How do I set up Hologram private networking or VPN for secure device telemetry?
IoT Connectivity Platforms

How do I set up Hologram private networking or VPN for secure device telemetry?

10 min read

Most regulated or business-critical telemetry projects hit the same wall: the public internet is noisy, unpredictable, and hard to secure at scale. Private networking and VPNs with Hologram give you a way to move device data over cellular without exposing it to the open internet—while still keeping deployment, debugging, and scaling manageable.

Quick Answer: You set up Hologram private networking or VPN by defining a private IP space for your SIMs, establishing a secure tunnel (typically IPsec or WireGuard) between Hologram’s Software-Defined Network and your cloud or data center, and routing your device traffic through that tunnel instead of the public internet. From there, you use the Hologram Dashboard and APIs to enforce which devices can talk to which endpoints, monitor traffic, and automate lifecycle changes as your fleet grows.

Why This Matters

If your devices are sending telemetry for healthcare, payments, industrial controls, or security systems, “just put it on the internet over LTE” is not enough. You need to ensure only approved endpoints can talk to your devices, your data is encrypted in transit, and a single misconfiguration doesn’t expose an entire fleet.

Hologram’s Software-Defined Network (SDN) combines network segmentation, firewalls, and authenticated traffic control with a private networking or VPN overlay. That gives you:

Key Benefits:

  • Stronger security posture: Keep devices off the public internet, enforce allowlists, and meet compliance requirements like HIPAA, PCI, and GDPR using end-to-end encryption.
  • Operational control: Route telemetry into your VPC/VNet or on-prem network, control IP ranges, and observe traffic through a single pane of glass.
  • Scalable automation: Use the Hologram Dashboard and APIs to provision, test, and update VPN/private network settings as you add devices across 190+ countries and 550+ carriers.

Core Concepts & Key Points

ConceptDefinitionWhy it's important
Private networkingAssigning SIMs to a private IP space and routing their traffic through Hologram’s SDN directly to your environment instead of the public internet.Reduces attack surface, simplifies firewalling, and keeps telemetry flows predictable and auditable.
VPN tunnel (IPsec / WireGuard)An encrypted connection between Hologram’s network and your cloud VPC/VNet or data center, often site-to-site.Ensures telemetry is encrypted end-to-end and never traverses the internet in the clear, supporting HIPAA/PCI-style compliance.
Traffic control & segmentationUsing Hologram firewalls, ACLs, tags, and routing policies to control what each device or group can access.Prevents lateral movement, enforces least privilege, and lets you treat connectivity as software—configurable per fleet, per product, or per region.

How It Works (Step-by-Step)

At a high level, Hologram private networking or VPN for secure device telemetry works like this:

  1. Your devices connect with Hologram SIMs (Hyper SIMs or Outage Protection SIMs) using cellular networks across 190+ countries.
  2. Hologram’s Software-Defined Network terminates those sessions on isolated, segmented infrastructure—no direct exposure to the public internet.
  3. An encrypted tunnel (e.g., IPsec or WireGuard) connects Hologram’s SDN to your VPC/VNet or on-prem network.
  4. Your devices are assigned private addresses; telemetry flows through the tunnel into your environment, where your services consume it.
  5. You use the Hologram Dashboard and APIs to monitor, adjust rules, and scale.

Here’s the practical workflow I recommend, based on running fleets in production.

1. Define Your Connectivity & Security Requirements

Before you touch any config, get crisp on what you’re protecting and from whom.

Questions to answer:

  • Compliance: Do you need HIPAA, PCI, or GDPR alignment for your telemetry?
  • Topology: Are you landing telemetry into a cloud VPC (AWS, Azure, GCP), an on-prem data center, or a hybrid?
  • Directionality: Do you only push telemetry upstream, or do you need to initiate connections into devices for remote maintenance?
  • Addressing: Do you want static or predictable IPs for devices, or is tag-based grouping enough?
  • Redundancy: Do you need active-active VPN tunnels, or is active-standby acceptable?

Map these requirements to your architecture:

  • Healthcare / remote patient monitoring: Strict control, full audit trails, no inbound exposure from public internet.
  • Retail / payments-adjacent devices: PCI-friendly segmentation, explicit outbound-only rules, strict logging.
  • Industrial / energy / factories: Ability to tunnel into devices for diagnostics, while insulating them from generic internet traffic.

