SORACOM Developers


SORACOM Gate Usage and Device Access


SORACOM Gate (below, “the gate”) is a service for connecting your devices and network over a LAN, realizing secure connectivity to IoT devices. By creating a server that will act as the gateway in your network (below, “the gate peer”) and establishing a virtual L2 network with SORACOM VPG, you’ll enable secure VPC-to-device connections as well as communication between devices.


This guide details a six-step procedure, from gate set-up to connection confirmation.

The guide assumes the following:

Step 1: Establish SORACOM Canal environment

For this step, please use“Getting Started: SORACOM Canal”and follow the steps in the order listed to connect within a closed network. Step 1 is finished when the VPC and EC2 instance are ultimately established and you are able to connect to the EC2 instance on your VPC from your Air SIM-equipped device with a private IP address.

Step 2: Register EC2 instance to act as gate peer

Using the registerGatePeer API, register the private IP address of the gate peer (the EC2 instance installed to your VPC that acts as the device gateway). After configuration, gate peer-mediated device communication will be enabled through input of the VXLAN settings as described in Step 3.

$ soracom vpg register-gate-peer --outer-ip-address {gate_peer_private_ip} --vpg-id {vpg_id}

Once registration is complete, you’ll receive the gate peer configuration information as an API response. The outerIpAddress is the IP address allocated by the gate peer in the VPC, and the innerIpAddress is the IP address used within the VXLAN.

 "outerIpAddress": "{gate_peer_outerIpAddress}",
 "ownedByCustomer": true,
 "innerIpAddress": "{gate_peer_innerIpAddress}"

Step 3: [AWS settings] Input VXLAN settings into gate peer

Once the gate peer registration is complete, you’ll continue by configuring the VXLAN.

Configuration Using the AWS Management Console

First of all, in the AWS management console set up the gate peer’s EC2 security group to enable communications with the port/protocols that follow.

Next, remove the gate peer source/destination check in the AWS management console. These settings are necessary to allow gate peer-mediated communication from servers outside of the gate peer. For specifics regarding how to configure for these settings, please consult“Disabling source/destination check”in the Amazon VPC user guide.

Checking Gate Peer Information with SORACOM API

Next, you’ll execute SORACOM API. Using the listGatePeers API, check the VPG details, which will be needed during VXLAN configuration.

$ soracom vpg list-gate-peers --vpg-id {vpg_id}

Within the API response, the “’ownedByCustomer’: false” entry indicates the VPG’s IP address. Moreover, the “’owned by customer’: true” entry indicates the gate peer.

For the step that follows, you’ll need the VPG’s “outerIpAddress(,,” so take note of it now.

   "outerIpAddress": "",
   "ownedByCustomer": false,
   "innerIpAddress": ""
   "outerIpAddress": "",
   "ownedByCustomer": false,
   "innerIpAddress": ""
   "outerIpAddress": "{gate_peer_outerIpAddress}",
   "ownedByCustomer": true,
   "innerIpAddress": "{gate_peer_innerIpAddress}"

SSH Connection to Gate Peer and VXLAN Settings Input

Next, you’ll input VXLAN settings into the EC2 instance that will act as the gate peer. Establish a SSH connection with the gate peer and execute the commands in the order that follows with root permissions.

Configure the device routing settings.

# rmmod vxlan
# modprobe vxlan udp_port=4789
# ip link add vxlan0 type vxlan local {gate_peer_outerIpAddress} id 10 dstport 4789 dev eth0
# ifconfig vxlan0 {gate_peer_innerIpAddress}/9 up
# bridge fdb append 00:00:00:00:00:00 dev vxlan0 dst
# bridge fdb append 00:00:00:00:00:00 dev vxlan0 dst

Enable packet forwarding.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING  -o vxlan0 -j MASQUERADE

Step 4: Enable gate

Run the openGate API and activate the gate. With this, your VPC and devices will be connected over the VXLAN, allowing direct VPC-to-device access as well as communication between devices.

$ soracom vpg open-gate --vpg-id {vpg_id}

Once activation is complete, you’ll receive VPG and peer connection details as an API response.

  "operatorId": "OP999999999999",
  "vpgId": "{00000000-0000-0000-0000-000000000000",
  "type": 12,
  "status": "running",
  "useInternetGateway": true,
  "tags": {
    "name": "gate-getting-started"
  "createdTime": 1467007824685,
  "lastModifiedTime": 1467012076035,
  "primaryServiceName": "Canal",
  "vpcPeeringConnections": {
    "pcx-00000000": {
      "id": "pcx-99999999",
      "peerOwnerId": "000000000000",
      "peerVpcId": "vpc-99999999",
      "destinationCidrBlock": "{customer_vpc_cidr}"
  "virtualInterfaces": null,
  "gateOpened": true

Step 5: Confirm possibility of connection from gate peer to device

Once the settings from the previous step are complete, your VPC and devices will be connected by means of the gate. Now, you’ll check to make sure the gate peer can connect to the devices.

Once you’ve connected a device using an Air SIM, try to ping the device or access it using http.

Below is an example showing ping and http access to a Raspberry Pi connected to the network with a USB dongle. Canalization is in place using a private IP address.

[ec2-user]$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=816 ms
64 bytes from icmp_seq=2 ttl=64 time=403 ms
64 bytes from icmp_seq=3 ttl=64 time=423 ms
64 bytes from icmp_seq=4 ttl=64 time=422 ms

[ec2-user]$  curl
Hello World!

With the previous, set-up and connection testing for the gate is complete.

When you’re not using the gate, you can disable it with the closeGate API, stopping device access. However, when switching the gate between enabled/disabled states, please note that there will be a few seconds of interrupted communications.

Step 6: Delete unneeded resources

The SORACOM VPG/Canal and the AWS EC2 that acts as your gate peer all have usage costs associated with them. If unneeded, they can be deleted.

VPG Deletion

VPG Deletiondelete the VPG, you’ll first need to delete the VPC peer connection and remove the VPC peer group. Select “VPG” from the “Preferences” tab of the “Closed Network Connections” menu on the user console and remove the VPC peer connection and group.

Peer Connection Deletion and Group Removal

Once the VPC peer connection is deleted and the group removed, click the “Delete This VPG” button on the “Advanced Settings” tab. With this, the VPG will be deleted and the canalization settings for the group will be removed.

VPG Deletion

Gate Peer Deletion

Erase the EC2 instance acting as a gate peer from either the AWS management console or the API. For details, please consultthe Amazon EC2 user guideIf you used“Getting Started: SORACOM Canal”and started the instance using a cloud formation template posted to connect on a closed network, delete the cloud formation stack. You can find the deletion procedure inthe AWS Cloud Formation user guide

Getting Started

SORACOM Air for Cellular

SORACOM Air for Sigfox


SORACOM Canal/Direct/Door





SORACOM Inventory

SORACOM Junction



Service Detail

Developer Tools