An APN (Access Point Name) is the logical name of the GTP tunnel that connects your SIM to a given IP network. By default an MNO gives you a public APN (internet.operator.xx or similar) that exits to the Internet through NAT. A private APN is an APN dedicated to your project, whose traffic terminates in your own infrastructure over a dedicated interconnect (typically MPLS, IPsec or VPLS).
What a private APN actually gives you
- Isolation from the rest of the Internet. Devices are not reachable from outside unless your interconnect exposes them.
- Your own IP addressing plan. You can assign fixed per-device IPs (static or quasi-static per IMSI) inside a private range.
- Routing control. Traffic goes from the mobile network to your DC without traversing the public Internet — lower latency, smaller attack surface.
- Inbound reachability. On a public APN you usually cannot initiate a session from your server to the device (NAT). On a private APN you can, if you design routing for it.
What it does NOT give you
- Application encryption. GTP and MPLS do not encrypt at packet level — your operator can see your traffic. If you want confidentiality from the operator, you still need end-to-end TLS or IPsec.
- Protection against a compromised device. If an endpoint inside the APN is breached, the attacker is inside your network. Segment like you would a LAN.
Cheaper alternatives that often suffice
- Public APN + mutual TLS. Client certificate authentication, TLS 1.3, and pinning of the server certificate or public key. For most sensors with outbound-only traffic, this is enough.
- Public APN + device-initiated IPsec VPN. The device brings up a tunnel against your concentrator. You get an internal IP and encryption without paying for a private APN.
- SIM with public static IP. If the real issue is "I need to know the device IP to set up ACLs", a fixed IP inside the standard public APN can solve it.
Ballpark costs: a private APN usually means a setup fee (low thousands of euros), a recurring fee, and a minimum SIM volume. Under ~1,000 devices, mutual TLS or client VPN is usually more cost-effective.
Decision tree
- Need to initiate sessions from your DC to the device by its IP? → Private APN or device-initiated IPsec.
- Traffic is outbound and the operator seeing packets is fine? → Public APN + TLS.
- Regulator or customer requires traffic to avoid the public Internet? → Private APN with dedicated interconnect.
- Small fleet and cost sensitive? → Mutual TLS; reconsider private APN above ~1,000 SIMs.
- Critical devices, 10+ year lifecycle, minimum exposure desired? → Private APN, plus end-to-end TLS.