2. Set Up Your Cloud or Data Center Edge

You need a termination point for the VPN/private networking on your side.

Typical patterns:

  • Cloud-based:
    • AWS: AWS Site-to-Site VPN / AWS Transit Gateway + routing tables.
    • Azure: Azure VPN Gateway into a dedicated VNet.
    • GCP: Cloud VPN (Classic or HA) into a private VPC.
  • On-prem:
    • Physical or virtual firewall/router (e.g., Fortinet, Palo Alto, Cisco, pfSense, VyOS) with IPsec or WireGuard support.

Best practices:

  • Reserve a dedicated subnet for Hologram device traffic in your environment (e.g., 10.50.0.0/16).
  • Prepare firewall policies that only allow traffic from this subnet to specific services/ports (e.g., MQTT broker, HTTPS APIs, VPN concentrators).
  • If you’re multi-region, decide whether you’ll:
    • Have one global entry point and distribute telemetry internally, or
    • Terminate regionally and keep traffic local for data residency or latency-sensitive workloads.

3. Work with Hologram to Configure Private Networking / VPN

Today, private networking and VPN setup with Hologram typically involves coordination with their team, especially for:

  • Designing the IP addressing scheme for your SIM fleet.
  • Configuring site-to-site IPsec or equivalent tunnel parameters.
  • Setting up network segmentation and firewall policies in Hologram’s SDN.

The general configuration steps:

  1. Share your requirements

    • Your desired private IP CIDR(s) for devices.
    • Your VPN termination endpoint (public IP or cloud gateway) and supported protocols (IPsec, IKEv2, etc.).
    • Any special routing constraints (e.g., which prefixes should be reachable over the tunnel).

  2. Establish the tunnel
    Hologram and your team configure:

    • Phase 1 (IKE) settings: encryption algorithm, hash, DH group, lifetime.
    • Phase 2 (IPsec) settings: encryption, PFS, SA lifetimes.
    • Routing: static routes or BGP to advertise device subnets.

  3. Test with a small device set

    • Create a test group of SIMs in the Hologram Dashboard.
    • Confirm that traffic from these SIMs:
      • Receives IPs from your agreed private range.
      • Reaches your services only via the tunnel.
      • Is blocked when you disable the tunnel or enforce tighter firewall rules (to validate segmentation).

4. Configure Device Networking & Security Patterns

On the device side, you usually don’t run a full VPN client; the VPN lives between Hologram and your network. Your devices just see IP connectivity.

Key steps:

  • Use Hologram APN as documented for your SIM profiles.
  • Ensure devices:
    • Encrypt application traffic end-to-end (TLS for MQTT/HTTPS, DTLS if using UDP).
    • Pin certificates or use mutual TLS where possible for stronger identity.
    • Handle reconnections gracefully when cellular changes or there’s a tunnel failover.

Common architectures:

  • Outbound-only telemetry:
    Devices publish MQTT/HTTPS to an endpoint that’s only reachable inside your VPC, over the tunnel. No inbound ports exposed.
  • Controlled remote access:
    A management service in your VPC initiates sessions to devices through the private network (e.g., SSH via bastion, tunneled RPC). Access is gated by strict authentication and network ACLs.

5. Segment, Monitor, and Automate Using the Hologram Dashboard & APIs

This is where “connectivity as software” really matters.

Use the Hologram Dashboard and APIs to:

  • Tag and group SIMs
    Group by: product line, region, customer, or environment (dev, qa, prod). Apply different private networking/VPN policies per group.

  • Apply traffic policies

    • Allowlist which destinations (IP/port) each group can reach.
    • Deny traffic that doesn’t go through your private networking setup.
    • Use network firewalls to block unsolicited inbound traffic.

  • Monitor and troubleshoot

    • Track which devices are connected, where, and how much data they’re using in real time.
    • Set alerts for unusual patterns (e.g., suddenly high data usage or unexpected destinations).
    • Leverage Hologram’s “all systems operational” transparency alongside your own monitoring to distinguish device issues from network issues.

