Hologram vs Aeris: how do private networking options (private APN/VPN) compare for security reviews?
IoT Connectivity Platforms

Hologram vs Aeris: how do private networking options (private APN/VPN) compare for security reviews?

8 min read

Most security teams evaluating cellular IoT vendors narrow in on one core question: how does this provider keep device traffic off the public internet and under my control? For Hologram and Aeris, that answer hinges on their private networking options—private APNs, VPNs, and how they integrate with your existing security review process.

Quick Answer: Both Hologram and Aeris offer private networking via private APNs and VPNs, but they differ in how deeply this is integrated into a software-defined, multi-carrier IoT stack. Hologram leans on a Software-Defined Network (SDN), strong segmentation, and API-first fleet management to give security teams granular control and observability across 190+ countries and 550+ carriers—without exposing device traffic to the public internet or juggling multiple carrier portals.

Why This Matters

If you’re connecting medical devices, payment terminals, industrial controls, or anything that can trigger a regulatory audit, “just use LTE” isn’t a security strategy. Your reviewers will ask:

  • How is device traffic segmented from the public internet?
  • Who can initiate connections—devices only, or any host on the internet?
  • How do you enforce least privilege, logging, and incident response across carriers and countries?

Private APNs and VPNs are how you answer those questions. The right approach lets you:

  • Prove data never traverses the public internet unencrypted.
  • Centralize access control and monitoring in your existing network stack.
  • Survive carrier outages or changes without redoing all your security approvals.

Key Benefits:

  • Tighter attack surface: Private APNs and VPNs keep device traffic inside controlled, authenticated paths instead of open internet routes.
  • Audit-ready architecture: Clear segmentation, logs, and policy controls map cleanly to frameworks like HIPAA, PCI, and GDPR.
  • Operational resilience: Private networking that works across 550+ carriers, with redundancy and failover, reduces downtime-driven security exceptions.

Core Concepts & Key Points

ConceptDefinitionWhy it's important
Private APNA dedicated cellular network identifier that routes SIM traffic through a logically isolated network path instead of the public internet.Lets you restrict where device traffic can go, apply custom routing, and integrate directly into your private network or cloud VPC.
VPN for IoTAn encrypted tunnel (IPsec, SSL, etc.) between the IoT connectivity provider’s core network and your data center or cloud environment.Ensures end-to-end encryption and single controlled ingress/egress point for all device traffic—critical for regulated workloads.
Software-Defined Network (SDN)A programmable network fabric that uses segmentation, policy, and centralized control to manage traffic across many carriers and regions.Gives security teams consistent controls—firewalls, authentication, segmentation—regardless of carrier, SIM type, or geography.

How It Works (Step-by-Step)

From a security review perspective, here’s how Hologram’s private networking model typically comes together and how it contrasts with a more traditional Aeris-style deployment.

  1. Define the trust boundary

    With Hologram, you start by deciding what “private” means for your fleet:

    • Should devices be able to reach the open internet at all?
    • Do you want all traffic forced into a specific cloud VPC or on-prem network?
    • Are there separate environments (e.g., QA vs production, EU vs US) that need isolation?

    Hologram’s SDN and private networking options (private APN + VPN) let you define these trust boundaries once and apply them across all 190+ countries and 550+ carriers your devices may roam onto.

  2. Establish a private APN and routing

    A private APN on Hologram:

    • Provides a unique APN value that your devices use instead of a generic/public APN.
    • Routes traffic through Hologram’s Software-Defined Network, not directly out to the public internet.
    • Uses network segmentation and authenticated traffic control so only your SIMs can use that APN.

    With Aeris (or any traditional IoT carrier), a private APN often maps closely to a single core or region—still helpful, but you may have to align multiple private APNs as you span carriers or geographies. That’s where Hologram’s SDN model stands out: the private APN is one logical control plane layered on top of a multi-carrier, multi-core footprint.

  3. Terminate into your private network via VPN

    Next, you create an encrypted tunnel from Hologram’s core network to your environment:

    • Site-to-site IPsec VPN into your on-prem DC or firewall.
    • VPN or private interconnect into your cloud VPC (AWS, Azure, GCP).
    • Multiple tunnels if you segment by region or environment (e.g., EU-only processing).

    Hologram’s approach aligns with compliance frameworks:

    • End-to-end encryption ensures Hologram has zero access to customer or device payload data.
    • Network segmentation and authenticated traffic control enforce least privilege at the network level.
    • Hologram’s operations comply with standards like HIPAA, PCI, GDPR, and GSMA SAS—language your security reviewers expect.

    Aeris also supports VPN-based private connectivity, but typically with more carrier- and region-specific design work. Security teams often have to map each APN or region separately in their threat models.

