# Gateway on Azure Container App
## Overview This document contains information on how to install, configure, and update your Keeper Gateway on an Azure Container App. The Keeper Gateway container is built upon the base image of Rocky Linux 9 and it is hosted in [DockerHub](https://hub.docker.com/r/keeper/gateway). ## Prerequisites #### Azure Environment Requirements * An active Azure Subscription. * Azure CLI with the `containerapp` extension. * A Gateway Configuration string from the Keeper Vault. * A `keyvault` extension if using option B. * A subnet (minimum `/27`) for the ACA environment, delegated to `Microsoft.App/environments` #### **Docker Hub Authentication** To avoid anonymous pull rate limits in Azure (which often result in `429 Too Many Requests` ), you must have: * **Docker Hub Account:** A registered account at [hub.docker.com](https://hub.docker.com/). * **Personal Access Token:** A Token generated via **Account Settings > Security** with `Read Only` permissions
*** ## Create a Gateway A new Gateway deployment can be created by clicking on **Create New** > **Gateway** from the Web Vault or Desktop App. You can also create a Gateway and configuration file from the Commander CLI: ``` pam gateway new -n "" -a -c b64 ``` The Application names and UIDs can be found with `secrets-manager app list` *** ## Environment Setup The Container App Environment is the secure boundary for your Gateways. ``` az containerapp env create \ --name \ --resource-group \ --location \ --infrastructure-subnet-resource-id /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/ ```
### Secrets Management Options Choose one of the following methods to manage your `GATEWAY_CONFIG`. #### Option A: Internal Managed Secrets ``` az containerapp create \ --name \ --resource-group \ --environment \ --image keeper/gateway:latest \ --cpu 2.0 --memory 8Gi \ --min-replicas 2 \ --max-replicas 5 \ --registry-server index.docker.io \ --registry-username \ --registry-password \ --secrets "gateway-config-secret=" \ --env-vars "ACCEPT_EULA=Y" "GATEWAY_CONFIG=secretref:gateway-config-secret" ``` #### Option B: Azure Key Vault **Store Secret**: Store your config in Key Vault ``` az keyvault secret set --vault-name --name "DOCKER-TOKEN" --value "" az keyvault secret set --vault-name --name "GATEWAY-CONFIG" --value "" ``` **Deploy with Identity**: Create the app with a system-assigned identity. ``` az containerapp create \ --name \ --resource-group \ --environment \ --image keeper/gateway:latest \ --cpu 2.0 --memory 8Gi \ --system-assigned \ --registry-server index.docker.io \ --registry-username \ --registry-password --env-vars "ACCEPT_EULA=Y" ```
**Grant Access**: Give the app permission to read the secret. ``` PRINCIPAL_ID=$(az containerapp show -n -g --query identity.principalId -o tsv) az role assignment create --assignee $PRINCIPAL_ID --role "Key Vault Secrets User" --scope /subscriptions//resourceGroups/providers/Microsoft.KeyVault/vaults/ ``` **Reference Secret**: Link the Key Vault secret to the app. ``` az containerapp secret set -n -g \ --secrets "docker-password-kv=keyvaultref:https://.vault.azure.net/secrets/DOCKER-TOKEN,identityref:system" \ "gateway-config-kv=keyvaultref:https://.vault.azure.net/secrets/GATEWAY-CONFIG,identityref:system" ``` **Assign** the secret to the registry ``` az containerapp registry set -n \ -g \ --server index.docker.io \ --username \ --password "secretref:gateway-config-kv" ```
*** ### Enable Shared Memory The Keeper Gateway requires expanded shared memory (`/dev/shm`) for session recording. This must be applied via a YAML update after the initial creation. **Export Configuration** `az containerapp show -n -g -o yaml > keeper-app.yaml`
**Edit the YAML** Locate the `template` section and add the `volumes` and `volumeMounts` blocks. ``` template: containers: - name: image: keeper/gateway:latest env: - name: GATEWAY_CONFIG secretRef: gateway-config-kv # Use name from Option A or B volumeMounts: - mountPath: /dev/shm volumeName: shm-volume volumes: - name: shm-volume storageType: EmptyDir ``` **Apply the Update** `az containerapp update -n -g --yaml keeper-app.yaml` #### Operational Commands | **Action** | **Command** | | -------------- | -------------------------------------------------------------------------------------------------- | | Verify Storage | `az containerapp exec -n -g --command "df -h \| grep shm"` | | View Logs | `az containerapp logs show -n -g --follow` | | Scale to Zero | `az containerapp scale update -n -g --min-replicas 0 --max-replicas 0` | | Scale Up | `az containerapp scale update -n -g --min-replicas 2 --max-replicas 5` | *** ## Network Configuration The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:
Destination EndpointPorts NeededMore Info

Keeper Cloud
keepersecurity.[x]

Endpoints:

US: .com

EU: .eu

AU: .com.au

JP: .jp

CA: .ca

US_GOV: .us

TLS Port 443Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)

Keeper Router
connect.keepersecurity.[x]

Endpoints:

US: .com

EU: .eu

AU: .com.au

JP: .jp

CA: .ca

US_GOV: .us

TLS Port 443Communicates with Keeper Router to establish secure, real-time WebSocket connections

Keeper Stun/Turn Service

krelay.keepersecurity.[x]

Endpoints:

US: .com

EU: .eu

AU: .com.au

JP: .jp

CA: .ca

US_GOV: .us

TCP and UDP opened on Port 3478

Outbound access to TCP and UDP ports 49152 through 65535
Facilitates secure and encrypted WebRTC connections between end-user's vault and target systems via the Gateway
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.