
# Gateways


## Overview

Keeper Gateway runs rotation, discovery, connections, and tunneling from your managed environments. Deploy it on Docker, Linux, or Windows, on a host, VM, or cluster. One Gateway can reach both on-prem and cloud infrastructure. Deploy one Gateway, or a Gateway pool, for each managed environment.

### **Platforms Supported**

* [**Docker**](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-docker.md)
* [**Windows**](/keeperpam/privileged-access-manager/getting-started/gateways/windows-installation.md)
* [**Linux**](/keeperpam/privileged-access-manager/getting-started/gateways/linux-installation.md)

### Platform-Specific Capabilities

The Keeper Gateway offers different feature capabilities based on the underlying operating system and hardware. We recommend using Docker on a Linux or Windows host with x86-64 CPUs for full feature support and ease of management.

| Platform                                                                        | Compatibility                                                                                  |
| ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| <mark style="color:green;">**Docker (Linux or Windows host w/ x86-64)**</mark>  | <ul><li><mark style="color:green;"><strong>All features supported</strong></mark></li></ul>    |
| **Docker** (Linux host on ARM)                                                  | <ul><li>No Remote Browser Isolation</li></ul>                                                  |
| <mark style="color:green;">**Linux (Enterprise Linux 8 and 9 variants)**</mark> | <ul><li><mark style="color:green;"><strong>All features supported</strong></mark></li></ul>    |
| **Linux** (Non-EL variants)                                                     | <ul><li>No Remote Browser Isolation</li></ul>                                                  |
| **Windows Native**                                                              | <ul><li>No Remote Browser Isolation</li><li>No database connections</li></ul>                  |

## System Requirements

System requirements vary based on the number of simultaneous user sessions and the types of connections being established. As the volume of simultaneous connections grows, CPU and memory resources must be scaled accordingly.

### Non-RBI Connections

For non-RBI connections, Keeper Gateway follows a predictable scaling model based on concurrent sessions.

**General Sizing Guidelines (Non-RBI Sessions)**

> **1 CPU core and 2 GB of memory for every 25 concurrent sessions**

| Non-RBI Concurrent Sessions | CPU Cores  | Minimum RAM |
| --------------------------- | ---------- | ----------- |
| 0-25                        | 2          | 8 GB        |
| 26-50                       | 3          | 12 GB       |
| 51-100                      | 4          | 16 GB       |
| 101-200                     | 8          | 32 GB       |
| 200+                        | Contact Us | Contact Us  |

### RBI Connections

Remote Browser Isolation (RBI) sessions have significantly higher resource requirements compared to standard gateway connections.

Each RBI session launches a dedicated headless Chromium instance, which consumes substantially more memory than non-RBI sessions.

* Estimated memory usage per RBI session: up to 800 MB
* Memory consumption scales linearly with the number of concurrent RBI sessions
* CPU requirements also increase depending on page complexity and user activity

**General Sizing Guidelines (RBI Sessions)**

> 800 MB per RBI Connection

| RBI Concurrent Sessions | CPU Cores  | Minimum RAM |
| ----------------------- | ---------- | ----------- |
| 1-5                     | 4          | 8 GB        |
| 6-10                    | 6          | 16 GB       |
| 11-20                   | 8          | 32 GB       |
| 21-40                   | 16         | 64 GB       |
| 40+                     | Contact Us | Contact Us  |

{% hint style="info" %}
A minimum of 2 CPU cores, 8 GB of RAM and 10 GB of storage is recommended for any deployment, even test environments.
{% endhint %}

#### **Production Environments**

For production deployments, a minimum of 4 CPU cores and 16 GB of memory is required.

Scale CPU and memory resources based on the number of concurrent sessions, and refer to the sizing table above for guidance.

## Installation Steps

The Keeper Gateway generates encryption keys and a local Secrets Manager configuration that is used to authenticate with the Keeper cloud. The location of these files depends on the context in which the Gateway runs: it can be installed for the local user or as a service.

* Log in to the **Keeper Web Vault** or **Desktop App**
* Click on **Secrets Manager** on the left side
* Create a new Secrets Manager Application or select an existing application
* Click on the "**Gateways**" tab and click "**Provision Gateway**"
* Select Docker, Linux or Windows install method
* Install the Keeper Gateway using the provided method

When creating a Keeper Gateway using the one-time token method for Linux and Windows, you can select "Lock external WAN IP Address of device for initial request". This IP-locks the Gateway, in addition to the authentication and encryption built into the service.

### Deployment Methods

Based on your Operating System, refer to the corresponding guide on installing the Keeper Gateway:

* [**Docker**](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-docker.md)
* [**Podman**](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-podman.md)
* [**Linux**](/keeperpam/privileged-access-manager/getting-started/gateways/linux-installation.md)
* [**Windows**](/keeperpam/privileged-access-manager/getting-started/gateways/windows-installation.md)

Container Services:

* [**Azure Container Instance**](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-on-azure-container-instance.md)
* [**Azure Container App**](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-on-azure-container-app.md)
* [**AWS ECS**](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-on-aws-ecs.md)
* [**Kubernetes**](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-on-kubernetes.md)

#### Additional Installation Configurations

If you are installing on an EC2 instance in AWS, the Keeper Gateway can be configured to use the instance role for pulling its configuration from AWS Secrets Manager. Detailed instructions on this setup can be [found here](/keeperpam/privileged-access-manager/getting-started/gateways/advanced-configuration/gateway-configuration-with-aws-kms.md).