  4. Apply segmentation, firewalls, and policies

    Once the tunnel is up, you treat IoT traffic like any other high-trust segment:

    • Lock down inbound access so no external host can “dial into” devices unless explicitly allowed.
    • Use your firewalls to constrain device egress destinations (e.g., specific message brokers, APIs).
    • Implement IDS/IPS or logging on the VPN termination point for continuous monitoring.

    Hologram’s SDN does additional heavy lifting:

    • Network segmentation keeps your fleet isolated from other customers by design.
    • Authenticated traffic control ensures only your SIMs can generate traffic on your private path.
    • End-to-end encryption means the provider cannot inspect payloads even though they manage connectivity.

  5. Monitor and automate via Dashboard & API

    Where Hologram differs most in day-two operations is observability and automation:

    • Dashboard: Single pane of glass for SIM state, data usage, locations, and connectivity health.
    • APIs: You can integrate SIM lifecycle actions (activate, hibernate, revoke) into your own systems and workflows.
    • Reporting: Detailed usage and connection metadata help trace incidents without logging into multiple carrier portals.

    This matters for security reviews because:

    • You can demonstrate real-time visibility into every SIM, globally.
    • You can show automated controls (e.g., auto-disabling a SIM on suspicious activity).
    • You avoid the “it’s the carrier, not us” black box that often frustrates auditors.

    Aeris provides management tools as well, but Hologram’s focus on a single, shared pane of glass across 550+ carrier relationships reduces the operational complexity your security team has to model.

Common Mistakes to Avoid

  • Treating private APN as a checkbox instead of an architecture:
    Don’t stop at “vendor supports private APNs.” For your security review, document how that APN is routed, which cores and carriers it spans, and how traffic reaches your infrastructure. With Hologram, explicitly call out the SDN, segmentation, and VPN termination points.

  • Ignoring failover paths in your threat model:
    If failover changes where traffic originates (e.g., different mobile core, different country), your reviewers will want to know. Hologram’s Outage Protection SIMs use a 2nd mobile core for automatic fallback while preserving your private networking controls—make sure your design covers this. With more traditional setups, you may need separate security approvals for each core or carrier.

Real-World Example

In one of my previous roles, we ran a fleet of security camera gateways across retail locations in multiple countries. The first connectivity vendor we used gave us a private APN but no real abstraction layer—every time we expanded into a new region, we had to:

  • Spin up another APN variant.
  • Establish a new VPN tunnel.
  • Re-run internal security reviews because the traffic path changed.

During a major carrier core outage, we lost connectivity and had no fallback. Worse, our security documentation assumed a single fixed path, so emergency workarounds (including temporarily routing some traffic over the public internet) created audit headaches.

The migration to a Hologram-style architecture looked different:

  • We deployed Hologram SIMs with a private APN mapped into a VPN terminating in our cloud VPC.
  • Hologram’s SDN gave us consistent segmentation and firewalling, regardless of which of the 550+ carrier networks a device was actually on.
  • When we introduced Outage Protection SIMs, we gained dual-core redundancy without redesigning our security architecture—the private networking and VPN stayed the same logical control plane.

In a security review, that meant:

  • One documented trust model we could reuse across regions.
  • Clear language about encryption, segmentation, and authenticated access.
  • A defensible story about how we’d maintain both availability and confidentiality during outages.

Pro Tip: When you evaluate Hologram vs Aeris, ask each provider to draw the exact traffic path for a device in three scenarios: normal operation, roaming to another carrier, and during a mobile core outage. Then ask how your private APN/VPN, firewalls, and logs behave in each case. Favor the design that changes as little as possible while still providing failover.

Summary

For security reviews, the difference between Hologram and Aeris on private networking isn’t just “who offers a private APN or VPN”—it’s how those tools fit into a global, multi-carrier architecture and how much complexity your team has to own.

  • Hologram offers private APN and VPN options on top of a Software-Defined Network with segmentation, firewalls, authenticated traffic control, and end-to-end encryption—backed by compliance with HIPAA, PCI, GDPR, and GSMA SAS. You get consistent controls across 190+ countries and 550+ carriers plus dual-core failover options (Outage Protection) without redoing your security design.

  • Aeris provides private APN/VPN as well, but typically with a more carrier- or region-bound model, which can turn into multiple traffic patterns that your security team has to document, review, and monitor separately.

If your devices handle regulated data, impact safety, or absolutely cannot go offline, gravitate toward a private networking approach that treats connectivity like software: redundant by design, observable in a single pane of glass, and controllable via API.

Next Step

Get Started

Back to IoT Connectivity Platforms

Keep Reading

More from IoT Connectivity Platforms

How do I set up Hologram private networking or VPN for secure device telemetry?

Read more

How do I automate SIM lifecycle actions with the Hologram REST API (activate/suspend, usage reporting, alerts)?

Read more

Who do I contact at Hologram for enterprise pricing (data pools, custom network configs, zero fees for inactive SIMs)?

Read more