When connecting devices over cellular, it’s important to think about how they will interact with cloud computing environments. There are many ways to secure data exchange, but many of them generate high bandwidth consumption, which quickly adds up to high connectivity bills. These solutions also often support only one-way communication and offer no way to reach back to the device itself.
Some of the solutions that we’ve created at Soracom are called Canal, Gate and Door:
- Canal lets our users set up AWS VPC peering, effectively assigning their own preferred private subnet to each Soracom Air SIM card. This ensures that data flows only to a specific private network in the cloud infrastructure, giving full control over what connectivity the device can use via firewall rules.
[Figure: SORACOM Canal: High-Level Architecture]
- Gate has been designed to allow bi-directional communication with the devices. When enabled, Gate creates a router that allows your cloud system to connect back to the devices’ private IP addresses.
[Figure: SORACOM Gate: High-Level Architecture]
- Door supports use cases where the cloud or data center workloads run outside of AWS. It is functionally identical to Canal and Gate but uses an IPsec-based VPN.
[Figure: SORACOM Door: High-Level Architecture]
Soracom has also introduced the notion of groups, so these features can be assigned per SIM group, allowing multiple private networks on a single, centralized account.
These solutions not only add security to device communication but also allow for data-efficient connectivity, because devices can use non-encrypted protocols such as UDP, TCP and HTTP. Since the cellular link is already encrypted all the way to the cloud systems, security is kept intact while ensuring the cellular link carries only useful data. With this architecture, we’ve seen many use cases save up to 80% of their devices’ bandwidth consumption.
An architecture I am particularly fond of uses the SIM card as a unique device identifier in combination with Canal and Gate. Leveraging Soracom’s management APIs, I was able to create direct AWS cloud system-to-device interactions (more details on that setup in a future blog).
Since each IMSI translates into a private IP that is addressable from EC2 instances, backend systems and operations teams can securely connect back directly to the device. This enables advanced use cases as well as easier administration and troubleshooting when needed.
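As an added example (not from the post or Soracom’s own tooling), here is a backend-side check in Python that resolves an IMSI to its private IP and refuses to connect back through Gate unless that IP sits inside the Canal subnet assigned to the SIM’s group. The subscriber listing, the field names imsi/ipAddress/groupId, and the group-to-subnet policy are constructed assumptions, not values from the post.

```python
import ipaddress
import json

# Constructed sample of a subscriber listing as a management-API client might
# receive it. Field names (imsi, ipAddress, groupId) and all values are
# assumptions made for this example; the IMSIs use the 001/01 test MCC/MNC.
SAMPLE_SUBSCRIBERS = json.dumps([
    {"imsi": "001010000000001", "ipAddress": "10.128.1.10", "groupId": "grp-sensors"},
    {"imsi": "001010000000002", "ipAddress": "10.128.1.11", "groupId": "grp-sensors"},
    {"imsi": "001010000000003", "ipAddress": "10.129.5.7",  "groupId": "grp-gateways"},
    {"imsi": "001010000000004", "ipAddress": "10.129.5.9",  "groupId": "grp-sensors"},  # wrong subnet for its group
    {"imsi": "001010000000005", "ipAddress": None,          "groupId": "grp-sensors"},  # not attached
])

# Assumed policy: one Canal private subnet per SIM group.
GROUP_SUBNETS = {
    "grp-sensors": ipaddress.ip_network("10.128.1.0/24"),
    "grp-gateways": ipaddress.ip_network("10.129.5.0/24"),
}


def build_device_map(subscribers_json, group_subnets):
    """Map IMSI -> private IP, keeping only devices whose IP lies inside the
    subnet assigned to their group. Returns (allowed, rejected); rejected maps
    IMSI -> reason, so the backend never reaches back to an address outside the
    expected Canal subnet and the mismatch is visible for investigation."""
    allowed, rejected = {}, {}
    for sub in json.loads(subscribers_json):
        imsi, group, raw_ip = sub["imsi"], sub.get("groupId"), sub.get("ipAddress")
        if not raw_ip:
            rejected[imsi] = "no private IP (SIM not attached)"
            continue
        subnet = group_subnets.get(group)
        if subnet is None:
            rejected[imsi] = f"group {group!r} has no Canal subnet assigned"
            continue
        ip = ipaddress.ip_address(raw_ip)
        if ip not in subnet:
            rejected[imsi] = f"{ip} is outside {subnet} for group {group}"
            continue
        allowed[imsi] = str(ip)
    return allowed, rejected


def address_for(imsi, allowed):
    """Resolve the IMSI a backend wants to reach through Gate; raise rather than
    fall back to guessing an address."""
    if imsi not in allowed:
        raise LookupError(f"IMSI {imsi} not reachable under current policy")
    return allowed[imsi]


if __name__ == "__main__":
    ok, bad = build_device_map(SAMPLE_SUBSCRIBERS, GROUP_SUBNETS)
    print("reachable:", ok)
    print("rejected:", bad)
```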
In the coming months we’ll be running hands-on workshops across Europe and the US. Follow us on your preferred social networks for location information and more IoT tutorials!