> For the complete documentation index, see [llms.txt](https://docs.keeper.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/gateways/scaling-and-high-availability.md).

# Scaling and High Availability

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FnwuJqkgX2fBDINuI1SlH%2FKeeper%20Gateway%20High%20Availability.jpg?alt=media&#x26;token=78795788-d2db-4790-835c-d8a356b83e4d" alt=""><figcaption></figcaption></figure>

The Keeper Gateway powers [Connections](/keeperpam/privileged-access-manager/connections.md), [Tunnels](/keeperpam/privileged-access-manager/tunnels.md), [Discovery](/keeperpam/privileged-access-manager/discovery.md), and [Password Rotation](/keeperpam/privileged-access-manager/password-rotation/rotation-overview.md).

Scaling lets you run multiple Gateway instances with the same configuration. Those instances form one Gateway pool. The pool improves capacity and availability for PAM workloads.

A Gateway pool distributes requests across healthy instances in round-robin order.

## How Scaling Works

<figure><img src="/files/SxeUnQzZQafiFx4Pjlvv" alt=""><figcaption></figcaption></figure>

When Gateway scaling is enabled, you can operate multiple Gateway instances using identical configuration. These instances form a Gateway pool that collectively manages PAM workloads.

* **Workload distribution** — requests are distributed across available Gateway instances.
* **Automatic failover** — if one instance becomes unavailable, traffic shifts to healthy instances.
* **Configurable maximum** — you define how many instances can run at once.
* **Cross-platform support** — instances can run on any supported Gateway platform.

{% hint style="info" %}
`pam gateway list` in Commander shows the Gateway Pool as a single entry. Use `pam gateway list --verbose` to see additional details including OS, machine type, and device name. Individual running instances are not listed separately.
{% endhint %}

### Scaling Down

Reducing the maximum instance count doesn't automatically stop running Gateways — manual intervention is required. If you lower the limit (example: 3 → 2), existing instances continue running until you manually stop them to comply with the new maximum.

## Setup

### Prerequisites

Before you enable scaling, make sure you have:

* Keeper Gateway version **1.7.6 or higher**
* Keeper Commander version **17.2 or higher**
* A user who can create, deploy, and manage Keeper Gateways
* An existing Gateway deployment

### 1. Set Maximum Gateway Instances

After logging into Keeper Commander, retrieve your gateway list:

```bash
pam gateway list
```

Configure scaling for your gateway:

```bash
pam gateway set-max-instances -g <GATEWAY_UID_OR_NAME> -m <MAX_INSTANCES>
```

Where `<GATEWAY_UID_OR_NAME>` is your Gateway's UID or name, and `<MAX_INSTANCES>` is your desired concurrent instance limit (minimum: 1).

**Example:**

```bash
pam gateway set-max-instances -g Dmg5bh63p3Yj7ov738BTAw -m 5
```

### 2. Run Another Gateway with the Same Configuration

Deploy the same Gateway configuration to additional servers or environments. Each instance joins the same Gateway pool and respects the configured maximum.

Copy the configuration from an existing running Gateway and reuse it on each new host. If you created the original Gateway with the base64 configuration option, reuse that printed `GATEWAY_CONFIG` value.

For full deployment steps, see the platform guides:

* [Gateway with Docker](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-docker.md)
* [Gateway on Linux Native](/keeperpam/privileged-access-manager/getting-started/gateways/linux-installation.md)
* [Gateway on Windows](/keeperpam/privileged-access-manager/getting-started/gateways/windows-installation.md)

### Deploying new Instances

Gateway initialization methods differ depending on what system the gateway is deployed on:

* Windows-native and Linux-native gateways are initialized with a One-Time-Token.
* Docker gateways are initialized with a Base64 Configuration file.

Deploying multiple instances of the same gateway is straightforward with Docker deployments, as the configuration file is the same, therefore you can deploy new instances with the same command:

{% code overflow="wrap" %}

```bash
curl -fsSL https://keepersecurity.com/pam/gatewayctl/install | sudo bash -s -- -c <b64_config>
```

{% endcode %}

For gateways that are initialized with a One-Time-Token, this isn't possible, as the One-Time-Token cannot be reused, even to deploy a new instance.

Instead, create and deploy a new temporary gateway with a One-Time-Token. Once installed, you can replace the configuration file.

* Configuration file location on Windows:

{% code overflow="wrap" %}

```
C:\ProgramData\KeeperGateway\config\gateway-config.json
```

{% endcode %}

* Configuration file location on Linux:

{% code overflow="wrap" %}

```
/etc/keeper-gateway/gateway-config.json
```

{% endcode %}

After a restart, the gateway should be running as an instance of the gateway pool, and the temporary gateway can be safely discarded. You can verify running instances with Keeper Commander:

{% code overflow="wrap" %}

```bash
pam gateway list
rocky9.gateway                                     pp4pwiBcR5KUV   ONLINE (2 instances)
   |- Instance 1 (connected: 2026-06-11 10:25:30)  10.0.0.57       ONLINE        1.8.1
   |- Instance 2 (connected: 2026-06-11 13:16:19)  10.0.0.47       ONLINE        1.8.1
```

{% endcode %}

### Converting JSON and Base64 Configuration Files

If you want to run a Linux-native / Windows-native gateway and a Docker gateway together in a pool, the configuration is stored in different formats:

* Linux stores the configuration in JSON
* Docker stores the configuration in Base64 (in the docker-compose.yml file)

To work with both formats, you can encode into / decode from Base64

* Encode a JSON config (Linux / Windows) into Base64 (Docker):

{% code overflow="wrap" %}

```bash
cat /etc/keeper-gateway/gateway-config.json | base64
```

{% endcode %}

* Decode a Base64 config (Docker) into JSON (Linux / Windows):

{% code overflow="wrap" %}

```bash
echo 'ewogICAgImF...' | base64 --decode > /etc/keeper-gateway/gateway-config.json
```

{% endcode %}

In the above command, `> /etc/keeper-gateway/gateway-config.json`  will write the JSON directly into the gateway config file. Remove it to print the JSON to stdout.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/gateways/scaling-and-high-availability.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.