Private-APN IoT SIM · Spain

IoT SIM with private APN, contractable today

Dedicated APN with your CIDR range and an IPSec or WireGuard tunnel into your VPC, offered as a standard layer over any plan. No need to go through enterprise sales: pilot on 5 SIMs, scale once the case is validated. Combinable with private static IP in the same plan.

Why iot.cards private APN is different

Private APN from pilot, not enterprise-only

Telefónica Tech, 1NCE and Wireless Logic offer private APN as an enterprise module: annual contract, 500-SIM minimum, approval committee, three weeks to first provisioning. We offer it as a standard layer over any plan, on-demand from 5 SIMs, with first provisioning in 24–72 h.

IPSec or WireGuard tunnel into your VPC

Site-to-site IPSec with PSK or certificate authentication, or modern WireGuard (simpler, better performance, updated cryptography). Compatible with AWS Site-to-Site VPN, Azure VPN Gateway, GCP Cloud VPN, OVH and on-prem.

RFC1918 addressing with your CIDR

You pick the CIDR range (10.x.x.x, 172.16.x.x, 192.168.x.x) that overlaps coherently with your corporate addressing plan. The SIM gets an IP from that range, reachable from your VPC without NAT or translations.

Mutual authentication with certificates

For regulated deployments or high-cybersecurity-requirement use cases, mutual authentication with X.509 certificates on top of the tunnel. Each SIM has its credential; deactivating a SIM revokes its access without affecting the rest of the fleet.

Traceability by ICCID and PDP session

Each PDP session is logged with timestamp, ICCID, assigned IP, transferred data and network events. Logs exportable by API for internal audit or regulatory reporting. HMAC-signed webhooks on session change.

Combinable with private static IP in the same plan

Private APN and private static IP are the same architecture: the APN tunnels traffic into your VPC, the static IPs inside the APN give each device stable addressing. Both add-ons on a SIM with a standard plan.

When private APN stops being optional

There are architectures where private APN isn't a comfort upgrade but a functional or regulatory requirement. The most frequent in Spain:

Cases where private APN is required

  • Electricity or water SCADA with direct connection to DSO/water utility
  • Retail chains with 50+ stores connected to corporate DC
  • Regulated deployments with cybersecurity audit (regulator, ENS)
  • Smart metering and industrial IoT where traffic must not traverse public Internet

Tunnel types supported

IPSec site-to-site (PSK)IPSec with X.509 certificatesWireGuardBGP over IPSec (enterprise)

The cloud or DC operator determines the options: AWS recommends policy-based or BGP-based IPSec; Azure supports route-based IPSec; GCP Cloud VPN offers HA-VPN with BGP. We've integrated with all the majors; the technical team configures the tunnel from your side during onboarding.

Technical capabilities of private APN

Beyond the basic tunnel, the private APN is composed of layers that can be contracted bundled or separately:

Private APN technical specification

Product spec sheet detailing modes (shared vs dedicated), tunnel types, integration with main clouds, technical FAQ for configuration.

View full technical spec

Private static IP in the APN

Private static IPv4 per SIM inside the APN. Lets your corporate firewall use stable addressing per device, with no DDNS and no periodic rule reconfiguration.

View static-IP SIM

PDP events via webhook

REST API for APN management, per-SIM activation/suspension, plan change, PDP session queries. HMAC-signed webhooks on PDP session start/end, IP-change alerts.

API documentation

SIM and diagnostic portal

Bilingual web console: see SIMs in the APN, active sessions, tunnel usage, firewall events, export logs. Inbound connectivity test from the portal.

View management portal

Typical use cases in Spain

  • Electricity SCADA (DSO, telemanagement)
  • Municipal water metering
  • SD-WAN routers for multi-store retail
  • Video surveillance cameras with on-prem VMS
  • Bank POS and payment terminals with central back-office
  • EV charging stations with inbound OCPP
  • Alarms connected to monitoring center (CRA)
  • Industrial sensing with proprietary platform

Pricing and lock-in

Private APN is billed as a layer on top of the base plan, with no lock-in or SIM minimum. Three tiers per need:

Shared APN (pay-as-you-go)

You use iot.cards' private APN (shared between customers but isolated by subnet). IPSec tunnel into your VPC. Ideal for pilot and cases where you don't need a fully dedicated APN.

