How Soracom Works
Understand the platform architecture — how devices connect, how data flows, and how services compose together
The Soracom platform is a cloud-native IoT connectivity platform. It acts as a virtual carrier, managing the network layer between your devices and your cloud infrastructure. This article explains the core architecture and how the pieces fit together.
The three layers
Every deployment has three layers:
1. Device layer
Your IoT devices — sensors, gateways, cameras, vehicles — connect to cellular networks using platform SIM cards (or virtual SIMs). The SIM authenticates the device and establishes a data session through the platform.
Devices do not need special software or agents. Any hardware that supports a SIM card and standard APN configuration can connect.
2. Platform layer
The platform sits between your devices and your cloud. It provides:
- Connectivity management — SIM provisioning, bandwidth control, session monitoring
- Data routing — Forward device payloads to cloud destinations
- Data storage — Collect and visualize data directly on-platform
- Security — Private networking, credential provisioning, SIM-based authentication
- Device management — Remote configuration, remote access, packet capture
The platform runs on cloud infrastructure and is available in multiple regions.
3. Cloud layer
Your applications, databases, and analytics platforms receive processed device data. The platform integrates with AWS, Azure, GCP, and any HTTP or MQTT endpoint.
You choose where data goes. The platform handles the path between device and destination, including protocol conversion, TLS termination, and credential injection.
How data flows
A typical data path from device to cloud:
- Device sends a sensor reading over the cellular network
- The platform receives the packet through the carrier network
- Group configuration is applied (routing rules, transformations)
- Data is delivered to the configured destination:
  - Data Store — stored and visualized on-platform
  - Forwarder — sent to an external endpoint with protocol conversion
  - Cloud Delivery — delivered to a managed cloud service (Kinesis, Event Hubs, Pub/Sub)
  - Function Trigger — triggers a serverless function (Lambda, Cloud Functions)
Multiple services can process the same data stream. A group can have the data store enabled for monitoring while the forwarder simultaneously sends to your production backend.
Data flow example
A temperature sensor in the field sends JSON readings every 5 minutes:
Device → Carrier → Platform → Group config → Data Store (monitoring)
                                           → Forwarder (AWS IoT Core)
The device code is the same regardless of the destination. Changing where data goes is a configuration change in the Console, not a firmware update.
Service composition
Platform services are designed to compose. You do not adopt the entire platform at once — you enable the services you need on a per-group basis.
Starting simple: Connector + Data Store gives you connectivity and data visualization with zero cloud infrastructure. Ideal for prototyping.
Adding integration: Connector + Forwarder routes data to your cloud backend with TLS termination and credential injection. Devices send plain HTTP; the forwarder handles the secure connection.
Production hardening: Connector + Private Gateway + Forwarder gives you private networking with no public internet exposure between devices and your cloud.
Full stack: Connector + Private Gateway + Forwarder + Dashboards + Fleet Manager gives you private connectivity, cloud integration, dashboards, and remote device management.
Enabling a service
All service configuration happens at the group level:
- Create a group in the Console or via API
- Open the group settings
- Enable the desired service and configure its parameters
- Assign devices to the group
Devices in the group immediately begin using the configured services. Move devices between groups to change their service configuration at any time.
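Because every device inherits its services from a single group, a fleet can be reviewed by auditing the groups and mapping the results back to devices. The following is an added example, not Soracom code: the `GROUPS` and `DEVICES` structures, their field names, and the sample values are constructed for illustration and are not the platform's API schema.

```python
from urllib.parse import urlsplit

# Destination schemes treated as TLS-protected (assumption for this example).
SECURE_SCHEMES = {"https", "mqtts"}

# Constructed sample data: service names come from this article, the
# structure and field names are hypothetical, not the platform's schema.
GROUPS = {
    "prototype": {"services": {"Connector", "Data Store"}},
    "staging": {
        "services": {"Connector", "Forwarder", "Data Store"},
        "forwarder_url": "http://staging.example.com/ingest",
    },
    "production": {
        "services": {"Connector", "Private Gateway", "Forwarder"},
        "forwarder_url": "https://ingest.example.com/v1",
    },
}
# Each device maps to exactly one group, or None if unassigned.
DEVICES = {"sim-0001": "prototype", "sim-0002": "staging",
           "sim-0003": "production", "sim-0004": None}


def audit_group(cfg):
    """Return findings for one group's service composition."""
    services = cfg.get("services", set())
    findings = []
    if "Forwarder" in services:
        # Devices may send plain HTTP, so the forwarder-to-backend leg
        # is where transport protection has to be configured.
        scheme = urlsplit(cfg.get("forwarder_url", "")).scheme
        if scheme not in SECURE_SCHEMES:
            findings.append("forwarder destination is not TLS-protected")
        if "Private Gateway" not in services:
            findings.append("forwarder enabled without Private Gateway")
    return findings


def audit_fleet(groups, devices):
    """Map each device ID to the findings inherited from its single group."""
    report = {}
    for device_id, group_name in devices.items():
        if group_name is None:
            report[device_id] = ["not assigned to a group"]
        elif group_name not in groups:
            report[device_id] = [f"assigned to unknown group {group_name!r}"]
        else:
            report[device_id] = audit_group(groups[group_name])
    return report
```

Calling `audit_fleet(GROUPS, DEVICES)` returns an empty list for devices whose group matches the prototyping or production-hardening compositions and a list of findings for the rest.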
Key concepts
Accounts
An account owns devices, groups, and service configurations. One account can manage thousands of devices across multiple regions.
Accounts have:
- A unique account ID
- API credentials (API key and token)
- Billing and payment settings
- Sub-user management for team access
Groups
Groups are the configuration unit. Attach services, set bandwidth tiers, and define routing rules at the group level. Assign devices to groups to apply those configurations.
Groups provide:
- Service configuration (routing, storage, analytics)
- Bandwidth tier settings
- Event rules
- Metadata and tags
A device belongs to exactly one group at a time. Changing a device's group changes its entire service configuration instantly.
Device identity
Every device is identified by its SIM. The platform uses SIM identity for:
- Authentication — The SIM's secure element handles network authentication
- Data attribution — Every data point is tagged with the originating device
- Access control — Per-device or per-group policies control what the device can access
- Billing — Usage is tracked per device for precise cost allocation
No device-side certificates or tokens are needed for basic connectivity. The SIM itself is the credential.
Platform management
You can manage the platform through three interfaces:
- Console — Web-based UI for visual management
- CLI — Command-line tool for scripting and automation
- API — RESTful API for programmatic integration
All three interfaces provide the same capabilities. Choose based on your workflow.
What to read next
- Connectivity Concepts — How cellular IoT networks work
- Getting Started — Platform fundamentals
- Soracom Air — Configure cellular connectivity
- Quick Start — Connect your first device