Domains & Network Configuration
Traffic is always initiated by the Memfault SDKs to Memfault. No sessions are ever initiated from Memfault back to the SDK. All network traffic from the SDKs is sent over SSL.
Overview
The network traffic of Memfault's web application, CLI, SDKs, and API goes through a variety of services hosted on different domains. This page documents the various domain names (FQDNs), IP addresses, ports, and protocols that the Memfault app, CLI, and SDKs use, as well as the use of each domain.
Add these domains to your allow-lists and configure them as exceptions in your firewall.
Domains
Domain | Protocol | Port | Purpose | Used By Device? |
---|---|---|---|---|
memfault.com | TCP | 443 | Marketing webpage. Used by web browsers. | No |
api.memfault.com | TCP | 443 | Memfault's API URL. Used by non-interactive API consumers such as Memfault's CLI, custom scripts by users, etc. | No |
app.memfault.com | TCP | 443 | Memfault's frontend web application URL. Used by web browsers. | No |
chunks.memfault.com | TCP | 443 | Route used to upload chunks generated by the Memfault Firmware SDK. Used only by the MCU Firmware SDK. | Yes (MCU Only) |
device.memfault.com | TCP | 443 | Used by devices to query the Memfault API, such as querying for the latest firmware updates. | Yes |
files.memfault.com | TCP | 443 | URL used to upload files to Memfault from web and desktop clients. Used by Memfault's CLI and SDKs. | Yes |
ingress.memfault.com | TCP | 443 | Used to upload events and reboot events to Memfault. | Yes |
ota-cdn.memfault.com | TCP | 443 | URL of Memfault's CDN for downloading OTA payloads. | Yes |
memfault-prod-east1.s3.amazonaws.com | TCP | 443 | AWS S3 URL for uploading and downloading files to and from Memfault's S3 buckets. | Yes |
memfault-tmp-production-us-east-1.s3.amazonaws.com | TCP | 443 | AWS S3 URL for uploading and downloading files to and from Memfault's S3 buckets. | Yes |
memfault-expires-never-production-us-east-1.s3.amazonaws.com | TCP | 443 | AWS S3 URL for downloading OTA payloads. | Yes |
device-nrf.memfault.com | TCP | 443 | Used by nRF9160 devices on and before Firmware SDK v1.7.0. Deprecated. | Yes |
chunks-nrf.memfault.com | TCP | 443 | Used by nRF9160 devices on and before Firmware SDK v1.7.0. Deprecated. | Yes |
Memfault does not use any static IP addresses or IP address ranges.
Cipher Suite Support
Memfault supports TLS versions 1.2 and 1.3 for the device-facing endpoints.
With TLS 1.2, the following cipher suites are supported:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
With TLS 1.3, the following cipher suites are supported:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
Note: The cipher suite names listed here are the official names as specified by the Internet Assigned Numbers Authority (IANA). TLS stacks may use different identifiers for the same suites. For example, to convert OpenSSL names to IANA names, see:
https://testssl.sh/openssl-iana.mapping.html
The official list of TLS cipher suites as specified by IANA, along with links to the RFC specifications for each suite, can be found at the following link:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
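The name translation described in the note, as an added example (not Memfault's code): it converts the IANA names listed above to their OpenSSL equivalents and reports which of them a device's configured suite list can negotiate. The function names `iana_to_openssl` and `negotiable` and the sample device list are assumptions made for this example.

```python
import re

# IANA names of the TLS 1.2 and TLS 1.3 suites listed above.
MEMFAULT_TLS12 = """
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
""".split()
MEMFAULT_TLS13 = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                  "TLS_CHACHA20_POLY1305_SHA256"]

_TLS12 = re.compile(r"TLS_(ECDHE_RSA|RSA)_WITH_AES_(128|256)_(CBC|GCM)_(SHA(?:256|384)?)$")

def iana_to_openssl(iana):
    """Translate one of the IANA names above into OpenSSL's name for it."""
    if "_WITH_" not in iana:
        return iana  # TLS 1.3: OpenSSL uses the IANA name unchanged
    m = _TLS12.match(iana)
    if m is None:
        raise ValueError(f"not a suite from this page: {iana}")
    kx, bits, mode, mac = m.groups()
    prefix = "ECDHE-RSA-" if kx == "ECDHE_RSA" else ""  # plain RSA has no prefix
    return f"{prefix}AES{bits}{'-GCM' if mode == 'GCM' else ''}-{mac}"

def negotiable(device_openssl_names):
    """Return [(iana_name, notes)] for listed suites the device also offers."""
    offered = set(device_openssl_names)
    result = []
    for iana in MEMFAULT_TLS12 + MEMFAULT_TLS13:
        if iana_to_openssl(iana) not in offered:
            continue
        notes = []
        if iana.startswith("TLS_RSA_WITH_"):
            notes.append("no forward secrecy")
        if "_CBC_" in iana:
            notes.append("CBC, not AEAD")
        result.append((iana, notes))
    return result

# Constructed device configuration (OpenSSL names); the ECDHE-ECDSA suite
# is not in the list above, so it does not count toward the overlap.
SAMPLE_DEVICE = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                 "AES256-SHA", "TLS_CHACHA20_POLY1305_SHA256"]

if __name__ == "__main__":
    for name, notes in negotiable(SAMPLE_DEVICE):
        print(name, "; ".join(notes) or "ok")
```

An empty result from `negotiable` means the device's suite list has no overlap with the suites on this page, so the handshake would fail even when the firewall allows the domain.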
OTA URL Behavior
When a device queries the Device OTA Endpoint and the device needs to be updated, there will be a URL returned which points to an OTA payload.
For Memfault Projects created after April 2023, the URL returned will point to a file with the domain ota-cdn.memfault.com, Memfault's CDN. For Projects created before April 2023, the URL might be an AWS S3 URL. This is important if you need to allow-list certain endpoints in firewalls.
Memfault will not automatically update all Projects created prior to April 2023 to use the CDN, but its usage is deprecated. If the OTA CDN domain is required on an older project for your particular network setup, please contact support and they can make the necessary changes.