Soracom Arc
Overview
Soracom Arc is a secure link service that allows compatible devices to connect directly to the Soracom platform using any standard Internet connection, such as Wi-Fi, ethernet, or satellite.
While the device connectivity provided by Soracom Air for Cellular and Soracom Air for Sigfox is managed and secured directly by Soracom, unmanaged networks like Wi-Fi and ethernet traditionally pose many integration challenges, as it is often difficult or even impossible to guarantee consistent security from one unmanaged network environment to another.
Arc provides a mechanism that allows a device to establish an end-to-end secure connection directly with Soracom, providing a level of security similar to that of Soracom Air, no matter the type or configuration of the underlying network connection. In turn, devices that use Arc to connect to Soracom are able to securely access Soracom platform services such as Beam, Funnel, Funk, and Harvest, just as if they were connected using a Soracom Air cellular connection.
Because Arc can be combined with any standard Internet connection, it extends the flexibility of Soracom platform services to support mixed-mode IoT systems that use a combination of connectivity technologies, and allows IoT developers to seamlessly transition between them without building separate architectures for each network connection type. For example:
- High data volume - Arc enables a mobile device to continue using a Soracom Air cellular connection for its primary connectivity, and to switch to Wi-Fi whenever available in order to quickly offload large amounts of data while avoiding high cellular data usage fees.
- Cellular backup - Arc enables a mobile or fixed device to use its Wi-Fi, ethernet, or other Internet connection for its primary cloud connectivity, and to maintain a separate Soracom Air cellular connection as a backup without the need to manage each connection separately.
- Mixed fleets - Arc enables different types of devices, such as cellular-only and Wi-Fi-only, to connect to and share the same cloud environment, without the need to build separate architectures for each device type.
- Private networking - Arc enables a device to utilize the same private networking services provided by Soracom Air, such as Virtual Private Gateways, while using a standard Internet connection.
In addition, Arc provides a simple way to test many of Soracom's platform services directly from any Internet-connected computer without the need to purchase a Soracom IoT SIM or cellular device, while keeping the ability to add or switch to Soracom Air cellular connectivity at a later stage without affecting the application architecture.
Architecture
Arc uses WireGuard®, a lightweight open-source VPN implementation that employs the latest encryption technologies, in order to create a secure connection between a device and the Soracom platform.
While the secure connection between a device and Soracom is functionally a standard WireGuard VPN connection, Arc manages the connection as though it were a cellular connection. This is accomplished by generating a Virtual SIM and associating it to a WireGuard connection. In this way, when a device establishes a connection to Soracom using Arc, it will appear as though the device is connecting to Soracom using a cellular connection, even though the device is using a standard Internet connection.
Once a device has established a secure connection to Soracom using Arc, it can access most of the same features and services available for Soracom Air for Cellular devices. By default, only connections to Soracom platform services (such as Beam, Funnel, Funk, and Harvest) will utilize Arc's secure connection, while all other Internet traffic will continue to use the device's existing Internet connection without going through Soracom.
Because the Arc connection is treated as though it originates from a cellular connection, there is no need to maintain Soracom platform service configurations for Soracom Arc devices that are separate from those for Soracom Air devices. Since a Virtual SIM will be associated with the device, the device can use the same platform service configurations, just as if it were using a standard Air for Cellular SIM.
Virtual SIMs
Arc provides two options for creating Virtual SIMs:
- Standalone Virtual SIM - A dedicated Virtual SIM which is not associated with any Air for Cellular SIMs in your account.
- Subscription Container Virtual SIM - A Virtual SIM that is associated with an Air for Cellular SIM in your account.
Standalone Virtual SIM
A Standalone Virtual SIM allows a device to connect to Soracom without the need for using an actual IoT SIM or configuring a cellular network interface.
When creating a Standalone Virtual SIM, both a SIM ID and an IMSI will be generated for the Virtual SIM, equivalent to the SIM ID and IMSI of a standard Air for Cellular SIM.
The SIM ID and IMSI of the Virtual SIM will then be used to uniquely identify the device when it establishes a WireGuard connection with Soracom and accesses Soracom platform services.
Subscription Container Virtual SIM
A Virtual SIM that is added to an Air for Cellular SIM as a Subscription Container will allow a device to connect to Soracom using either a cellular connection (with Soracom Air for Cellular) or non-cellular connection (such as Wi-Fi or ethernet), while being recognized as the same logical device in either case.
When creating a Subscription Container Virtual SIM, only an IMSI will be generated for the Virtual SIM. This IMSI will then be attached to a selected IoT SIM as an additional IMSI, which has its own SIM ID and IMSI.
Unlike a planP1, planX1, planX2, planX3, plan-US-max, or plan-US-NA subscription container, no data is added to the IoT SIM itself when adding a Virtual SIM. Instead, the Virtual SIM is associated with your IoT SIM within the Soracom platform.
Because the Virtual SIM's IMSI will be associated with an IoT SIM, when a device using the IoT SIM establishes a WireGuard connection with Soracom, Arc will automatically map the Virtual SIM IMSI to the IoT SIM IMSI. As a result, even though the device is connected to Soracom using a non-cellular connection, it will still be identified as the IoT SIM. In turn, when the device accesses Soracom platform services such as Beam, Funnel, Funk, and Harvest, the connections will continue to appear as coming from the same IoT SIM.
Adding a Virtual SIM as a Subscription Container to an existing Air for Cellular SIM is supported for the following SIMs:
Global Coverage | Japan Coverage |
---|---|
plan01s, plan01s - LDV, plan-NA1, plan-US, planX3, planX3-EU | plan-D, plan-DU, plan-K, plan-K2, plan-KM1 |
Features
- Arc enables devices to securely connect to Soracom using any Internet-connected network interface, such as Wi-Fi and ethernet.
- When using Arc to connect to Soracom, a Virtual SIM is used to identify the device making the connection.
- Because a device connected to Soracom using Arc will be identified by its Virtual SIM, it can access most Soracom platform services even though it is not using a cellular connection.
- A Virtual SIM can be used by itself to enable devices to connect to Soracom without a cellular connection, or together with a Soracom Air for Cellular SIM to enable mixed-mode connectivity use cases.
- Arc can be used with any device that supports WireGuard.
- In addition to standard WireGuard configuration, Soracom provides a command line tool called Soratun that simplifies the Virtual SIM creation and WireGuard connection process.
Connection Process
Connecting to Soracom using Arc involves the following steps:
- Create a Virtual SIM (Standalone or as a Subscription Container) - Creating a Virtual SIM can be done through the User Console, or using the Soracom API or CLI. Once a Virtual SIM has been created, Arc will generate a WireGuard configuration.
  In addition to creating a Virtual SIM from the User Console, API, or CLI, Soracom also provides a command line tool called soratun that allows a device to create its own Virtual SIM (a process called bootstrapping). For more information, refer to the Soratun documentation.
- Configure WireGuard on the device - Copy or enter the WireGuard configuration details to your device. If using the Soratun tool to bootstrap your device, the configuration is stored on the device automatically.
- Activate WireGuard on the device - Finally, activate WireGuard on your device. The WireGuard client will automatically connect to the Arc server endpoint and negotiate the connection. Once connected, your device will be able to access Soracom platform services directly.
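The check below is an added example, not code from Soracom or the Soratun tool: it audits a WireGuard configuration before activation, flagging a default route in AllowedIPs (which would send all traffic through the tunnel instead of only Soracom platform traffic, the default described under Architecture) and a config file readable by other users. The sample keys, addresses and endpoint are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed wg-quick sample; keys, addresses and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <device-private-key-placeholder>
Address = 192.0.2.10/32

[Peer]
PublicKey = <arc-server-public-key-placeholder>
AllowedIPs = 198.51.100.0/24, 0.0.0.0/0
Endpoint = arc.example.invalid:51820
"""

def parse_wg_conf(text):
    """Return {section: {key: value}} for a single-peer WireGuard config."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def audit(text, file_mode=None):
    """Return a list of findings; an empty list means the checks passed."""
    conf, findings = parse_wg_conf(text), []
    iface, peer = conf.get("interface", {}), conf.get("peer", {})
    for section, key in (("interface", "privatekey"), ("peer", "publickey"),
                         ("peer", "endpoint"), ("peer", "allowedips")):
        if not conf.get(section, {}).get(key):
            findings.append(f"missing {section}.{key}")
    for cidr in (c.strip() for c in peer.get("allowedips", "").split(",") if c.strip()):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"invalid AllowedIPs entry: {cidr}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 routes everything via the tunnel
            findings.append(f"default route in AllowedIPs: {cidr}")
    # The config holds the private key, so only the owner should read it.
    if iface.get("privatekey") and file_mode is not None and file_mode & 0o077:
        findings.append(f"config readable by group/other: {oct(file_mode)}")
    return findings
```

When auditing a file on disk, pass `os.stat(path).st_mode & 0o777` as `file_mode`.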
Requirements
To connect your device using Arc, you will need to install a WireGuard® client on your device. This will allow your device to connect to Soracom as a WireGuard client. WireGuard client implementations are currently available for many platforms, such as:
- Linux, using a native kernel implementation or using the Soratun tool provided by Soracom
- macOS and Windows, using official WireGuard desktop clients
- iOS and Android, using official WireGuard mobile clients
Refer to the WireGuard installation documentation to check if a WireGuard implementation is available for your device's platform, and for installation instructions.
When using the Soratun tool, a WireGuard client is built into the tool, so there is no need to install WireGuard separately.
In addition, your device must have an Internet connection (not provided by Soracom).
Limitations
Before using Arc, please be aware of the following limitations:
- Only one Virtual SIM can be added to a Soracom IoT SIM.
- A Virtual SIM's Subscriber Status can only be Active or Terminated. Virtual SIMs cannot be changed to Inactive, Standby, or Suspended status.
- When terminating a Subscription Container Virtual SIM, the Virtual SIM will remain attached to the IoT SIM for a certain period of time, and will be automatically removed afterwards. Once the Subscription Container Virtual SIM has been removed, you can add a new Subscription Container Virtual SIM if needed.
- A Virtual SIM's Speed Class cannot be changed.
- When a Virtual SIM is created, it will be assigned a 15-digit IMSI beginning with 99999. The IMSI cannot be modified.
- Although an Arc connection is treated like an Air for Cellular connection, the following Air for Cellular features cannot be used with Arc:
  - Local Info Report
  - SMS & USSD
  - IMEI Lock
  - CHAP Authentication
  - Krypton features that utilize SIM authentication (when using a Standalone Virtual SIM)
  - Peek SIM packet capture
- While Event Handler can be used with a Virtual SIM, the following Event Handler rules are not compatible:
  - Sim status attribute and Subscriber status attribute - Virtual SIMs cannot be changed to Inactive, Standby, or Suspended status.
  - Sim speed class attribute and Subscriber speed class attribute - Speed Class does not apply to Virtual SIMs.
  - Sim subscription status - Adding a Virtual SIM to an IoT SIM as a Subscription Container does not modify the IoT SIM itself.
  - Sim IMEI mismatched and Subscriber IMEI mismatched - IMEI Lock does not apply to Virtual SIMs.
- Virtual Private Gateway connectivity for devices using Arc is only available for Type-E and Type-F VPGs.
- When a Virtual SIM is not attached to a Virtual Private Gateway, network connectivity will be established using the following Rendezvous Points:
  - Virtual SIM in Global Coverage - The Arc connection will be established in Frankfurt, regardless of the location of the device. This is different from IoT SIMs, where the cellular connection may be established in other Rendezvous Points depending on the location of the device.
  - Virtual SIM in Japan Coverage - The Arc connection will be established in Tokyo.
- When enabling or disabling Virtual Private Gateway connectivity, a Virtual SIM's session must be reset. See Session Status for more information.
- Arc servers may periodically become unavailable for maintenance. When this occurs, the WireGuard connection may be interrupted for approximately 15 seconds until the WireGuard client performs another handshake.
- Virtual SIMs cannot be transferred to other operators.