Connectivity
Three ways to send data to your cellular IoT devices (and how to choose)
Compare API, tunneling, and private APN approaches for IoT device communication plus platform comparisons, HIPAA guidance, and modern SIM options.

Every cellular IoT deployment faces the same core question: how do you get commands, configuration updates, and data to devices in the field? The answer depends on what you are building. A fleet of connected medical monitors has different needs than a network of smart meters or a chain of vending machines.
Three approaches cover the vast majority of use cases: API-based communication for flexible fleet management, secure tunneling for direct device access, and private APNs for network-level isolation. Each has distinct strengths, and most large deployments combine two or all three.
This guide walks through each method, compares when to use it, and helps you match the right approach to your deployment's security, scale, and operational needs.
Key takeaways
- API-based communication (REST and MQTT) gives you the most flexibility for fleet management, device commands, and integration with backend systems.
- Secure tunneling lets you reach devices directly for troubleshooting, firmware updates, and maintenance without sending a technician.
- Private APNs and VPNs keep device traffic off the public internet, which is a baseline for healthcare, financial, and other regulated deployments.
- Most production IoT fleets combine multiple methods. Use APIs for day-to-day operations, tunneling for maintenance, and private APNs when compliance demands network-level isolation.
Way 1: API-based communication
API-based communication has become the standard for managing IoT devices over cellular. REST APIs and lightweight messaging protocols like MQTT let your backend systems send commands, pull status data, and trigger configuration changes on remote devices.
REST APIs for fleet management
Your server makes an authenticated API call to the connectivity platform, which routes the message to the target device. The device processes the command and sends a response back through the same channel. This works for everything from changing a device's reporting interval to triggering a firmware update across a fleet.
REST APIs are the best fit when you need to:
- Manage devices at scale: Activate, suspend, or reconfigure hundreds of devices through batch API calls.
- Send real-time commands: Push instructions to devices that need to act immediately, like unlocking a smart lock or adjusting a thermostat.
- Connect to existing systems: REST APIs plug into any backend stack, making them the easiest path to link your IoT fleet with business tools, databases, and monitoring systems.
MQTT for constrained devices
MQTT (Message Queuing Telemetry Transport) is a publish-subscribe protocol built for low-bandwidth, high-latency, or unreliable networks. Those are exactly the conditions that many cellular IoT devices operate in.
Devices subscribe to "topics" on an MQTT broker. Your server publishes messages to those topics, and the broker delivers them to every subscribed device. The protocol is lightweight enough to run on microcontrollers with limited memory and processing power.
MQTT is the stronger choice when your devices run on battery power, send data at high frequency, or operate on intermittent cellular connections. When a device reconnects after a dropout, it receives any messages published while it was offline (depending on quality-of-service settings).
Many teams use both REST APIs and MQTT together: REST for fleet management and provisioning, MQTT for ongoing device communication and data streaming.
Way 2: Secure tunneling and remote access
Secure tunneling gives you a direct, bidirectional connection to a device in the field, as if it were on your local network. This is critical for troubleshooting, maintenance, and deploying updates to devices that sit behind cellular NAT.
How tunneling works over cellular
Cellular networks typically assign devices private IP addresses behind a NAT, which means you cannot reach them directly from the internet. A tunneling solution creates a secure connection from the device out to a relay server, which your systems can then connect to. The result is SSH, TCP, or UDP access to the device as though it were sitting next to you.
When to use tunneling
- Troubleshooting deployed devices: Access logs, run diagnostics, or test configurations on a device without sending a technician to the site.
- Firmware and software updates: Push updates directly to devices in the field, verify they install correctly, and roll back if needed.
- Development and testing: Access devices in staging environments that mimic production cellular conditions.
Tunneling and fleet management with Hologram
Hologram's Spacebridge tunneling tool creates secure, on-demand connections to any device on the network. Combined with fleet-level controls from Conductor, teams can manage access policies across device groups and automate common maintenance workflows, including bulk firmware pushes and remote diagnostics.
Conductor adds orchestration on top of direct device access. Instead of tunneling into devices one at a time, teams can define policies for how groups of devices should be maintained, updated, and monitored. Conductor is currently in alpha, with broader availability and full API support coming summer 2026.
Way 3: Private APNs and VPNs
A private access point name (APN) creates a dedicated network path between your IoT devices and your backend systems. Traffic never touches the public internet, which removes an entire category of attack surface.
How private APNs work
When a device connects to a cellular network, the APN setting determines where its data traffic routes. With a public APN, traffic goes through the carrier's general internet gateway. With a private APN, traffic routes directly to your specified endpoint through a secure tunnel, typically through IPsec VPN.
When you need a private APN
- Regulated industries: Healthcare, financial services, and government deployments often need private APNs as part of their compliance framework.
- Sensitive data: Any device that transmits personally identifiable information, payment data, or protected health information benefits from the added isolation.
- High-security environments: Industrial control systems, critical infrastructure monitoring, and defense applications need network-level isolation that goes beyond application-layer encryption.
HIPAA-aligned IoT connectivity
Healthcare IoT deployments that handle protected health information (PHI) need connectivity that supports HIPAA's technical safeguards. This includes encryption in transit and at rest, access controls, audit logging, and the ability to sign a business associate agreement (BAA) with your connectivity provider.
Hologram supports HIPAA-aligned IoT deployments with private APN configurations, encrypted data paths, and the operational controls needed for a BAA. Combining a private APN with IPsec VPN creates a network architecture where PHI never traverses the public internet.
