events.
* Keep production systems **isolated** from the internet and IT workloads while still enabling data acquisition.

### Connectivity principle

* **No open internet on the factory floor.**\
  All northbound communication is routed through an **Industrial DMZ** (on-site Edge zone). OT assets never accept inbound connections from the cloud or enterprise networks.
* **Southbound protocols stay in OT.**\
  PLC/fieldbus/SCADA traffic remains local; Nexus Edge connectors in the DMZ read from OT over standard interfaces (e.g., OPC UA/DA, SQL, SMB/FTP) using tightly scoped credentials.

### Typical systems in this zone

* **OPC servers** (gateway from PLCs/SCADA)
* **Databases & historians** (SQL/OSIsoft/ADX on-prem)
* **MES/Manufacturing apps** (production orders, genealogy)
* **File servers / FTP drops** (batch reports, machine exports)
* **Other OT applications** (alarm/event systems, lab systems)

### Security & access expectations

* **Network:** OT VLANs/subnets are firewalled; only **allowlisted** connections from the **DMZ** to specific hosts/ports are permitted.
* **Accounts:** Use **read-only**, least-privilege service accounts; prefer certificate-based auth for OPC UA and key-vaulted credentials for databases and shares.
* **Change control:** Any new data access is approved via site change procedures; routes and ports are documented.
* **Resilience:** Source systems remain operational even if the WAN is down; the DMZ buffers data until cloud connectivity returns.
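
The connectivity principle and the allowlist expectation above can be checked mechanically against an exported firewall rule set. The following is an added example, not part of the Nexus product or its documentation; the subnets, hosts, ports, rule tuple format and the `audit` helper are constructed assumptions.

```python
import ipaddress

# Constructed zone layout, approvals and rules (assumptions, not Nexus defaults).
ZONES = {"ot": ipaddress.ip_network("10.10.0.0/16"),
         "dmz": ipaddress.ip_network("10.20.0.0/24")}
# DMZ -> OT flows approved through site change control: (host, port).
APPROVED = {("10.10.1.5", 4840), ("10.10.2.8", 1433)}
RULES = [  # (source CIDR, destination CIDR, destination port, action)
    ("10.20.0.10/32", "10.10.1.5/32", 4840, "allow"),    # edge -> OPC UA server
    ("10.20.0.10/32", "10.10.2.0/24", 1433, "allow"),    # whole subnet, not one host
    ("0.0.0.0/0", "10.10.3.7/32", 22, "allow"),          # inbound to OT from anywhere
    ("10.10.1.5/32", "0.0.0.0/0", 443, "allow"),         # OT host straight to internet
    ("10.20.0.10/32", "203.0.113.20/32", 443, "allow"),  # edge outbound to cloud
]

def zone_of(net):
    """Name of the zone that wholly contains net, else 'external'."""
    for name, cidr in ZONES.items():
        if net.subnet_of(cidr):
            return name
    return "external"

def audit(rules, approved=APPROVED):
    """Return (rule index, reason) for every allow rule that breaks the zone model."""
    findings = []
    for i, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        src_zone = zone_of(s)
        if src_zone == "ot":
            # Assumption: OT-to-OT and OT-to-DMZ flows are out of scope for this check.
            if zone_of(d) not in ("ot", "dmz"):
                findings.append((i, "OT source can reach beyond the DMZ"))
        elif d.overlaps(ZONES["ot"]):
            if src_zone != "dmz":
                findings.append((i, "non-DMZ source can reach OT"))
            elif d.num_addresses != 1 or (str(d.network_address), port) not in approved:
                findings.append((i, "DMZ to OT flow is not an approved host/port"))
    return findings

if __name__ == "__main__":
    for index, reason in audit(RULES):
        print(f"rule {index}: {reason}")
```

Rules 1, 2 and 3 of the constructed set are reported; the single-host OPC UA rule and the edge's outbound cloud rule pass.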

### What is deployed here?

Nothing cloud-facing. The factory floor hosts **your existing OT systems** only. Nexus components that interact with these systems (Edge runtime and data connectors) are deployed **in the on-site DMZ**, not inside OT. This separation preserves OT security while enabling controlled data collection toward the cloud.

### Cloud Components

**Nexus Management Portal**\
Design hierarchies, configure connectors/tags, deploy to devices, and monitor health.

**IoT Hub**\
Secure device messaging between edge and cloud (bi-directional for commands/config).

**Nexus REST API**\
Programmatic access for inventories, configs, deployments, and data—used by custom apps/integrations.

**Data Explorer (time-series analytics)**\
Time-series storage and query over operational data. **Hierarchy metadata** (from Areas, Assets, Tags) is synchronized after deployment so every measurement is queryable with context (unit, owner, location, etc.).

**Log Analytics**\
Unified logging and diagnostics from edge modules and cloud services.

### On-site Devices (Edge)

**IoT Edge Linux VM running Nexus Edge**

* Hosts **Data Connectors** for OPC UA, Modbus, MQTT, FileShare/FTP, Historian, Camera/scene, Emulator, and custom connectors (via the Nexus SDK). Connectors are configured on **Area** nodes so connectivity mirrors your plant layout and governance.
* Uses an **ISA-95 aligned hierarchy** of **Areas** and **Assets** to keep data, access and jobs organized exactly where work happens.
* **Tags** on Assets define the actual data points to collect and how to treat them (type, scaling, sampling, calculations, storage/publish).
* Optional **Jobs** at the Area level automate file flows between shop-floor systems, edge modules, and cloud storage.

### Customer Site Systems

**Databases, MES, historians, file shares/FTP**\
Nexus connects to on-prem systems via **Edge Data Connectors** placed where the systems live (per site/line/area). Connectors normalize different protocols into one common Nexus format and keep data local if the internet is down, forwarding buffered data when links return.

### Reporting & Applications

* **Dashboards over time-series** for trends, alarms, OEE inputs, energy, etc., using the contextual metadata you define.
* **Custom applications** built on the REST API + queries.
* **Optional Power BI** to blend operations with business data.

