What is an APN?
APN stands for “access point name.” Created to provide a connection point between a cellular network and the Internet, an APN can also help separate cellular traffic from other general purpose networks.
Think of the APN as the SSID of a cellular network. Just as you can have multiple SSIDs on the same router or Wi-Fi access point, you can have several APNs on the same cellular tower, each with its own security settings and controls.
On a single IoT device, you can set one or more APNs—and you must be connected to one in order to get any network resources, receive an IP address, or pass data over the network. You also have the option of connecting to multiple APNs at once with a single device.
Network administrators can see the data that a device sends over an APN, and can apply rules on how to treat that traffic on the network. For example, a particular APN might have certain settings regarding firewalls, M2M data routing, or which gateway is used to link to the internet. The path your data travels will depend on which APN you’re connected to and how it’s configured on the network side.
Ultimately, the APN serves as a doorway between your device and the wider network (either a private network or the internet)—a doorway with particular settings or security instructions attached to it.
What’s the Difference Between a Private APN and a Public APN?
An APN can come in two basic flavors: public and private. Many mobile network operators (MNOs) offer users a public APN that comes with a basic set of configurations for connecting to the internet. It provides for typical tasks that users do on the network, and it is often shared by many customers. The public APN might include some security features such as firewalling access from outside internet devices, which prevents one device from talking to another if it’s not recognized in the network. Ultimately, the public APN gives you a simple, vanilla configuration that gets you access to the network, but it doesn’t let you customize the settings and security features you might need for an IoT deployment.
On the other hand, a private APN allows you to drill down and customize network settings. With it, you can build a network that’s tailored to your needs. In the past, you’d have to roll out extensive infrastructure to achieve a truly private APN, but today, attaining the same level of network personalization is becoming simpler. If you’re on an APN backed by a software-defined network (SDN), you can essentially build your own virtual mobile network without the added expense of creating physical infrastructure.
Do I Need a Private APN for My IoT Deployment?
Depending on your use case, you might not need a private APN for your IoT deployment. But because a private APN (or another option that can offer the same functions) gives you the power to implement your own firewall rules and security settings instead of using defaults, it offers many useful tools. For example, if you’re launching a product and want to reduce your attack surface, a private APN can help protect your devices by keeping them off the public internet.
Some other advantages of choosing a private APN include the ability to customize your IP address space, restrict inbound access to devices behind a firewall with a virtual private network (VPN), and route traffic through a VPN tunnel. You can also use a private APN for outbound firewalling, if you need to restrict the destinations your devices can connect to, or to create a second layer of data encryption.
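The two controls described above, a private address space and outbound firewalling, can be checked against a device fleet. The following is an added example, not code from the original article or from any provider: the address plan, allow-list entries, device IDs, APN names, and flow records are all constructed assumptions.

```python
import ipaddress

# Assumed address plan a private APN would hand out (RFC 1918 + RFC 6598).
PRIVATE_PLAN = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Assumed outbound allow-list: (destination network, port) pairs devices may reach.
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.20.0.0/24"), 8883),   # MQTT over TLS broker behind the VPN
    (ipaddress.ip_network("10.20.1.10/32"), 443),   # firmware update server
]

# Constructed inventory: (device ID, APN, assigned IP).
DEVICES = [
    ("gate-001", "private.example", "10.176.4.21"),
    ("gate-002", "private.example", "100.64.12.9"),
    ("meter-117", "public.example", "203.0.113.45"),
]

# Constructed flow records: (device ID, destination IP, destination port).
FLOWS = [
    ("gate-001", "10.20.0.5", 8883),
    ("gate-001", "10.20.0.5", 1883),      # plaintext MQTT port, not on the allow-list
    ("gate-002", "198.51.100.7", 443),    # destination outside the allow-list
    ("gate-002", "10.20.1.10", 443),
]

def exposed_devices(devices):
    """Return IDs of devices whose address falls outside the private plan."""
    out = []
    for dev_id, _apn, ip in devices:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in PRIVATE_PLAN):
            out.append(dev_id)
    return out

def egress_allowed(dst_ip, dst_port):
    """True if the destination matches an allow-list entry (default deny)."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and dst_port == port for net, port in EGRESS_ALLOW)

def egress_violations(flows):
    """Return the flows a default-deny outbound firewall would block."""
    return [f for f in flows if not egress_allowed(f[1], f[2])]

if __name__ == "__main__":
    print("outside private plan:", exposed_devices(DEVICES))
    for dev, ip, port in egress_violations(FLOWS):
        print(f"blocked: {dev} -> {ip}:{port}")
```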
Wait, What is a VPN?
A virtual private network (VPN) extends a private network across a public network, allowing you to share data across the public network as if you’re connected to a private network. In essence, it’s a tunnel that allows one private network to connect to another via the public internet—while maintaining the security and privacy of both private networks. To achieve that, the VPN encrypts and authenticates all traffic traveling through the tunnel.
Companies that establish a private APN often get a VPN link to connect their private APN with the company’s own private network, whether it’s on premises or in the cloud. If you use a VPN to connect your company’s private networks, you can draw a big circle around those networks and call that your wide-area network (WAN). Mobile devices on the WAN are still isolated from other mobile devices on other APNs. Even though the VPN tunnel might traverse the public internet or another public network, it still maintains privacy, giving you the same benefits as an internal private network.
What Are the Alternatives to a Traditional Private APN?
Private APNs offer enhanced configurability, device security, and data privacy. But they can be expensive and slow to establish, often requiring the build-out of additional network infrastructure that you might not be planning to create or maintain. The good news is, thanks to recent innovations around software-defined networks (SDNs), there are other options that can deliver the same privacy and WAN capabilities without needing to support a private APN. Let’s take a look at a few of those alternatives.
- Shared Private APN
In one sense, a shared private APN is similar to a public APN because you don’t need to spin off additional APNs, but it’s backed by a customizable and secure SDN. It’s a network that allows you to create additional virtual segments and apply different policies and settings as needed. Choosing a shared private APN can decrease your time to market and upfront costs, and it gives you self-service access: rather than having network engineers build a network for you, you can manage your own WAN and do a lot of your own customizations. If you know what your end goal is and how to make those adjustments, it’s an advantage to be able to access and configure the network yourself. And since this option is software-defined (rather than configured on physical infrastructure), your network can evolve along with your business. Spacebridge allows you to bridge your private network with the Hologram SDN, enabling secure point-to-point access. It acts like a virtual APN, giving you full inbound access to your devices and enabling greater agility and security.
- API for Cloud-to-Device Messaging
Some use cases require a persistent or session-based connection, and for that they need a VPN tunnel or a solution like Spacebridge that allows for constant connections to be tunneled into the network. But what about use cases where devices are not constantly connected? For example, if you want to unlock a gate, open a garage door, or send a command to a device to perform an action, you don’t need a persistent network connection. To accommodate these IoT use cases, Hologram also offers an API for sending short commands. Traditionally, a VPN or similar solution would require you to have a private network, or build a virtual one, to set up this networking infrastructure. Hologram’s cloud-to-device messaging function doesn’t require you to maintain any of these tunnels. All you need is a device ID and a message, and it will be delivered to the device. Depending on your application, this option can reduce costs and enable scalability.
- Application-Layer Solutions
In some cases, application-layer solutions will make fine alternatives to establishing a private APN. For example, the MQTT protocol is an alternative to cloud-to-device messaging, and you don’t need to set up anything to use it if your device already has it or a similar burst protocol configured. Another workaround is the device-based VPN or WAN solution, where the device connects to your network over a VPN or similar protocol. Implementing security at the application layer is always a best practice, but be sure to weigh the pros and cons of each addition. Application-layer solutions tend to add complexity, making it more difficult to push a new solution down to the endpoints (because the devices may not support it).
What Are the Trade-Offs?
If you’re deliberating between building a traditional private APN and choosing an alternative, there aren’t many trade-offs these days. If your provider only offers a private APN option, that may be the only path available to you—but if you’re working with Hologram or another provider that supports software-defined network solutions, you have simpler, faster, less costly options that offer all the same benefits of a private APN without the need to construct your own network.