The shared versus dedicated gateway decision depends on three key factors: security requirements, scale, and operational maturity. Here’s a framework for making the right choice:
Shared vs Dedicated Gateways - Security Isolation Analysis:
Shared gateways create a larger attack surface and blast radius. If compromised, an attacker gains access to multiple protocols and device types through a single entry point. This is particularly risky when mixing critical infrastructure devices (HVAC, access control) with non-critical sensors (temperature, occupancy) on the same gateway.
Dedicated gateways provide security boundaries:
- Protocol isolation: Bluetooth compromise doesn’t affect LoRaWAN devices
- Device type isolation: Critical devices physically separated from non-critical
- Credential isolation: Each gateway uses separate Cloud IoT Core authentication
- Network isolation: Dedicated gateways can use separate VLANs/subnets
However, security isolation isn’t binary. Implement defense-in-depth regardless of architecture:
- Gateway-level authentication and authorization per device
- Encrypted communication between devices and gateway
- Regular security patches and firmware updates
- Intrusion detection monitoring on gateway traffic
- Network segmentation even with shared gateways
Scalability Trade-offs and Operational Complexity:
Shared gateways scale better operationally:
- Single hardware platform to maintain across all locations
- Unified monitoring and alerting configuration
- Simplified firmware update process
- Reduced spare parts inventory
- Lower training requirements for field technicians
For 100+ gateway deployments, operational overhead of dedicated gateways becomes significant. Each protocol-specific gateway requires separate monitoring, updates, and troubleshooting procedures. Our experience: 500 shared gateways = 1.5 FTE operations overhead, while 1500 dedicated gateways (3 protocols × 500 locations) = 4 FTE overhead.
Dedicated gateways scale better technically:
- Right-sized hardware per protocol (no over-provisioning)
- Independent failure domains (one protocol down doesn’t affect others)
- Easier capacity planning per protocol
- Simpler troubleshooting (protocol-specific issues isolated)
Recommended Decision Framework:
Use dedicated gateways when:
- Critical infrastructure or safety systems involved
- Regulatory compliance requires physical separation
- Device types have vastly different security classifications
- Protocol-specific hardware optimization needed (cost-sensitive deployments)
- Scale is under 100 gateways (operational overhead manageable)
Use shared gateways when:
- All devices are similar security classification
- Scale exceeds 200+ gateways (operational efficiency critical)
- Hardware standardization is priority
- Rapid deployment required (fewer device types to procure/install)
- Strong network segmentation and monitoring available
Use hybrid approach (recommended for most deployments):
- Dedicated gateways for critical/regulated devices
- Shared gateways for commodity sensors
- Security zones define gateway boundaries, not just protocols
Example hybrid architecture for 1000-device deployment:
- 50 dedicated gateways for critical systems (building automation, access control)
- 150 shared gateways for environmental sensors (temperature, humidity, occupancy)
- Total: 200 gateways vs 1000 if fully dedicated, or 50 if fully shared
This balances security isolation for critical systems with operational efficiency for high-volume sensors. The 4:1 ratio (150 shared vs 50 dedicated) provides cost savings while maintaining security boundaries where they matter most.
Implementation Recommendations:
Regardless of architecture choice, implement these best practices:
- Use Cloud IoT Core gateway associations to logically group devices
- Implement per-gateway rate limiting and quota management
- Deploy gateway health monitoring with automated failover
- Maintain hardware spares (10% of deployed count minimum)
- Document protocol-specific troubleshooting procedures
- Test gateway failure scenarios regularly
Our production deployment uses hybrid architecture: 85 dedicated gateways for critical infrastructure across 30 sites, plus 180 shared gateways for 8000+ environmental sensors across 180 sites. This achieves security compliance for critical systems while keeping operational overhead reasonable for the sensor fleet.