Gateway Best Practices

Network & Security

  • Gateway cluster should not be reachable from the external network i.e. ingress traffic should be blocked, while egress traffic should be able to reach the required services. A list of the required endpoints that should be reachable from your Gateway can be found here.

  • Gateway Authentication method - should be used with a dedicated authentication method, which will be stored under a path that only your admin users can access.

  • Dedicated environment - Gateway should be the only application running on the machine, this can be done using a dedicated docker which runs on that machine, or using a dedicated K8s cluster. This reduces the risk that another process running on the same machine is compromised and can interact with your Gateway.

  • Configure TLS - Akeyless Gateway should always be used with TLS. In case you are working with Load Balancers, or reverse proxies in front of your Gateway, TLS should be used for all network connections to ensure all traffic is encrypted at transit.

  • Use your own Customer Fragment to enable Zero-Knowledge- You can use multiple fragments where each fragment will be used for a specific encryption key. Those encryption keys can be used to force privacy segregation among different teams, departments, and organization units. Those fragments must be stored & saved for backups. Losing your fragments means you will not be able to decrypt those encrypted items at all.

  • Configure your default encryption key based on your fragment to enforce Zero-Knowledge by default for all your secrets. This setting will ensure that any item which will be created either via Akeyless UI, CLI, or SDKs will be encrypted using your account default encryption key.


  • Multiple admins on your Gateway - Set the Allowed AccessID with sub-claims to avoid a scenario where a wide range of users will be able to log in and configure your Gateway.

  • Log Forwarding - Create a dedicated Gateway, with a dedicated Authentication method to collect and forward all Akeyless logs to your logs system, such dedicated Authentication Method should be associated with a dedicated Access Role, which will have permission to view all Gateways logs, where only admins will have permissions to view this Gateway Authentication Method and Access Role.

High Availability

  • Configure a meaningful name for your cluster - Gateway instances can be set as a cluster where the mutual identifier for your Gateway instances is a combination of your cluster name and the access ID of the authentication method you used to spin the Gateway instance. Providing a meaningful name to your clusters will ensure easier management and scalable environments of your Gateways.

  • High Availability - You can create Gateway clusters to ensure service continuity and resiliency. your Gateway instances can be located in different regions while working as a Geo-Cluster. Gateway instances don't need to communicate with each other directly, the entire operation of synchronizing your instances is done by our SaaS. Working with Geo-Cluster provides an extra level of resiliency. In addition, your Gateway instances can work either in active-active or active-passive modes to address high loads.

Did this page help you?