BSFG Reference Deployment Topology

Audience: Solution architects, infrastructure engineers, delivery teams. Use: Adapt a concrete multi-plant reference deployment with IDMZ mediation.

Context: Real-World Industrial Architecture

Most industrial enterprises operate multiple plants integrated with corporate IT systems. A typical organization has:

Enterprise IT: ERP, MES, analytics, data lakes, cloud integration, corporate IT governance
Network Boundary: Industrial DMZ (IDMZ) separating IT from OT, firewalls, routing, security controls
Plant OT Networks: Multiple autonomous production facilities with control systems, historians, equipment integration, local IT governance

The challenge: Exchange manufacturing data (work orders, batch records, quality results, alarms) between plants and enterprise systems while preserving:

Network segmentation (no direct IT/OT cross-talk)
Zone autonomy (each zone survives disconnection of others)
Data reliability (no message loss during network partitions)
Operational simplicity (no complex middleware to manage at boundaries)

BSFG is designed for exactly this scenario. This document describes the canonical four-zone deployment serving as the reference architecture for Statements of Work (SOW) and deployment planning.

Zones: Purpose and Characteristics

Zone 1: Enterprise IT

The corporate integration hub.

Aspect	Details
Network	Corporate IT, internet-connected, cloud-capable
Systems	ERP, MES aggregation, analytics, data lake, cloud services
BSFG Node	Yes — enterprise-bsfg
JetStream Domain	Large cluster (3+ nodes HA), high availability, 100+ GB capacity
Object Store	S3 or equivalent, 10+ TB, 10-year retention for audit records
Operations Team	Enterprise platform team, 24x7 support
Autonomy	Limited — enterprise relies on connectivity; plants can isolate themselves

Zone 2: Industrial DMZ (IDMZ)

The mediation layer between IT and OT. Critical rule: no durable middleware in the boundary network itself. In this reference topology, IDMZ is a real zone and therefore may host its own BSFG durability substrate.

Aspect	Details
Network	Isolated, firewalled both sides, no internet
Systems	Firewalls, routers, VPN gateways, TLS terminators (stateless)
BSFG Node	Yes — idmz-bsfg, operated as a compact but durable intermediary zone node
JetStream Domain	Single-node or HA pair, minimal streams, retention per deployment policy
Object Store	Compact zone-local store, retention per deployment policy
Operations Team	Network operations, no application ownership
Autonomy	N/A — IDMZ does not produce or consume facts

Zone 3 & 4: Plant A & Plant B (OT Networks)

Each plant is operationally independent. Plants can isolate from enterprise and IDMZ without impact to local operations.

Aspect	Details
Network	Closed, air-gapped from IT, no internet
Systems	PLCs, MES, historians, batch records, quality systems, equipment
BSFG Node	Yes — plantA-bsfg, plantB-bsfg
JetStream Domain	Single or dual-node, high durability, 5–50 GB capacity
Object Store	NAS or local SSD, 1–5 TB, 3–7 year retention per bucket
Operations Team	Plant engineering and IT, local ownership
Autonomy	Full — plant operates independently during IDMZ or enterprise outages

BSFG Node Placement and Architecture

Each zone runs a BSFG node. In this reference deployment, IDMZ is not a pass-through hop; it is a compact, durable zone with its own BSFG node and local state.

IDMZ BSFG Node

Location: IDMZ network
Hostname: bsfg-idmz.example.com
IP: 10.1.1.10
Certificate CN: idmz-bsfg

Services:
  ├── Connect RPC endpoint (port 9443)
  ├── AppendFact / FetchFacts / ConfirmReceipt / PutObject
  └── Metrics endpoint (restricted to IDMZ operations)

JetStream Domain:
  ├── Streams (facts)
  │   ├── facts.transit (cross-zone transfer)
  │   ├── facts.audit (boundary and mediation audit)
  │   └── facts.control (administrative coordination)
  └── Named consumers
      ├── enterprise-receiver
      ├── plant-a-receiver
      └── plant-b-receiver

Object Store:
  ├── transit-files (short-lived mediated artifacts)
  └── audit-files (operational evidence, per policy)

Enterprise BSFG Node

Location: Enterprise IT network
Hostname: bsfg-ent.example.com
IP: 10.0.1.10
Certificate CN: enterprise-bsfg

