What is a private APN
Quick definition
A private APN is a mobile network access point dedicated to a single company or project. Your IoT traffic never touches the public internet: it exits the carrier straight to your data center over a private tunnel, with your own IP plan, firewall rules, and routing.
What it solves
A carrier's public APN shares IP space across thousands of subscribers, runs NAT, and blocks inbound connections. Fine for a phone; a bottleneck for a fleet of EV chargers or payment terminals. A private APN gives you full control over addressing, internet egress (or no egress), and integration with your own infrastructure.
What it pairs with
Usually three things: an IPSec or WireGuard VPN to the customer data center, a static IP range (private or public), and firewall rules that only allow the port and destination each device actually needs. Your OCPP charger, PLC, or POS booth is never exposed to the public internet.
- IPSec/WireGuard VPN to your DC
- Static IP plan (private or public)
- Per-port and per-destination firewall
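The per-port, per-destination allowlist described above, as an added example that is not from the original page: a default-deny check over flows seen at the tunnel gateway. The IP plan, back-end addresses, ports and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed static IP plan for the private APN (assumption).
APN_PLAN = ipaddress.ip_network("10.50.0.0/16")

# Constructed policy: (device range, allowed destination, protocol, port).
POLICY = [
    ("10.50.0.0/22", "10.10.1.10/32", "tcp", 443),   # chargers -> OCPP back end
    ("10.50.8.0/24", "10.10.2.0/28", "tcp", 8883),   # PLCs -> MQTT broker over TLS
]
RULES = [(ipaddress.ip_network(s), ipaddress.ip_network(d), proto, port)
         for s, d, proto, port in POLICY]


def decide(src, dst, proto, port):
    """Return (verdict, reason) for one device-originated flow; default is drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in APN_PLAN:
        return "drop", "source outside APN IP plan"
    for src_net, dst_net, r_proto, r_port in RULES:
        if s in src_net and d in dst_net and proto == r_proto and port == r_port:
            return "accept", "matches allowlist"
    if d.is_global:
        return "drop", "internet egress not permitted"
    return "drop", "no rule for this port/destination"


def audit(flows):
    """Return every flow the policy would drop, with the reason, for review."""
    dropped = []
    for flow in flows:
        verdict, reason = decide(*flow)
        if verdict == "drop":
            dropped.append((flow, reason))
    return dropped


# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.50.1.20", "10.10.1.10", "tcp", 443),    # charger to its back end
    ("10.50.1.20", "10.10.1.10", "tcp", 22),     # right host, wrong port
    ("10.50.8.7", "10.10.2.5", "tcp", 8883),     # PLC to its broker
    ("10.50.8.7", "10.10.1.10", "tcp", 443),     # PLC to the chargers' back end
    ("10.50.1.20", "8.8.8.8", "udp", 53),        # attempted internet egress
    ("192.168.1.5", "10.10.1.10", "tcp", 443),   # address not in the IP plan
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```
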
When you do NOT need a private APN
If devices only open outbound connections (telemetry push to a cloud MQTT broker) and never need to be reached back, a properly configured public APN often suffices. A private APN is justified when you need inbound reachability, strict regulatory isolation, or a routing SLA.
Example
A fast-charging operator with 800 OCPP points picks a private APN with IPSec to its back end. Result: no charger is reachable from the internet, everything goes through their firewall, and audit logs are clean.
FAQ
How much does a private APN cost?
Usually a fixed monthly fee (50 to 250 EUR depending on vendor and volume) plus a per-SIM cost. From around 100 devices it tends to pay off; below that, a public APN with tight rules is almost always more efficient.
Can I change APN after the device is in production?
If the SIM allows it, yes. Modern IoT SIMs accept APN changes via remote configuration (OMA-DM, AT commands, or through the provider portal). On eUICC the change can come from loading a new profile.
What happens when a device travels abroad?
The private APN works the same way: the device connects to the local carrier, traffic is routed to the gateway at your home carrier's private APN, and from there to your DC. This adds 30-80 ms of latency, depending on the country.
Related terms
What is an IoT VPN
An IoT VPN is an encrypted tunnel between the carrier exit and the customer infrastructure. It lets devices on the cellular network reach private servers without going over the public internet. Typical options are IPSec, WireGuard, and L2TP/IPSec.
What is a static-IP IoT SIM
A static-IP SIM is an IoT card the carrier always assigns the same IP address to, instead of a different dynamic IP per session. It can be public (reachable from the internet) or private (reachable from your private APN or VPN). It is essential whenever a server needs to initiate the connection to the device.
What is MQTT
MQTT (Message Queuing Telemetry Transport) is a very lightweight publish/subscribe protocol designed for devices with little CPU, little RAM, and flaky links. It works against a central broker (Mosquitto, HiveMQ, EMQX, AWS IoT Core) and carries most modern industrial IoT traffic.