Configure the OPC PLC simulator to work with the connector for OPC UA


Azure IoT Operations Preview – enabled by Azure Arc is currently in preview. You shouldn't use this preview software in production environments.

You'll need to deploy a new Azure IoT Operations installation when a generally available release is made available. You won't be able to upgrade a preview installation.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

In this article, you learn how to configure and connect the OPC PLC simulator. The simulator simulates an OPC UA server with multiple nodes that generate random data and anomalies. You can also configure user-defined nodes. The OPC UA simulator lets you test the process of managing OPC UA assets with the operations experience web UI or the Akri services.

Prerequisites

A deployed instance of Azure IoT Operations Preview. To deploy Azure IoT Operations for demonstration and exploration purposes, see Quickstart: Run Azure IoT Operations Preview in GitHub Codespaces with K3s. If you deploy Azure IoT Operations as described, the installation includes the OPC PLC simulator.

Deploy the OPC PLC simulator

This section shows how to deploy the OPC PLC simulator if you didn't include it when you first deployed Azure IoT Operations.

The following step lowers the security level for the OPC PLC so that it accepts connections from the connector for OPC UA or any client without an explicit peer certificate trust operation.


Don't use the following example in production; use it for simulation and test purposes only.

Run the following code to update the connector for OPC UA deployment and apply the new settings:

az k8s-extension update \
    --version 0.3.0-preview \
    --name opc-ua-broker \
    --release-train preview \
    --cluster-name <cluster-name> \
    --resource-group <azure-resource-group> \
    --cluster-type connectedClusters \
    --auto-upgrade-minor-version false \
    --config opcPlcSimulation.deploy=true \
    --config opcPlcSimulation.autoAcceptUntrustedCertificates=true

The OPC PLC simulator runs as a separate pod in the azure-iot-operations namespace. The pod name looks like opcplc-000000-7b6447f99c-mqwdq.

Configure mutual trust between the connector for OPC UA and the OPC PLC

To learn more about mutual trust in OPC UA, see OPC UA certificates infrastructure for the connector for OPC UA.

The application instance certificate of the OPC PLC simulator is a self-signed certificate managed by cert-manager and stored in the aio-opc-ua-opcplc-default-application-cert-000000 Kubernetes secret.

To configure mutual trust between the connector for OPC UA and the OPC PLC simulator:

  1. Get the certificate and push it to Azure Key Vault:

    kubectl -n azure-iot-operations get secret aio-opc-ua-opcplc-default-application-cert-000000 -o jsonpath='{.data.tls\.crt}' | \
    base64 -d | \
    xargs -0 -I {} \
    az keyvault secret set \
        --name "opcplc-crt" \
        --vault-name <your-azure-key-vault-name> \
        --value {} \
        --content-type application/x-pem-file
  2. Add the certificate to the aio-opc-ua-broker-trust-list custom resource in the cluster. Use a Kubernetes client such as kubectl to configure the opcplc.crt secret in the SecretProviderClass object array in the cluster.

    The following example shows a complete SecretProviderClass custom resource that contains the simulator certificate in a PEM encoded file with the .crt extension:

    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: aio-opc-ua-broker-trust-list
      namespace: azure-iot-operations
    spec:
      provider: azure
      parameters:
        usePodIdentity: 'false'
        keyvaultName: <your-azure-key-vault-name>
        tenantId: <your-azure-tenant-id>
        objects: |
          array:
            - |
              objectName: opcplc-crt
              objectType: secret
              objectAlias: opcplc.crt


    The time it takes to project Azure Key Vault certificates into the cluster depends on the configured polling interval.

The trust relationship between the connector for OPC UA and the OPC PLC simulator is now established, and you can create an AssetEndpointProfile to connect to your OPC PLC simulator.

Optionally configure your AssetEndpointProfile without mutual trust established

Optionally, you can configure an asset endpoint profile without establishing mutual trust between the connector for OPC UA and the OPC PLC simulator. If you understand the risks, you can turn off authentication for testing purposes.


Don't turn off authentication in production or pre-production environments. Exposing your cluster to the internet without authentication can lead to unauthorized access and even DDoS attacks.

To allow your asset endpoint profile to connect to an OPC PLC server without establishing mutual trust, use the additionalConfiguration setting to modify the AssetEndpointProfile configuration.

Patch the asset endpoint with autoAcceptUntrustedServerCertificates=true:

kubectl patch AssetEndpointProfile $ENDPOINT_NAME \
-n azure-iot-operations \
--type=merge \
-p '{"spec":{"additionalConfiguration":"{\"applicationName\":\"'"$ENDPOINT_NAME"'\",\"security\":{\"autoAcceptUntrustedServerCertificates\":true}}"}}'
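The additionalConfiguration field is a JSON string embedded inside the JSON patch, which is why the kubectl one-liner above needs the escaped quotes. The following added example (not part of the Azure IoT Operations documentation or code) builds that patch body programmatically and audits a list of AssetEndpointProfile manifests for profiles that still accept untrusted server certificates, so the test-only setting can be found before a cluster reaches pre-production. The sample profiles, their names and the target address are constructed for illustration.

```python
import json


def build_additional_configuration(endpoint_name: str, auto_accept: bool) -> dict:
    """Return the merge-patch body used by `kubectl patch AssetEndpointProfile`.

    The inner object is serialized to a compact JSON string because
    spec.additionalConfiguration holds a string, not a nested object.
    """
    inner = {
        "applicationName": endpoint_name,
        "security": {"autoAcceptUntrustedServerCertificates": auto_accept},
    }
    return {"spec": {"additionalConfiguration": json.dumps(inner, separators=(",", ":"))}}


def trusts_untrusted_servers(profile: dict) -> bool:
    """True if the profile skips OPC UA server certificate validation."""
    raw = profile.get("spec", {}).get("additionalConfiguration")
    if not raw:
        return False
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError:
        return False  # a malformed string is not treated as an opt-in
    security = cfg.get("security", {}) if isinstance(cfg, dict) else {}
    return bool(security.get("autoAcceptUntrustedServerCertificates", False))


def audit_endpoint_profiles(profiles: list) -> list:
    """Names of the profiles that accept untrusted server certificates."""
    return [p["metadata"]["name"] for p in profiles if trusts_untrusted_servers(p)]


# Constructed sample manifests: one patched for testing, one keeping mutual trust.
SAMPLE_PROFILES = [
    {"kind": "AssetEndpointProfile",
     "metadata": {"name": "opc-plc-test", "namespace": "azure-iot-operations"},
     "spec": {"targetAddress": "opc.tcp://opcplc-000000:50000",
              **build_additional_configuration("opc-plc-test", True)["spec"]}},
    {"kind": "AssetEndpointProfile",
     "metadata": {"name": "opc-plc-trusted", "namespace": "azure-iot-operations"},
     "spec": {"targetAddress": "opc.tcp://opcplc-000000:50000"}},
]

if __name__ == "__main__":
    print(json.dumps(build_additional_configuration("my-endpoint", True)))
    print("accepting untrusted server certs:", audit_endpoint_profiles(SAMPLE_PROFILES))
```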