3.6 KiB
Architectural Decision Record: Local Gateway + External Backend
Status
Accepted
Context
Initial design considered direct communication between IoT devices (ESP32) and a backend hosted on the internet.
Concerns identified:
- High volume of small messages from devices
- Unnecessary exposure of raw telemetry to the internet
- Increased complexity on constrained devices (TLS, crypto, reconnect logic)
- Security overhead (encryption, signing on every message)
At the same time, the system does not require real-time global access to raw device data. Most data is only useful locally or in aggregated form.
Decision
Adopt a local gateway architecture:
ESP32 devices → Local Backend (LAN) → External Backend (Internet) → Mobile App
Key principles
-
Devices communicate only within LAN
- No direct internet access required
- No inbound connections to devices
- Devices initiate outbound connections only to local backend
-
Local backend acts as a gateway
- Maintains persistent secure connection (WebSocket over TLS) to external backend
- Aggregates telemetry data
- Translates and routes commands
-
External backend is the only internet-facing component
- Serves mobile applications
- Sends commands to local backend
- Receives aggregated data only
Rationale
1. Reduced complexity on devices
ESP32 devices:
- Do not implement TLS
- Do not handle complex cryptography
- Maintain simple communication protocol
Result:
- Lower memory and CPU usage
- Simpler firmware
- Higher reliability
2. Network efficiency
Instead of many small messages:
- Local backend aggregates data
- Sends fewer, larger messages
Result:
- Reduced bandwidth usage
- Fewer connections
3. Clear trust boundary
- LAN is treated as a controlled (conditionally trusted) environment
- Internet is treated as untrusted
Security measures are concentrated at the boundary:
- TLS on gateway ↔ external backend
- Authentication and validation at gateway
4. Data control and privacy
- Raw telemetry remains in local network
- Only aggregated/necessary data leaves the network
- No dependency on third-party cloud for device data
Security Model
LAN (conditionally trusted)
Assumptions:
- Network is controlled
- Unauthorized access is unlikely but possible
Mitigations:
- Device IP whitelist
- Device identification (deviceId)
- Simple authentication (pre-shared token)
- Network segmentation (IoT VLAN)
No encryption required inside LAN.
Internet (untrusted)
- All communication secured via TLS
- Strong authentication required
- Single controlled connection (gateway → backend)
Command Flow
- Mobile app → External backend
- External backend → Local backend (via secure WebSocket)
- Local backend → Device (LAN)
Local backend is responsible for:
- Validating commands
- Ensuring they match device capabilities
Consequences
Positive
- Simpler device firmware
- Reduced attack surface (no exposed devices)
- Better performance and scalability
- Full control over data
Negative
- Requires always-on local backend
- Adds one architectural component (gateway)
- LAN cannot be treated as fully secure
Notes
If LAN is compromised, impact is broader than IoT telemetry leakage and should be treated as a separate security incident class.
Therefore, the system does not attempt to provide full zero-trust security within LAN, but instead applies reasonable safeguards.
Future Considerations
- Optional message signing inside LAN if threat model changes
- Key rotation for device tokens
- Device revocation mechanisms
- Monitoring of gateway ↔ external connection