Aptilo IoT CCS – Hyperscale IoT Connectivity Management

Leave your Mobile Core untouched and create IoT connectivity management services previously considered unthinkable.


Most mobile operators offer basic IoT connectivity management where customers can manage their own SIM cards. The next step up is often a completely customized IoT connectivity service. Each customer deployment becomes a costly project with extensive manual configuration efforts. Operators are missing out on a mass-market with customers prepared to pay for value-added services, but not for bespoke development.

What Aptilo Networks suggests is that mobile operators leave their core networks untouched and use hyperscalers to add a programmable, flexible layer of IoT security and policy control on top of their mobile infrastructure. Here they can automate most of the customization efforts. Through self-management portals, they can allow customers to tailor connectivity policies and manage firewall settings.

Welcome to Aptilo IoT Connectivity Control Service™ (IoT CCS), an award-winning service in partnership with Fortinet, hosted on Amazon AWS. Mobile operators can go beyond traditional IoT connectivity services providing a programmable, automated, secure and scalable global IoT connectivity; unified also when using localized eSIMs.

Manual setup of a secure private connection (APN+VPN) typically takes weeks. With Aptilo IoT CCS, the operator’s enterprise customers can create as many private connections (VPN) as they need in a matter of minutes. FortiGate next-gen firewalls protect the traffic.

The four layers in a hyperscale IoT connectivity management solution

The industry has recognized the benefits of Aptilo IoT CCS, our hyperscale IoT connectivity management solution. So far, we have been finalists for ten awards and won six of them. Aptilo IoT CCS is truly an award-winning IoT connectivity management service.

Enea's connectivity management solution - Aptilo IoT CCS - has won six industry awards

The key in this category was to bring real innovation in the market, and this is what Enea does. One jury member liked the fact that Aptilo IoT CCS addresses a real problem for mobile operators, enabling them to profitably launch IoT services while meeting the needs of enterprise customers, and another member said it had hyperscale potential.

Matt Hatton - Transforma Insights
Presenting the Jury’s motivation at the 2021 WCA IoT Innovation Award

Explore more about the IoT connectivity management challenges for mobile operators and how Aptilo IoT CCS can help:

  • Download our comprehensive white paper Hyperscale Cellular IoT
  • Watch our 2-minute Aptilo IoT CCS introduction video.
  • Watch our Aptilo IoT CCS Overview & end-customer use case video.



Aptilo IoT CCS Architecture - Hyperscale IoT Connectivity Management Platform

Aptilo IoT CCS is a hyperscale programmable layer for cellular IoT connectivity management and control. Mobile operators can deliver value-added services such as managed security, analytics, granular policy control and unified global connectivity and let their customers manage their own policy, VPN and firewall settings.

Aptilo IoT CCS has the following integration interfaces towards operator core and OSS/BSS:

  • Traffic plane: Operators only have to extend one standard APN via IPsec to Aptilo IoT CCS in the cloud.
  • Control plane: The standard 3GPP Gi/SGi interface is used for signaling.
  • IoT CCS also integrates through REST API towards the operator’s customer self-service application and other OSS/BSS systems, e.g., to provide analytics data, provision Virtual Private Networks (VPNs) and assign the device’s IP-address.
  • Partner MNOs and/or global connectivity services such as Ericsson IoT Accelerator can be easily connected to Aptilo IoT CCS.

The traffic can flow through VPNs or directly to the internet with traffic filtering through Fortinet’s next-gen firewalls. Enterprise IoT customers can also use a “policy-based hybrid” of this, allowing certain traffic for things such as firmware upgrades or sensitive analytics data to go through VPN and the rest of the traffic to go directly to the internet protected by the firewall. A customer can also define multiple VPN connections from the same device, something that is difficult to achieve in the standard mobile core.

The Aptilo IoT CCS can scale instantly and infinitely; that is the benefit of hosting the solution at hyperscalers such as Amazon AWS. Everything is already deployed and in place, so it is just a matter of spinning up more resources in the cloud. With us, mobile operators will get an IoT connectivity management solution that scales with their business as we apply an OPEX-based pay-as-you-grow business model.

