AWS Partner Network (APN) Blog
Automated Device Provisioning to AWS IoT Core Using 1NCE Global SIM
By Gaurav Gupta, Sr. Partner Solutions Architect – AWS IoT
By Jan Sulaiman, Product Management at 1NCE
The Internet of Things (IoT) requires reliable and secure connectivity from wireless networks to share data. Connecting an IoT device to the cloud with long-range wireless technology that can operate reliably for up to 10 years on a single battery charge is becoming popular.
This is especially true in various high-scaling use cases like smart cities, smart meters, asset tracking, smart agriculture, smart building, and various other industrial applications.
AWS IoT Core offers managed cloud services to ingest trillions of messages from billions of devices, and to interact easily and securely with other AWS cloud services and other devices.
In high-scaling use cases, high-throughput standards like 5G-NR (>1 Gbps) or LTE-Advanced (300 Mbps) are overkill. Instead, these remote and sometimes mobile applications need low-power, narrowband standards such as LTE Cat 1, LTE-M, and NB-IoT.
Such cellular Low Power Wide Area Network (LPWAN) technology supports data transfer in small, infrequent packets ranging in size from 10 to 1000 bytes at speeds below 375 Kbps.
In this post, we’ll describe how you can use the 1NCE IoT Connectivity Suite to take the complexity out of IoT projects and overcome the challenges of cellular IoT adoption.
1NCE is an AWS Advanced Technology Partner that offers managed connectivity services for low bandwidth IoT applications.
Current Challenges with Scaling Cellular IoT
A customer analysis conducted in March 2020 with more than 2,500 1NCE customers identified three significant challenges that businesses often face while ramping up IoT solutions:
- Device security and authentication, and how to manage secure device authentication across cloud and platform environments to allow automation.
- Data protocol support for low-data IoT protocols like UDP or CoAP isn’t readily available.
- Device integration and management, especially the first setup and configuration of devices, requires additional effort to handle. Customers also lack the required staff with technical knowledge.
Figure 1 – 1NCE customer insights.
1NCE IoT Connectivity Suite
In August 2020, 1NCE launched a comprehensive set of services to connect cellular IoT devices to Amazon Web Services (AWS). 1NCE IoT Connectivity Suite is built using AWS services and is fully integrated with AWS IoT. The solution helps customers who need to deploy massive and scalable IoT solutions efficiently and fast.
Figure 2 – 1NCE IoT Connectivity Suite.
The 1NCE solution offers three main elements, starting with SIM-as-an-Identity, which maps the identity of each individual IoT device to its 1NCE SIM card. This allows you to fully automate device onboarding to AWS IoT Core.
Second, real “made for IoT” data management enables you to use IoT-optimized transport protocols while still using all of AWS IoT Core’s advanced capabilities.
Finally, a simplified and fully automated device setup and integration using prebuilt Blueprints and a simple-to-operate Data Broker connects IoT data to the right applications.
Customer Journey
You can order the 1NCE SIM with the 1NCE IoT Flat Rate from AWS Marketplace, or through the 1NCE Shop.
After receiving the SIM cards and logging into the 1NCE Customer Portal, navigate to Connectivity Suite > Account Connection > Via AWS Console (shown in Figure 3). This provides you with an AWS CloudFormation template to execute in your desired AWS region.
From there, Connectivity Suite > Account Connection > Via CLI provides you with the AWS Command Line Interface (CLI) commands for advanced users.
As soon as the CloudFormation template is successfully deployed, the SIM-as-an-Identity service automatically starts creating AWS IoT Things for all of your SIM cards.
Figure 3 – AWS IoT integration with AWS CloudFormation.
You are now ready to insert the 1NCE SIM into your devices. The fastest way to interact with all of the provided services is to use one of the 1NCE Blueprint SDKs provided for different devices; for example, the Blueprint for PyCom GPy.
The Blueprints bootstrap the devices when they attach to the network, and automatically deliver an AWS IoT Core X.509 certificate, private key, and the AWS IoT Core endpoints.
The certificate files are stored in the flash memory of the device and are reloaded on each power cycle. This process ensures an attacker cannot hijack the certificate and key. After the bootstrap, devices can start sending data directly to AWS IoT Core.
For cases where you are not relying on MQTT but instead use UDP or CoAP, bootstrapping the device and downloading an X.509 certificate are unnecessary. Here the SIM card, as part of the secured 1NCE Mobile Core Network, acts as a trusted element and serves as the authenticator.
SIM-as-an-Identity Service
1NCE uses the SIM-as-an-Identity service to map the individual AWS IoT Core identity of each device to its respective SIM card. The service allows 1NCE customers to fully automate the device onboarding and provisioning process to AWS IoT Core.
Onboarding of devices is based on a CloudFormation template you can launch from within the 1NCE Customer Portal and the Connectivity Suite (as shown in Figure 3).
Resources from the CloudFormation stack are used to set up, create, and configure devices for AWS IoT Core, with a default Thing Policy that only allows connecting to device-specific topics. The ICCID of the SIM card is used as the Thing name, and the device can publish to any topic in the <ICCID>/# topic hierarchy.
For each SIM card and Thing, an individual X.509 certificate is generated using the AWS Root Certificate Authority (CA). The certificate and key can only be used in combination with the specific IoT device, which leverages the 1NCE SIM card as a secure element within the 1NCE network.
Figure 4 – 1NCE automated device provisioning architecture.
The auto-provisioning using the CloudFormation templates allows 1NCE to onboard all IoT devices for you in the background. The SIM-as-an-Identity service is based on a serverless architecture leveraging Amazon API Gateway, AWS Lambda, Amazon DynamoDB, and Amazon Simple Queue Service (SQS).
The service requires two interfaces to other 1NCE systems. The first is an integration with the Connectivity Management Portal or BSS system to retrieve your SIM details. The second is an integration with the 1NCE Core Network via the Packet Gateway (PGW).
Communication with your AWS accounts is secured by resource policies and private API gateways, configured and provisioned during the CloudFormation stack rollout. New SIM cards are automatically sent to your AWS account via SQS, and an AWS Step Functions workflow provisions the IoT Thing.
1NCE Data Broker
The 1NCE Data Broker is a highly scalable data broker that processes messages from UDP and CoAP endpoints and forwards them to your AWS IoT Core account. Support for additional protocols, such as LwM2M, is in development.
The Broker also enriches the payload with data such as the IMSI, ICCID, and device IP address. As of this writing, the 1NCE Data Broker supports only the uplink of data (in UDP/CoAP), meaning that IoT devices can send data to AWS IoT Core but not receive it.
The 1NCE Data Broker helps you connect devices with AWS IoT Core even more efficiently by reducing integration effort and improving data/protocol economics. Cellular devices using leaner protocols such as UDP and CoAP consume less bandwidth, which extends battery life by up to twice as much compared to MQTT.
Figure 5 – 1NCE console to enable Data Broker.
Devices using UDP or CoAP connect via the 1NCE SIM and 1NCE Mobile Core Network and are authenticated by 3GPP wireless standards. Though X.509 certificates and keys exist uniquely for every SIM, devices do not need TLS/DTLS-level security while connecting to the 1NCE Data Broker using UDP or CoAP.
The 1NCE Data Broker uniquely identifies each device, and the account it belongs to, because each device is allocated a static private IP address when it attaches to the network.
Figure 6 – 1NCE Data Broker architecture.
The 1NCE Data Broker is a fully containerized application set running on Amazon Elastic Container Service (Amazon ECS) to ensure high scalability.
Devices with a 1NCE SIM card can connect directly via DNS names (for example, coap.connectivity-suite.cloud or udp.connectivity-suite.cloud), or via IP addresses when DNS resolution is not supported by the firmware of the IoT device. When enabled, the Data Broker also forwards the messages to your AWS IoT Core.
The following example shows a generic NodeJS script that connects to the Data Broker and sends a Hello World message.
Figure 7 – NodeJS code to connect to 1NCE Data Broker.
All of your active SIM cards can publish messages via the UDP endpoint, as shown in Figure 7. The incoming message is enriched with Core Network IDs and transformed into a JSON message:
Figure 8 – JSON message in AWS IoT from 1NCE Data Broker.
All messages forwarded to AWS IoT Core are sent to the device-specific topic with the format {thing_name}/messages, where thing_name is the SIM card's ICCID.
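The following added example (not 1NCE's or AWS's own code) models the two identity rules described above: the default Thing Policy that confines a device to its own <ICCID>/# topic hierarchy, and the {thing_name}/messages topic the Data Broker publishes to. The region, account, the assumption that the device connects with a client ID equal to its Thing name, and the field names of the sample broker message are all assumptions; the Luhn check digit at the end of an ICCID comes from ITU-T E.118.

```python
# Added example (not 1NCE's or AWS's own code): models the default Thing Policy that confines
# a device to its own <ICCID>/# hierarchy and the {thing_name}/messages topic the Data Broker
# publishes to. Region, account, client ID == Thing name and sample field names are assumptions.

def luhn_valid(digits: str) -> bool:
    """ITU-T E.118 ICCIDs end in a Luhn check digit; reject malformed IDs before trusting them."""
    if not digits.isdigit() or not 18 <= len(digits) <= 22:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, skipping the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def thing_policy(region: str, account: str) -> dict:
    """Least-privilege policy: AWS IoT resolves ${iot:Connection.Thing.ThingName} per connection,
    so one document covers every SIM without naming any ICCID explicitly."""
    base = f"arn:aws:iot:{region}:{account}"
    thing = "${iot:Connection.Thing.ThingName}"  # assumes the device's MQTT client ID is its ICCID
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{base}:client/{thing}"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"{base}:topic/{thing}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{base}:topicfilter/{thing}/*"},
    ]}

def topic_in_scope(thing_name: str, topic: str) -> bool:
    """Mirror of the <ICCID>/# rule. The trailing '/' matters: '<ICCID>1/x' must not pass as a
    child of '<ICCID>', so a plain startswith(thing_name) check would be too loose."""
    return topic.startswith(thing_name + "/") and len(topic) > len(thing_name) + 1

def broker_topic(message: dict) -> str:
    """Derive the {thing_name}/messages topic for an enriched Data Broker message."""
    iccid = str(message["iccid"])
    if not luhn_valid(iccid):
        raise ValueError(f"malformed ICCID: {iccid!r}")
    topic = f"{iccid}/messages"
    if not topic_in_scope(iccid, topic):
        raise ValueError(f"topic {topic!r} is outside the device's policy scope")
    return topic

# Constructed sample of an enriched broker message; the field names are an assumption.
SAMPLE_MESSAGE = {"iccid": "8988280666000000007", "imsi": "901000000000001",
                  "ip": "10.64.0.17", "payload": "Hello World"}
```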
1NCE Blueprint and SDK
1NCE offers different Blueprints and SDKs (built using AWS IoT Device SDK) to allow customers a seamless setup and use of all features as part of 1NCE IoT Connectivity Suite.
Currently, Blueprints are available for PyCom cellular devices using NodeJS, and for Cellular FreeRTOS (a variant of Amazon FreeRTOS with support for cellular IoT and constrained protocols such as UDP and CoAP). Each Blueprint-supported device can communicate via AWS IoT Core using the SIM-as-an-Identity service for automated onboarding, or send data via UDP or CoAP utilizing the 1NCE Data Broker.
The topic structure for messages follows <ICCID>/#, where # is the topic name for all communication paths. The topic structure is consistent whether the device connects directly to AWS IoT or indirectly via the 1NCE Data Broker using UDP or CoAP. This way, the application logic is decoupled from the underlying transport technology.
The onboarding configuration for the PyCom Blueprint can be found in config.py in the root folder. You can review the Blueprint SDK for a better understanding of all features offered by the solution, and use it as provided or as a template for your own firmware covering more complex use cases.
The Blueprints consist of multiple example scripts for different use cases, like publishing a message to AWS IoT Core. To run a chosen script on a PyCom GPy, rename it to main.py and place it in the root of the /flash directory on the device.
The following test scripts are available:
- Publish and subscribe to a message on an AWS IoT Core topic.
- Send a UDP message.
- Send a CoAP POST request.
If the Publish and Subscribe to AWS IoT Core example (main.py) is executed, the following steps are performed:
- Load the configuration variables.
- Start the onboarding process:
  - Retrieve the device-specific configuration (certificates, etc.).
  - Download the Root CA from the given URL.
  - Save all keys and certificates to the local file system.
- Connect to AWS IoT Core with the given certificate, private key, and Root CA certificate.
- Subscribe to the <ICCID>/hello-world topic.
- Publish a Hello-world message on the <ICCID>/hello-world topic.
- Close the MQTT connection.
- Close the network connection.
- Put the PyCom into idle/low-power mode.
Summary
The 1NCE IoT Connectivity Suite extends the service included in the 1NCE IoT Flat Rate into a full Connectivity-as-a-Service (CaaS) solution. It helps customers who need to deploy large and scalable IoT solutions efficiently and fast.
The 1NCE IoT Connectivity Suite represents a comprehensive set of IoT services that have been developed in close collaboration with AWS to ensure performance and seamless integration for new and existing IoT solutions.
With the integration of AWS IoT Core, 1NCE IoT Connectivity Suite offers plug-and-play IoT services that ease device integration and data management.