Document Overview
This document outlines the network firewall configuration requirements for the Factbird EDGE Industrial IoT device. These requirements ensure proper connectivity between the Factbird EDGE device and AWS cloud services for data collection, processing, and management.
Device Information
Product Name: Factbird EDGE
Technology: AWS Greengrass IoT Device
Region: EU-West-1 (Ireland)
Required Outbound Firewall Rules
1. HTTPS Traffic (TCP Port 443)
Port: TCP 443 (HTTPS)
Direction: Outbound only
Destination: *.amazonaws.com
Purpose: Secure communication with AWS cloud services for:
- IoT Core (*.iot.eu-west-1.amazonaws.com) - Device management and MQTT messaging
- IoT Credentials (*.credentials.iot.eu-west-1.amazonaws.com) - Temporary credential exchange
- S3 Storage (*.s3.eu-west-1.amazonaws.com) - Firmware updates and data storage
- Kinesis Video Streams (*.kinesisvideo.eu-west-1.amazonaws.com) - Video streaming
- CloudWatch Logs (logs.eu-west-1.amazonaws.com) - Device logging and monitoring
- Greengrass Service (greengrass.eu-west-1.amazonaws.com) - Core device orchestration
Security Note: All communication uses TLS encryption to ensure data confidentiality and integrity.
2. DNS Resolution (UDP Port 53)
Port: UDP 53
Direction: Outbound only
Destination: As configured via DHCP
Purpose: Domain Name System (DNS) resolution to translate AWS service domain names to IP addresses. This is typically handled automatically through your network's DHCP-configured DNS servers.
3. Time Synchronization (UDP Port 123)
Port: UDP 123 (NTP)
Direction: Outbound only
Destination: pool.ntp.org, *.pool.ntp.org
Purpose: Network Time Protocol (NTP) synchronization to maintain accurate system time. Precise time synchronization is critical for:
- Accurate data timestamps
- Security certificate validation
- Coordinated data collection across multiple devices
4. ICMP Connectivity Checks
Protocol: ICMP (Echo Request / Echo Reply)
Direction: Outbound only
Destination: www.google.com, *.iot.eu-west-1.amazonaws.com
Purpose: Internet Control Message Protocol (ICMP) echo traffic is used by the Factbird EDGE device to verify network reachability and diagnose connectivity issues to upstream services. The following hosts must be reachable via ICMP:
- General internet reachability (www.google.com) - Validates that the device has functional outbound internet connectivity
- IoT Core endpoints (*.iot.eu-west-1.amazonaws.com) - Confirms reachability to the AWS IoT Core endpoints
Security Note: ICMP echo traffic carries no application data and is used solely for connectivity diagnostics.
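The four rules above describe one outbound path each (DNS, HTTPS, NTP, ICMP). The following script is an added example for verifying those paths from the device's network segment; it is not Factbird's own tooling. It probes the concrete hostnames named in the HTTPS section (the wildcard IoT endpoints are account-specific and are not probed), sends a minimal SNTP request to pool.ntp.org, and uses the system `ping` binary (Linux flag semantics assumed) for the ICMP check. The packet helpers are separated from the network calls so they can be tested offline.

```python
"""Outbound-path check for the rules in this document (added example, not
Factbird's own tooling). Pure helpers are kept separate from the network
calls so the packet logic can be tested offline; run the file directly to
probe a live network from the device's network segment."""
import shutil
import socket
import ssl
import struct
import subprocess
import time
from typing import Optional

REGION = "eu-west-1"

# Concrete hostnames from the HTTPS section. Wildcard entries such as
# *.iot.eu-west-1.amazonaws.com are account-specific and cannot be resolved
# as written, so they are not probed here.
HTTPS_HOSTS = [
    f"greengrass.{REGION}.amazonaws.com",
    f"logs.{REGION}.amazonaws.com",
    f"s3.{REGION}.amazonaws.com",
    f"kinesisvideo.{REGION}.amazonaws.com",
]
NTP_HOST = "pool.ntp.org"
ICMP_HOST = "www.google.com"
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)


def build_ntp_request() -> bytes:
    """48-byte SNTP client request: first byte 0x23 = LI 0, version 4, mode 3."""
    return bytes([0x23]) + bytes(47)


def parse_ntp_transmit_time(packet: bytes) -> float:
    """Server transmit timestamp (bytes 40..47) converted to Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def clock_skew_seconds(ntp_time: float, local_time: float) -> float:
    """Absolute difference; large skew breaks certificate validity checks."""
    return abs(ntp_time - local_time)


def check_dns(host: str) -> bool:
    """UDP 53 path: can the DHCP-issued resolver answer for this name?"""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def check_tls(host: str, timeout: float = 5.0) -> bool:
    """TCP 443 path: full TLS handshake with certificate validation."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def check_ntp(host: str = NTP_HOST, timeout: float = 5.0) -> Optional[float]:
    """UDP 123 path: returns clock skew in seconds, or None without a reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_ntp_request(), (host, 123))
            data, _ = sock.recvfrom(48)
        except OSError:
            return None
    return clock_skew_seconds(parse_ntp_transmit_time(data), time.time())


def check_icmp(host: str = ICMP_HOST) -> Optional[bool]:
    """ICMP echo via the system ping binary (raw sockets would need root);
    Linux flag semantics assumed; returns None when no ping binary exists."""
    if shutil.which("ping") is None:
        return None
    result = subprocess.run(["ping", "-c", "1", "-W", "3", host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


if __name__ == "__main__":
    for host in HTTPS_HOSTS:
        dns = "ok" if check_dns(host) else "FAIL"
        tls = "ok" if check_tls(host) else "FAIL"
        print(f"{host}: dns={dns} tls={tls}")
    skew = check_ntp()
    print(f"ntp {NTP_HOST}: " + ("no reply" if skew is None else f"skew {skew:.3f}s"))
    print(f"icmp {ICMP_HOST}: {check_icmp()}")
```

A failed `check_tls` with a passing `check_dns` usually points at the port 443 rule or at a TLS-intercepting proxy, which the device's certificate validation will reject; a large NTP skew is worth fixing before debugging certificate errors, since an unsynchronised clock makes valid certificates appear expired or not yet valid.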
Summary Table
| Protocol | Port | Direction | Destination | Purpose |
|---|---|---|---|---|
| TCP | 443 | Outbound | *.amazonaws.com | AWS cloud services communication |
| UDP | 53 | Outbound | DHCP-configured DNS | Domain name resolution |
| UDP | 123 | Outbound | pool.ntp.org, *.pool.ntp.org | Time synchronization |
| ICMP | — | Outbound | www.google.com | Internet reachability check |
| ICMP | — | Outbound | *.iot.eu-west-1.amazonaws.com | IoT Core reachability check |
Important Notes
1. No Inbound Connections Required: The Factbird EDGE device does not require any inbound firewall rules. All connections are initiated from the device outward.
2. Static IP Not Required: The device can operate with DHCP-assigned IP addresses.
3. Proxy Support: If your network requires proxy configuration for outbound HTTPS traffic, please contact Factbird support for configuration assistance.
4. Simplified Domain Rule: While specific AWS subdomains are listed above for clarity, configuring *.amazonaws.com for port 443 will cover all required AWS services.
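Note 4 trades precision for simplicity: *.amazonaws.com covers every endpoint in the HTTPS section, but it also permits any other AWS-hosted endpoint in any region. The following Python script is an added example, not part of Factbird's documentation or configuration, that models the summary table as an egress allowlist and checks coverage both ways. It assumes the firewall interprets the patterns as hostname globs where `*` may span several labels (so *.amazonaws.com matches a.b.amazonaws.com but not amazonaws.com); the `dhcp-dns` placeholder and the `narrow_policy()` helper are constructed for this example.

```python
"""Egress allowlist model for the summary table (added example, not
Factbird's own configuration). Checks that a candidate policy covers every
endpoint named in the HTTPS section and shows how broad each variant is."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class EgressRule:
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # None for ICMP
    dest: str             # hostname or glob pattern such as "*.amazonaws.com"


# Per-service endpoints listed in the HTTPS section of this document.
SPECIFIC_HTTPS_DESTS = [
    "*.iot.eu-west-1.amazonaws.com",
    "*.credentials.iot.eu-west-1.amazonaws.com",
    "*.s3.eu-west-1.amazonaws.com",
    "*.kinesisvideo.eu-west-1.amazonaws.com",
    "logs.eu-west-1.amazonaws.com",
    "greengrass.eu-west-1.amazonaws.com",
]

# DNS, NTP and ICMP rows of the summary table. "dhcp-dns" is a constructed
# placeholder standing in for whatever resolver DHCP hands the device.
COMMON_RULES = [
    EgressRule("udp", 53, "dhcp-dns"),
    EgressRule("udp", 123, "pool.ntp.org"),
    EgressRule("udp", 123, "*.pool.ntp.org"),
    EgressRule("icmp", None, "www.google.com"),
    EgressRule("icmp", None, "*.iot.eu-west-1.amazonaws.com"),
]

# The "simplified" HTTPS rule from note 4.
SIMPLIFIED_POLICY = [EgressRule("tcp", 443, "*.amazonaws.com")] + COMMON_RULES


def narrow_policy() -> List[EgressRule]:
    """Constructed alternative: one TCP 443 rule per listed service endpoint."""
    return [EgressRule("tcp", 443, d) for d in SPECIFIC_HTTPS_DESTS] + COMMON_RULES


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive glob match on the whole hostname. A leading '*.' needs
    at least one label before the dot, so '*.amazonaws.com' does not match the
    bare 'amazonaws.com', but '*' may span several labels."""
    return fnmatchcase(host.lower(), pattern.lower())


def is_allowed(policy: List[EgressRule], proto: str, port: Optional[int], host: str) -> bool:
    """True if any rule permits this protocol/port/host combination."""
    return any(r.proto == proto and r.port == port and host_matches(r.dest, host)
               for r in policy)


def pattern_covered(policy: List[EgressRule], proto: str, port: Optional[int],
                    pattern: str) -> bool:
    """A required pattern is covered when a rule is at least as broad. Probe:
    replace the wildcard with a concrete label and ask whether that host passes."""
    probe = pattern.replace("*", "example-label")
    return is_allowed(policy, proto, port, probe)


def uncovered_endpoints(policy: List[EgressRule]) -> List[str]:
    """Endpoints from the HTTPS section that the policy would block."""
    return [d for d in SPECIFIC_HTTPS_DESTS if not pattern_covered(policy, "tcp", 443, d)]


if __name__ == "__main__":
    out_of_region = "bucket.s3.us-east-1.amazonaws.com"  # constructed host
    for name, policy in (("simplified", SIMPLIFIED_POLICY), ("narrow", narrow_policy())):
        print(f"{name}: uncovered={uncovered_endpoints(policy)} "
              f"allows {out_of_region}={is_allowed(policy, 'tcp', 443, out_of_region)}")
```

Both policies leave `uncovered_endpoints()` empty, which is what note 4 promises. The difference shows up on hosts the document never names: the simplified rule also allows TCP 443 to AWS endpoints in other regions and services, while the narrow policy rejects them. Whether that extra reach matters depends on how tightly the OT segment is meant to be scoped; if the firewall can only match on IP addresses rather than hostnames, neither form is directly expressible and a DNS- or proxy-based allowlist is the usual way to enforce it.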
Security Considerations
- All data transmission occurs over encrypted channels (TLS/HTTPS)
- The device only establishes outbound connections - no listening ports are opened
- AWS IoT certificates provide mutual authentication between device and cloud
- Regular security updates are delivered through the secure update channel