OptoBlog

New Ignition module for groov EPIC

Posted by Janice Colmer on May 30, 2025 7:58:31 AM

Hear from Pat Smith—guest blogger from OptoPartner Avadine—as he unveils an Ignition module designed to help you remotely configure and integrate groov products with Inductive Automation's Ignition platform.

Why is this new module a big deal, and what does it mean for you?

This advanced Ignition module gives you the ability to remotely configure and integrate with Opto 22 groov products directly from Ignition—from Port Redirect configuration and VPN control to the full suite of groov Manage APIs.

What's more? Avadine is offering this module for free on the Ignition Exchange!

Read on as Pat Smith from Avadine explains what led them to create this module and the problems it solves for you.

Why?

We wanted to configure temporary Port Redirect rules from Ignition to remotely allow developers to access unsecured PLCs protected by Opto 22’s groov EPICWhile we were at it, why not expose ALL of the Opto 22 groov APIs as system functions in Ignition, so that numerous groov devices can be managed and orchestrated centrally from Ignition?

Wait. What are you talking about?

One of the best ways to secure legacy PLCs, controllers, and other devices is to obscure the device from the network and block all incoming traffic. With Opto 22's groov products, you can do just that! By physically putting an Opto 22 groov EPIC (or groov RIO, in the near future) in front of legacy unprotected devices, they can be protected from bad actors. 

With groov EPIC's dual NIC design and built-in firewall, you can connect the legacy PLC to EPIC’s eth0 (the default LAN/trusted network configuration). 

Then, connect to a public untrusted network (IT LAN, internet, etc.) with EPIC's eth1 (LAN/untrusted network configuration). 

The result is that the legacy PLC is obscured from the outside world, because eth0 and eth1 are physically separated and firewalled.

But how do trusted/SCADA systems connect to the legacy device if the EPIC’s network segmentation and firewall block it? I'm glad you asked!

Port Redirect

Port redirection, also known as port forwarding, allows remote computers or mobile devices on one network segment to connect to a specific computer or service within a private LAN through a specific port. Usually, it pokes a “pinhole” in your firewall through which packets of information can pass. This port forwarding technique is unsecure and not recommended, especially when the remote computer is on a public LAN like the Internet.

However, using port redirects over a VPN is secure and provides a conduit between the two network segments that can be very useful. For example, if you anticipate having to update a PLC’s program on a private network from your PC at a remote site, you can place a groov EPIC on the PLC’s trusted network and use the EPIC’s built-in VPN interface to port redirect over a configured conduit, securely accessing your PLC to make the change.

portredirect


That sounds awesome! But what does it have to do with Ignition?

You can configure Port Redirect rules directly in EPIC’s groov Manage under Network settings. The rules configured in groov Manage are persistent, allowing specific traffic over specific ports to traverse the internal firewall between two network interfaces on the EPIC until changed or deleted.

AvadineBlog2
AvadineBlo3

But what if you want to dynamically add new Port Redirect rules from a central location, like some kind of application that can monitor and control devices? Something like IGNITION!?! 

And what if the Port Redirect rules issued from Ignition could be configured with an interval so they would automatically turn off after the time expired? And what if you could monitor and orchestrate configuration changes to all of your Opto 22 groov devices centrally from Ignition?

With the Opto 22 Integration module, now you can!

Use Case: A legacy/unsecurable PLC is protected by a groov EPIC and, therefore, cannot be remotely connected from engineering workstations for development or logic changes. A SCADA admin logs into the Ignition Perspective application and temporarily creates a Port Redirect rule for an engineering laptop's IP address to connect to the legacy PLC over a specific Allen-Bradley TCP Port. The rule is configured to stay open for only one hour. After one hour expires, the rule is disabled, and the engineer is no longer able to access the legacy PLC.

INTEGRATION MODULE

Woah! But are other groov REST API calls available as well?

You heard right. All Opto 22 groov Manage REST API calls are available in this module as system.Opto 22.* functions. Documentation for Opto 22's Swagger can be found here on developer.opto22.com.

AvadineBlog4


Module Information

Effective Date: 2025-05-08
Author: Avadine
Audience: System Integrators and Developers
Application: Ignition by Inductive Automation (v8.1+)
Module: Opto 22 Integration Module (Download here!)
Cost: FREE!

1. Prerequisites

  • Ignition Gateway version 8.1 or later
  • Access to the Ignition Gateway Web Interface
  • Opto 22 Integration Module .modl file
  • API Key from a groov EPIC device with API access
  • IP address or hostname of the target groov EPIC device

2. Installation Procedure

  1. Log into the Ignition Gateway Web Interface.
  2. Navigate to the Config tab.
  3. Under the System category, click Modules.
  4. Select Install or Upgrade a Module.
  5. Upload the .modl file from your local system.
  6. Accept the self-signed certificate and End User License Agreement (EULA).

AvadineBlog5

AvadineBlog6

3. Basic Module Configuration

  1. On the Config tab, navigate to Opto 22 Groov → General.
  2. Enable the API Configuration toggle.
  3. Enter the Hostname or IP address of the groov EPIC device (e.g., 10.10.10.100 or test.groov.epic).
  4. Enter the API Key associated with an API-enabled user on the EPIC device.

AvadineBlog7

4. VPN Configuration (Optional)

  1. On the Config tab, navigate to Opto 22 Groov → Network.
  2. Configure the VPN settings:
  • Toggle the VPN on or off.
  • Modify advanced timeout and network settings as required

AvadineBlog8

5. Port Redirect Rules - Directly from the Gateway Homepage!

  1. Navigate to Opto 22 Groov → Port Redirect Rules under the Config tab.
  2. Use the table to:
  • Modify existing rules, or
  • Create new Port Redirect Rules by selecting "Create new Port Redirect Rule"
  1. Configure the required parameters for the new rule.
  2. To defer syncing the rule to the EPIC device:
  • Disable the rule during creation.
  • The rule will remain configured and can be activated later by enabling it

AvadineBlog9-1

AvadineBlog10

 

INTEGRATION MODULE


Additional Info

  • Download the Opto 22 Integration Module HERE (in case you missed the download above).
  • More documentation coming soon.
  • Check out our Avadine website for more information about the services we offer.
  • More Ignition Exchange resources and modules are coming soon.
  • The third-party module showcase is pending approval.

 

Pat Smith
OT/Solutions Architect & Automation Software Developer
Avadine

PatSmith_Avadine

 

More questions? You can also reach out to the Opto 22 engineering team. Talk to an Engineer or start a live OptoChat.

Topics: groov EPIC, Ignition, OptoPartner

Written by Janice Colmer

Janice has worked at Opto 22 for nearly 20 years and is part of the marketing team that strives to share new and relevant content with the automation industry. She enjoys books, camping, country music, and spending time with family and friends.
Find me on:

    Subscribe to Email Updates

    Recent Posts

    Posts by Topic

    see all