
AWS IoT Core: LoRaWAN Gateway Setup Guide

Written by: Robert Liao


Author: Robert Liao, Technical Support Engineer

Robert Liao is an IoT Technical Support Engineer at Robustel with hands-on experience in industrial networking and edge connectivity. Certified as a Networking Engineer, he specializes in helping customers deploy, configure, and troubleshoot IIoT solutions in real-world environments. In addition to delivering expert training and support, Robert provides tailored solutions based on customer needs—ensuring reliable, scalable, and efficient system performance across a wide range of industrial applications.

Summary

For enterprises building scalable IoT solutions, AWS IoT Core for LoRaWAN is a game-changer. It eliminates the need for a third-party Network Server (like ChirpStack), allowing your LoRaWAN gateway to talk directly to the AWS cloud. This guide provides a technical walkthrough for connecting a Robustel gateway to AWS. We explain the "Basic Station" protocol, the importance of CUPS (Configuration and Update Server), and how to manage the strict TLS security requirements to ensure your industrial data flows securely into AWS services like DynamoDB and Lambda.

Key Takeaways

Serverless Architecture: By connecting your LoRaWAN gateway to AWS, you remove the "middleman" server. Data flows directly into the AWS cloud, reducing latency and management overhead.

Basic Station Protocol: AWS requires the modern Basic Station protocol (not legacy UDP). This uses secure WebSockets (WSS) and simplifies remote fleet management.

Certificate Management: Security is paramount. You must generate a client certificate and private key in AWS and upload them to the LoRaWAN gateway to authorize the connection.

CUPS vs. LNS: AWS uses two endpoints. CUPS handles configuration updates (firmware), while LNS handles the actual sensor data traffic.

AWS IoT Core: LoRaWAN Gateway Setup Guide

In the past, connecting LoRaWAN to the cloud was a three-step dance: Sensor -> Gateway -> Network Server -> Cloud. Amazon Web Services (AWS) simplified this. With "AWS IoT Core for LoRaWAN," they internalized the Network Server.

Now, your LoRaWAN gateway connects directly to AWS.

This architecture reduces complexity and costs, but it requires precise configuration. AWS does not support the insecure legacy "UDP Packet Forwarder." It demands LoRa Basics Station, a secure, robust protocol.

This guide walks you through connecting a Robustel industrial LoRaWAN gateway (like the R1520LG) to the AWS ecosystem.


An architecture diagram showing a LoRaWAN gateway connecting directly to AWS IoT Core via Basic Station protocol, bypassing third-party servers.


Prerequisites

Before starting, ensure you have:

  1. An AWS Account: With administrative access to IoT Core.
  2. A Robustel LoRaWAN Gateway: Updated to the latest RobustOS firmware (which supports Basic Station).
  3. Gateway EUI: The 16-character unique ID found on the device label or web interface.

Step 1: Add the LoRaWAN Gateway to AWS


  1. Log in to the AWS Console and navigate to IoT Core.
  2. In the sidebar, select Wireless Connectivity > Gateways.
  3. Click Add gateway.
  4. Gateway EUI: Enter your device's EUI (e.g., a84041ffff123456).
  5. Frequency Band: Select the correct region (e.g., US915 or EU868).
  6. Name: Give your LoRaWAN gateway a recognizable name (e.g., Production-Gateway-01).

Step 2: Generate and Download Certificates

This is the most critical step. AWS uses Mutual TLS (mTLS) authentication.

  1. After clicking "Add gateway," AWS will prompt you to Create a certificate.
  2. Download the following three files immediately (you cannot download them later):
    • Gateway Certificate (.pem.crt)
    • Private Key (.pem.key)
    • Trust Anchor (Root CA certificate, usually cups.trust)
  3. Also, copy the CUPS Endpoint URL displayed on the screen (starts with https://...).

You now have the "digital keys" required to unlock the AWS door for your LoRaWAN gateway.


A graphic illustrating the transfer of TLS certificates and private keys from AWS IoT Core to the LoRaWAN gateway for secure authentication.


Step 3: Configure the Robustel LoRaWAN Gateway

Now, move to the hardware side.

  1. Log in to the RobustOS web interface of your gateway.
  2. Navigate to LoRaWAN > Packet Forwarder.
  3. Protocol: Select Basic Station.
  4. Backend Mode: Select CUPS (Configuration and Update Server). This allows AWS to push LNS settings automatically.
  5. URI: Paste the CUPS Endpoint URL you copied from AWS.
  6. Authentication Mode: Select TLS Client Authentication.
  7. Upload Certificates: Upload the three files you downloaded from AWS:
    • CA Certificate: The Trust Anchor.
    • Client Certificate: The Gateway Certificate.
    • Client Key: The Private Key.

  8. Click Save & Apply.
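
A local pre-flight check to run on the workstation before the upload in Step 3, catching a file placed in the wrong slot, a non-https CUPS URI, a malformed EUI, or a private key left readable by other users. This is an added example, not Robustel or AWS code; it assumes the downloaded files are PEM-encoded and a POSIX file system, and the function names and sample file names are hypothetical.

```python
import os
import re
import stat
from urllib.parse import urlparse

EUI_RE = re.compile(r"[0-9a-fA-F]{16}")
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_kind(path):
    """Classify a PEM file by its first BEGIN label."""
    with open(path, "r", errors="replace") as fh:
        m = PEM_BEGIN.search(fh.read())
    label = m.group(1) if m else ""
    if label.endswith("PRIVATE KEY"):
        return "private-key"
    return "certificate" if label == "CERTIFICATE" else "unknown"

def preflight(eui, cups_uri, ca_path, cert_path, key_path):
    """Return a list of problems; an empty list means the bundle looks sane."""
    problems = []
    if not EUI_RE.fullmatch(eui):
        problems.append("gateway EUI must be 16 hex characters")
    url = urlparse(cups_uri)
    if url.scheme != "https" or not url.hostname:
        problems.append("CUPS URI must be an https:// URL")
    slots = [("CA Certificate", ca_path, "certificate"),
             ("Client Certificate", cert_path, "certificate"),
             ("Client Key", key_path, "private-key")]
    for slot, path, want in slots:
        got = pem_kind(path)
        if got != want:
            problems.append(f"{slot}: expected {want}, found {got} in {path}")
    # The private key authenticates the gateway; keep it owner-only on disk.
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        problems.append(f"Client Key: {key_path} is readable by group/other ({oct(mode)})")
    return problems

def write_sample_bundle(directory):
    """Write constructed placeholder PEM files (labels only, no key material)."""
    paths = {}
    for name, label in (("cups.trust", "CERTIFICATE"),
                        ("gateway.pem.crt", "CERTIFICATE"),
                        ("gateway.pem.key", "RSA PRIVATE KEY")):
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "w") as fh:
            fh.write(f"-----BEGIN {label}-----\n(constructed)\n-----END {label}-----\n")
        os.chmod(paths[name], 0o600)
    return paths
```

The check only reads the PEM labels and file mode; it does not prove that the private key belongs to the certificate.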

Step 4: Verify the Connection

The LoRaWAN gateway will restart its LoRa service. It initiates a secure WebSocket connection to the AWS CUPS endpoint.

  1. Return to the AWS IoT Core Console.
  2. Refresh the Gateways list.
  3. Look at the Last uplink received timestamp.
  4. Status: It should change from "Disconnected" to Connected.

If it says "Connected," your LoRaWAN gateway is now a fully authenticated node in the AWS cloud. Any LoRaWAN sensor data received by this gateway will be available in the AWS IoT Core MQTT broker (dt/lorawan/...).


A mockup of the AWS IoT Core console showing a LoRaWAN gateway with a green 'Connected' status indicator.


Why Use Basic Station?

You might ask, "Why is this harder than the old UDP method?" Security. The legacy UDP protocol sends data in plain text. Basic Station wraps everything in a TLS tunnel. For industrial users, this means your LoRaWAN gateway is compliant with strict enterprise security standards (SOC2, ISO 27001) out of the box, as no unencrypted data ever travels over the public internet.

Conclusion: The Serverless Advantage

By connecting your LoRaWAN gateway directly to AWS, you unlock the full power of the cloud. You can route sensor data to DynamoDB for storage, trigger Lambda functions for alerts, or visualize trends in QuickSight—all without managing a single server.

Robustel’s native support for the Basic Station protocol makes this integration seamless, providing a rugged, secure on-ramp for your industrial data journey.

Frequently Asked Questions (FAQ)

Q1: Does AWS charge for the gateway connection?

A1: AWS does not charge for the LoRaWAN gateway connection itself. They charge based on "Messages Metered" (uplinks and downlinks). The first 500k messages per month are typically free under the Free Tier. This makes AWS a very cost-effective option for scaling large fleets.

Q2: Can I use the LNS Endpoint instead of CUPS?

A2: Yes. RobustOS supports connecting directly to the LNS Endpoint. However, using CUPS is recommended. CUPS allows AWS to remotely update the LNS address or push firmware updates to the LoRaWAN gateway in the future. It adds a layer of remote management that pure LNS connection lacks.

Q3: What if I lose the Private Key?

A3: If you lose the .pem.key file before uploading it to the LoRaWAN gateway, you cannot recover it. AWS does not store private keys. You will need to delete the gateway from the AWS Console and re-register it to generate a new set of certificates.