Gateway on Azure Container App

Azure Container Apps (ACA) provides a serverless, managed platform for the Keeper Gateway, offering native High Availability (HA) and built-in secret encryption.

Overview

This document contains information on how to install, configure, and update your Keeper Gateway on an Azure Container App. The Keeper Gateway container is built upon the base image of Rocky Linux 9 and it is hosted in DockerHub.

Prerequisites

Azure Environment Requirements

An active Azure Subscription.
Azure CLI with the containerapp extension.
A Gateway Configuration string from the Keeper Vault.
A keyvault extension if using option B.
A subnet (minimum /27) for the ACA environment, delegated to Microsoft.App/environments

Docker Hub Authentication

To avoid anonymous pull rate limits in Azure (which often result in 429 Too Many Requests ), you must have:

Docker Hub Account: A registered account at hub.docker.com.
Personal Access Token: A Token generated via Account Settings > Security with Read Only permissions

Create a Gateway

A new Gateway deployment can be created by clicking on Create New > Gateway from the Web Vault or Desktop App.

You can also create a Gateway and configuration file from the Commander CLI:

pam gateway new -n "<Gateway Name>" -a <Application Name or UID> -c b64

The Application names and UIDs can be found with secrets-manager app list

Environment Setup

The Container App Environment is the secure boundary for your Gateways.

az containerapp env create \
--name <ENVIRONMENT_NAME> \
--resource-group <RESOURCE_GROUP> \
--location <LOCATION> \
--infrastructure-subnet-resource-id /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<VNET_RESOURCE_GROUP>/providers/Microsoft.Network/virtualNetworks/<VNET_NAME>/subnets/<SUBNET_NAME>

Secrets Management Options

Choose one of the following methods to manage your GATEWAY_CONFIG.

Option A: Internal Managed Secrets

az containerapp create \
  --name <APP_NAME> \
  --resource-group <RESOURCE_GROUP> \
  --environment <ENVIRONMENT_NAME> \
  --image keeper/gateway:latest \
  --cpu 2.0 --memory 8Gi \
  --min-replicas 2 \
  --max-replicas 5 \
  --registry-server index.docker.io \
  --registry-username <DOCKER_HUB_USER> \
  --registry-password <DOCKER_HUB_PASSWORD_OR_PAT> \
  --secrets "gateway-config-secret=<YOUR_BASE64_CONFIG>" \
  --env-vars "ACCEPT_EULA=Y" "GATEWAY_CONFIG=secretref:gateway-config-secret"

Option B: Azure Key Vault

Store Secret: Store your config in Key Vault

az keyvault secret set --vault-name <VAULT_NAME> --name "DOCKER-TOKEN" --value "<YOUR_DOCKER_HUB_PAT>"
az keyvault secret set --vault-name <VAULT_NAME> --name "GATEWAY-CONFIG" --value "<YOUR_BASE64_CONFIG>"

Deploy with Identity: Create the app with a system-assigned identity.

az containerapp create \
  --name <APP_NAME> \
  --resource-group <RESOURCE_GROUP> \
  --environment <ENVIRONMENT_NAME> \
  --image keeper/gateway:latest \
  --cpu 2.0 --memory 8Gi \
  --system-assigned \
  --registry-server index.docker.io \
  --registry-username <DOCKER_HUB_USER> \
  --registry-password <Enter your Docker PAT, which starts with dckr_pat_...>
  --env-vars "ACCEPT_EULA=Y"

Grant Access: Give the app permission to read the secret.

