You can configure Interfaces in DMZ or any zone which offers better security but make sure PI ports for respective application are open.
Below KB article contains information related to ports and other details.
2 of 2 people found this helpful
It depends on what your overall network architecture looks like, but I consider placing the PI Interface in the control network and placing the PI server in the DMZ so that connections are not being made from the DMZ into the control network. Keep data flowing out from the control network.
This is indeed ideal, especially for protocols and standards that are not very firewall friendly such as OPC DA. I would never recommend setting up an OPC interface across the firewall, as you will need to open a wide range of ports. If there is a PI Connector with relay that can collect the data you wish to collect, you could have the PI Connector in the PCN, the PI Relay in the DMZ and PI in the next zone. Otherwise, I would suggest putting interfaces in the PCN, PI in the DMZ and if necessary set a PI-to-PI interface to push the data one way from your DMZ PI Server --> Business PI Server.