MachineMetrics Edge Devices connect to manufacturing equipment over a machine network, analyze and normalize that data, and transmit that data over an Internet-bound network to the MachineMetrics Cloud where it is used for driving factory floor systems including reporting, dashboards, custom workflows, expedited communication, predictive and preventative maintenance, and others.
The Edge Device reaches out to the machine to gather data and pushes it to the cloud. It also reaches out to the cloud for updates and configuration changes. Because of this edge-initiated communication, there are no in-bound firewall requirements.
If your network policies require strict access control for communication either internally or externally from on-site hardware, this document covers the options available.
Note: It is recommended to review this article with your internal IT support.
Topics covered in this article:
|53||UDP||Required||DNS: used to resolve balena hostnames for connection to the balena service|
|123||UDP||Required||NTP: used to synchronize time|
|443||TCP||Required||HTTPS: used by the edge to stream machine data and to poll for edge software updates; OpenVPN is used when needed as a secure means to remotely diagnose issues and apply occasional operating system updates.|
|7422||TCP||Required||NATS: Used for transmitting data related to the health of Edge Devices and MachineMetrics Services.|
Domains and IP Addresses
By default, our edge software uses Google DNS (18.104.22.168 and 22.214.171.124). This can be overridden by including DNS entries in your DHCP configuration or by statically assigning DNS servers using our edge management page. You may still see attempts to access Google DNS servers even if you’ve specified others; however, you can block Google DNS IP addresses in this case and the edge will fall back to those provided by your configuration.
Each service used by our edge device utilizes dynamic IP assignments that can change without warning and is sourced from vast ranges of addresses provided by Platform as a Service company such as Amazon Web Services, Google Cloud Platform, and others. Because of this, IP-based firewall rules cannot be used to limit which services our edge device can communicate with on the internet. Domain-based firewall rules can be used instead. Use the table below for all of the domain names accessed by our edge device. Wildcard domain names are used in places where a more finite set of fully qualified domain names cannot be guaranteed.
|*.balena-cloud.com||For remote updates|
|*.docker.com||For remote updates|
|*.docker.io||For remote updates|
|notify.bugsnag.com||For bug reporting|
|*.amazonaws.com||For cloud data storage|
If your organization would like to filter for specific URLS hosted by Amazon (thereby eliminating the need for that particular wildcard), they are as follows:
Time synchronization via the network time protocol (NTP) cannot be filtered via Domain-based firewall rules. Due to the nature of how pool.ntp.org operates, a range of IP addresses can also not be provided. If you have a preferred NTP server that you would like to use instead of pool.ntp.org, they can be specified in your DHCP configuration. If you also require our edge device to maintain a consistent IP address, a MAC-based assignment can be used. MAC addresses for all network interface cards can be found on the edge management page. The domain name that MachineMetrics uses to communicate with the pool.ntp.org fleet is *.resinio.pool.ntp.org.
Edge health data is transmitted over a protocol called NATS on port 7422. This protocol does not support domain name-based firewall rules. To allow for firewall rules to be instituted, these NATS services operating on port 7422 are tied to a fixed set of IP addresses, they are as follows:
Security is taken very seriously at MachineMetrics. It's not recommended that your machine be connected to the internet or your network for security reasons. Often machines run PC's with older operating systems that are more susceptible to viruses. The MachineMetrics Edge, with dual ethernet, wifi, and dockerized containers, provides this secure barrier between the internet, your network, and your machine's control.
Edge-to-Machine Firewall Requirements
Additionally, traffic on the network between the MachineMetrics Edge and the machine's control can be further regulated. Machines communicate over varying protocols, below is a list of the protocols and machine controls that we communicate with. Depending on the protocol, the network requirements for what ports are used will vary.
Note: It is not necessary to limit the Edge communication with the machine network through port-based firewall rules.
- FANUC FOCAS (port 8193)
- Citizen M700 (port 683)
- Mitsubishi (port 683)
- HAAS Serial (port 4001)
- HAAS MTConnect (port 8082)
- MTConnect adapter (port 7878)
- MTConnect Agent (port 5000)
- Heidenhain (port 19000)
- Bystronic OPC-UA (port 56000)
- Siemens OPC-UA (port 4840)
- Kepware OPC-UA (port 49320)
- Fanuc Robot OPC-UA (port 4880)
As with anything networking-related, if you have specific requirements that fall outside of what is outlined in this document, contact email@example.com to discuss alternative approaches.