Gateway on Azure Container Instance
Instructions for installing Keeper Gateway on an Azure Container Instance
Overview
This document contains information on how to install, configure, and update your Keeper Gateway on an Azure Container Instance. The Keeper Gateway container is built upon the base image of Rocky Linux 9 and it is hosted in DockerHub.
Prerequisites
Azure Environment Requirements
Resource Group: A dedicated resource group.
Virtual Network (VNet): A VNet with a dedicated subnet for the gateway.
Subnet Delegation: The designated subnet must be delegated to
Microsoft.ContainerInstance/containerGroups.Subscription Permissions: Contributor access to create Container Instances and Network resources.
Docker Hub Authentication
To avoid anonymous pull rate limits in Azure (which often result in 429 Too Many Requests or Manifest Unknown errors), you must have:
Docker Hub Account: A registered account at hub.docker.com.
Personal Access Token: A Token generated via Account Settings > Security with
Read Onlypermissions
Create a Gateway
A new Gateway deployment can be created by clicking on Create New > Gateway from the Web Vault or Desktop App.
You can also create a Gateway and configuration file from the Commander CLI:
The Application names and UIDs can be found with secrets-manager app list
Deployment Manifest
A Docker Compose file is provided through the Vault UI. This file can be used to build a Deployment Manifest file. Save this file as keeper-gateway.yml . An example of a Deployment Manifest is below:
Required Parameters
Parameter
Description
<AZURE_REGION>
The Azure region where your VNet and Target VMs reside.
<GATEWAY_INSTANCE_NAME>
A unique name for this container group in Azure.
<DOCKER_HUB_USERNAME>
Your Docker Hub ID (required for production pull limits).
<DOCKER_HUB_PAT_TOKEN>
The Personal Access Token generated in Docker Hub.
<YOUR_BASE64_CONFIG_STRING>
The configuration string generated from the Keeper Vault when generating a Gateway
<SUBSCRIPTION_ID>
Your 36-character Azure Subscription ID.
<SUBNET_NAME>
The name of the subnet delegated to Microsoft.ContainerInstance.
<VNET_NAME>
The name of the Virtual Network where the subnet resides
We use emptyDir for /dev/shm to meet shared memory requirements without managing external storage. This storage is ephemeral. If you delete or update the ACI deployment, this data is wiped. This is acceptable for the Gateway because it syncs its state and recordings to the Keeper Cloud.
In Azure Container Instances (ACI), seccomp and AppArmor are not used because ACI uses Hyper-V isolation by default.
Deployment
Once the YAML file is prepared, upload the file and execute the following commands via the Azure CLI to start the service.
Create the Container Group
Verify the Service
Logging
Gateway Service Management
In an Azure Container Instance (ACI) environment, management is performed via the Azure CLI or the Azure Portal.
Service Control
Starting the Service Deploying the manifest automatically starts the service. If the container is stopped:
Stopping the Service To temporarily halt the Gateway:
Restarting the Service Required after making configuration changes to the YAML manifest:
Connecting to the Gateway Container
For debugging network connectivity or verifying internal environment variables, you can establish an interactive bash session:
Updating the Gateway
To update your production instance to the latest version:
Pull and Restart: ACI will automatically pull the :latest image tag upon restart if the image policy allows, but the most reliable method is to re-run the creation command:
Debugging & Health Checks
Verbose Logging
If you need to enable debug logs for troubleshooting rotation failures or tunnel issues, add the following to the environmentVariables section of your YAML:
Health Checks
To monitor the operational status of the Gateway for load balancing or automated failover, you can configure Liveness Probes. This ensures Azure automatically restarts the container if the Gateway service becomes unresponsive.
Scaling and High Availability
Before deploying additional containers, you must configure the Gateway for scaling and high availability.
After logging into Keeper Commander, get a list of gateways from this command:
Run the following command for the gateway being configured for scaling:
<GATEWAY_UID>is the UID of the Gateway you are scaling.<MAX_INSTANCES>is the maximum number of Gateway instances you want to allow.
Example: The following example allows up to 5 Gateway instances to run concurrently:
For further information on gateway scaling and high availability
In Azure ACI, scaling is horizontal. You deploy multiple independent container groups using the exact same GATEWAY_CONFIG
To add a second instance, duplicate your YAML file and rename the container group and the YAML file.
Upload your new YAML file and run the deployment command
Each instance will automatically join the existing pool.
Network Configuration
The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:
Keeper Cloud
keepersecurity.[x]
Endpoints:
US: .com
EU: .eu
AU: .com.au
JP: .jp
CA: .ca
US_GOV: .us
TLS Port 443
Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)
Keeper Router
connect.keepersecurity.[x]
Endpoints:
US: .com
EU: .eu
AU: .com.au
JP: .jp
CA: .ca
US_GOV: .us
TLS Port 443
Communicates with Keeper Router to establish secure, real-time WebSocket connections
Keeper Stun/Turn Service
krelay.keepersecurity.[x]
Endpoints:
US: .com
EU: .eu
AU: .com.au
JP: .jp
CA: .ca
US_GOV: .us
TCP and UDP opened on Port 3478 Outbound access to TCP and UDP ports 49152 through 65535
Facilitates secure and encrypted WebRTC connections between end-user's vault and target systems via the Gateway
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.
Last updated
Was this helpful?