Gateway Best Practices

Network & Security

  • Gateway cluster should not be reachable from the external network i.e. ingress traffic should be blocked, while egress traffic should be able to reach the required services. A list of the required endpoints that should be reachable from your Gateway can be found here.

  • Gateway Authentication method - should be used with a dedicated authentication method, which will be stored under a path that only your admin users can access.

  • Dedicated environment - Gateway should be the only application running on the machine, this can be done using a dedicated docker which runs on that machine, or using a dedicated K8s cluster. This reduces the risk that another process running on the same machine is compromised and can interact with your Gateway.

  • Configure TLS

  • Use your own Customer Fragment to enable Zero-Knowledge

  • Configure your default encryption key

Management

  • Log Forwarding - Create a dedicated Gateway, with a dedicated Authentication method to collect and forward all Akeyless logs to your logs system, such dedicated Authentication Method should be associated with a dedicated Access Role, which will have permission to view all Gateways logs, where only admins will have permissions to view this Gateway Authentication Method and Access Role.

High Availability

  • Configure a meaningful name for your cluster - Gateway instances can be set as a cluster where the mutual identifier for your Gateway instances is a combination of your cluster name and the access ID of the authentication method you used to spin the Gateway instance. Providing a meaningful name to your clusters will ensure easier management and scalable environments of your Gateways.

  • High Availability - You can create Gateway clusters to ensure service continuity and resiliency. Your Gateway instances can be located in different regions while working as a Geo-Cluster. Gateway instances don't need to communicate with each other directly, the entire operation of synchronizing your instances is done by our SaaS. Working with Geo-Cluster provides an extra level of resiliency. In addition, your Gateway instances can work either in active-active or active-passive modes to address high loads.


Did this page help you?