Dedicated APN basic

Your own APN with your CIDR, not shared with other customers. IPSec or WireGuard tunnel. For medium-sized fleets where isolation matters but you don't need an enterprise SLA.

Enterprise (CIDR + SLA + 24/7 support)

Dedicated APN + full CIDR range + contractual SLA + 24/7 support + BGP-over-IPSec support. For critical infrastructure, regulated deployments or large fleets.

Pricing detail at /planes/pago-por-uso. The SIM Test Kit (5 units, €15 VAT included) ships free to Spain and lets you contract shared APN from the first unit to validate integration before bulk deployment.

Frequently asked questions about private APN for IoT SIM

Is there a volume minimum to contract private APN?
No. A single SIM can carry shared APN as an add-on. For dedicated APN, the recommended minimum is 25–50 SIMs for operational economy, but not as a technical or commercial restriction; we also configure it for smaller fleets if the case justifies. This is the difference vs enterprise competitors (Telefónica Tech, 1NCE) that require 500+ SIMs and an annual contract.
Which clouds do you support (AWS / Azure / GCP / OVH)?
We've integrated IPSec tunnels against AWS (Site-to-Site VPN policy-based or BGP-based), Azure (VPN Gateway route-based), Google Cloud (Cloud VPN or HA-VPN with BGP), OVH and on-prem (pfSense, FortiGate, Cisco ASA, Mikrotik). If your DC runs something different, we likely support it — drop us an email.
IPSec or WireGuard, which do we pick?
IPSec if your corporate DC or cloud requires site-to-site IPSec (the most common in enterprise). WireGuard if you want simplicity and performance (and your side supports it). Functionally equivalent for most cases; the decision depends more on what your firewall supports than on our technical preference. We discuss it during technical onboarding.
How long does tunnel provisioning take?
For shared APN, first provisioning in 24 h once we receive your side's technical documentation (peer IP, CIDR to advertise, IPSec policy). For dedicated APN, 48–72 h. For enterprise with BGP-over-IPSec and custom config, up to a week. Compared to the typical 3–4 weeks of enterprise competitors, it's the difference between a fast pilot and a quarterly integration.
How do I integrate the APN with my corporate VPN?
The IPSec/WireGuard tunnel is established between your peer (corporate firewall or cloud VPN gateway) and our GGSN. The SIMs receive IPs from the CIDR you indicated; your corporate firewall rules treat that range as its own subnet. If you already have site-to-site VPN between cloud and on-prem, the SIMs are just another branch of the IGP routing.
Compatible with private static IP?
Yes, and it's the standard combination for industrial deployments. The private APN tunnels traffic, the static IPs inside the APN give each SIM stable, predictable addressing. Both add-ons contracted per SIM on the same base plan. Detail at /productos/sim-ip-fija.
Does it support tunnel failover?
Yes, on enterprise plans. We configure two active-passive or active-active tunnels against two peers of yours (typically cloud + on-prem, or two cloud regions). If one drops, SIMs route through the other without disruption. On shared or dedicated-basic APN, single tunnel.
Monthly cost of dedicated APN?
Fixed monthly fee that scales smoothly with the number of SIMs and the mode (shared/dedicated/enterprise). Calculable on-demand from the portal: enter your estimated volume and mode, and you see the cost before contracting. No lock-in.
Difference vs the enterprise APN of a single carrier?
Three things. (1) Multi-IMSI: even with private APN, the SIM keeps failover across the three national carriers (Movistar, Vodafone, Orange) in Spain, with no single point of failure. (2) Commercial model: on-demand from pilot, not enterprise bottleneck. (3) Cost: at equivalent functionality, typically 30–60 % cheaper than Telefónica Tech or Vodafone Business dedicated APN for medium-sized fleets.

Request a trial private APN for your integration

We ship the SIM Test Kit (5 units, €15 VAT included, free shipping to Spain in 24–48 h) with shared APN already configured so you can validate the tunnel from your side before bulk ordering, or schedule a technical call with a network engineer to review your cloud architecture and define the mode (shared / dedicated / enterprise).

By submitting you accept our privacy policy. No spam, just a human reply.

Buy SIM Test Kit

Test kit · €15 · ships in 48 h

Go to shop

Talk about your project

Custom quote based on your deployment

Tell us about it

Related reading