Services:
  ├── Connect RPC endpoint (port 9443)
  ├── AppendFact / FetchFacts / ConfirmReceipt / PutObject
  └── Metrics endpoint (internal)

JetStream Domain:
  ├── Streams (facts)
  │   ├── facts.operational (work orders, batches, status)
  │   ├── facts.quality (test results, inspections)
  │   └── facts.audit (compliance, audit logs)
  └── Named consumers
      ├── plant-a-receiver (tracks replication to Plant A)
      └── plant-b-receiver (tracks replication to Plant B)

Object Store:
  ├── batch-files (batch orders, recipes, 10y retention)
  ├── asset-files (CAD, spec sheets, 10y retention)
  ├── document-files (certificates, SOPs, 10y retention)
  └── audit-files (compliance records, 10y retention)

Plant A BSFG Node

Location: Plant A OT network
Hostname: bsfg-planta.local
IP: 10.2.1.10
Certificate CN: plant-a-bsfg

Services:
  ├── Connect RPC endpoint (port 9443)
  ├── AppendFact / FetchFacts / ConfirmReceipt / PutObject
  └── Metrics endpoint (local only)

JetStream Domain:
  ├── Streams (facts)
  │   ├── facts.operational (work orders, equipment status)
  │   ├── facts.quality (test results)
  │   └── facts.alarms (equipment alarms)
  └── Named consumers
      ├── enterprise-receiver (replication to Enterprise)
      └── local-app (plant MES application)

Object Store:
  ├── batch-files (batch records, work orders, 5y retention)
  ├── asset-files (equipment docs, 7y retention)
  ├── alarm-files (alarm logs, 1y retention)
  └── document-files (local docs, 3y retention)

Plant B BSFG Node

Same structure as Plant A, with:

Certificate CN: plant-b-bsfg
Hostname: bsfg-plantb.local
IP: 10.3.1.10
Named consumers: enterprise-receiver, local-app

Data Flow: Facts Between Zones

Enterprise → Plant A (Push Work Orders)

Enterprise produces fact:
  subject: "work_order:WO-2026-0001"
  predicate: "was_assigned_to"
  object_json: {plant: "A", due: "2026-03-15", ...}

Append at Enterprise BSFG:
  AppendFact(...) → offset 1000

Plant A pulls facts:
  FetchFacts(consumer_name="enterprise-receiver", limit=100)
  → receives batch starting at offset 1000

Plant A appends locally:
  AppendFact(...) → local_offset (independent)

Plant A confirms:
  ConfirmReceipt(consumer_name="enterprise-receiver", offset=1000)

Enterprise advances cursor:
  Cursor(enterprise-receiver) = 1000

Plant A → Enterprise (Report Completion)

Plant A produces fact:
  subject: "work_order:WO-2026-0001"
  predicate: "was_completed"
  object_json: {duration_ms: 3600000, status: "PASS", ...}

Append at Plant A BSFG:
  AppendFact(...) → offset 500

Enterprise pulls facts:
  FetchFacts(consumer_name="plant-a-receiver", limit=100)
  → receives batch starting at offset 500

Enterprise appends locally:
  AppendFact(...) → local_offset

Enterprise confirms:
  ConfirmReceipt(consumer_name="plant-a-receiver", offset=500)

Plant A advances cursor:
  Cursor(plant-a-receiver) = 500

Plant A → Plant B (Indirect via Enterprise)

Plant A → Enterprise → Plant B

Never direct Plant A → Plant B.
All cross-plant communication flows through Enterprise.
This preserves network segmentation and simplifies operations.

Network Connectivity and Firewall Rules

Enterprise ↔ IDMZ

Direction: Bidirectional
Protocol: TCP/TLS (HTTP/2)
Port: 9443
Source: Enterprise BSFG (10.0.1.10)
Destination: IDMZ firewall gateway IP

Rules:
  allow tcp from 10.0.1.10 to IDMZ-gateway port 9443
  allow tcp from IDMZ-gateway to 10.0.1.10 port 9443

IDMZ ↔ Plant A

Direction: Bidirectional
Protocol: TCP/TLS (HTTP/2)
Port: 9443
Source: Plant A BSFG (10.2.1.10)
Destination: IDMZ firewall gateway IP

Rules:
  allow tcp from 10.2.1.10 to IDMZ-gateway port 9443
  allow tcp from IDMZ-gateway to 10.2.1.10 port 9443

