Akeyless SaaS Core Services

The Akeyless Gateway is a stateless Docker container, provided as a standalone or as a cluster. To function correctly, it requires public network connectivity to the Akeyless SaaS core services (see the table below).

A basic Gateway deployment requires a server with a Docker engine installed. You may download the latest Docker engine on Docker website. You'll need public network access enabled on port 443 to pull a Docker image from the hub.docker.com.

📘

Tenant Environments

Accounts that were created on specific envioremnts should modifiy the services endpoints according to the relevant environments. e.g. for eu https://vault.eu.akeyless.io etc.

The following table describes the main functionality of Akeyless micro-services in the global environment:

Service NameIPPortDescription
Console: https://console.akeyless.io52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128443Akeyless SaaS platform
Vault : https://vault.akeyless.io
https://vault-ro.akeyless.io
52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128443User Account Management (UAM), managing user accounts, items, and roles
Auth : https://auth.akeyless.io
https://auth-ro.akeyless.io
52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128443Akeyless Authentication service
Certificate Auth https://auth-cert.akeyless.io18.189.176.104443Relevant only for Certificate Based Auth
Audit : https://audit.akeyless.io
https://audit-ro.akeyless.io
52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128443Audit log main service, enables log forwarding from GW & Bastion
BIS : https://bis.akeyless.io
https://bis-ro.akeyless.io
52.223.11.194, 35.71.185.167443Billing Infrastructure Service (BIS)
Gator : https://gator.akeyless.io
https://gator-ro.akeyless.io
52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128443Main service to sync gateways instances, and connections with Akeyless SaaS
MQ : amqps://mq.akeyless.io52.223.11.194, 35.71.185.1675671Message queue between Akeyless micro-services
KFM: https://kfm1.akeyless.io,
https://kfm1-ro.akeyless.io,
https://kfm2.akeyless.io,
https://kfm2-ro.akeyless.io,
https://kfm3.akeyless.io,
https://kfm3-ro.akeyless.io,
https://kfm4.akeyless.io,
https://kfm4-ro.akeyless.io
52.223.11.194, 35.71.185.167, 52.151.230.203, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128443Key Fragments Services, enabling full DFC encryption
Public Gateway:
https://rest.akeyless.io
https://api.akeyless.io
15.197.223.248, 3.33.244.138443Optional Public Gateway rest API v1\v2
Public HVP:
https://hvp.akeyless.io
15.197.223.248, 3.33.244.138443Optional Public HVP endpoint
Logs : tcp://log.akeyless.io:9997 tcp://log.akeyless.io:944335.192.171.1719997, 9443GW logs, mainly to be reflected during failure scenarios
https://akeyless-cli.s3.us-east-2.amazonaws.comN\A443S3 bucket to download & update Akeyless CLI versions
https://akeylessservices.s3.us-east-2.amazonaws.comN\A443S3 bucket to download & update Akeyless official binaries. e.g. Gateway
https://artifacts.site2.akeyless.io34.149.100.205443Optional Akeyless official artifacts endpoint. Relevant when working with whitelisted IP range

👍

Note

When using proxy services, you can use https://sqs.us-east-2.amazonaws.com instead of classic MQ services. In case you are not working with proxy serivce, and still want to utilize SQS insted of classic MQ , set your Gateway deployment with the SQS_NO_PROXY="true" environment variable.

Working without MQ Connection

If your organization's policies restrict non-web ports, it's important to understand the potential implications of blocking the MQ connection for your Akeyless setup:

  • Cross Gateway Access: The MQ service enables retrieving Gateways secrets and objects (i.e. Dynamic\Rotaetd Secrets, Classic Keys, etc.) across different Gateways and the Akeyless SaaS console. If MQ is blocked, you can still retrieve those secrets directly from their own Gateway. However, requests from other Gateways or the SaaS console will not be processed.
  • Operational Adjustments: Without the MQ service, you will need to ensure you are working directly with the correct Gateway for each relevant item. This may require additional manual oversight and adjustments compared to a setup with MQ enabled.
  • Centralized Management: The MQ service allows for centralized management, enabling you to perform all operations from the SaaS console. If MQ is blocked, this convenience will not be available, and you will need to interact directly with individual Gateways.