In addition, this approach is a fundamental change for mobile operators in adaptive scaling for customers with a global business. Following your customer worldwide has never been easier. Mobile operators can put more resources in regions where the customer needs them most. Compare this with trying to scale the same functionality in the mobile operator’s core network. Deployment will be neither fast, flexible, nor adaptable to where in the world the customer is located.

  • 100% OPEX

    IoT connectivity management delivered as a service from Amazon Web Services (AWS) for mobile operators that want to innovate in the IoT era.

  • Any Mobile Core

    Works with the existing mobile core as well as with the coming service-based 5G core (5GC) architecture.

  • Freedom to create

    Enables creative IoT connectivity services adapted for each business customer.

  • Rapid deployments

    New type of services in days rather than months.

  • Flexible policies

    Specific policies per enterprise and/or device in a hierarchical manner.

  • Customer self-service

    Mobile operators can create customer web self-management.

  • Customer insight

    IoT customers can receive real-time and historical insights into IoT device connectivity.

  • IoT Security

    Policy enforcement, device traffic filtering, DDoS protection, detection of anomalies and more through Fortinet’s next generation firewalls. Learn more about our IoT security features on our dedicated page on security.

  • Reduces APN hassle

    The Aptilo Multitenancy Virtual APN™ concept will save you grey hairs.

  • Unified Global Connectivity

    Operators can add international mobile operator partners to their instance of the Aptilo IoT CCS service. Thanks to the policy-based IP assignment and central security and policy control, operators can deliver a unified IoT service across all these cellular networks.

100+ service provider deployments


The concept of IoT connectivity management has changed. Providing a standard SIM-card with roaming capabilities will not cut it anymore. IoT enterprise customers are much more diverse and demanding than what you might imagine. Let us examine some example enterprise use cases that are very different in characteristics. These are anonymized cases from real customers and/or customer discussions that Aptilo’s mobile operator customers have had.

The use cases show how the required functionalities can be delivered with a cloud-based connectivity control solution such as Aptilo IoT CCS. The granular policy control delivered as a service makes it possible to create more advanced and innovative IoT services, and the mobile operator can leave the control to the enterprise by implementing self-service.

IoT Connectivity Management - Utility

In the utilities market a customer may need to connect hundreds of thousands, maybe millions, of “dumb” IoT devices such as electrical meters. They are dumb in the sense that they are simple and cheap, so they often lack security features such as VPN connectivity.

These devices have a vulnerable position in people’s homes. Thus, they need to be protected by firewalls. Some of the traffic may also need to be delivered through VPN from Aptilo IoT CCS.

Anomalies in the traffic patterns may also need to be analyzed.

IoT Connectivity Management - Automotive

A modern car is really a hub of multiple IoT devices. These devices come from subcontractors of things such as suspension, batteries, brakes, security systems, entertainment systems and more. They all need private connectivity for firmware upgrades and predictive maintenance.

There’s a vast variety of different needs and use cases:

Car-2-car communication requires low latency. Upload of extensive real-time analytics requires high upstream data capacity. Download of software or passenger entertainment needs high downstream data capacity. They may also need geographical routing rules determined by device profile settings. Furthermore, there may be a need to have localized Internet. The service must be able to route the Internet traffic to the home country’s Internet breakout, to enable users to, e.g., watch their local streaming content while abroad.

There’s a need to secure the transport of sensitive data, such as analytics, software upgrades and data for predictive maintenance. The best way to secure this data is to establish end-to-end connectivity through VPN tunnels. The service provider must support a one-to-many VPN connectivity that is controlled by the car manufacturer.

Car manufacturers also have high security requirements: end-to-end security, DDoS protection, anomaly detection, etc.

IoT Connectivity Management - SME Taxi company

A small local taxi and transport company is part of the small and medium-sized enterprise (SME) customer segment. The SME segment is the direct opposite of a car manufacturer in the sense that they have no IT resources, and they only have a handful of devices to cater for.

They may run a few legacy systems that need to have contact with the cars at all times. These systems have very limited security functions, as they were established already before the birth of the Internet. So, they need operator-managed security. VPN tunnels are not an option for this customer, because they can’t set up and manage VPN connections.

