Avassa in ISA-95 Segmented Networks for Industrial IoT
In this blog post, I’ll walk through how to set up the Avassa Edge Platform in a three-layer ISA-95 segmented network using Edge Enforcer proxies. This demo showcases how Avassa can operate even in highly restricted industrial environments.
In this article, we explore how the Avassa Edge Platform enables application orchestration in highly restricted and segmented networks. In many industrial environments, networks are structured in layers where each segment can only communicate with the one directly above it. A typical example is the industrial shop floor: machines operate in an isolated segment, which connects only to a restricted intermediary network, and finally to a DMZ that allows limited outbound traffic. This model is formalized in the ISA-95 hierarchy, widely adopted in manufacturing and other industrial domains.

Why ISA-95 Network Segmentation Matters in Industrial Environments
Almost all of our industrial (Industrial IoT) customers implement ISA-95 network segmentation—or something very similar.
At the networking layer, the principle is straightforward: no traffic should flow from higher to lower levels. For example, a service in level 3 cannot connect to anything in levels 2, 1, or 0.
Similarly, lower layers can only communicate upward to the next higher level. For instance, layer 2 may connect to services in layer 3, but never directly to layer 4.
Effectively, firewalls enforce this segmentation between layers. While this provides robust security, it also creates challenges when applications need to run across multiple layers.

Since many of our customers run workloads in levels 1–3, we needed a solution. Enter Edge Enforcer proxies.
Overcoming ISA-95 Networking Challenges with Avassa Edge Enforcer Proxies
For this demo, I built a virtual ISA-95 environment using OPNsense firewalls between each layer. Each firewall was configured to only permit traffic to the next higher layer. For example, the firewall between layer 2 and 3 only allows connections from layer 2 to layer 3, blocking everything else.

The diagram below illustrates the network setup, where each Layer X-Y denotes an Avassa site.

Setting Up Avassa in a Segmented Network Demo
Layer 4: Configuring Avassa Proxy Sites for Redundant Connectivity
The sites in layer 4 (layer 4-a and 4-b) have direct internet access and can connect to Control Tower using the standard installation procedure:
curl -s https://api.sl-test.the-company.avassa.net/install | sudo sh -s
In Control Tower, I configured these sites to allow proxying from the third layer (192.168.3.0/24) network.
name: layer4-1
...
hosts:
  - host-id: 5b57f9b0-1663-47df-919d-e248076e5087
    proxy:
      act-proxy: true
      network-access:
        default-action: deny
        rules:
          192.168.3.0/24: allow
Layer 3: Installing Edge Enforcer Proxy
In the third layer, I installed the Edge Enforcer using the following command. Here, 172.27.72.199 and 172.27.72.74 are the IP addresses of layer 4-a and layer 4-b:
curl -s --connect-to api.sl-test.the-company.avassa.net::172.27.72.199:5656 https://api.sl-test.the-company.avassa.net/install | sudo sh -s -- --proxy 172.27.72.199 --proxy 172.27.72.74
By specifying two proxies, we gain failover in case one of the layer 4 sites becomes unavailable.
In Control Tower, I then configured layer 3 for proxying:
name: layer3-1
...
hosts:
  - host-id: c1547cec-6bd8-4b12-bae6-4a67e6f84dab
    proxy:
      act-proxy: true
      network-access:
        default-action: deny
        rules:
          192.168.2.0/24: allow
This allows proxied traffic from the second layer (192.168.2.0/24) only; everything else is denied by default.
Layer 2: Running Avassa Edge Enforcer Without Direct Internet Access
Finally, on the second layer machine, where 192.168.3.10 is the IP address of the third-layer Edge Enforcer:
curl -s --connect-to api.sl-test.the-company.avassa.net::192.168.3.10:5656 https://api.sl-test.the-company.avassa.net/install | sudo sh -s -- --proxy 192.168.3.10 -y
NOTE! Since the Layer 2 and Layer 3 machines don’t have Internet access, I took care to install the Edge Enforcer dependencies (Docker and jq) during the machine provisioning phase.
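To sanity-check that the two proxy policies above really enforce the one-hop-up rule, here is an added example (not Avassa's code) that models the deny-by-default `network-access` rules from both sites and walks the layer 2 -> layer 3 -> layer 4 chain. It assumes a layer-2 host at 192.168.2.20 and longest-prefix-match semantics; the host configs, proxy addresses and subnets are the ones from this post.

```python
import ipaddress

# Constructed from the two host configurations shown in the post (YAML as dicts).
SITES = {
    "layer4-1": {"proxy": {"act-proxy": True, "network-access": {
        "default-action": "deny", "rules": {"192.168.3.0/24": "allow"}}}},
    "layer3-1": {"proxy": {"act-proxy": True, "network-access": {
        "default-action": "deny", "rules": {"192.168.2.0/24": "allow"}}}},
}

def proxy_decision(host_cfg, client_ip):
    """'allow' or 'deny' for a client connecting to this host's proxy port."""
    proxy = host_cfg.get("proxy", {})
    if not proxy.get("act-proxy", False):
        return "deny"  # host is not acting as a proxy; it forwards nothing
    access = proxy.get("network-access", {})
    ip = ipaddress.ip_address(client_ip)
    best_net, decision = None, access.get("default-action", "deny")
    # Longest matching prefix wins (assumption; the post has one rule per site).
    for cidr, action in access.get("rules", {}).items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, decision = net, action
    return decision

def chain_reachable(sites, hops, client_ip):
    """Walk the proxy chain outward from the restricted layer.

    hops is [(site_name, proxy_ip), ...], innermost first. Each proxy sees the
    previous hop's address as its client, so the layer-4 proxy only ever sees
    the layer-3 proxy, never the layer-2 machine itself.
    """
    src = client_ip
    for site, proxy_ip in hops:
        if proxy_decision(sites[site], src) != "allow":
            return False
        src = proxy_ip
    return True

# Addresses from the post: layer-3 proxy 192.168.3.10, layer 4-a 172.27.72.199.
CHAIN = [("layer3-1", "192.168.3.10"), ("layer4-1", "172.27.72.199")]

def check_segmentation():
    """(layer-2 host via chain, layer-2 host straight to layer 4, layer-3 proxy to layer 4)."""
    return (
        chain_reachable(SITES, CHAIN, "192.168.2.20"),      # 2 -> 3 -> 4: allowed
        chain_reachable(SITES, CHAIN[1:], "192.168.2.20"),  # skipping layer 3: denied
        chain_reachable(SITES, CHAIN[1:], "192.168.3.10"),  # 3 -> 4: allowed
    )
```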
Wrapping Up: Avassa Application Orchestration in Segmented Industrial Networks
With this setup, all “layer sites” now appear in Control Tower as fully connected and functional.

This demonstrates how Avassa can seamlessly operate within ISA-95 segmented networks by leveraging Edge Enforcer proxies—maintaining security segmentation while enabling robust multi-layer application deployment.
For detailed documentation, see: Control Tower proxy | Avassa Docs