# Private Networks

A private network is the foundation for our advanced network services. When you deploy a private network and assign SIM cards to it, you create an isolated subnet that allows you to control network access.

<img src="https://2653492456-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYV3zfJTXLR73Umqnex88%2Fuploads%2FkMIDco4fsm3HnKwfmgIP%2Ffile.excalidraw.svg?alt=media&#x26;token=10dd1251-5962-4d42-b331-8605b38d29dc" alt="" class="gitbook-drawing">

## Private network basics

When you create a private network, you must specify the subnet size (the number of IPv4 addresses for the VPN) as a Classless Inter-Domain Routing (CIDR) block, for example /24 (256 hosts). A random subnet in the 10.0.x.x IP space will be assigned to your private network. Read more on CIDR blocks [here](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) and [here](https://www.davidc.net/sites/default/subnets/subnets.html).

A Virtual Private Cloud (VPC) spans all of the Availability Zones in the Region. The following diagram shows a new VPC. After you create a VPC, you can add one or more subnets in each Availability Zone. For more information, see [Subnets for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html).

## Specifications and limitations

* An IPv4 subnet is randomly assigned to your account, depending on the required subnet size. It is not possible to choose a custom subnet.
* Once a private network is deployed, it is not possible to increase or decrease the subnet size of the private network.
* [Contact our support team](https://www.simbase.com/support-request) if you require a subnet larger than size /22 (1022 hosts).
* There is a daily fee per private network that depends on the size of your private network.
* There is **no minimum term** for a private network. You can terminate at any time.
* You can deploy as many private networks as you need, so you can create individual networks per customer, business division, etc.
* Once the private network is deployed, you can assign individual SIM cards to your private network. Each assigned SIM card will receive a static IP that can be obtained via our dashboard or API.
* The OpenVPN service is included in any size private network and supports up to 3 simultaneous users.
* Optionally, you can disable internet access for your SIM cards.
* Your SIM cards cannot initiate data sessions with OpenVPN users. Should you require 2-way traffic, we encourage you to look into an IPSec tunnel.
* The IP assigned to your SIM is NAT-ed in our mobile core so that we can offer active-active geo-redundancy over 2 data centers. This means that your device will obtain a non-static IP in the 10.192.x.x range, which is NAT-ed to a static IP in the 10.x.x.x range. Read more on NAT [here](https://support.simbase.com/fundamentals/ip-addresses/network-address-translation-nat).
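
The subnet size cannot be changed after deployment, and the address a device sees on its own interface (10.192.x.x) is not the static address other hosts use to reach it. The following Python sketch is an added example, not Simbase code: it picks a subnet size for a SIM fleet and flags firewall allowlist entries that can never match a SIM's static IP. The sample network `10.0.12.0/24`, the function names, the range of prefix lengths tried and the "total minus 2" usable-host rule are assumptions.

```python
import ipaddress

# Range the page gives for the dynamic, device-side (pre-NAT) addresses.
DEVICE_SIDE = ipaddress.ip_network("10.192.0.0/16")
LARGEST_PREFIX = 22  # per the page, anything larger goes through support
SAMPLE_NETWORK = "10.0.12.0/24"  # constructed example of an assigned subnet


def smallest_prefix(sim_count):
    """Return the smallest subnet (longest prefix) that fits the fleet.

    Assumption: network and broadcast addresses are reserved, so a
    subnet offers 2**(32 - prefix) - 2 assignable addresses.
    Returns None when the fleet needs a subnet larger than /22.
    """
    for prefix in range(30, LARGEST_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - 2 >= sim_count:
            return prefix
    return None


def classify(address, private_network=SAMPLE_NETWORK):
    """Say which side of the NAT an observed IPv4 address belongs to."""
    ip = ipaddress.ip_address(address)
    if ip in DEVICE_SIDE:
        return "device-side dynamic (pre-NAT)"
    if ip in ipaddress.ip_network(private_network):
        return "private-network static"
    return "outside private network"


def dead_allowlist_entries(entries, private_network=SAMPLE_NETWORK):
    """Return allowlist entries that do not name a static SIM address.

    Assumption: hosts on the VPN side address devices by the static IP
    shown in the dashboard, so an entry copied from the device's own
    interface (10.192.x.x) or from another subnet never matches.
    """
    return [e for e in entries
            if classify(e, private_network) != "private-network static"]


if __name__ == "__main__":
    print(smallest_prefix(200))
    print(dead_allowlist_entries(["10.0.12.34", "10.192.4.7", "10.0.13.1"]))
```

Size the subnet for the fleet you expect to reach, since a deployed network cannot be resized.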

## Deploy a private network

{% @supademo/embed demoId="Tr\_bKyD17PnKo5SE8vM0K" url="<https://app.supademo.com/demo/Tr_bKyD17PnKo5SE8vM0K>" fullWidth="true" %}

To deploy a private network, please see the video above or the steps below:

* Log in to our dashboard (user rights owner or admin are required).
* Navigate to **'Private Network'**.
* Click **'Create New Private Network'**.
* Give your network a friendly name, select the required subnet size, and either disable internet access or leave it enabled.
* Click **'Deploy Private Network'**.
* Once all resources are deployed, click **'See details'.** Your network is now ready.

## Assign a SIM to a Private Network

{% @supademo/embed demoId="YW-pp\_jA-4APdBjTZcl1L" url="<https://app.supademo.com/demo/YW-pp_jA-4APdBjTZcl1L>" fullWidth="true" %}

To add a SIM to a private network, please see the video above or the steps below:

* Navigate to **'SIM cards'** and select the checkbox of the card(s) you want to add to a subnet.
* Click **'Assign to Private Network'** in the blue bar that appears.
* Select the correct network in the popup that appears and click 'Assign'.
* Reboot your hardware for changes to take effect.

## Ping your device via OpenVPN

Please see [this](https://support.simbase.com/open-vpn#connect-to-your-device) page for instructions on how to connect to your device via OpenVPN.

## Terminate a Private Network

If you would like to terminate your private network, please follow the steps in the video below.

{% @supademo/embed demoId="tWulymnXksLOcTnr0CaMX" url="<https://app.supademo.com/demo/tWulymnXksLOcTnr0CaMX>" fullWidth="true" %}

## Architecture

For users interested in the full details of our mobile setup, please see the information in this section.

<img src="https://2653492456-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYV3zfJTXLR73Umqnex88%2Fuploads%2FJ140d9aEs5gZOUzKpSJE%2Ffile.excalidraw.svg?alt=media&#x26;token=934852bc-0238-4d64-a170-e32bef92f01a" alt="Schematic overview of our private network architecture" class="gitbook-drawing">

In the sketch above, you can see how our mobile core is set up. Some notes on this setup:

* We use 2 dedicated packet gateways (PGWs) in an active-active configuration, deployed in two geo-redundant Equinix data centers. This ensures the highest level of redundancy in case of disasters like [this](https://www.reuters.com/article/us-france-ovh-fire-idUSKBN2B20NU).
* Because of the active-active setup, both gateways use their own subnet to avoid IP conflicts. This is why your device is assigned a dynamic IP in the 10.192.x.x/16 range.
* Both packet gateways are connected to our NAT gateways via their own DirectConnect connection to isolated, redundant resources. These NAT gateways NAT the dynamic IPs assigned by the PGWs to a static IP that is visible in our platform.
* The isolated NAT gateways forward all traffic to an active internet gateway. The internet gateways function as internet-facing NAT gateways, OpenVPN servers, and IPSec VPN endpoints. To avoid IP conflicts, they run in an active-standby setup.
* There are many details to this setup that we are happy to explain to you in detail. Please consult your account manager for further assistance.
