MachineMetrics Edge Devices connect to equipment on the machine network, gather and normalize data, and securely transmit it to the MachineMetrics Cloud. The Edge also reaches out to the cloud for updates and configuration changes. All communication is initiated by the Edge as outbound connections, so there are no inbound firewall requirements.
If your organization enforces strict outbound firewall policies, the following requirements must be met to ensure reliable operation.
Required Ports
| Port | Protocol | Description |
|---|---|---|
| 53 | UDP | DNS resolution |
| 123 | UDP | Network Time Protocol |
| 443 | TCP | HTTPS communication, updates, remote diagnostics |
| 7422 | TCP | NATS communication for tool monitoring and Edge health |
Required Domains and Addresses
Domains
| URL | Description |
|---|---|
| api.machinemetrics.com | MachineMetrics communication |
| app.machinemetrics.com | MachineMetrics communication |
| *.balena-cloud.com | Software updates |
| cloudlink.balena-cloud.com | Remote diagnostics and OS updates |
| notify.bugsnag.com | Bug reporting |
| mm-adapter-store.s3.us-west-2.amazonaws.com | Machine data communication |
| mm-edge-uploads.s3.us-west-2.amazonaws.com | Machine data communication |
| machinemetrics-deploy.s3.us-west-2.amazonaws.com | Machine data communication |
| machinemetrics-public.s3.us-west-2.amazonaws.com | Machine data communication |
| 352302322568.dkr.ecr.us-west-2.amazonaws.com | Software container updates |
| prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com | Machine data communication |
⚠️ GovCloud Only
The following domains and static IP addresses must be accessible when using MachineMetrics GovCloud:
| URL | Description | Static IPs |
|---|---|---|
| api.machinemetrics-us-gov.com | MachineMetrics communication | 18.252.129.108, 18.254.70.116, 182.30.131.220 |
| app.machinemetrics-us-gov.com | MachineMetrics communication | — |
| stream.machinemetrics-us-gov.com:7422 | NATS (tool monitoring and edge health) | See GovCloud NATS IPs |
| api.balena.machinemetrics-us-gov.com | Software updates | 18.253.182.20 |
| ca.balena.machinemetrics-us-gov.com | Software updates | 18.253.182.20 |
| cloudlink.balena.machinemetrics-us-gov.com | Remote diagnostics and OS updates | 18.253.182.20 |
| logs.balena.machinemetrics-us-gov.com | Software updates | 18.253.182.20 |
| ocsp.balena.machinemetrics-us-gov.com | Software updates | 18.253.182.20 |
| registry2.balena.machinemetrics-us-gov.com | Software updates | 18.253.182.20 |
| s3.balena.machinemetrics-us-gov.com | Software updates | 18.253.182.20 |
| tunnel.balena.machinemetrics-us-gov.com | Software updates | 18.253.182.20 |
| machinemetrics-adapter-store.s3.us-gov-east-1.amazonaws.com | Machine data communication | — |
| machinemetrics-govcloud-edge-uploads.s3.us-gov-east-1.amazonaws.com | Machine data communication | — |
| machinemetrics-deploy.s3.us-gov-east-1.amazonaws.com | Machine data communication | — |
| machinemetrics-govcloud-public.s3.us-gov-east-1.amazonaws.com | Machine data communication | — |
| 139811071765.dkr.ecr.us-gov-east-1.amazonaws.com | Software updates | — |
DNS Requirements
The Edge Device uses Google DNS (8.8.8.8 and 8.8.4.4) by default.
DNS may be overridden via DHCP or statically in the Edge management page.
If Google DNS is blocked, the Edge will fall back to the configured DNS servers.
Network Time Protocol (NTP)
The Edge synchronizes time using the pool.ntp.org fleet:
*.resinio.pool.ntp.org
Internal NTP servers may be specified via DHCP if required.
IP-based filtering is not possible due to the distributed nature of public NTP pools.
NATS (Tool Monitoring and Edge Health)
NATS requires outbound access to port 7422.
NATS IP Addresses
The following IP addresses must be reachable for NATS services:
54.218.103.126
52.24.16.63
52.34.161.223
35.155.82.103
⚠️ GovCloud Only
GovCloud uses dedicated NATS endpoints on port 7422:
18.252.129.108
18.254.70.116
182.30.131.220
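The following is an added example, not MachineMetrics code: it audits egress firewall logs for an Edge Device against the commercial-cloud ports, domains, default DNS, NTP pool and NATS addresses listed above. It reports required flows that are being denied and allowed flows that fall outside the documented list. The `ACTION PROTO DEST PORT` log format, the function names and the sample lines are assumptions constructed for illustration, and it assumes the firewall logs destinations by FQDN where the page lists a domain; for GovCloud, substitute the GovCloud entries.

```python
from fnmatch import fnmatch

# Allowlist transcribed from this page (commercial cloud, default DNS and NTP).
ALLOW = {
    ("udp", 53): ["8.8.8.8", "8.8.4.4"],
    ("udp", 123): ["*.resinio.pool.ntp.org"],
    ("tcp", 443): [
        "api.machinemetrics.com", "app.machinemetrics.com",
        "*.balena-cloud.com", "notify.bugsnag.com",
        "mm-adapter-store.s3.us-west-2.amazonaws.com",
        "mm-edge-uploads.s3.us-west-2.amazonaws.com",
        "machinemetrics-deploy.s3.us-west-2.amazonaws.com",
        "machinemetrics-public.s3.us-west-2.amazonaws.com",
        "352302322568.dkr.ecr.us-west-2.amazonaws.com",
        "prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com",
    ],
    ("tcp", 7422): ["54.218.103.126", "52.24.16.63", "52.34.161.223", "35.155.82.103"],
}

def is_documented(proto, dest, port):
    """True if the flow matches a port/destination pair listed on this page."""
    patterns = ALLOW.get((proto.lower(), port), [])
    return any(fnmatch(dest.lower(), p) for p in patterns)

def audit(log_lines):
    """Return (required flows that were denied, allowed flows not on the list)."""
    blocked_required, undocumented_allowed = [], []
    for line in log_lines:
        action, proto, dest, port = line.split()
        flow = (proto, dest, int(port))
        documented = is_documented(*flow)
        if action == "DENY" and documented:
            blocked_required.append(flow)       # firewall rule is missing or too narrow
        elif action == "ALLOW" and not documented:
            undocumented_allowed.append(flow)   # egress wider than the page requires
    return blocked_required, undocumented_allowed

# Constructed sample log in a hypothetical "ACTION PROTO DEST PORT" format.
SAMPLE_LOG = [
    "ALLOW tcp api.machinemetrics.com 443",
    "DENY tcp cloudlink.balena-cloud.com 443",
    "DENY tcp 52.24.16.63 7422",
    "ALLOW tcp files.example.net 443",
    "DENY udp 0.resinio.pool.ntp.org 123",
    "ALLOW tcp 54.218.103.126 22",
]

if __name__ == "__main__":
    print(dict(zip(("denied_required", "allowed_undocumented"), audit(SAMPLE_LOG))))
```

If DNS or NTP is overridden via DHCP as described above, replace the `udp/53` and `udp/123` entries with the internal servers before auditing.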
Deep Packet Inspection (DPI)
Deep packet inspection must not be applied to any traffic between the Edge Device and the MachineMetrics Cloud, including:
MachineMetrics domains
Balena domains
S3 endpoints
NATS services
All encrypted HTTPS traffic
If DPI is enabled (e.g., Palo Alto, Fortinet, Cisco), create bypass rules for Edge traffic.
Edge-to-Machine Protocol Ports
If a firewall exists between the Edge Device and the machine network, allow outbound access from the Edge to the appropriate protocol ports:
| Protocol / Controller | Port |
|---|---|
| FANUC FOCAS | 8193 |
| Citizen M700 | 683 |
| Mitsubishi | 683 |
| Haas Serial | 4001 |
| Haas MTConnect | 8082 |
| MTConnect Adapter | 7878 |
| MTConnect Agent | 5000 |
| Heidenhain | 19000 |
| Bystronic OPC-UA | 56000 |
| Siemens OPC-UA | 4840 |
| Kepware OPC-UA | 49320 |
| Fanuc Robot OPC-UA | 4880 |
| Modbus TCP / SeaLevel | 502 |