How an IoT Gateway Connects to Siemens S7-1200/1500 PLCs

Connecting a modern Siemens S7-1200 or S7-1500 PLC to the cloud seems complex, but it boils down to two key steps: 1) Correctly configuring the PLC in TIA Portal, and 2) Using a capable IoT Gateway to read the data. This guide provides a practical walkthrough for enabling PUT/GET access and disabling "optimized blocks" in your PLC, then shows how an industrial IoT gateway like a Robustel EG5120 easily reads Data Blocks (DBs) for secure PLC data collection and translation to MQTT.

Siemens S7-1200 and S7-1500 PLCs are the powerful, modern heart of countless automation systems. But for many engineers, they can feel like a "walled garden." The S7 protocol isn't as open as Modbus, and getting data out of them and up to the cloud seems intimidating.

I've seen teams struggle with this, trying complex custom code or expensive SCADA licenses. The truth is, it's remarkably simple if you use the right tool. That tool is a modern industrial IoT gateway.

An IoT Gateway is designed for this exact task. It acts as the secure, intelligent "translator" that speaks the PLC's S7 communication language on one side, and the cloud's MQTT/HTTP language on the other. This guide isn't theoretical; it's the practical, step-by-step process our engineers use every day.

Unlike Modbus, where you just poll a standard register address, Siemens PLCs (especially the S7-1200/1500) use a more complex, optimized, and secure system. You can't just "ping" a memory address and get a value. You must:

1. Get the PLC's permission to communicate.
2. Know the exact data structure (Data Block, or "DB") you want to read.
3. Access that data in a way the PLC allows.

This is where a dedicated IoT Gateway with a native S7 driver becomes essential. It handles all this complexity for you.

This is the most critical step, and it's the one everyone gets wrong. Before your IoT Gateway can read anything, you must configure the Siemens S7-1200 or S7-1500 in TIA Portal.

You only need to do two things:

Modern S7 PLCs use "optimized" data blocks by default. This is great for the PLC's internal speed, but it's terrible for PLC data collection because it means the data isn't stored in a simple, fixed memory address. Your IoT Gateway won't know where to find it.

You must turn this off for the DBs you want to read.

• In your TIA Portal project tree, find the Data Block (e.g., "DB_DATA") you want to read.
• Right-click and go to "Properties."
• In the "Attributes" tab, uncheck the box that says "Optimized block access."
• This forces the PLC to assign fixed, addressable memory locations (like DB10,W2 or DB10,D4) that the IoT Gateway can poll.

By default, the S7-1200/1500 blocks all external communication as a security feature. You must manually permit your IoT Gateway to connect.

• In TIA Portal, find your PLC in the project tree and open "Properties."
• Go to "Protection & Security" -> "Connection mechanisms."
• Check the box that says "Permit access with PUT/GET communication from remote partner."

That's it. Download the hardware configuration to your PLC. You've now unlocked the door and organized the data so your IoT Gateway can easily read it.

Now that the PLC is ready, setting up the IoT Gateway is incredibly fast. We'll use a Robustel IoT Gateway (like the EG5120) with our Edge2Cloud Pro software as the example, but the principles apply to any high-quality industrial IoT gateway.

This IoT Gateway acts as the S7 Client, initiating the connection.

1. Connect: Physically connect the IoT Gateway's Ethernet port to the same network as the PLC's PROFINET port.
2. Add Device: In the gateway's web interface, add a new device.

• Device Name:My-S7-1500
• Protocol:Siemens S7 (S7-1200/1500)
• IP Address: The IP address of your PLC (e.g., 192.168.1.10)

3. Define Tags: Tell the IoT Gatewaywhat data to read from the DB you prepared.

• Tag Name:Motor_Speed
• Address:DB10,REAL4 (Read a 32-bit REAL value starting at byte 4 in Data Block 10)
• Tag Name:Cycle_Count
• Address:DB10,INT2 (Read a 16-bit Integer starting at byte 2 in Data Block 10)
• Tag Name:Machine_Status
• Address:DB10,X0.1 (Read the 2nd Bit [X0.1] of the first byte in Data Block 10)

4. Configure Northbound: Tell the IoT Gateway where to send this clean data (e.g., Modbus to MQTT... oops, I mean S7 to MQTT).

• Protocol:MQTT
• Topic:factory/line1/s7

5. Run: Click save.

Your IoT Gateway is now actively polling the Siemens S7-1500, reading those specific data points, and publishing them as clean JSON data to your cloud platform. This entire IoT Gateway configuration takes about 5 minutes.

This IoT Gateway solution does more than just data collection. It unlocks two critical business values:

1. Massive TCO Reduction (Secure PLC Remote Access) This is the killer app. A cellular IoT Gateway with a platform like Add One Product: RCMS creates a secure VPN tunnel. This means your engineers can open TIA Portal on their laptop from anywhere in the world, connect to the IoT Gateway, and securely access the PLC to troubleshoot, patch, or update its logic—as if they were plugged in on the factory floor. This eliminates 90% of your service travel, saving you a fortune.
2. Ironclad Security (The IoT Gateway as Firewall)NEVER connect a PLC directly to the internet. It's a massive security risk. The industrial IoT gateway acts as a robust firewall. It isolates your entire machine network (OT) from the enterprise network (IT). It only allows the data you defined (outbound MQTT) to leave. It blocks all other traffic, protecting your S7-1200 from viruses, ransomware, and unauthorized access.

Stop seeing your Siemens S7-1200 or S7-1500 as a locked box. It's a goldmine of data. And the IoT Gateway is the secure, intelligent key that unlocks it.

The IoT Gateway vs PLC debate isn't a conflict; it's a partnership. The PLC runs the machine with perfect reliability. The IoT Gateway extracts its data, protects it, and sends it to the cloud. By making two simple changes in TIA Portal and using a modern industrial IoT gateway, you can bridge the OT/IT divide in minutes, enabling everything from PLC data collection to full remote maintenance.