SORACOM Developers


Using the Private Garden function

Introduction

When Soracom SIMs are ‘Online’, they cannot be reached from the Internet, because they have private IP addresses behind a NAT Gateway. However, by default, devices can initiate outbound connections to any Internet address. The Private Garden feature lets you limit outbound connections from your SIM cards, effectively preventing them from accessing the Internet, except for destinations you specify. This improves the security posture of your IoT deployment.

With Private Garden enabled, your devices can only reach Soracom’s application services, specifically the Beam, Funnel, and Harvest endpoints. In other words, you configure destinations for your data in the Soracom console, and the device cannot make outbound connections to anywhere else.

To use this feature, we use a Soracom-managed VPG (Virtual Private Gateway), with no VPG “basic fee”. Please note that using Private Garden does incur SORACOM Air VPG usage charges ($0.05 per SIM per day).

In this document we will explain how to use Private Garden. The prerequisites for this document are:

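The steps are:

  Step 1: Enable Private Garden on a Soracom Air Group
  Step 2: Add Air SIMs to the Group with Private Garden Enabled
  Step 3: Configure Beam, Funnel or Harvest to deliver your data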

Step 1: Enable Private Garden on a Soracom Air Group

To enable Private Garden on a Soracom Air Group:

  1. Log into the Soracom Console, click on Menu (top right corner), and then, under the ‘Cellular’ menu section, click on “Groups”.
  2. Click on an existing Group, or click the “+ Add” button to create a new Group.
  3. Once viewing the Group configuration, click to expand the “SORACOM Air for Cellular” configuration section, under the ‘Basic Settings’ tab.
  4. Scroll down to the “Virtual Private Gateway Settings” section, and click the slider to turn this ON.
  5. Then, in the drop down list, select “Private VPG for Private Garden (PrivateGarden)”
  6. Click on ‘Save’ to apply this configuration to your Soracom Air Group.

Step 2: Add Air SIMs to the Group with Private Garden Enabled

Use the Change Group feature to add SIMs to the Group with Private Garden enabled in Step 1. You may want to refer to the Getting Started Guide “How to use the user console: Change group of Air SIM” for how to do this using the Console.

Note:
When changing the VPG setting of the Air SIM group, it is necessary to recreate the 3G / LTE session to change the flow of data.

For existing devices, you will need to recreate the session. You can do this on the device, or in Soracom. Be sure that your remote devices have cellular session reconnection capability.

Step 3: Configure Beam, Funnel or Harvest to deliver your data

Once in the Group with Private Garden enabled, your device cannot reach Internet addresses directly.
To deliver your data, you instead use one of the following Soracom services:

  - SORACOM Beam
  - SORACOM Funnel
  - SORACOM Harvest

Example Beam configuration:

Here is an example configuration using Beam to deliver to a server of our choice called “beamtest.soracom.io”. We configure an HTTP endpoint to which our device sends requests. Beam will relay those requests to “beamtest.soracom.io” using HTTPS.

In the Group configuration (from Step 1), click the [+ ▼] button in the [SORACOM Beam] configuration section.
Select the HTTP entry point from the displayed menu.


In the configuration dialog, set necessary items as below and click the [Save] button at the end. You can use your own server instead of “beamtest.soracom.io”.


Now, when your device makes requests to http://beam.soracom.io:8888, the IMSI of the Air SIM will be displayed (our beamtest server is running a simple echo application to respond).
beam.soracom.io is a service which converts your request to HTTPS and sends it to the server of your choice; in this example, to beamtest.soracom.io. Beam has many other features you can explore at https://dev.soracom.io/en/start/beam/ .

The following is an example of the output when accessed from a Raspberry Pi. (It is also possible with a smartphone browser.)

pi@raspberrypi:~$ curl http://beam.soracom.io:8888
Hello SORACOM Beam Client xxxxxxxxxxxxxxx !

Your device can now connect to beam.soracom.io, but it cannot make connections to any other Internet addresses.
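
To confirm on the device that the restriction described above is actually in effect, the following added example (not part of the original page and not Soracom's own code) probes the Beam entry point and one ordinary Internet destination and reports a verdict. It assumes curl is installed; `CONTROL_URL` is a placeholder destination and `IFACE` is an optional, hypothetical interface name for the cellular link.

```shell
#!/bin/sh
# Added example: check from the device that Private Garden filtering is in effect.
# Assumptions (not from the original page): curl is installed, CONTROL_URL is a
# placeholder for any destination that is not a Beam/Funnel/Harvest endpoint,
# and IFACE optionally names the cellular interface (for example ppp0).

BEAM_URL="http://beam.soracom.io:8888"   # Beam HTTP entry point used on this page
CONTROL_URL="https://example.com/"       # placeholder for an ordinary internet host
TIMEOUT=10                               # seconds to wait before calling it blocked
IFACE="${IFACE:-}"                       # set to force probes over the SIM link

# probe URL: succeeds if any HTTP response comes back, whatever its status code.
probe() {
    curl --silent --output /dev/null --max-time "$TIMEOUT" \
        ${IFACE:+--interface "$IFACE"} "$1"
}

# Returns 0 = filtering enforced, 1 = internet still reachable, 2 = inconclusive.
check_private_garden() {
    if probe "$BEAM_URL"; then beam=up; else beam=down; fi
    if probe "$CONTROL_URL"; then inet=up; else inet=down; fi
    case "$beam/$inet" in
        up/down)
            echo "OK: Beam reachable, $CONTROL_URL blocked"
            return 0 ;;
        up/up)
            echo "FAIL: $CONTROL_URL is reachable; check the Group's VPG setting," \
                 "recreate the cellular session, or set IFACE if another uplink exists"
            return 1 ;;
        *)
            echo "INCONCLUSIVE: Beam not reachable (beam=$beam internet=$inet);" \
                 "confirm the SIM session is online and Beam is configured"
            return 2 ;;
    esac
}

# Run the check only when invoked as: sh check_private_garden.sh run
if [ "${1:-}" = "run" ]; then
    check_private_garden
    exit $?
fi
```

On a device with a second uplink such as Wi-Fi or Ethernet, set `IFACE` so that both probes leave through the SIM; otherwise the control probe can succeed over the other link and produce a false FAIL.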

Note

When using the Private Garden function, the VPG option usage fee ($0.05 per SIM per day) will be charged. This applies to each SIM, for each day it belongs to the Group with the Private Garden VPG enabled.

If you no longer require the Private Garden feature, please turn off the VPG setting or remove the Air SIMs from the group.
