Domains and Network Configuration
The Memfault SDKs always initiate traffic to the platform. No sessions are ever initiated from the cloud back to the SDK. The SDKs send all network traffic over SSL.
Overview
The network traffic of the platform web application, CLI, SDKs, and API goes through a variety of services hosted on different domains. This page documents the domain names (FQDNs), IP addresses, ports, and protocols that the app, CLI, and SDKs use, as well as the purpose of each domain.
Add these domains to your allow-lists and firewall exceptions.
Domains
| Domain | Protocol | Port | Purpose | Used by device? |
|---|---|---|---|---|
| memfault.com | TCP | 443 | Marketing webpage. Used by web browsers. | No |
| api.memfault.com | TCP | 443 | API URL. Used by non-interactive API consumers such as the Memfault CLI and custom user scripts. | No |
| app.memfault.com | TCP | 443 | Frontend web application URL. Used by web browsers. | No |
| chunks.memfault.com | TCP | 443 | Used to upload chunks generated by the Memfault Firmware SDK. Used only by the MCU Firmware SDK. | Yes (MCU only) |
| device.memfault.com | TCP | 443 | Used by devices to query the platform API, such as querying for the latest firmware updates. | Yes |
| files.memfault.com | TCP | 443 | URL used to upload files from web and desktop clients. Used by the Memfault CLI and the SDKs. | Yes |
| ingress.memfault.com | TCP | 443 | Used to upload events and reboot events to Memfault. | Yes |
| ota-cdn.memfault.com | TCP | 443 | URL of Memfault's CDN for downloading OTA payloads. | Yes |
| memfault-prod-east1.s3.amazonaws.com | TCP | 443 | AWS S3 URL for uploading and downloading files to and from Memfault's S3 buckets. | Yes |
| memfault-tmp-production-us-east-1.s3.amazonaws.com | TCP | 443 | AWS S3 URL for uploading and downloading files to and from Memfault's S3 buckets. | Yes |
| memfault-expires-never-production-us-east-1.s3.amazonaws.com | TCP | 443 | AWS S3 URL for downloading OTA payloads. | Yes |
| device-nrf.memfault.com | TCP | 443 | Used by nRF9160 devices on and before Firmware SDK v1.7.0. Deprecated. | Yes (MCU only) |
| chunks-nrf.memfault.com | TCP | 443 | Used by nRF9160 devices on and before Firmware SDK v1.7.0. Deprecated. | Yes (MCU only) |
The platform services do not use static IP addresses or IP address ranges.
Cipher suite support
The device-facing endpoints support TLS versions 1.2 and 1.3.
With TLS 1.2, the following cipher suites are supported:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
With TLS 1.3, the following cipher suites are supported:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
The Internet Assigned Numbers Authority (IANA) defines the official cipher suite names listed here. TLS stacks may use different identifiers for the suites. For example, to convert the OpenSSL names to the IANA names, see the testssl.sh OpenSSL-to-IANA mapping.
For the official list of TLS cipher suites, along with links to the RFC specifications for each suite, see the IANA TLS parameters registry.
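The check below is an added example, not Memfault code: it reports which of the cipher suites listed above a client's TLS configuration actually offers, matching on IANA code points so the result does not depend on how the TLS stack names its suites. It assumes an OpenSSL-backed Python `ssl` module; the names `overlap` and `context_overlap` are illustrative.

```python
import ssl

# IANA code points of the suites this page lists for the device-facing
# endpoints (values from the IANA TLS parameters registry).
TLS12 = {
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
TLS13 = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

def overlap(cipher_ids):
    """Group the listed suites found in cipher_ids by TLS version."""
    found = {"TLSv1.2": [], "TLSv1.3": []}
    for cid in cipher_ids:
        # OpenSSL reports ids as 0x0300xxxx; the low 16 bits are the IANA
        # code point, so bare code points from other stacks work as well.
        code = cid & 0xFFFF
        for version, table in (("TLSv1.2", TLS12), ("TLSv1.3", TLS13)):
            name = table.get(code)
            if name and name not in found[version]:
                found[version].append(name)
    return found

def context_overlap(ctx):
    """Run overlap() on the suites an ssl.SSLContext is configured to offer."""
    return overlap(c["id"] for c in ctx.get_ciphers())

if __name__ == "__main__":
    # Report for this host's default client configuration.
    for version, names in context_overlap(ssl.create_default_context()).items():
        print(version, names or "no suite in common with the list above")
```

Every TLS 1.2 suite in the list uses RSA authentication, so a client restricted to ECDSA-only or PSK-only suites returns an empty TLS 1.2 list and has to rely on TLS 1.3.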
OTA URL behavior
When a device queries the device OTA endpoint and the device needs to be updated, the endpoint returns a URL that points to an OTA payload.
For projects created after April 2023, the returned URL points to a file on the OTA CDN domain ota-cdn.memfault.com. For projects created before April 2023, the URL might be an AWS S3 URL. This is important if you need to allow-list certain endpoints in firewalls.
Projects created before April 2023 are not automatically updated to use the CDN, but the S3 URL behavior is deprecated. If your network setup requires the OTA CDN domain on an older project, contact support to request the change.