From the operator’s perspective, they need this type of customer to handle their own settings. In this mass market, it is just not profitable if the customer needs too much assistance from the operator. There’s an enormous volume of potential customers in the SME segment, but each customer does not contribute much revenue. This is a volume game. For the self-management to work, an easy-to-use web GUI or app with basic settings is a must.

IoT Connectivity Management - Scooter rental

Companies offering app-based short-time rental of electrical scooters are popping up like mushrooms in larger cities globally.

They have tens of thousands of relatively low-end devices in the form of electrical scooters. This type of company needs to secure traffic from their scooters to the receiving servers. They may also need automatic detection of usage anomalies, e.g. unexpected data patterns.

The scooters are exposed to potential user manipulations. Furthermore, they commission and decommission them regularly and an average lifespan of a scooter is just a few months.

Scooters must only be mobile within a pre-defined area in the city, so they need to:

  • Limit usage outside of defined localities.
  • Enable direct connectivity to each unique device, hence they need to have a private IP-address.
  • Allow for easy and instant blocking of lost devices or the ones taken out of service.

IoT Connectivity Management - Forestry industry

The forestry industry needs complex domestic IoT connectivity. They need secure connectivity over an Enterprise APN to their headquarters for services such as:

  • Location tracking of vehicles.
  • Report quantity of cut timber.
  • Report machinery operation hours.
  • etc, etc…

Moreover, they need secure connections (VPN) to other destinations:

  • Upgrade of vehicle firmware with the truck vendor.
  • Data exchange with the forestry machinery vendor to enable predictive maintenance.

They may also want to enable Internet connection for the integrated tablet device available in many forestry machines. This traffic must be protected by a firewall and they need to control this connection according to corporate policies.

IoT Connectivity Management - Transport

Let’s explore how mobile operators can combine a connectivity control service such as Aptilo IoT CCS with their own ability to do dynamic eSIM localization. They can provision and upgrade settings in the eSIM, using their over-the-air (OTA) systems and the latest eUICC technology, and change the profile to the local operator on the fly.

This is great news for a transport company operating all over North and Central America. They can turn to one mobile operator in Canada to solve all their connectivity needs both domestically and abroad under one contract.

By connecting all partner MNOs to the Aptilo IoT CCS, the mobile operator can offer a unified global APN+VPN connectivity without roaming. The truck will, for instance, maintain its IP-address across borders.

Let’s see what happens as the truck passes through different countries. We start in Canada. When the truck enters the United States, the profile for the US partner MNO is enabled over-the-air. The truck continues to Mexico and the OTA system makes sure that the eSIM switches to the local MNO partner in Mexico.

If needed, the Aptilo IoT CCS service can offer policy-based breakout for all or parts of the traffic to the nearest AWS point-of-presence.

IoT Connectivity Management - Global logistics

The need for global connectivity can also just be a matter of logistics. Take a manufacturer of coffee machines rented out to coffee shops all over the world.

Just imagine the benefits, in manufacturing and in less capital tied up in stock, of storing just one version of the machine instead of individual versions for each country. They can do this under one mobile operator contract and still apply the same security and policies (through Aptilo IoT CCS) across the board, while allowing some of the traffic to break out in the local country and some to be routed home in secure VPNs.

In both cases with global connectivity, the mobile operator must go beyond roaming and instead localize eSIMs over-the-air (OTA) to local subscriptions. This will eliminate the issue of IoT devices being blocked for breaching regulations and commercial agreements that prohibit permanent roaming.


Apart from the inherent scalability of a hyperscale IoT connectivity management solution, let’s now dig into some details of how Aptilo IoT CCS helps service providers to scale their value-added IoT services with profit.

Cellular IoT - Operator profit versus Customer Value

The matrix above shows two perspectives that operators need to consider when creating IoT connectivity management services. On the X-axis we have the business value the service brings to the enterprise IoT customer. On the Y-axis, you find the profit the IoT connectivity service brings to the operator.

