Welcome to AVEVA DMZ Secure Link
- Last Updated Jul 15, 2025
This document describes the DMZ Secure Link installation and configuration process. It is intended for administrators who are familiar with the networking concept of the Demilitarized Zone (DMZ) and with the placement of proxies in the overall network architecture.
What is DMZ Secure Link?
DMZ Secure Link acts as a proxy server, blocking access to all URLs except for an AVEVA-maintained allowlist containing only the URLs required for AVEVA software to function. When new AVEVA products are released, or existing endpoints are changed, AVEVA keeps the allowlist updated, simplifying the job of maintaining security for AVEVA products running on your network.
DMZ Secure Link is one important part of an overall security architecture for communication.
Key benefits
DMZ Secure Link offers the following key benefits:
- An allowlist maintained by AVEVA: The advantage of using DMZ Secure Link as compared to a general proxy solution is that AVEVA maintains the allowlist, reducing the administrative burden.
  Note: The allowlist is signed by AVEVA's certificate and will not accept user-defined endpoints. DMZ Secure Link verifies the signature of the list. The list is stored in the cloud and is downloaded regularly by DMZ Secure Link. If the list is tampered with, it is rejected and an error is logged.
- Network segmentation: Network segmentation is a fundamental strategy for protecting critical network resources. DMZ Secure Link enables communication using AVEVA SaaS solutions in a segmented network architecture without exposing systems to the entire internet.
- Access control: DMZ Secure Link enables your organization to select the subsets of AVEVA SaaS solutions required at a particular site. This granular control further limits the site’s exposure.
- Compliance and regulatory requirements: Many industries have stringent compliance and regulatory requirements. DMZ Secure Link supports both NERC CIP and NIST best practice architectures.
- Corporate proxy support: DMZ Secure Link can work with additional proxy servers to further protect your network infrastructure.
Limitations
DMZ Secure Link has the following limitations that should be considered when designing a secure architecture:
- Access control is based on Fully Qualified Domain Name (FQDN) only: DMZ Secure Link limits access to sites based solely on the FQDN. It is unable to apply more granular limits based on the method (GET, PUT, POST, etc.) or path; it is a “transparent proxy”.
- Access is not account-specific: DMZ Secure Link cannot restrict access to specific AVEVA Connect accounts. For example, granting access to publish data to AVEVA Insight in North America enables publishing to any solution where the user has authorized credentials.
- Custom HTTPS ports aren't supported: DMZ Secure Link only supports HTTPS connections over the default port of 443.
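To make the FQDN-only and port 443 limitations concrete, the following added example (not AVEVA code) models an allow/deny decision that sees only a host name and a port. It assumes clients reach the proxy with HTTP CONNECT requests; the `decide` function and all host names are constructed for illustration.

```python
# Added illustration, not AVEVA code: an FQDN-only allowlist decision.
# Assumption: the proxy sees a "CONNECT host:port HTTP/1.1" line and nothing
# else; the HTTP method and path travel inside the TLS tunnel, unseen.

ALLOWLIST = frozenset({"insight.example.com", "auth.example.com"})  # constructed
HTTPS_PORT = 443


def normalize_fqdn(host: str) -> str:
    """Lowercase and drop one trailing root dot so comparison is exact."""
    host = host.strip().lower()
    return host[:-1] if host.endswith(".") else host


def decide(connect_line: str, allowlist=ALLOWLIST):
    """Return (allowed, reason) for one CONNECT request line."""
    parts = connect_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return False, "not a CONNECT request"
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        return False, "malformed authority"
    if int(port) != HTTPS_PORT:
        return False, "custom HTTPS ports are not supported"
    # Exact match only: a suffix or substring test would also admit
    # look-alike names that merely contain an allowed FQDN.
    if normalize_fqdn(host) not in allowlist:
        return False, "FQDN not on allowlist"
    # Once allowed, every method and path on this FQDN is reachable, for any
    # account: the granularity the limitations list describes.
    return True, "FQDN on allowlist"


if __name__ == "__main__":
    samples = [  # constructed request lines
        "CONNECT insight.example.com:443 HTTP/1.1",
        "CONNECT INSIGHT.Example.com.:443 HTTP/1.1",
        "CONNECT insight.example.com:8443 HTTP/1.1",
        "CONNECT insight.example.com.lookalike.test:443 HTTP/1.1",
    ]
    for line in samples:
        print(decide(line), "<-", line)
```

Because the decision input contains no method, path or account, controls at that granularity have to be enforced elsewhere in the architecture.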