IDMZ ↔ Plant B

Direction: Bidirectional
Protocol: TCP/TLS (HTTP/2)
Port: 9443
Source: Plant B BSFG (10.3.1.10)
Destination: IDMZ firewall gateway IP

Rules:
  allow tcp from 10.3.1.10 to IDMZ-gateway port 9443
  allow tcp from IDMZ-gateway to 10.3.1.10 port 9443

Key Constraints

No direct IT/OT traffic: Enterprise BSFG never connects directly to plant networks. All traffic flows through IDMZ firewall.
No direct plant-to-plant: Plant A BSFG never connects to Plant B BSFG. Cross-plant communication flows through Enterprise.
No shared JetStream: Each zone's JetStream domain is isolated. No cross-zone stream replication or mirroring.
No shared object storage: Each zone's artifact storage is local. No S3-style cross-zone buckets.
IDMZ is independently durable: If the IDMZ zone is rebooted or fails, its own BSFG node recovers from local durable state just as Enterprise and Plant nodes do. Cross-zone communication resumes from durable cursors and retained facts.

Identity and Certificate Model

Certificate Hierarchy

Root CA: MyCompany-RootCA (internal, not public)
  └── Intermediate: MyCompany-BSFG-CA
      ├── enterprise-bsfg
      │   CN: enterprise-bsfg
      │   SANs: bsfg-ent.example.com, 10.0.1.10
      │   Issued to: Enterprise platform team
      │
      ├── idmz-bsfg
      │   CN: idmz-bsfg
      │   SANs: bsfg-idmz.example.com, 10.1.1.10
      │   Issued to: IDMZ operations
      │
      ├── plant-a-bsfg
      │   CN: plant-a-bsfg
      │   SANs: bsfg-planta.local, 10.2.1.10
      │   Issued to: Plant A engineering
      │
      └── plant-b-bsfg
          CN: plant-b-bsfg
          SANs: bsfg-plantb.local, 10.3.1.10
          Issued to: Plant B engineering

mTLS Handshake and Verification

When Enterprise BSFG connects to Plant A BSFG:

1. Enterprise initiates TLS handshake
2. Plant A BSFG presents certificate with CN=plant-a-bsfg
3. Enterprise validates:
   - certificate signature (against MyCompany-BSFG-CA)
   - not expired
   - CN matches expected plant identity
4. Plant A validates Enterprise's certificate similarly
5. Bidirectional authentication established
6. All RPC calls encrypted over this tunnel

Certificate Validity and Rotation

Validity period: 1 year (renewable annually)
Renewal schedule: 30 days before expiry
Rotation procedure: Install new cert, reload BSFG node, test connectivity
Emergency rotation: For compromised keys, immediate reissue and deployment

Operational Responsibilities

Enterprise Platform Team

Responsible for the Enterprise BSFG node and Enterprise zone connectivity:

Deploy and operate enterprise-bsfg BSFG node
Manage JetStream cluster (3-node HA setup)
Manage artifact storage (S3 or equivalent)
Issue and rotate mTLS certificates for enterprise-bsfg
Monitor replication lag to plants (SLA: < 5 minutes)
Maintain 24x7 uptime SLA
Escalate to IDMZ team for network issues

IDMZ Operations Team

Responsible for network mediation between zones:

Manage IDMZ firewall rules (allow/deny by BSFG node certificate CN)
Monitor firewall logs for anomalies
Ensure no durable infrastructure (no Kafka, no databases, no file servers)
Route traffic between Enterprise and Plant networks
Maintain network uptime SLA (99.5% target)
Escalate to Enterprise or Plant teams for application issues

Plant A Engineering Team

Responsible for the Plant A BSFG node and plant autonomy:

Deploy and operate plant-a-bsfg BSFG node
Manage JetStream domain (single or dual-node)
Manage local artifact storage (NAS or local SSD)
Issue and rotate mTLS certificates for plant-a-bsfg
Configure producers (MES, equipment) to emit facts
Configure consumers (local apps) to process facts
Monitor local buffer fill and consumer backlog
Preserve plant autonomy: isolate from enterprise/IDMZ without impact to local operations

Plant B Engineering Team

Same responsibilities as Plant A, adapted for Plant B's specifics.