SOC 2 and enterprise security
SOC 2 certification demonstrates that a connectivity provider has controls in place for security, availability, and confidentiality. When evaluating providers, look for SOC 2 Type II certification, which covers ongoing operational effectiveness rather than just a point-in-time assessment.
Best practices for secure device communication
- Use private APNs for any deployment handling sensitive or regulated data.
- Enforce mutual TLS authentication between devices and your backend services.
- Rotate API keys and device credentials on a regular schedule.
- Monitor for anomalous traffic patterns that could indicate a compromised device.
- Segment your IoT network from your corporate network to contain potential breaches.
How to choose the right method
Most deployments do not pick just one approach. Here is a framework for matching each method to your needs.
| Factor | API-based communication | Secure tunneling | Private APNs and VPNs |
|---|---|---|---|
| Best for | Fleet management, device commands, data collection | Troubleshooting, firmware updates, remote diagnostics | Regulated data, compliance, network isolation |
| Scale | Handles thousands of devices through batch operations | Typically one device at a time (or small groups) | Applies to all devices on the private network |
| Security level | Application-layer (TLS, API keys) | Encrypted tunnel (SSH, TCP) | Network-layer isolation (IPsec, no public internet) |
| Latency | Low for commands, variable for large payloads | Interactive, real-time | Same as public APN for throughput |
| Complexity | Low to moderate | Moderate | High (carrier coordination, VPN setup) |
| Cost | Included with most connectivity platforms | Included or low additional cost | Additional cost for dedicated infrastructure |
For most teams, start with API-based communication for day-to-day fleet operations. Add secure tunneling for maintenance and troubleshooting access. Layer on a private APN if your deployment handles regulated data or operates in high-security environments.
For healthcare and finance, begin with a private APN and VPN as your baseline architecture, then add API-based management and tunneling on top.
For high-volume, low-cost deployments like smart meters or asset trackers, API-based communication with MQTT is often sufficient on its own.
Modern SIM technology for flexible device management
The SIM cards in your devices affect which communication methods you can use and how flexibly you can manage connectivity over time.
eUICC and eSIM
Traditional SIM cards lock a device to a single carrier. eUICC (Embedded Universal Integrated Circuit Card) SIMs can store multiple carrier profiles and switch between them remotely. This means you can change carriers, update rate plans, or add regional profiles without physically touching the device.
Hologram's Hyper SIMs are available in SGP.02 and SGP.32 variants, supporting over-the-air profile management. Combined with Conductor's policy-based orchestration, teams can set rules for automatic carrier switching based on coverage, cost, or performance criteria.
What to look for in an IoT SIM
The best IoT SIM for your deployment depends on your specific needs, but key factors include:
- Multi-carrier support: SIMs that connect to multiple carriers in each region give you redundancy and coverage flexibility.
- Global reach: If your devices deploy internationally, choose a SIM that covers the regions you need without separate carrier agreements in each country.
- Remote management: eUICC capability lets you change carrier profiles without physical SIM swaps.
- Platform integration: The SIM should work with a management platform that gives you API access, real-time monitoring, and automation tools.
Hologram's Hyper SIM covers 190+ countries across 550+ carriers, with the dashboard and API tools to manage connectivity at scale. Hologram transmits more than 3TB of data daily and has maintained 100% historical platform uptime, backed by a 99.95% contractual SLA.
FAQs
What IoT APIs are best for cellular connectivity?
Hologram offers REST API access for device management, SIM lifecycle control, and data usage monitoring.
Hologram's API stands out for fleet-scale operations, with support for bulk provisioning, webhook-based event notifications, and integration with the Conductor orchestration platform for policy-based, API-triggered actions across large device populations.
When choosing, evaluate API documentation quality, rate limits, webhook support, and whether the platform gives you granular control over individual SIMs as well as fleet-wide operations.
What is the best IoT SIM for connected devices?
The best IoT SIM depends on your deployment's geography, scale, and management needs. Key factors to evaluate include multi-carrier coverage, eUICC support for remote profile switching, global reach, and platform integration.
Hologram's Hyper SIM connects to 550+ carriers across 190+ countries and supports eUICC-based over-the-air profile management in both SGP.02 and SGP.32 variants. Combined with Conductor's orchestration capabilities, teams can automate carrier switching based on cost, coverage, or performance rules without physically touching devices.
The right choice comes down to your coverage needs, how many devices you manage, and whether you need advanced automation like policy-based failover.
What is an APN?
Private APNs matter for IoT security because they keep device traffic completely off the public internet. Instead of routing through a carrier's general gateway, your data travels through a dedicated network path directly to your infrastructure. This is important for several reasons:
- It eliminates exposure to public internet threats like DDoS attacks and man-in-the-middle interception.
- It satisfies compliance needs for industries like healthcare (HIPAA), finance, and government.
- It gives you full control over network routing and traffic inspection.
Combined with IPsec VPN, it creates end-to-end encryption from device to server.
Hologram's private APN works across its global carrier network and integrates with Conductor's routing policies for granular traffic control.
What is a HIPAA-aligned IoT connectivity provider?
Hologram supports HIPAA-aligned IoT deployments for healthcare devices that handle protected health information (PHI).
HIPAA-aligned connectivity for IoT means your connectivity provider has the technical safeguards, operational processes, and contractual framework to handle PHI. In practice, this includes:
- Private APN configurations that keep PHI off the public internet
- Encrypted data paths using IPsec VPN between devices and your backend
- Access controls and audit logging for SIM management operations
Healthcare teams deploying connected medical devices, remote patient monitoring systems, or clinical IoT should evaluate whether their connectivity provider can support these needs across every region where devices operate.
