Beam can be combined with other Soracom services to provide finer control of security.
By default, Soracom Air devices will connect to the Soracom platform using a platform-shared gateway which allows Air devices to access the Internet as well as Soracom services (such as Beam, Funnel, Funk, and Harvest).
Soracom provides an alternative shared gateway called Private Garden, which still allows Air devices to access Soracom services, but will block device access to the Internet.
Setting an Air SIM group to use Private Garden will help ensure that no data is mistakenly sent to an unknown endpoint. As groups using Private Garden can still access Soracom services, you can configure Beam to forward data from your devices to your endpoint.
Using Soracom Beam MQTT and TCP → TCP/TCPS entry points with a public destination requires an Internet route and therefore cannot be used with Private Garden.
Refer to Private Garden for further information.
VPG with Fixed Global IP
Where additional security requires, customers can create VPGs (Virtual Private Gateways) rather than using the platform-shared gateway, which ensures that data is transmitted from their Air devices inside a dedicated network environment, separate from the platform-shared gateway.
Customers can request fixed dedicated global IP addresses for each VPG. By using the fixed global IP option, all external communication (such as HTTP requests) from Air devices attached to a VPG will appear to originate from that VPG's fixed IP address. When combined with Beam, you can then whitelist the IP addresses in order to block access to your endpoint from other unverified origins.
Because the assignment of Air devices to a VPG is done by attaching a group to the VPG, you can easily add or remove Air devices to control access to your Beam endpoint, without requiring any reconfiguration on the backend.
- When requesting the fixed global IP address option, two IP addresses will be assigned to your VPG. Each IP address is assigned from different availability zones in order to provide redundancy. When configuring inbound rules, ensure that both IP addresses are whitelisted.
- Combining Beam with VPG requires a VPG with the Use internet gateway option enabled.
- Fixed Global IP Address option does not apply to Air for Sigfox or Air for LoRaWAN devices.
Refer to Virtual Private Gateway for further information.