PRINCIPAL_ID=$(az containerapp show -n <APP_NAME> -g <RESOURCE_GROUP> --query identity.principalId -o tsv) 
az role assignment create --assignee $PRINCIPAL_ID --role "Key Vault Secrets User" --scope /subscriptions/<SUB_ID>/resourceGroups/providers/Microsoft.KeyVault/vaults/<VAULT_NAME>

Reference Secret: Link the Key Vault secret to the app.

az containerapp secret set -n <APP_NAME> -g <RESOURCE_GROUP> \
--secrets "docker-password-kv=keyvaultref:https://<VAULT_NAME>.vault.azure.net/secrets/DOCKER-TOKEN,identityref:system" \
"gateway-config-kv=keyvaultref:https://<VAULT_NAME>.vault.azure.net/secrets/GATEWAY-CONFIG,identityref:system"

Assign the secret to the registry

az containerapp registry set 
-n <APP_NAME> \
-g <RESOURCE_GROUP> \
--server index.docker.io \
--username <DOCKER_HUB_USER> \
--password "secretref:gateway-config-kv"

Enable Shared Memory

The Keeper Gateway requires expanded shared memory (/dev/shm) for session recording. This must be applied via a YAML update after the initial creation.

Export Configuration

az containerapp show -n <APP_NAME> -g <RESOURCE_GROUP> -o yaml > keeper-app.yaml

Edit the YAML

Locate the template section and add the volumes and volumeMounts blocks.

template:
  containers:
  - name: <APP_NAME>
    image: keeper/gateway:latest
    env:
    - name: GATEWAY_CONFIG
      secretRef: gateway-config-kv # Use name from Option A or B
    volumeMounts:
    - mountPath: /dev/shm
      volumeName: shm-volume
  volumes:
  - name: shm-volume
    storageType: EmptyDir

Apply the Update

az containerapp update -n <APP_NAME> -g <RESOURCE_GROUP> --yaml keeper-app.yaml

Operational Commands

Action

Command

Verify Storage

az containerapp exec -n <APP_NAME> -g <RESOURCE_GROUP> --command "df -h | grep shm"

View Logs

az containerapp logs show -n <APP_NAME> -g <RESOURCE_GROUP> --follow

Scale to Zero

az containerapp scale update -n <APP_NAME> -g <RESOURCE_GROUP> --min-replicas 0 --max-replicas 0

Scale Up

az containerapp scale update -n <APP_NAME> -g <RESOURCE_GROUP> --min-replicas 2 --max-replicas 5

Network Configuration

The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:

Destination Endpoint

Ports Needed

More Info

Keeper Cloud keepersecurity.[x]

Endpoints:

US: .com

EU: .eu

AU: .com.au

JP: .jp

CA: .ca

US_GOV: .us

TLS Port 443

Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)

Keeper Router connect.keepersecurity.[x]

Endpoints:

US: .com

EU: .eu

AU: .com.au

JP: .jp

CA: .ca

US_GOV: .us

TLS Port 443

Communicates with Keeper Router to establish secure, real-time WebSocket connections

Keeper Stun/Turn Service

krelay.keepersecurity.[x]

Endpoints:

US: .com

EU: .eu

AU: .com.au

JP: .jp

CA: .ca

US_GOV: .us

TCP and UDP opened on Port 3478 Outbound access to TCP and UDP ports 49152 through 65535

Facilitates secure and encrypted WebRTC connections between end-user's vault and target systems via the Gateway

The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.

PreviousGateway on Azure Container Instance NextGateway on AWS ECS

Last updated 5 days ago

Was this helpful?

hashtagOverview

hashtagPrerequisites

hashtagAzure Environment Requirements

hashtagDocker Hub Authentication

hashtagCreate a Gateway

hashtagEnvironment Setup

hashtagSecrets Management Options

hashtagOption A: Internal Managed Secrets

hashtagOption B: Azure Key Vault

hashtagEnable Shared Memory

hashtagOperational Commands

hashtagNetwork Configuration

Overview

Prerequisites

Azure Environment Requirements

Docker Hub Authentication

Create a Gateway

Environment Setup

Secrets Management Options

Option A: Internal Managed Secrets

Option B: Azure Key Vault

Enable Shared Memory

Operational Commands

Network Configuration