Yes, Soracom offers several ways to control how your IoT SIM devices connect to network services and resources. Below are commonly used methods for managing access, ranging from DNS configuration and traffic filtering to private networking and hardware locking.
Setting Custom DNS Servers
Soracom Air allows you to manually specify your choice of DNS servers, giving you control over which servers your device uses when resolving domain names. Unlike setting custom DNS servers directly on the device hardware, you can manage Custom DNS settings remotely from the User Console and update settings for multiple IoT SIM devices in a group simultaneously.
When more granular access restrictions are required (such as using a DNS server that you control on your private network), you can combine the Custom DNS setting with Soracom Canal (see below) so that your IoT SIM devices use your private servers to resolve domain names.
For more information about configuring Custom DNS, please refer to the Developer Docs: Custom DNS section.
Blocking Internet Access
If you need to prevent your devices from accessing the public Internet entirely while still using Soracom services, you can use Private Garden.
Private Garden is a Virtual Private Gateway (VPG) configuration that blocks access to the public Internet. Setting a group of IoT SIMs to use Private Garden helps ensure that no data is mistakenly sent to an unknown endpoint. However, it still allows devices to securely communicate with Soracom application services such as Beam, Funnel, Funk, and Harvest. This is ideal for devices that only need to send data to your cloud backend via Soracom services without exposing the device to the open web.
Additionally, Private Garden blocks remote access and device-to-device access, and connecting to other private networks is not supported, providing a strictly isolated environment for your data transmission.
Restricting Destinations (Whitelisting)
If you require internet access but need to restrict exactly which servers your devices can communicate with, you can use the Outbound Filter feature available with the Virtual Private Gateway (VPG).
An Outbound Filter allows you to configure specific IP addresses or domains that devices in the VPG are allowed to send data to. Any traffic attempting to reach a destination not on this whitelist will be blocked.
Whitelisting Device IPs on Your Server
To secure the connection on your server's side (e.g., whitelisting your devices in your firewall), you can assign Fixed Global IP addresses to your VPG.
When enabled, all internet-bound traffic from your VPG will originate from one of two fixed IP addresses. This allows you to easily set up IP-based filtering in your firewall or security policies to accept traffic only from these specific addresses.
Connecting to Your AWS VPC (Virtual Private Cloud)
Soracom Canal is a service that creates a private connection between the Soracom platform and your AWS VPC environment. Canal enables your IoT devices to reach AWS services and resources located inside your VPC without traversing the public Internet.
You can configure Canal settings to limit your IoT devices so they can only communicate with your VPC, effectively forming a closed, secure network.
Connecting to Your On-Premise Network or Other Virtual Network
Soracom Direct and Soracom Door allow you to create a private connection between the Soracom platform and your on-premise network or other cloud/virtual networks.
- Soracom Direct establishes a dedicated physical leased line connection.
- Soracom Door establishes a virtual VPN connection.
Similar to Canal, these services allow your IoT devices to securely reach services and resources located in your datacenter or on non-AWS cloud services.
Device Restrictions and Security
Soracom provides features to ensure your IoT SIM is only used with authorized devices and to prevent unauthorized data usage.
- IMEI Lock: This feature locks the SIM to the IMEI (International Mobile Equipment Identity) of the first device it connects with. If the SIM is moved to a different device with a different IMEI, network access will be blocked. If a mismatch occurs, the Error Logs will display:
  Subscriber {IMSI} is not allowed to create session: Device IMEI {IMEI} does not match configured IMEI {IMEI}.
- CHAP Authentication: This allows you to add an extra layer of username and password authentication on top of SIM authentication. Using CHAP authentication can help prevent a Soracom IoT SIM from being removed and used in an unauthorized device, as the new device will be required to provide additional authentication credentials before it can establish a network connection.
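As an added example (not Soracom's code or part of the original article), the following Python snippet parses Error Log entries in the IMEI Lock mismatch format quoted above, groups them per IMSI, and flags any SIM that has been tried in more than one foreign device, which is the pattern you would want to alert on. The log lines and all IMSI/IMEI values are constructed for this example.

```python
import re

# Pattern for the IMEI Lock mismatch entry shown in the Soracom Error Logs.
# The {IMSI}/{IMEI} placeholders in the article are digit strings in real entries.
MISMATCH_RE = re.compile(
    r"Subscriber (?P<imsi>\d{5,15}) is not allowed to create session: "
    r"Device IMEI (?P<seen>\d{14,16}) does not match configured IMEI (?P<locked>\d{14,16})\."
)


def parse_mismatch(line):
    """Return {"imsi", "seen", "locked"} for a mismatch entry, or None for any other line."""
    m = MISMATCH_RE.search(line)  # search() tolerates a timestamp or other prefix
    return m.groupdict() if m else None


def summarize(lines):
    """Group mismatch entries per IMSI.

    Returns {imsi: {"locked": configured IMEI, "attempts": count,
                    "seen": sorted list of distinct rejected IMEIs}}.
    """
    out = {}
    for line in lines:
        rec = parse_mismatch(line)
        if rec is None:
            continue
        entry = out.setdefault(rec["imsi"], {"locked": rec["locked"], "attempts": 0, "seen": set()})
        entry["attempts"] += 1
        entry["seen"].add(rec["seen"])
    for entry in out.values():
        entry["seen"] = sorted(entry["seen"])
    return out


def flag_reused(summary, min_devices=2):
    """IMSIs rejected from at least `min_devices` distinct IMEIs: a SIM moved between devices."""
    return sorted(imsi for imsi, e in summary.items() if len(e["seen"]) >= min_devices)


# Constructed sample log lines; IMSI and IMEI values are made up (not real subscribers).
SAMPLE_LOG = [
    "Subscriber 001010000000001 is not allowed to create session: Device IMEI 490154203237518 does not match configured IMEI 356938035643809.",
    "Subscriber 001010000000002 is not allowed to create session: Device IMEI 352099001761481 does not match configured IMEI 490154203237518.",
    "Subscriber 001010000000001 is not allowed to create session: Device IMEI 352099001761481 does not match configured IMEI 356938035643809.",
    "Subscriber 001010000000003 created session",  # constructed non-matching line, ignored
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for imsi in flag_reused(report):
        print(f"ALERT {imsi}: tried in {len(report[imsi]['seen'])} devices, locked to {report[imsi]['locked']}")
```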
Inbound Access and Encryption
In addition to controlling outbound traffic, Soracom provides inherent security features for inbound protection:
- Private IP Addresses: Devices using Soracom IoT SIMs are assigned private IP addresses by default. This prevents potential attackers from directly accessing the device over the public Internet.
- Encryption: Communication from a device to a local cellular provider's base station and switching station is encrypted. Furthermore, the connection between the switching station and Soracom is maintained via a closed network, reducing the risk of eavesdropping or unauthorized access.