Virtual Private Gateway
When Soracom Air for Cellular devices connect to the Soracom platform, core networking services are provided by a platform gateway. The default platform gateway allows Air subscribers to access Soracom services, such as Soracom Beam, Funnel, Funk, and Harvest, as well as connect to the Internet.
As the default gateway is shared among all Soracom users, certain gateway functionality, such as private networking and device-to-device access, is disabled to ensure device and network security.
Soracom provides a Virtual Private Gateway (VPG) option which allows you to create and manage your own dedicated gateway on the Soracom platform. With a VPG, Air subscribers in your account connect to the Soracom platform using an isolated network environment, separate from other Soracom gateways.
Since a VPG creates a dedicated network environment for your SIMs, you can in turn enable custom networking functionality such as device-to-device and remote access, control Internet access, connect devices directly to your private network, and perform packet management and inspection all within a closed secure network.
As a VPG establishes a dedicated networking environment on the Soracom platform, you can connect the VPG to your private network using Soracom Canal, Door, or Direct. Once connected, Air devices attached to your VPG will be able to access resources in your private network, without routing traffic over the public Internet or configure firewalls to enable external access. *1
*1 - Soracom Door utilizes an IPsec VPN connection which may be routed over the Internet.
You can also enable Gate, which will allow Air devices attached to the same VPG to communicate with each other as if they were on the same LAN, no matter which country they are located in or what network they are connected to. When combined with Canal, Direct, or Door, this also allows devices in your private network to remotely access your Air devices.
Since Air devices can communicate directly with servers in a private networking environment, you can also disable a VPG's Internet Gateway, effectively preventing any traffic from an Air device ever reaching the Internet.
Traffic Routing Control
A VPG also lets you create custom traffic rules to control what network services your Air devices can reach. The Outbound Filter option lets you configure rules that
allow your devices to connect to whitelisted servers, as well as rules that
deny access to others.
The Fixed Global IP option lets you similarly control what traffic is allowed into your network. When enabled, your VPG will be assigned two dedicated static public IP addresses. You can then whitelist these IP addresses on your firewall in order to allow your Air devices to access your servers, while blocking access from other Internet-connected devices.
With a VPG, you also get access to advanced packet management tools. Soracom Peek allows you to effortlessly capture packets that transit the VPG. This gives you the ability to inspect the network behavior of your Air devices, before any traffic is routed over the Internet, in order to troubleshoot device communication problems, test your networking architecture, identify the source of high data usage, or to improve security.
You can also use Soracom Junction to enable advanced packet handling, such as inspecting packets to perform traffic analysis, mirroring packets to observe realtime network behavior, or redirecting packets to apply your own traffic shaping rules.
As with the default platform gateway, devices connected to a VPG can also access Soracom application services, such as Beam, Funnel, Funk, and Harvest, in order to take advantage of each application features while within the VPG's isolated network environment. For example, if your VPG is configured with Soracom Canal to establish a connection to your AWS VPC network environment, you can also use Soracom Beam to proxy data directly to an EC2 instance's private IP address or other VPC resources.
Using Soracom Beam MQTT and TCP → TCP/TCPS entry points with a public destination requires an Internet gateway route and therefore cannot be used with VPGs where the Internet Gateway option is disabled.
Normally, Soracom application services incur separate fees based on each service's pricing structure. However, as access to application services is built into each VPG and handled internally by the VPG's own resources, you use the following application services with a VPG without any additional cost:
- Soracom Beam
- Soracom Funnel
- Soracom Funk
- Custom DNS
- CHAP Authentication
A VPG Type determines what options or services are available. The Type-F VPG provides the full set of networking, traffic control, and packet management features. For applications where the private networking capabilities are not required, the Type-E VPG provides most VPG features at a significantly reduced fee.
The Type-G VPG provides all feartures that Type-F VPGs provide with the additional ability to support over 100,000 concurrent SIM sessions.
Type-C VPGs have been deprecated as the newer Type-F and Type-G VPGs provide improved functionality at the same cost. Support for creating Type-C VPGs will be provided until July 2021 for customers that have specific requirements.
Type-D VPGs have been discontinued as the newer Type-F and Type-G VPGs provide the same functionality at a reduced cost.
|VPG Type-C||VPG Type-E||VPG Type-F||VPG Type-G|
|VPG Options||Internet Gateway *1|
|Fixed Global IP|
|Soracom Canal||AWS VPC Peering|
|AWS Transit Gateway|
|Soracom Direct||Virtual Interface|
|Soracom Door||VPN Connection|
|Soracom Gate||Device to Device Access|
|Remote Device Access|
*1 - When creating a Type-C, Type-F, or Type-G VPG, the Internet Gateway can be disabled.