Topology Diagram

┌──────────────────────────────────────────────────────────────┐
│                    ENTERPRISE IT                            │
│  ERP, MES Aggregation, Analytics, Cloud                    │
│                                                              │
│  ┌────────────────────────────┐                            │
│  │   BSFG Node: enterprise-bsfg │                            │
│  │   IP: 10.0.1.10              │                            │
│  │   Cert: CN=enterprise-bsfg   │                            │
│  │                              │                            │
│  │   JetStream (HA 3-node)      │                            │
│  │   facts.operational          │                            │
│  │   facts.quality              │                            │
│  │   facts.audit                │                            │
│  │                              │                            │
│  │   S3 / Object Storage        │                            │
│  │   (10+ TB, 10y retention)    │                            │
│  └────────────────────────────┘                            │
└──────────────────────────────────────────────────────────────┘
          │
          │ mTLS RPC (port 9443)
          │
┌─────────▼─────────────────────────────────────────────────────┐
│                      IDMZ                                     │
│  Firewalls, Routing, VPN (no durable middleware)             │
│                                                              │
│  ┌─────────────────────────────┐                            │
│  │  IDMZ Firewall Gateway      │                            │
│  │  Routes traffic 3 directions│                            │
│  │  No data retention          │                            │
│  │  TLS termination optional   │                            │
│  └─────────────────────────────┘                            │
└──────────┬──────────────────────────────┬────────────────────┘
           │                              │
           │ mTLS RPC                     │ mTLS RPC
           │                              │
    ┌──────▼─────────┐           ┌────────▼──────────┐
    │   PLANT A OT   │           │   PLANT B OT      │
    │                │           │                   │
    │ ┌────────────┐ │           │ ┌──────────────┐  │
    │ │ BSFG Node  │ │           │ │  BSFG Node   │  │
    │ │ plantA-bsfg│ │           │ │ plantB-bsfg  │  │
    │ │ IP: 10.2.1.│ │           │ │ IP: 10.3.1.1 │  │
    │ │ 10         │ │           │ │ 0            │  │
    │ ├────────────┤ │           │ ├──────────────┤  │
    │ │ JetStream  │ │           │ │ JetStream    │  │
    │ │ (1–2 nodes)│ │           │ │ (1–2 nodes)  │  │
    │ ├────────────┤ │           │ ├──────────────┤  │
    │ │ NAS / SSD  │ │           │ │ NAS / SSD    │  │
    │ │ 1–5 TB     │ │           │ │ 1–5 TB       │  │
    │ └────────────┘ │           │ └──────────────┘  │
    │                │           │                   │
    │ MES, PLC       │           │ MES, PLC          │
    │ Historians     │           │ Historians        │
    └────────────────┘           └───────────────────┘

Deployment Checklist

☐ Create enterprise CA and issue BSFG node certificates
☐ Provision Enterprise zone (ERP, analytics integration)
☐ Deploy Enterprise BSFG node (HA JetStream, S3 storage)
☐ Configure IDMZ firewalls (allow BSFG mTLS RPC only)
☐ Verify no durable infrastructure in IDMZ
☐ Provision Plant A OT network
☐ Deploy Plant A BSFG node (JetStream, NAS storage)
☐ Issue mTLS certificate for plant-a-bsfg
☐ Configure Plant A producers (MES, equipment) to emit facts
☐ Provision Plant B OT network
☐ Deploy Plant B BSFG node (JetStream, NAS storage)
☐ Issue mTLS certificate for plant-b-bsfg
☐ Configure Plant B producers (MES, equipment) to emit facts
☐ Test connectivity: Enterprise ↔ IDMZ ↔ Plant A
☐ Test connectivity: Enterprise ↔ IDMZ ↔ Plant B
☐ Test replication: Enterprise → Plant A (work order flow)
☐ Test replication: Plant A → Enterprise (completion report)
☐ Test replication: Enterprise → Plant B
☐ Test replication: Plant B → Enterprise
☐ Test autonomy: Isolate Plant A from IDMZ, verify local operation
☐ Test autonomy: Isolate Plant B from IDMZ, verify local operation
☐ Set up monitoring (replication lag, buffer fill, cert expiry)
☐ Document operational procedures (failover, certificate rotation, troubleshooting)
☐ Train operations teams (Enterprise, IDMZ, Plant A, Plant B)
☐ Go-live readiness review