Securing the edge on OPC UA

In the edge on OPC UA setup, the edge is connected directly to the OPC UA server through its OPC UA client interface, as shown in the following diagram:

Edge on OPC UA

This setup uses the security model provided by OPC UA, which is firewall-friendly. A firewall is needed to filter and secure the HTTPS/TCP traffic, because the requests come from the edge device, which is placed outside the network to which the OPC UA server is connected. Deploying another firewall between the edge and the network connected to the internet creates a DMZ for the edge deployment, as shown in the following diagram:

Secure edge on OPC UA

OPC UA has been designed for devices with very different computational capabilities. According to the OPC UA standards, a device is not required to implement every feature of the standards; the level of implementation is left to the vendor. This setup therefore requires a risk analysis to understand whether, and to what extent, the vendor's implementation of the OPC UA security model fits the security requirements of the specific scenario. If necessary, an additional DPI firewall could be deployed between the OPC UA server and the control network to further segregate the OPC UA server.
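
One input to that risk analysis is the list of endpoints the vendor's server advertises. The following is an added example, not code from the book or from any OPC UA product. It audits endpoint descriptions (as returned by the OPC UA GetEndpoints service) against a site baseline. The `Endpoint` class, the function names, the baseline itself and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"
DEPRECATED = {"Basic128Rsa15", "Basic256"}   # deprecated by the OPC Foundation
CURRENT = {"Basic256Sha256", "Aes128_Sha256_RsaOaep", "Aes256_Sha256_RsaPss"}

@dataclass(frozen=True)
class Endpoint:                      # hypothetical container for one endpoint description
    url: str
    mode: str            # MessageSecurityMode: "None", "Sign", "SignAndEncrypt"
    policy_uri: str      # SecurityPolicyUri from the endpoint description
    user_tokens: tuple   # accepted identity token types

def audit_endpoint(ep, require_encryption=True):
    """Return the list of findings for one advertised endpoint."""
    findings = []
    policy = ep.policy_uri.rsplit("#", 1)[-1]
    if ep.mode == "None" or policy == "None":
        findings.append("no message security")
    else:
        if ep.mode == "Sign" and require_encryption:
            findings.append("signed but not encrypted")
        if policy in DEPRECATED:
            findings.append("deprecated policy " + policy)
        elif policy not in CURRENT:
            findings.append("unrecognised policy " + policy)
    if "Anonymous" in ep.user_tokens:
        findings.append("anonymous sessions accepted")
    return findings

def audit_server(endpoints, require_encryption=True):
    """Split endpoints into those meeting the baseline and those to disable."""
    report = {"acceptable": [], "disable": {}}
    for ep in endpoints:
        findings = audit_endpoint(ep, require_encryption)
        key = f"{ep.url} [{ep.mode}/{ep.policy_uri.rsplit('#', 1)[-1]}]"
        if findings:
            report["disable"][key] = findings
        else:
            report["acceptable"].append(key)
    return report

# Constructed sample: what a vendor's server might advertise (not real data).
SAMPLE = [
    Endpoint("opc.tcp://plc.example:4840", "None", POLICY_PREFIX + "None", ("Anonymous",)),
    Endpoint("opc.tcp://plc.example:4840", "Sign", POLICY_PREFIX + "Basic128Rsa15", ("UserName",)),
    Endpoint("opc.tcp://plc.example:4840", "SignAndEncrypt", POLICY_PREFIX + "Basic256Sha256", ("UserName", "Certificate")),
]

if __name__ == "__main__":
    for key, findings in audit_server(SAMPLE)["disable"].items():
        print(key, "->", "; ".join(findings))
```

If no endpoint lands in `acceptable`, the vendor's implementation does not meet the baseline on its own, which is the case where the additional segregation described above becomes a compensating control.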
