How to Set Up and Use a Super SIM VPN
New Connections Paused
Twilio's IoT business unit was acquired by KORE. While we are in the process of migrating infrastructure from Twilio to KORE, we have paused adding new VPN connections. If you are looking to use Super SIM but a VPN connection is critical to your use case, please conact us.
Super SIM VPN is in Private Beta . Once you determine that a VPN connection is appropriate for your IoT use case, please reach out to your IoT sales specialist or contact KORE to learn more about the process of setting up your VPN connection. You can take a look at Known limitations below.
Super SIM VPN (Virtual Private Network) establishes a secure private network between Twilio and your application data center, and ensures your Super SIM-connected devices use this private network for data communications.
With a regular Internet breakout, the traffic from Super SIM-connected devices will go over the Internet and get routed to your application data center. When a VPN is used, the same traffic is sent over a secure and private tunnel as shown below:
With a VPN, you get these benefits:
A secure channel — The traffic moving between Twilio and your cloud is strongly encrypted.
A private end-to-end network — Your IoT devices will appear as an extension of your private application cloud.
Extended session duration — When an IoT device's traffic goes through a VPN, there are no NAT or Firewall timers to mitigate.
A static private IP address for each device — You can reach the device at a known address from your application cloud.
Do I need a VPN?
Most IoT use cases don't require a VPN, and you shouldn't opt for one if your application won't benefit from it. This is because setting up and maintaining a VPN connection involves increased complexity, and it comes at an additional monthly cost. Please review your use case with your IoT specialist at Twilio to determine if it warrants a VPN connection.
If you do decide that your application needs a Super SIM VPN, this guide will show you how to set it up and use it.
VPN compatibility and requirements
You can use whichever VPN gateway product you prefer, but it must be compliant with the well-established IKE v1 and v2, and IPSec standards. Both hardware-based and software-based VPN gateways are supported.
Your peer IP needs to be static.
Known limitations
When the component of the Twilio Mobile Core responsible for routing traffic over VPNs is deployed, traffic needs to be moved from each of the existing instances of the component to the new instances. Currently, when this handover happens, downlink dataflows (data to the device) will experience packet loss as the old instance is replaced by a new one for up to 60 seconds (typically 10 to 20 seconds). Uplink flows (data sent from the device) will not be affected. However, for any requests made from the device that need to receive a response (e.g. a TCP handshake), the downlink portion will suffer packet loss. Once the new instance has taken over, devices will be able to exchange data over the VPN again without packet loss. Our team is exploring improvements to this infrastructure that will allow us to deploy this component without interruptions; however, we have no current timeline.
Deployments of this component typically will occur during western European business (daytime) hours and will typically be deployed every few weeks but frequency may vary depending on need. When possible, we will release changes together to limit deployments and interruptions.
Set up your VPN connection
The first step is to contact KORE to request access to the VPN Beta Program.
You will receive a VPN setup questionnaire which is used to collect essential setup information, including your VPN gateway details, your encryption domains (private IP subsets used in your data center), and your IKEv1/IKEv2 and IPsec details. The setup questionnaire also provides the information you will need about Twilio's VPN gateway.
The answers you provide via the setup questionnaire are used to provision your VPN on Twilio's VPN gateway. Each customer gets their own VPN connection.
If your application exists within an Amazon Web Services (AWS) Virtual Private Cloud (VPC). You can easily connect your AWS hosted application to a Super SIM VPN via an AWS Site-to-Site VPN. We have a separate guide to help you through this process using the AWS Console.
Once your VPN connection is established on Twilio's VPN gateway, a unique pre-shared key (PSK) is generated and shared with you via Twilio Secure Data Transfer System.
You can then use the PSK, Twilio's VPN gateway details from the setup questionnaire, and your own encryption domains to provision your VPN gateway and initiate a VPN connection. If the gateway provisioning is performed correctly, the VPN connection will come up straight away. If this does not occur, Twilio will help you find and fix any issues.
Twilio will use 100.112.0.0/12 for allocating static private IP addresses for your devices. Please make sure you are not using this range for the subnets in your application cloud behind your VPN gateway. If your IoT device acts like a router and provides connectivity to other devices attached to it, please make sure you don't use 100.112.0.0/12 in that subnet.
Enable VPN for your devices
The following content covers how to use your VPN Connection with Super SIM once it's been configured. You must be logged into Console and have access to the Private Beta to access it. Please reach out to your IoT sales specialist or contact KORE to learn more about Super SIM VPN and how to gain access to the Private Beta.
1. Get your VPN connection SID
Once the VPN connection has been established, you will need to obtain its SID from the Interconnect > Connections page in the Twilio Console:
You'll find Interconnect in Console's Super Network section.
Click on your VPN's name to take you to the VPN details page, and copy the SID:
We recommend taking the opportunity to give your VPN a memorable name at this point.
2. Enable VPN for a Fleet
You enable devices' VPN usage at the Fleet level. We recommend that you create a new Fleet for the devices that will connect via your VPN, and maintain separate Fleets for VPN- and Internet-connected devices. By default, every new Fleet of devices uses Twilio's default Internet breakout, but this can be easily switched to the new VPN.
To set a Fleet's devices to connect via VPN, go to Internet of Things > Super SIM > Fleets in Console, click the Create Fleet button, name and configure the new Fleet, and enter your VPN's Connection SID under the VPN section:
Once you specify a VPN for a Fleet, any SIMs that you subsequently assign to that Fleet will automatically use the VPN connection. If the SIM was already connected via the Internet — for example, if you have just re-assigned it to the VPN-enabled Fleet — then it will use the VPN on its next attach. When you remove the SIM from a VPN-enabled Fleet, it will stop using the VPN at the next attach.
A new attachment can be triggered using the Connectivity Reset option on the SIM's details page in Console.
Use the VPN
Any SIMs you assign to a VPN-enabled Fleet will automatically start using the Fleet's VPN connection. There is nothing more to do. When the VPN is being used, your devices can reach the application servers in your data center and vice versa through the secure VPN connection.
Get a device's IP address
Every SIM in a VPN-enabled Fleet is assigned its own private static IPv4 address. This address is assigned to the Super SIM when it first attaches — it is the actual IP address used by SIM's host device. After the initial assignment, the IP address persists within the SIM, and your device will be assigned the same address provided that it is using the same SIM and that the SIM remains assigned to the VPN-enabled Fleet.
You can initiate sessions — SSH, browser-based HTTPS, ping, etc. — from your data center to the device using the corresponding static IP address.
There are three ways to retrieve a device's static IP address.
1. Console
The IP address assigned to a SIM is listed in Console on the SIM's details page:
2. The IpAddresses subresource API
This will output a JSON object containing an ip_addresses
object:
If the SIM is not assigned to a VPN-enabled Fleet, the value of ip_addresses
will be null
.
For more information on using this API, please see the IpAddresses subsresource documentation.
3. Connection Events Stream
If you are already subscribed to Super SIM Connection Events, you will get the static IP address assigned to your SIM as part of the "Data Session Started" event. There is no need to use either of the previous two methods to obtain the IP address assigned to the SIM.
To learn more about Super SIM Connection Events, please see Get Started with Super SIM Connection Events.
4. Update your devices' APN setting
VPN usage currently requires that devices use either of the APNs super
or us1.super
in place of all other Super SIM APNs. If you are using the Frankfurt breakout (de1.super
) or the Singapore breakout (sg1.super
), please update your devices to use super
or us1.super
in order to access VPNs.
For more details on setting APNs, please see How to Set a Device's APN for Super SIM.
Last updated