Virtual Private Gateway
When Soracom Air for Cellular devices connect to the Soracom platform, core networking services are provided by a platform gateway. The default platform gateway allows Air subscribers to access Soracom services, such as Soracom Beam, Funnel, Funk, and Harvest, as well as connect to Internet resources.
As the default gateway is shared among all Soracom users, certain gateway functionality, such as private networking and device-to-device access, is disabled to ensure device and network security.
Soracom provides a Virtual Private Gateway (VPG) option which allows you to create and manage your own dedicated gateway on the Soracom platform. With a VPG, Air subscribers in your account connect to the Soracom platform using an isolated network environment, separate from all other Soracom gateways. As VPGs provide a dedicated network environment, you can in turn enable custom networking functionality such as device-to-device and remote access, control Internet connectivity, and connect devices directly to your private network, while maintaining network security.
The Virtual Private Gateway is a paid option that is billed according to its active time, regardless of number of attached subscribers or total usage. Please refer to the fee schedule for information on charges associated with VPG.
Typical VPG Usage
As a VPG establishes a dedicated private networking environment on the Soracom platform, you can then connect the VPG to your private network using Soracom Canal, Door, or Direct. By doing so, Air devices attached to your VPG will be able to access resources on your private network, without having to route traffic over the public Internet, or configure firewalls to enable external access. *1
*1 - Soracom Door utilizes an IPsec VPN connection which may be routed over the Internet.
For additional information on private networking, please refer to the VPG Types section below, or to Soracom Canal, Door, and Direct documentation.
As with the default platform gateway, subscribers connected to a VPG can also access application services, such as Soracom Beam, Funnel, Funk, and Harvest, in order to take advantage of the application features within the VPG's isolated network environment. For example, if your VPG is configured with Soracom Canal to establish a connection to your AWS VPC network environment, you can also use Soracom Beam to proxy data directly to an EC2 instance's private IP address or other VPC resource.
Using Soracom Beam MQTT and TCP → TCP/TCPS entry points with a public destination requires an Internet gateway route and therefore cannot be used with Virtual Private Gateways where the Internet gateway is disabled.
Updated Typically, using application services without a VPG incurs separate fees, based on each service's pricing structure. However, as access to application services is built into each VPG and handled internally by the VPG's own resources, the following application service fees no longer apply:
- Soracom Beam *1
- Soracom Funnel *1
- Soracom Funk *1
- Custom DNS
- CHAP Authentication
*1 - The number of requests per second for Beam, Funnel, and Funk is limited by the VPG resource capacity. See the VPG Sizes section below.
In addition, the separate Soracom Air for Cellular VPG Option fee associated with attaching a subscriber to a customer VPG is now included in the VPG active fee.
Each VPG is assigned a subset of IP addresses within
100.64.0.0/10 (RFC 6598: Shared Address Space). These IP addresses are used for inter-network connectivity, such as enabling connectivity between the VPG and your private network, as well as redundancy through AWS Availability Zones. Even if your private network is configured with a commonly-used private IP address range, such as
192.168.0.0/16 (RFC 1918: Private Network range), the VPG IP addresses ensures that no collision will occur.
When creating a VPG, its IP addresses will be allocated automatically and cannot be manually configured, and will remain fixed until the VPG is terminated.
In turn, the VPG acts as a NAT for Air devices, which are by default assigned IP addresses from the
10.128.0.0/9 range. This allows each VPG to support a very large number of Air devices, with each device being uniquely addressable. When the Gate option is enabled for a VPG, you can also manually assign IP addresses to specific devices by mapping an Air device's IMSI to a desired IP address.
When creating a VPG, you can specify a different CIDR block to use when assigning IP addresses to Air devices. This may be useful if the default range of
10.128.0.0/9 may cause collisions with an existing range in your private network. However, this CIDR range cannot be re-configured after the VPG has been created.
In addition, each VPG can also be customized to enable or disable the Internet gateway, allowing you to control whether or not your Air devices should be able to access Internet resources according to your project's application or security requirements.
|Service||Interface||VPG Type C||VPG Type D|
|Soracom Canal||AWS VPC Peering Connection|
|Soracom Door||VPN Connection||—|
|Soracom Direct||Virtual Interface Connection||—|
VPG Type C
Virtual Private Gateways are built on AWS infrastructure, allowing you to connect your Air devices to your AWS VPC private network by using AWS Peering Connections (PCX) with the Soracom Canal service. By leveraging AWS infrastructure, VPG Type C (for use with Soracom Canal) provides high-performance, cost-effective connectivity for applications with an existing AWS VPC, or where migration to an AWS VPC is planned.
VPG Type D
VPG Type D adds support for non-AWS connectivity through virtual interfaces (with Soracom Direct) and VPN connections (with Soracom Door). VPG Type D provides the greatest flexibility for applications where connecting your devices to a non-AWS private network (via VPN) or to your datacenter (via virtual interface) is required. VPG Type D also supports AWS Peering Connections, allowing you to connect your Soracom VPG to multiple cloud resources.
VPG Type D is currently available as a limited preview. Please contact us to request access.
New Beginning 2019-08-01, VPGs are now available in several sizes designed to fit different scales of applications. Each VPG size is designed to support a maximum number of subscribers, as well as capacity for Soracom Beam, Funnel, and Funnk application services.
|VPG Size||Subscriber Capacity||Application Capacity|
|Small||Up to 1,000||Up to 30 requests/sec|
|Medium||Up to 3,000||Up to 90 requests/sec|
|Large||Up to 10,000||Up to 300 requests/sec|
If your application requires additional subscriber or application capacity, please contact us.
In addition to a fully-customizable VPG, Soracom provides additional gateways called Private Garden and Public Gate, which enables common networking functionality not possible with the default shared platform gateway. As these additional gateways are also shared among all Soracom users, there are certain limitations and precautions, however they allow certain use cases without the need of creating and configuring a dedicated VPG.
The Private Garden provides similar network connectivity as the default shared gateway, but with Internet-bound traffic blocked. Air SIM devices that are configured to use the Private Garden gateway are still able to access Soracom services, such as Beam, Funnel, Funk, and Harvest.
When your application utilizes Beam, Funnel, Funk, or Harvest to send or capture data, Private Garden provides an additional layer of security, ensuring that in the event a device is exploited, any attempts to communicate with external servers over the Internet will be blocked.
Although the Private Garden must be selected for use, it is similar to the default shared gateway in that connectivity is shared among all Air SIMs that are attached to the Private Garden, including Air SIMs from other Operators. Similarly, remote access and device-to-device access is blocked, and connecting to other private networks is not supported.
For additional information, refer to the Private Garden documentation.
Some applications may require a device being able to communicate with another device. While Soracom Gate enables implicitly-secure device-to-device communication by using a dedicated VPG, Soracom Gate configuration may be excessive for simple applications such as sending an
OK message from one device to another.
The Public Gate provides similar network connectivity as the default shared gateway, but enables device-to-device communication. Once two or more devices have been configured to use the Public Gate, they can communicate with each other by using their IP addresses.
When using Public Gate, keep in mind that network connectivity is similar to the default shared gateway in that connectivity is shared among all Air SIMs that are attached to the Public Gate, including Air SIMs from other Operators. As a result, devices from other Operators are able to communicate with your devices, much like when a device is connected to a public wifi. Ensure that you change any default passwords (such as operating system users, SSH, and web-based management interfaces), disable or remove unnecessary network services, and use appropriate mechanisms for verifying connections.
In order to ensure device security, we recommend using Public Gate with non-sensitive data, or for application testing only.
For additional information, refer to the Public Gate documentation.