  • Automate lifecycle via API
    Build workflows such as:

    • On factory activation (using Test Mode): assign devices to a non-production private-network segment for QA; once passed, move them to the production VPN segment via API.
    • On security incident: programmatically quarantine a subset of SIMs by reassigning them to an isolated network group or disabling them.
    • On customer onboarding: automatically create tags and apply private-network policies tied to a specific tenant or contract.

6. Scale and Add Redundancy

Once your private networking is working for a pilot fleet, scale safely:

  • Redundant tunnels:
    Configure multiple IPsec tunnels to different Hologram endpoints or redundant gateways in your cloud/on-prem environment. Use BGP or failover rules to keep telemetry flowing during incidents.

  • Outage Protection SIMs:
    If device availability is non-negotiable, combine private networking with Hologram’s Outage Protection SIMs: these can automatically fallback to a 2nd mobile core if a primary core has a major outage. Your private connectivity then rides on whichever core is available.

  • Multi-region architecture:
    Align private networking with your data residency and performance needs:

    • For EU patient data, terminate the VPN into an EU region VPC and keep paths local.
    • For latency-sensitive video or critical control loops, choose the nearest region to minimize RTT.

Common Mistakes to Avoid

  • Treating private networking as an afterthought:
    If you bolt it on after mass deployment, you’ll end up re-SIMming devices, changing APNs in the field, or rewriting device code. Design around private networking from your first prototypes and leverage Test Mode to validate your setup before full rollout.

  • Assuming “VPN = security solved”:
    A tunnel without proper segmentation, TLS, and credential hygiene still leaves you exposed. Combine VPN/private networking with end-to-end encryption, strict identity, and least-privilege network policies.

Real-World Example

In a previous role, I helped operate a distributed video/security gateway fleet for physical sites that had no reliable Wi‑Fi. We initially ran everything over a single carrier and public APN. It seemed fine—until a carrier core incident took out a big chunk of our fleet, and we discovered how hard it was to prove whether a given issue was “the device” or “the network.”

During our redesign, we moved to:

  • Hologram SIMs for multi-carrier redundancy across 190+ countries.
  • Site-to-site VPN from Hologram’s SDN into our AWS VPC.
  • Private subnets dedicated to device traffic, with strict rules limiting which services each product SKU could reach.
  • Automated SIM management using Hologram’s APIs so devices entered Test Mode at the factory, then were shifted into the production private network segment only at deployment.

The result:

  • Network troubleshooting became far simpler—if the tunnel was up, we knew exactly where and how traffic flowed.
  • Security reviewers were satisfied because traffic never hit the open internet, and we could demonstrate end-to-end encryption plus segmentation.
  • During later carrier outages, devices automatically failed over to alternate carriers and our VPN remained the single, controlled ingress path for telemetry.

Pro Tip: When you design your VPC or on-prem network for Hologram private networking, treat “Hologram device subnets” as first-class citizens—give them dedicated route tables, security groups, and logs. That makes it much easier to prove compliance and debug issues than mixing them with generic server traffic.

Summary

Setting up Hologram private networking or VPN for secure device telemetry is about more than turning on a tunnel. You:

  • Define your security and compliance requirements.
  • Stand up a dedicated entry point in your cloud or data center.
  • Work with Hologram to configure private IP addressing and a site-to-site VPN from their Software-Defined Network.
  • Keep devices simple—using the Hologram APN, strong TLS, and robust reconnection logic.
  • Use the Hologram Dashboard and APIs to segment fleets, enforce least-privilege access, and automate lifecycle management.
  • Layer in redundancy with Outage Protection SIMs and multi-region design.

Done well, you get outage-resistant connectivity that “just works,” with telemetry flows that are predictable, secure, and observable from a single pane of glass.

Next Step

Get Started

Back to IoT Connectivity Platforms

Keep Reading

More from IoT Connectivity Platforms

How do I automate SIM lifecycle actions with the Hologram REST API (activate/suspend, usage reporting, alerts)?

Read more

Who do I contact at Hologram for enterprise pricing (data pools, custom network configs, zero fees for inactive SIMs)?

Read more

How do I bulk-activate, suspend, and tag SIMs in the Hologram Dashboard for a large rollout?

Read more