"separate" the edge in the data ingestion part and the application server part. Both components should be in different network segment
We are very strictly implementing the OSI95 model. Thereby the PLC's will be in Layer 2, C8Y Data ingestion would be in network layer 3 and the UI should be in their "IT/OT DMZ" layer 3.5. IT will be their Layer 4. Users with their browsers are only allowed to connect to the "DMZ" layer 3.5. For data ingestion they are not allowed to skip network layers so that would mean they can't connect all the way down to the PLC's