When switching (migrating) from VPG Type-F to VPG Type-G, it is necessary to change settings and disconnect sessions for all SIMs. Because this may be difficult for some customers, we recommend using VPG Type-G from the beginning if the number of online sessions is expected to exceed 100,000 in the future.
|Type-E||Up to 1,000|
|Type-C||Up to 10,000|
|Type-F||Up to 100,000|
The Internet Gateway provides routing from the VPG to public Internet infrastructure. When creating a Type-C, Type-F, or Type-G VPG, you can opt to disable the Internet Gateway in order to create a fully enclosed private network. In turn, you can use Soracom Canal, Direct, or Door to connect the VPG network environment to your own private network, in order to allow your Air devices to access your servers.
The Internet Gateway setting cannot be modified after a VPG has been created. If you decide later to change the Internet Gateway behavior, you must create a new VPG.
The Internet Gateway is enabled by default for Type-E VPGs and cannot be modified. However, you can control what servers Air devices can access using the Outbound Filter option.
When creating a Type-E, Type-F, or Type-G VPG in the Global coverage region, you can now also select its Rendezvous Point. The Rendezvous Point determines where the VPG network infrastructure is geographically located.
Rendezvous Points are so named as connections from Air devices attached to the VPG will be routed to this region. In effect, all cellular connections will first rendezvous at this location before continuing onward to your private network or to the public Internet, regardless of which countries the devices are located in or what networks they are connected to, in order to control latency or route sensitive data according to your application requirements.
Rendezvous Point cannot be configured for the following VPGs:
- Type-C VPGs in the Global coverage region - The Rendezvous Point will be set to Frankfurt (Germany) and cannot be modified.
- All VPGs in the Japan coverage region - The Rendezvous Point will be set to Tokyo (Japan) and cannot be modified.
For additional information, refer to the Rendezvous Points documentation.
Each VPG acts as a NAT and assigns IP addresses to your Air devices according to a Device Subnet CIDR block. By default, a VPG will use the
10.128.0.0/9 IP address range, which is able to support a very large number of Air devices, with each Air device being uniquely addressable.
You can also specify a different Device Subnet CIDR block to use for your Air devices. This may be useful if the default range of may cause collisions with an existing range in your private network.
In general, you can specify any CIDR block to use for your Air devices. However there are certain ranges that cannot be specified as they would conflict with the underlying VPG network infrastructure:
- Global Coverage - You cannot specify any Device Subnet ranges that conflict with
- Japan Coverage - You cannot specify any Device Subnet ranges that conflict with
The Device Subnet range cannot be changed after a VPG has been created.
When a VPG is created, it will be assigned a set of private IP addresses within
100.64.0.0/10 (RFC 6598: Shared Address Space). These IP addresses are used for inter-network connectivity, such as enabling connectivity between the VPG and your private network, configuring Gate for remote access, as well as to establish redundancy through AWS Availability Zones.
These IP addresses are only for the underlying network infrastructure, and are separate from the external IP address where traffic from your Air devices will originate.
In most cases, these IP addresses are not needed for VPG usage. However, when configuring Soracom Gate, you will need to refer to these IP addresses in order to perform Gate Peer configuration so that traffic from your private network can be correctly routed to the VPG.
In addition to a fully-customizable VPG, Soracom provides additional gateways called Private Garden and Public Gate, which enables common networking functionality not possible with the default shared platform gateway. As these additional gateways are also shared among all Soracom users, there are certain limitations and precautions, however they allow certain use cases without the need of creating and configuring a dedicated VPG.
The Private Garden provides similar network connectivity as the default shared gateway, but with Internet-bound traffic blocked. Air SIM devices that are configured to use the Private Garden gateway are still able to access Soracom services, such as Beam, Funnel, Funk, and Harvest.
When your application utilizes Beam, Funnel, Funk, or Harvest to send or capture data, Private Garden provides an additional layer of security, ensuring that in the event a device is exploited, any attempts to communicate with external servers over the Internet will be blocked.
Although the Private Garden must be selected for use, it is similar to the default shared gateway in that connectivity is shared among all Air SIMs that are attached to the Private Garden, including Air SIMs from other Operators. Similarly, remote access and device-to-device access is blocked, and connecting to other private networks is not supported.
For additional information, refer to the Private Garden documentation.
Some applications may require a device being able to communicate with another device. While Soracom Gate enables implicitly-secure device-to-device communication by using a dedicated VPG, Soracom Gate configuration may be excessive for simple applications such as sending an
OK message from one device to another.
The Public Gate provides similar network connectivity as the default shared gateway, but enables device-to-device communication. Once two or more devices have been configured to use the Public Gate, they can communicate with each other by using their IP addresses.
When using Public Gate, keep in mind that network connectivity is similar to the default shared gateway in that connectivity is shared among all Air SIMs that are attached to the Public Gate, including Air SIMs from other Operators. As a result, devices from other Operators are able to communicate with your devices, much like when a device is connected to a public wifi. Ensure that you change any default passwords (such as operating system users, SSH, and web-based management interfaces), disable or remove unnecessary network services, and use appropriate mechanisms for verifying connections.
In order to ensure device security, we recommend using Public Gate with non-sensitive data, or for application testing only.
For additional information, refer to the Public Gate documentation.