IoT enterprise customers typically want a single point of contact and all their global connectivity under one contract. Mobile operators want to keep control over the customer even when the connection must be localized using eSIM.

However, the localization of eSIMs introduces new challenges because the control is handed over to the partner mobile operator. The partner mobile operator will treat the IoT device like any other local device.

In addition, most customers require a unified IoT service with the same policies, security settings, and IP address, no matter what network it connects to.
What if, for instance, customers want some traffic routed back home through secure connections and the rest of the traffic the closest route to the internet protected by firewalls?

This is a challenge in the localization case, where the traffic goes out on the local partner network.

The same challenges exist with the local breakout of the roaming traffic. That is one of the reasons home routing is the prevailing method.

A programmable hyperscale layer of IoT connectivity control, such as Enea Aptilo IoT CCS, will help mobile operators provide a unified IoT connectivity service across all partner networks while maintaining and developing customer relationships.

As discussed in the following sections, a hyperscale IoT connectivity control solution opens new possibilities.

Mobile operators can provide their customers with a global “IoT SD-WAN” and follow them wherever they go worldwide by deploying an Enea Aptilo IoT CCS instance at any AWS point-of-presence.

This will effectively reduce latency and help customers to comply with data protection regulations.

What enterprise customers want for their IoT devices is connectivity that provides the same amount of control and security as if they live on their corporate local area network (LAN). The only problem is that for cellular IoT, they live on the mobile network, and most customers also require this network to be extended globally.

So, the mobile operator must be able to deliver a secure and global software-defined wide area network (SD-WAN) for IoT to each customer, under one contract and with one customer support to turn to.

Enterprises also need this IoT connectivity service to be unified across country borders, with devices keeping the same IP address, policies, and security.

One enterprise VPN may not be sufficient as many customers need to split the IoT traffic from a device into different VPN connections.

For global connectivity, some traffic may need to go out locally. Learn more about policy-based local breakout on the next section and how to use hyperscalers to achieve this.

The service delivery and control must also be the same, whether through roaming or localization of eSIMs. However, when a mobile operator localizes a device, they lose control of the device to the local operator. So, it will be impossible for a mobile operator to offer such a global IoT SD-WAN, with a unified connectivity service, through a standard mobile core.

Since localization is a requirement in many markets for legal and commercial reasons, this is a huge problem. That is, until now! 

Fulfilling the vision of a Unified Global IoT Connectivity

Mobile operators offer Private APNs to their IoT enterprise customers, with the traffic terminated in an Enterprise VPN. This is not to be confused with client VPN. An Enterprise VPN is a connection toward the enterprise network that is always on. A client VPN could well run through the enterprise VPN as well as out to a destination on the Internet. With Enea Aptilo IoT CCS, they can take things one step further by providing a Multitenancy Private APN. Private, because we use Enterprise VPN between us and the enterprise network. Multitenancy, because mobile operators only have to extend one APN to IoT CCS to serve all their customers with a Private APN.

Benefits for both MNOs and IoT customers

Through their customer self-management portals, mobile operators can automate the setup of VPNs and do not have to deal with creating a unique APN for each customer. Our experience with the first IoT CCS deployments shows mobile operators can reduce their VPN onboarding process from many weeks to a few minutes, handled by their customers instead of by expensive operations resources.

Using only one joint APN is also beneficial for mobile operator customers. If the customer needs to change the APN, the IoT device logic may need updating. Updating thousands of devices is a complex operation, especially in remote locations. However, the IoT CCS service reduces the need for these critical updates because one APN can point to multiple VPN connections acting as virtual APNs.

Creating a global IoT SD-WAN

Mobile operators’ Private APN offerings terminate through only one Enterprise VPN connection. With IoT CCS, mobile operators can do away with this limitation. IoT enterprise customers can create as many VPN connections as they need. These VPN connections can also include trusted partner networks. For instance, an automotive manufacturer may want to send data to a manufacturer of batteries, suspensions, etc. The mobile operator’s IoT customer gets a software-defined wide area network (SD-WAN) rather than a Private APN.

IoT devices that are roaming through partner networks or localized are, of course, also included in this SD-WAN. To provide global connectivity with local subscriptions, mobile operators can add international MNO partners or the global connectivity hub functionality offered by, e.g., Ericsson IoT Accelerator, to their instance of the IoT CCS service. Thanks to the policy-based IP assignment and central security and policy control, operators can deliver a unified IoT service across all these cellular networks. Even for eSIMs localized to an international MNO partner, they can maintain this control.

One benefit of using hyperscalers such as AWS is that the IoT connectivity control and breakout can be located wherever the public cloud is available, which in practice means in any region or large country.

This will enable policy-based local breakout for localized devices. Selected IoT traffic, such as firmware upgrades or sensitive analytics, will go through Enterprise VPN tunnels while the rest of the traffic will go the closest route to the internet protected by firewalls.

The Enea Aptilo IoT CCS can be deployed to create a unique and unified global IoT connectivity service with policy-based local break-out. This is something that mobile operators cannot make in any other traditional way for 3G/4G.