As mobile networks become more distributed and cloud-native, a subtle but important challenge continues to surface for enterprises and operators alike: how do you keep a consistent IP address scheme for devices when sessions are no longer anchored to a single packet gateway?
For years, the default workaround was to assign devices fixed public IP addresses so they could always be reached in the same way. That approach worked when networks were centralised and security expectations were different. Today, however, public IPs introduce exposure, cost, and operational complexity that increasingly clash with modern zero-trust and edge-first network designs.
The real requirement has now shifted. It is no longer about giving a device a permanent public address. It is about preserving a stable private IP identity for each device, regardless of where it attaches in the world.
Why traditional mobile cores struggle with IP consistency
In conventional EPC and 5G Core deployments, IP addressing is tightly coupled to the packet gateway serving the session. When a device attaches, that gateway allocates the IP address and anchors it locally. If the same device later re-attaches through a different gateway – because it has moved location, a closer edge is selected for latency, or a failover has occurred – the IP address will often change.
To avoid this, operators have historically been forced to “pin” traffic for fixed-IP devices back to a single central gateway. While this preserves the address, it creates a series of well-understood compromises:
- Latency increases as traffic is backhauled across regions
- Resilience is reduced because everything depends on one node
- Sovereignty goals become harder to meet
- Scaling the service becomes operationally fragile
The end result is a persistent tension between performance, resilience, and IP stability in traditional core architectures.
Why public IPs on devices are falling out of favour
Assigning public IP addresses directly to devices was once seen as the simplest way to guarantee reachability. In practice, however, this model no longer aligns with how enterprises want to operate secure networks.
Public device addressing introduces several structural issues:
- Devices become directly internet-facing by default
- The attack surface increases significantly
- Firewall management becomes complex at scale
- Public IPv4 availability and cost become real constraints
More importantly, public exposure runs counter to modern security models where no device should be reachable unless access is explicitly granted through secure channels. As a result, most enterprises now want devices to live entirely within private address space, with controlled access delivered via VPNs and secure proxies.
How modern mobile networks preserve private IP identity globally
Newer mobile core architectures increasingly remove the tight coupling between a device’s IP identity and the physical packet gateway serving its session. Instead of the gateway “owning” the IP address, identity is abstracted at the platform or control layer and preserved as sessions move across the network.
In distributed, edge-based user plane designs:
- Devices can attach at the nearest available gateway for performance
- The same private IP address can be maintained across attachments
- IP identity remains consistent even as the gateway to which the device is anchored changes
This is achieved through intelligent routing and traffic-steering layers that operate across a distributed user plane while maintaining stable addressing. From the enterprise application’s perspective, the device appears unchanged – even though the underlying mobile session may now be anchored at a different edge location.
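To make the difference concrete, the following model is an added illustration, not code from this post or from any mobile core product. It contrasts gateway-owned allocation with a control-layer binding that survives re-attachment and gateway failure. The class names, gateway names, address pools and IMSI are all constructed for the example.

```python
import ipaddress

class GatewayOwnedCore:
    """Conventional model: each packet gateway allocates from its own pool."""
    def __init__(self, pools):  # gateway name -> CIDR (constructed values)
        self._free = {gw: iter(ipaddress.ip_network(c).hosts()) for gw, c in pools.items()}

    def attach(self, imsi, gateway):
        return str(next(self._free[gateway]))  # address follows the gateway

class ControlLayerCore:
    """Decoupled model: the control layer owns the IMSI -> private IP binding."""
    def __init__(self, cidr):
        net = ipaddress.ip_network(cidr)
        if not net.is_private:
            raise ValueError("device pool must be private address space")
        self._free = iter(net.hosts())
        self.binding = {}    # imsi -> stable private IP
        self.steering = {}   # device IP -> gateway currently anchoring it

    def attach(self, imsi, gateway):
        ip = self.binding.get(imsi)
        if ip is None:
            addr = next(self._free, None)
            if addr is None:
                raise RuntimeError("private pool exhausted")
            ip = self.binding[imsi] = str(addr)
        self.steering[ip] = gateway  # only the steering entry moves
        return ip

    def gateway_failed(self, gateway):
        """Drop steering entries for a failed gateway; bindings are kept."""
        lost = [ip for ip, gw in self.steering.items() if gw == gateway]
        for ip in lost:
            del self.steering[ip]
        return lost

def demo():
    imsi = "001010000000001"  # constructed test IMSI
    legacy = GatewayOwnedCore({"edge-lon": "10.1.0.0/24", "edge-fra": "10.2.0.0/24"})
    modern = ControlLayerCore("10.64.0.0/24")
    result = {
        "legacy": [legacy.attach(imsi, "edge-lon"), legacy.attach(imsi, "edge-fra")],
        "modern": [modern.attach(imsi, "edge-lon"), modern.attach(imsi, "edge-fra")],
    }
    result["lost_on_failure"] = modern.gateway_failed("edge-fra")
    result["after_failover"] = modern.attach(imsi, "edge-lon")
    result["anchor"] = modern.steering[result["after_failover"]]
    return result
```

Calling `demo()` shows the conventional core handing out a different address per gateway, while the decoupled core keeps one private address and changes only the steering entry, including after the anchoring gateway fails.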
Secure access without public exposure
Because devices retain private IP addresses, secure access is delivered using native capabilities within the mobile and enterprise network stack, rather than relying on direct public internet exposure.
Enterprises typically access devices through:
- Remote access proxy services
- IPsec or WireGuard VPNs
- SSH, HTTPS, and application-level tunnels over encrypted links
This approach naturally supports zero-trust architectures. Devices are never publicly reachable, access is fully authenticated and auditable, and firewall policies can remain simple and predictable. From an operational standpoint, enterprises deal with stable private subnets rather than thousands of individual public IP endpoints.
Why dynamic gateway selection matters
Once IP identity is no longer tied to a single gateway, operators are free to anchor sessions wherever it makes the most technical or regulatory sense. A device can attach to the closest regional edge to minimise latency, while traffic can remain in-country to satisfy sovereignty requirements. If a gateway becomes unavailable, sessions can be re-established elsewhere without breaking enterprise integrations that rely on stable IP addressing.
This unlocks the true value of distributed user-plane architectures:
- Low-latency regional breakout
- Gateway-independent resilience
- Predictable addressing for enterprise platforms
- Easier global scaling without redesigning networks
All without forcing devices onto public internet addresses.
A more natural model for global IoT and enterprise mobility
By combining persistent private IP addressing, distributed edge gateways, intelligent traffic steering, and secure overlay access, modern mobile networks now support a far more natural networking model for global connected devices.
Enterprises no longer have to choose between performance and stability, or between security and reachability. Devices can maintain the same IP identity wherever they go. Traffic can be anchored at the optimal edge. Access is delivered securely, without exposing endpoints to the public internet. And operators can continue evolving toward fully distributed, sovereignty-ready cores without carrying forward many of the architectural compromises of legacy fixed-IP designs.