Healthcare — Connected medical devices
Restrict each device to your EHR and management plane. Supports your HIPAA destination-control requirements, with no endpoint agent on the device.
VPG Feature
Traffic Filtering
Set the destinations each device is allowed to reach and enforced in the network, not on the device. No software or separate appliance to buy.
Control exactly where your devices can send data.
Secure devices that can't secure themselves
Most IoT hardware can't run a firewall. Traffic Filtering enforces your rules in the network, so the device doesn't have to.
Write rules for domains, not IP addresses
Point a rule at api.example.com. We keep the underlying IPs current as cloud providers change them. Your allowlist stops breaking.
Prove what your devices can reach
Rules are defined by API and saved per VPG. Show an auditor the exact policy, for the exact device group, at any point in time.
Move enforcement off the device
The network decides what gets through, not the device
Sensors, trackers, and meters can’t run firewall agents. With Traffic Filtering, every connection is checked at the Virtual Private Gateway (VPG) — the private gateway your device traffic already passes through. The policy travels with the SIM, so a device only needs to do one thing: connect.
Stop maintaining IP allowlists
Rules that don’t rot when cloud IPs change
Cloud endpoints rotate their IP addresses constantly. A static CIDR allowlist for AWS IoT or Azure needs constant upkeep — and breaks the moment someone forgets. Write your rules against domain names instead. Soracom resolves them and keeps the IP rules current for you.
Manage policy across your whole fleet
Programmable, auditable, and built for scale
Define rules by API or bulk-edit them with CSV — no clicking through a UI one device at a time.
Where Traffic Filtering matters most
Energy — Grid & utility monitoring
Lock RTUs and sensors to their SCADA endpoint. Any unexpected connection is blocked and visible.
Logistics — Fleet telematics
Hold multi-vendor in-cab units to approved TMS, ELD, and OTA servers — even when you don’t control the firmware.
Manufacturing — Smart factory / OT
Define allowed destinations per production zone. Zero-trust segmentation without redesigning the network.
Property tech — Smart buildings
Isolate tenant and building systems with per-VPG policy. Multi-tenant IoT without physical separation.
Retail / payments — Connected POS terminals
Restrict each terminal to your payment processor and nothing else. Supports your PCI-DSS scoping, with no security agent on the device.
EV charging — Public charging networks
Hold each charger to its management backend and payment endpoint — even across operators and physically exposed sites.
Smart cities — Connected cameras & sensors
Lock cameras and environmental sensors to your video management system. A compromised camera can’t pivot to the rest of the network.
Add network-level control to your IoT connectivity.
Talk to our team about turning on Traffic Filtering for your VPG.
Do my devices need to run any security software?
No. Rules are enforced at the VPG, so it doesn't matter what the device can or can't run.
How is this different from Outbound Filter?
Outbound Filter gives you basic allow/deny rules. Traffic Filtering adds domain-name rules, API and CSV management, and an auditable per-VPG policy — and it's evaluated first. They work together; adding Traffic Filtering doesn't disrupt your existing Outbound Filter rules.
What happens when my cloud provider changes IP addresses?
Write a domain rule instead of an IP rule. Soracom resolves the domain and keeps the underlying IPs current.
Can I block one specific domain while allowing others?
Domain rules are allow-only today. To deny a destination, combine a domain allowlist with an IP deny-all rule.
Which VPG types support Traffic Filtering?
Type-F, Type-G, and Type-F2.
Is it included in my VPG plan?
It requires a separate contract. Contact the team for pricing.
Can I manage rules in bulk?
Yes — by API or CSV bulk edit. (CLI support isn't available yet; use the API or User Console for now.)
Is there a limit on how many rules I can set?
Up to 500 static rules per type. Dynamic rules generated from domain resolution don't count toward that limit.