Dec, 3 2020

EMnify Cloud Connect Integration Into AWS Transit Gateway


Connect devices securely to AWS VPC without using public Internet

EMnify is a cellular cloud provider and the mobile network and management platform resides on AWS. Based on this, EMnify already secures the data path up to AWS and customers with application servers on AWS can have a secure connection to their device by directly peering their VPCs with the one from EMnify.

How the integration looks like


AWS Page Elements-11-1


The setup of Cloud Connect with the Transit Gateway attachment requires: 

    • device with an active EMnify SIM
    • the device sends data to application in VPC/EC2 instance (e.g. Python, Node.js, Java application / MQTT broker) 
    • in the EMnify Portal, the service profile of the device has a local breakout configured to have the same region as the application server (can be configured during setup steps below)


  • devices and the application infrastructure reside within the same private network
  • remotely access devices from AWS infrastructure via telnet / SSH
  • device data does not traverse public internet
  • VPC / EC2 instances do not need public IP
  • fully scalable and managed AWS service


The secure connection is associated with a specific VPC - for example when hosting an own MQTT server or utilizing a VM for remote access. When only ASW IoT is intended to be used - a seperate guide is provided in the AWS IoT Core setup page.

Configuration Steps

The following steps illustrate how to create an attachment using Cloud Connect to peer with your VPC:

  1. In the EMnify platform, navigate to the tech settings page. In the Cloud Connect panel, click + Create:add-secure-connection
  2. Select Transit Gateway as the attachment type:select-transit-gateway
  3. Enter the destination account details and private CIDRs addresses. The CIDRs should be existing VPC or subnet IPV4 address ranges with a prefix between /32 and /22. If the IP address range is already taken you will be prompted to select a new one:


  4. In the AWS console, accept the pending resource share in Resource Share Manager:

    Once you have accepted the Transit Gateway resource share the EMnify communication platform will automatically provision the private network interconnection through the TGW. This may take a couple of minutes - in which you can already proceed with configuring your side of the connection. 
  5. In the VPC dashboard, navigate to Transit Gateways in the menu item and select Transit Gateways Attachments (ensuring you are in the correct region as specified in the previous steps). Create a Transit Gateway Attachment and attach the VPC where the Application Servers are located to the shared Transit Gateway. During the process, the Transit Gateway can be configured to attach to one or multiple subnets of the VPC.
  6. The final steps for setup is to configure the VPC Routing Table and the Security Group to allow routing data through the transit gateway.
    In the VPC dashboard, navigate to Route Tables and edit the routes that are used by your application server. Click Add Route and EMnify's IP ranges and (to allow traffic from any of your IP ranges assigned to your account) and select the newly-created Transit Gateway as the target.

    Tip: an explanation of these route tables and how they should be configured can be found in the AWS documentation for Route Tables.

  7.  Existing security groups need to be updated or you may create a new security which allow traffic from the transit gateway. A good security practice would be to limit the inbound and outbound rules of the security groups to only the ports and protocols that your application is using. Exactly which ports and protocols will depend on the use case and the type of application you are running in your VPC.

Verifying the attachment

If everything is correctly configured, the Cloud Connect panel in the EMnify portal will show Active. In case the Transit Gateway is in a pending state (waiting on AWS, EGN or CRG) than please wait a couple minutes until the provisioning is complete. 
If the state says "Pending Customer Action" then return to step 5 to accept the Resource share.


Some basic connectivity checks can be performed using the ping network utility. The static private IP address of a device Endpoint is visible within the EMnify portal, so given an example IP address of and that the Endpoint is showing online (has an active PDP context), the following check can be performed:

  • A response is expected from an EC2 instance within your VPC toward the EMnify device IP:
    PING 56 data bytes
    64 bytes from icmp_seq=0 ttl=56 time=16.225 ms


    For in-depth details and troubleshooting tips for AWS Cloud Connect attachments, see the EMnify Knowledge Base article on Cloud Connect via AWS Transit Gateway.


Subscribe to our Developer Newsletter