Networking Service

Soracom Virtual Private Gateway

A dedicated private gateway for secure device communication, isolating IoT traffic from the public internet.

Software-Defined Private APN for IoT

Soracom Virtual Private Gateway (VPG) creates an isolated network environment where your IoT devices communicate privately with your cloud or data center. Instead of relying on public internet paths, VPG enables private routing, custom IP address management, and enterprise-grade security controls—all built on Soracom’s cloud-native mobile core.

Isolate and control your IoT traffic at scale

VPG extends your private network to your IoT devices by routing traffic through an isolated, virtualized gateway inside Soracom’s cloud-native core. You can assign private IP ranges, enforce firewall rules, and deliver traffic to AWS VPCs, on-prem systems, or secure tunnels without exposing devices to the public internet. VPG supports both NAT and NAT-less configurations, integrates with IPsec VPN and VPC peering, and treats each SIM as part of your private infrastructure, with no private APN or physical network equipment required.

Why use Soracom VPG for your project?

Protect device traffic

Keep data off the public internet and route it securely into your private environment.

Simplify networking

Replace complex private APNs and carrier hardware with a cloud-native private gateway.

Integrate with your cloud

Connect devices directly to VPCs, datacenters, or secure tunnels with flexible routing.

How it works

Private network environment for your devices

Each VPG provides an isolated network environment, complete with dedicated routing, firewall rules, and private IP address ranges. Devices assigned to a VPG operate as if they’re on your internal network—secured and unexposed—while still leveraging the flexibility of Soracom’s cellular core.

Multiple connectivity options to your cloud

VPG supports IPsec VPN, AWS VPC Peering, AWS Transit Gateway, and private fiber connections. Whether you’re using AWS, Azure, GCP, or an on-prem data center, VPG routes device traffic without touching the public internet.

NAT or NAT-less routing for maximum control

Choose NAT routing for simplicity, or NAT-less routing when you want full bidirectional communication and consistent IP address identity per device. This gives you granular control over access policies, logging, and backend visibility.

Take a shortcut directly to technical documentation

Explore routing options, integration patterns, IP address management, and secure tunneling examples to start building private networks for your IoT devices.

Key takeaways for those who use Soracom VPG

Strengthen security

Keep all device traffic private and isolate fleets in their own controlled environment.

Reduce network overhead

Remove the cost and complexity of private APNs and hardware-based VPN appliances.

Streamline cloud integration

Deliver device traffic directly into your cloud infrastructure with consistent, predictable routing.

What you’d build without Virtual Private Gateway

Deploy carrier-managed private APNs
Requires hardware, long provisioning timelines, high costs, and limited flexibility for routing, scaling, or cloud integration.

Build your own IPsec concentrators and network edge
You’d have to manage VPN gateways, certificate rotation, high availability, and multi-region resilience yourself.

Expose devices to the public internet
Without private routing, you’d rely on firewall rules and public endpoints, increasing exposure and operational risk.

Architecture and implementation

Virtual Private Gateway is built directly into Soracom’s cloud-native mobile core, allowing you to define private IP ranges, route traffic to cloud environments, and isolate subsets of your fleet. VPG supports NAT and NAT-less routing, multiple secure transport methods, and scales automatically across regions. Devices join the VPG when assigned at the SIM group level, inheriting its routing, security, and monitoring configuration.

Step 1

Create a Virtual Private Gateway and configure your private network settings

Open the Soracom User Console and create a new Virtual Private Gateway (VPG) or select an existing one.

Choose the VPG type and configure options such as private IP ranges, routing behavior, firewall rules, and cloud connectivity settings.

The VPG acts as your private network anchor within Soracom, providing isolated routing for devices without exposing them to the public Internet.

Setup instructions are available in the Virtual Private Gateway documentation.

Step 2

Attach your device SIM group to the VPG to route traffic privately

Navigate to the SIM group that contains the devices you want to place inside the private network and attach it to the VPG you created.

Once attached, all data traffic from devices in this group is routed through the VPG rather than through Soracom’s default public breakout.

This enables private connectivity patterns, including NAT-less routing, controlled egress, and secure integration with other Soracom services like Gate, Canal, or Direct.

Group attachment steps are detailed in the VPG group assignment guide.

Step 3

Connect your cloud or on-premises environment to the VPG

Complete your private network by connecting the VPG to your cloud VPC or on-premises environment using options such as VPC Peering, IPsec VPN, or Direct for physical network extensions.

This connection allows your backend systems to communicate with devices using private IPs, without public exposure and without requiring a static IP on the device side.

Once connected, you can access devices, route data, or build end-to-end private architectures securely through the VPG.

Connectivity options are described in the VPG connectivity guide.

Secure your fleet with a Virtual Private Gateway

Create a free Soracom Operator ID and start building private, cloud-ready network environments for your IoT devices—all without carrier hardware or private APNs.

Frequently Asked Questions

What is Virtual Private Gateway?
A VPG is a private, isolated network environment that routes IoT device traffic securely to your cloud or datacenter without using the public internet.
Can I assign private IP addresses to devices?
Yes. VPG lets you define your own private IP ranges and choose NAT or NAT-less routing.
Can VPG support bidirectional communication?
Yes—using NAT-less routing, backend systems can initiate direct connections to devices through the VPG.
How do I connect my backend systems to the VPG?
You can use Soracom Door (IPsec VPN), Canal (AWS VPC Peering), or Direct (AWS Transit Gateway).
Do I need a private APN to use VPG?
No. VPG replaces the need for carrier-managed private APNs and works entirely through Soracom’s cloud-native mobile core.
Which cloud providers does VPG support?
VPG connects to AWS (via VPC Peering or Transit Gateway), Azure, GCP, and on-prem environments using IPsec VPN or private links.
Does VPG scale automatically?
Yes. VPG is built on Soracom’s distributed cellular core and scales horizontally without hardware.
Can non-cellular devices join a VPG?
Yes—devices using Soracom Arc can join the same VPG and share the same private routing.