Skip to main content

Network Requirements

This document outlines all network requirements for MachineMetrics deployment, including firewall rules, required ports, domains, bandwidth, and network architecture options.

Overview

MachineMetrics Edge devices require:

  1. Internet connectivity — to communicate with MachineMetrics cloud
  2. Machine network access — to collect data from your equipment

All communication is edge-initiated outbound. There are no inbound firewall requirements.

Network Architecture Options

The MachineMetrics Edge device has two network interfaces (NICs) that can be configured for various network topologies.

Edge Device - Left Side View

MachineMetrics Edge Device showing dual Ethernet ports (LAN Port 1 and LAN Port 2) and other connectivity options. The dual-NIC design enables secure network isolation between machine networks and corporate/internet networks.

Edge Network Interface Configuration

InterfacePurposeIP ConfigurationTypical Use
LAN Port 1 (eno1)Machine NetworkStatic IP requiredConnect to machines via switch/VLAN
LAN Port 2 (enp2s0)Company/Internet NetworkDHCP or StaticConnect to corporate network or internet

Important: The machine network interface (LAN Port 1) must use a static IP address to ensure consistent connectivity to machines. The company network interface (LAN Port 2) can use DHCP when network isolation is configured.

Option 1: Company Network (Single Interface)

Best for facilities with a single converged network where machines and internet are on the same network.

Company Network Topology

Configuration:

  • Single Ethernet connection to company network
  • Edge device uses DHCP or static IP
  • Machines and internet accessible on same network

Requirements:

  • Network drops (CAT5/CAT6) at each machine
  • Firewall allows outbound ports 443, 7422, 53, 123

Option 2: Isolated Networks (Dual Interface - Recommended)

Best for maximum security - keeps machine network completely isolated from corporate network and internet.

Isolated Network Topology

Configuration:

  • LAN Port 1 (eno1): Connected to isolated machine network (static IP required)
  • LAN Port 2 (enp2s0): Connected to company network with internet access (DHCP or static)
  • Machines have no internet access
  • Edge acts as secure bridge

Benefits:

  • Machines stay isolated from internet (zero attack surface)
  • Reduced cybersecurity risk for OT equipment
  • Edge device provides secure data conduit
  • Compliant with OT security best practices

Requirements:

  • Two network connections at Edge location
  • Machine network switch/VLAN (no internet access)
  • Company network connection with internet access

Option 3: Wireless LAN

Best for flexibility when running Ethernet cables to machines is impractical, but corporate WiFi is available.

Wireless LAN Topology

Configuration:

  • Machines connect via Ethernet to Edge device
  • Edge connects to corporate network via WiFi
  • Single wireless connection provides internet access

Requirements:

  • WiFi-enabled Edge device
  • Reliable WiFi coverage on shop floor
  • WPA2/WPA3 encrypted wireless network

Option 4: Fully Wireless

Best for flexibility when WiFi is available but running Ethernet cables to each machine is impractical. The Edge device acts as a wireless bridge.

Fully Wireless Topology

Configuration:

  • Machines connect to Edge via standard Ethernet (wired LAN devices)
  • Edge device connects to corporate WiFi network
  • Edge acts as wireless bridge between wired machines and WiFi network

Requirements:

  • WiFi-enabled Edge device
  • Standard Ethernet connectivity from machines to Edge
  • Strong WiFi signal at Edge location
  • WPA2/WPA3 encrypted wireless network

Note: No wireless I/O modules required. Machines use standard Ethernet connections to the Edge, and the Edge provides the wireless connectivity to the network.

Option 5: Cellular Network

⚠️ Use at your own risk - least preferred option

Best for remote locations without reliable internet, but comes with limitations and risks.

Configuration:

  • Edge device connects via cellular modem
  • Machines connect to Edge via Ethernet
  • No dependency on corporate network

Requirements:

  • Cellular modem (e.g., Cradlepoint)
  • Cellular data plan with sufficient bandwidth
  • Good cellular signal strength

Limitations & Risks:

  • Higher latency than wired connections
  • Variable bandwidth and reliability
  • Potential data caps and overage charges
  • Signal interruptions can cause data gaps
  • No MachineMetrics support for cellular connectivity issues
  • Customer responsible for cellular infrastructure

Important: Cellular connectivity is not officially supported by MachineMetrics. Use only when no other network option is available, and understand that connectivity issues related to cellular networks are the customer's responsibility.

Firewall Requirements

Required Outbound Ports

PortProtocolDescription
53UDPDNS resolution
123UDPNetwork Time Protocol (NTP)
443TCPHTTPS — all cloud communication
7422TCPNATS — tool monitoring and Edge health

Required Domains (Standard Cloud)

DomainPurpose
api.machinemetrics.comAPI communication
app.machinemetrics.comWeb application
*.balena-cloud.comSoftware updates
cloudlink.balena-cloud.comRemote diagnostics, OS updates
notify.bugsnag.comError reporting
mm-adapter-store.s3.us-west-2.amazonaws.comAdapter scripts
mm-edge-uploads.s3.us-west-2.amazonaws.comData uploads
machinemetrics-deploy.s3.us-west-2.amazonaws.comDeployment artifacts
machinemetrics-public.s3.us-west-2.amazonaws.comPublic resources
352302322568.dkr.ecr.us-west-2.amazonaws.comContainer updates
prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.comContainer layers

