Akeyless Gateway Best Practices

Network & Security

  • Akeyless Gateway (GW) cluster should not be reachable from the external network, i.e., ingress traffic should be blocked, while egress traffic should be able to reach the required services. A list of the required endpoints that should be reachable from your GW can be found here.

  • Gateway Authentication Method - start the GW with a dedicated authentication method, stored under a path that only your admin users can access.

  • Dedicated environment - the GW should be the only application running on the machine. This can be done by running it in a dedicated Docker container on that machine or in a dedicated Kubernetes (K8s) cluster. This reduces the risk that another process running on the same machine is compromised and can interact with your GW.

  • Configure TLS

  • Use your own Customer Fragment to enable Zero-Knowledge

  • Configure your default encryption key

  • Log Forwarding - Create a dedicated GW with a dedicated Authentication Method to collect and forward all Akeyless logs to your logging system. Such a dedicated Authentication Method should be associated with a dedicated Access Role that has permission to view the logs of all GWs. Only admins should have permission to view this GW Authentication Method and Access Role.
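As an added example that is not part of the Akeyless documentation, the manifest below shows one way to apply the first two bullets (no ingress, egress limited to required services, GW isolated in its own environment) when the GW runs in Kubernetes: a dedicated namespace, a NetworkPolicy that denies all ingress, and a NetworkPolicy that permits egress only to cluster DNS and to HTTPS on an address range. The namespace name, the pod label `app: akeyless-gw`, the `k8s-app: kube-dns` selector and the `203.0.113.0/24` CIDR are assumptions; replace the CIDR with the endpoint list Akeyless documents.

```yaml
# Added example, not Akeyless's own configuration. Names, labels and the
# CIDR are placeholders chosen for this illustration.
apiVersion: v1
kind: Namespace
metadata:
  name: akeyless-gw              # assumed namespace; run only the GW here
---
# Deny all ingress to every pod in the namespace: no connection may be
# opened to the Gateway from outside the cluster or from other namespaces.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gw-deny-ingress
  namespace: akeyless-gw
spec:
  podSelector: {}                # selects all pods in the namespace
  policyTypes:
    - Ingress                    # Ingress listed with no rules => all ingress denied
---
# Allow the Gateway pods to reach only cluster DNS and the required
# external endpoints over HTTPS; everything else is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gw-restrict-egress
  namespace: akeyless-gw
spec:
  podSelector:
    matchLabels:
      app: akeyless-gw           # assumed label on the GW pods
  policyTypes:
    - Egress
  egress:
    # DNS resolution via the cluster resolver in kube-system
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns  # assumed label; matches CoreDNS on most distributions
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Required Akeyless services: PLACEHOLDER range, replace with the documented endpoints
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 443
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them (for example Calico or Cilium); on a CNI without policy support the manifest applies without error and enforces nothing, so verify enforcement by attempting a connection from a pod in another namespace after applying it.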

High Availability

  • Configure a meaningful name for your cluster - GW instances can be grouped into a cluster, where the shared identifier of the instances is the combination of your cluster name and the access ID of the authentication method used to spin up the GW instance. Giving your clusters meaningful names makes your GWs easier to manage and scale.

  • High Availability - You can create GW clusters to ensure service continuity and resiliency. Your GW instances can be located in different regions while working as a Geo-Cluster. GW instances don't need to communicate with each other directly; the Akeyless Platform handles synchronizing your instances. Working with a Geo-Cluster provides an extra level of resiliency. In addition, your GW instances can work in either active-active or active-passive mode to handle high loads.