Mobile operators will end up in the bottom left corner if they just re-package an existing consumer service for IoT.

Most operators also add SIM-management and offer private connections on top of this. The keyword here is ‘most’. They will deliver a commodity with little value add. They will only compete on price, and the lowest bidder will replace them. These mobile operators are in what we call the “churn zone” colored red in the matrix.

In the left half of the matrix, operators will only be able to create a profitable IoT business if they become the price and volume leader in their market.

The further you move towards the right, adding value-added services, the stickier customers become. Higher revenues come with value-added services such as Analytics, Managed Security, Global Connectivity and Granular policies.

But, for most operators, the profit will not follow. Every new customer that needs value-added services becomes an expensive development project.

There’s only one way to scale value-added IoT services with high profit, and that is to automate the customization as much as possible. Mobile operators should also add a web-interface for customer self-management. This serves two purposes. First, they will get a lower cost of operation. Second, customers will be less cost sensitive, as the service feels like their own when integrated with their business processes.

So the green zone, which we call the high-profit zone, is where you want to be as a mobile operator. The question is whether even a dedicated mobile core for IoT and the operator’s current organizational processes will take them there. One of Aptilo’s mobile operator customers answered no to that question. And so the Aptilo IoT CCS hosted on AWS, our hyperscale IoT connectivity management solution, was born.

Basic IoT Connectivity services or Bespoke deployments. Is there nothing in between?

Automation is Key for a Profitable IoT Service

As discussed initially, most mobile operators offer basic IoT connectivity management. The next step up is often a fully customized IoT connectivity service. Each customer deployment then becomes a costly project with extensive manual configuration efforts. Operators are missing out on a mass-market with customers prepared to pay for value-added services, but not for bespoke development.

What’s more, many bespoke deployments are very similar, which shows that there is potential to deliver those projects more cost-effectively.

This is where Aptilo IoT CCS comes in.

We believe that there is huge potential in no longer resorting to customization as soon as a customer wants something that goes beyond a standard service.

Auto customization with Aptilo IoT CCS hyperscale solution

With a hyperscale IoT connectivity management solution, such as Aptilo IoT CCS, it is easy to be agile and create new value-added services that fit multiple customers. As a result, it will be possible to move the bulk of customization projects over to a scalable IoT service that is instantly deployed with any customer. This is an auto-customization approach where the customer also can make the last few customization steps themselves and maintain the service through self-management.

This will free up resources to do bespoke developments just for the very few that need it. But Aptilo IoT CCS is relevant also for bespoke development. The logic and security part of a bespoke project can also benefit from being handled in the cloud. It is faster to deploy new server or firewall nodes, and operations can isolate and tailor specific nodes for the customer if needed.

Cost saving when choosing an operator that has gone Hyperscale

Analyst firm Transforma Insights estimates that customers using a hyperscale IoT connectivity service can save on average 28 percent of the cost of their global IoT connectivity.

That equates to an astonishing 117 billion USD globally between 2020 and 2030.

Analyst firm Transforma Insights - Global IoT customers will save on average 28% on a hyperscale IoT Connectivity Management solution

Source: Transforma Insights https://transformainsights.com/research/reports/white-paper-hyperscale-iot-connectivity-usd117bn

The largest cost-saving is in Device-to-Cloud Integration (7.5%), closely followed by faster Time-to-Market (6.4%) and lower costs of providing the equivalent levels of Security (5.3%).

Enterprises can also save a lot (5.9%) by using eSIM/eUICC and localizing the connectivity onto a domestic network, avoiding issues with regulatory or commercial compliance.

The bottom line

Enterprise IoT customers’ needs are diverse and demanding. It is not just a matter of adding IoT SIM-management capabilities to an existing mobile core.

Mobile operators must deliver a programmable and secure global IoT connectivity management solution that they can deploy instantly. To achieve this, they need to think outside the limitations of their current mobile core and organizational processes.

Mobile operators need to add a hyperscale programmable layer for cellular IoT connectivity management. This is what Aptilo IoT Connectivity Control Service™ (IoT CCS) offers as an OPEX-based pay-as-you-grow service, hosted on AWS.