Required Domains (GovCloud)

DomainPurposeStatic IPs
api.machinemetrics-us-gov.comAPI communication18.252.129.108, 18.254.70.116, 182.30.131.220
app.machinemetrics-us-gov.comWeb application
stream.machinemetrics-us-gov.com:7422NATSSee NATS IPs below
api.balena.machinemetrics-us-gov.comUpdates18.253.182.20
ca.balena.machinemetrics-us-gov.comUpdates18.253.182.20
cloudlink.balena.machinemetrics-us-gov.comDiagnostics18.253.182.20
logs.balena.machinemetrics-us-gov.comUpdates18.253.182.20
ocsp.balena.machinemetrics-us-gov.comUpdates18.253.182.20
registry2.balena.machinemetrics-us-gov.comUpdates18.253.182.20
s3.balena.machinemetrics-us-gov.comUpdates18.253.182.20
tunnel.balena.machinemetrics-us-gov.comUpdates18.253.182.20
machinemetrics-adapter-store.s3.us-gov-east-1.amazonaws.comAdapters
machinemetrics-govcloud-edge-uploads.s3.us-gov-east-1.amazonaws.comUploads
machinemetrics-deploy.s3.us-gov-east-1.amazonaws.comDeployment
machinemetrics-govcloud-public.s3.us-gov-east-1.amazonaws.comPublic
139811071765.dkr.ecr.us-gov-east-1.amazonaws.comContainers

NATS IP Addresses

NATS is used for tool monitoring and Edge health telemetry on port 7422.

Standard Cloud

  • 54.218.103.126
  • 52.24.16.63
  • 52.34.161.223
  • 35.155.82.103

GovCloud

  • 18.252.129.108
  • 18.254.70.116
  • 182.30.131.220

DNS Configuration

The Edge device uses Google DNS by default:

  • Primary: 8.8.8.8
  • Secondary: 8.8.4.4

DNS can be overridden via:

  • DHCP configuration
  • Static configuration in Edge management

If Google DNS is blocked, the Edge falls back to configured DNS servers.

NTP Configuration

The Edge synchronizes time using the pool.ntp.org fleet:

*.resinio.pool.ntp.org

Internal NTP servers can be specified via DHCP if required.

Note: IP-based filtering is not possible for NTP due to the distributed nature of public NTP pools.

Machine Protocol Ports

If a firewall exists between the Edge device and machines, allow outbound access from the Edge to these ports:

Protocol / ControllerPort
Allen Bradley (EtherNet/IP)44818
FANUC FOCAS8193
MTConnect Adapter7878
MTConnect Agent5000
Haas Serial (via Moxa)4001
Haas MTConnect8082
Citizen M700683
Mitsubishi683
Heidenhain19000
Siemens OPC-UA4840
Kepware OPC-UA49320
Bystronic OPC-UA56000
Fanuc Robot OPC-UA4880
Modbus TCP / SeaLevel502

Bandwidth Requirements

MachineMetrics has minimal bandwidth requirements:

Upload (Edge to Cloud)

Machine TypeBandwidth
Standard machine~1 kbps
High-data machine (FANUC FOCAS)~5 kbps

Download (Cloud to Browser)

ViewBandwidth
Dashboard~250 bps per machine
Workcenter View~2 kbps (assumes 1 part/min)

Example: A facility with 50 machines needs approximately:

  • Upload: 50-250 kbps
  • Download: 12.5-100 kbps

Deep Packet Inspection (DPI)

Deep packet inspection must NOT be applied to traffic between the Edge device and MachineMetrics cloud.

Exempt the following from DPI:

  • All MachineMetrics domains
  • All Balena domains
  • S3 endpoints
  • NATS services
  • All encrypted HTTPS traffic

If DPI is enabled (Palo Alto, Fortinet, Cisco, etc.), create bypass rules for Edge traffic.

Proxy Configuration

If your network requires a proxy:

  1. Configure proxy settings during Edge device activation
  2. Or update via the Edge management interface

The Edge supports HTTP/HTTPS proxy with optional authentication.

Troubleshooting

Edge Device Not Connecting

  1. Verify internet connectivity from the Edge location
  2. Check that required ports (443, 7422) are open
  3. Confirm required domains are accessible
  4. Check for DPI interference
  5. Verify DNS resolution is working

Machines Not Reporting Data

  1. Verify local network connectivity between Edge and machines
  2. Check machine protocol ports are accessible
  3. Confirm machine IP addresses are correct in MachineMetrics
  4. Check for VLAN or switch configuration issues

Intermittent Connectivity

  1. Check for network congestion
  2. Verify WiFi signal strength (if wireless)
  3. Review firewall logs for blocked traffic
  4. Check NTP synchronization

Network Checklist

Before deployment, verify:

  • Outbound ports 53, 123, 443, 7422 are open
  • Required domains are accessible (or whitelisted)
  • DPI is disabled for MachineMetrics traffic
  • Machine network is accessible from Edge device location
  • Bandwidth is sufficient for number of machines
  • DNS resolution is working
  • NTP synchronization is available