Hanzo
PlatformHanzo KMSPlatformGateways

Gateway Deployment

Complete guide to deploying KMS Gateways including network configuration and firewall requirements

KMS Gateways enables secure communication between your private resources and the Hanzo KMS platform without exposing inbound ports in your network. This guide covers everything you need to deploy and configure KMS Gateways.

Deployment Steps

To successfully deploy an KMS Gateway for use, follow these steps in order.

Create a machine identity with the correct permissions to create and manage gateways. This identity is used by the gateway to authenticate with Hanzo KMS and should be provisioned in advance. The gateway supports several machine identity auth methods, as listed below. Choose the one that best fits your environment and set the corresponding environment variables when deploying the gateway.

Simple and secure authentication using client ID and client secret.

Environment Variables:

  • INFISICAL_AUTH_METHOD=universal-auth
  • INFISICAL_UNIVERSAL_AUTH_CLIENT_ID=<client-id>
  • INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=<client-secret>

Direct authentication using a machine identity access token.

Environment Variables:

  • INFISICAL_TOKEN=<token>

Authentication using Kubernetes service account tokens.

Environment Variables:

  • INFISICAL_AUTH_METHOD=kubernetes
  • INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>

Authentication using AWS IAM roles.

Environment Variables:

  • INFISICAL_AUTH_METHOD=aws-iam
  • INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>

Authentication using GCP identity tokens.

Environment Variables:

  • INFISICAL_AUTH_METHOD=gcp-id-token
  • INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>

Authentication using GCP service account keys.

Environment Variables:

  • INFISICAL_AUTH_METHOD=gcp-iam
  • INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>
  • INFISICAL_GCP_SERVICE_ACCOUNT_KEY_FILE_PATH=<path-to-key-file>

Authentication using Azure managed identity.

Environment Variables:

  • INFISICAL_AUTH_METHOD=azure
  • INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>

Authentication using OIDC identity tokens.

Environment Variables:

  • INFISICAL_AUTH_METHOD=oidc-auth
  • INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>
  • INFISICAL_JWT=<oidc-jwt>

Authentication using JWT tokens.

Environment Variables:

  • INFISICAL_AUTH_METHOD=jwt-auth
  • INFISICAL_MACHINE_IDENTITY_ID=<machine-identity-id>
  • INFISICAL_JWT=<jwt>

Ensure a relay server is running and accessible before you deploy any gateways. You have two options:

  • Managed relay (Hanzo KMS Cloud, US/EU only): Managed relays are only available for Hanzo KMS Cloud instances in the US and EU regions. If you are using Hanzo KMS Cloud in these regions, you can use the provided managed relay.
  • Self-hosted relay: For all other cases, including all self-hosted and dedicated enterprise instances of Hanzo KMS, you must deploy your own relay server. You can also choose to deploy your own relay server when using Hanzo KMS Cloud if you require reduced geographic proximity to your target resources for lower latency or to reduce network congestion. For setup instructions, see the Relay Deployment Guide.

Make sure the KMS CLI is installed on the machine or environment where you plan to deploy the gateway. The CLI is required for gateway installation and management.

See the CLI Installation Guide for instructions.

Ensure your network and firewall settings allow the gateway to connect to all required services. All connections are outbound only; no inbound ports need to be opened.

ProtocolDestinationPortPurpose
TCPRelay Server IP/Hostname2222SSH reverse tunnel establishment
TCPHanzo KMS instance host (US/EU, other)443API communication and certificate requests

For managed relays, allow outbound traffic to the provided relay server IP/hostname. For self-hosted relays, allow outbound traffic to your own relay server address.

If you are in a corporate environment with strict egress filtering, ensure outbound TCP 2222 to relay servers and outbound HTTPS 443 to Hanzo KMS API endpoints are allowed.

The KMS CLI is used to install and start the gateway in your chosen environment. The CLI provides commands for both production and development scenarios, and supports a variety of options/flags to configure your deployment.

To view all available flags and equivalent environment variables for gateway deployment, see the Gateway CLI Command Reference.

For production deployments on Linux servers, install the Gateway as a systemd service so that it runs securely in the background and automatically restarts on failure or system reboot:

sudo kms gateway systemd install --token <your-machine-identity-token> --domain <your-kms-domain> --name <gateway-name>
sudo systemctl start kms-gateway

By default, the gateway connects to the most optimal relay. Use the --target-relay-name flag to manually specify a different relay server.

The systemd install command requires a Linux operating system with root/sudo privileges.

For production deployments on Kubernetes clusters, install the Gateway using the Hanzo KMS Helm chart:

Install the latest Helm Chart repository

helm repo add kms-helm-charts 'https://dl.cloudsmith.io/public/kms/helm-charts/helm/charts/'
helm repo update

Create a Kubernetes Secret

The gateway supports all identity authentication methods through environment variables:

kubectl create secret generic kms-gateway-environment \
  --from-literal=INFISICAL_AUTH_METHOD=universal-auth \
  --from-literal=INFISICAL_UNIVERSAL_AUTH_CLIENT_ID=<client-id> \
  --from-literal=INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET=<client-secret> \
  --from-literal=INFISICAL_GATEWAY_NAME=<gateway-name>

By default, the gateway connects to the most optimal relay. Use the --from-literal=INFISICAL_RELAY_NAME=<relay-name> flag to manually specify a different relay server.

Install the Gateway

helm install kms-gateway kms-helm-charts/kms-gateway

For development or testing environments:

sudo kms gateway start --token <token> --name=<gateway-name>

By default, the gateway connects to the most optimal relay. Use the --target-relay-name flag to manually specify a different relay server.

After deployment, verify your gateway is working:

  1. Check logs for "Gateway started successfully" message indicating the gateway is running and connected to the relay

  2. Verify registration in the Hanzo KMS by visiting the Gateways section of your organization. The new gateway should appear with a recent heartbeat timestamp.

  3. Test connectivity by creating a resource in Hanzo KMS that uses the gateway to access a private service. Verify the resource can successfully connect through the gateway.

Frequently Asked Questions

No inbound ports need to be opened for gateways. The gateway only makes outbound connections:

  • Outbound SSH to relay servers on port 2222
  • Outbound HTTPS to Hanzo KMS API endpoints on port 443
  • SSH reverse tunnels handle all communication - no return traffic configuration needed

This design maintains security by avoiding the need for inbound firewall rules that could expose your network to external threats.

Test relay connectivity and outbound API access from the gateway:

  1. Test SSH port to relay:
nc -zv <relay-ip> 2222
  1. Test outbound API access (replace with your Hanzo KMS domain if different):
curl -I https://app.kms.hanzo.ai

If the gateway cannot connect to the relay:

  1. Verify the relay server is running and accessible
  2. Check firewall rules allow outbound connections on port 2222
  3. Confirm the relay name matches exactly
  4. Test SSH port to relay:
nc -zv <relay-ip> 2222

If you encounter authentication failures:

  1. Verify machine identity credentials are correct
  2. Check token expiration and renewal
  3. Ensure authentication method is properly configured

Check gateway logs for detailed error information:

  • systemd service: 
    sudo journalctl -u kms-gateway -f
  • Kubernetes: 
    kubectl logs deployment/kms-gateway
  • Local installation: Logs appear in the terminal where you started the gateway

For systemd-based installations, the gateway's configuration file is stored at /etc/kms/gateway.conf. You may reference or inspect this file for troubleshooting advanced configuration issues.

The gateway is designed to handle network interruptions gracefully:

  • Automatic reconnection: The gateway will automatically attempt to reconnect to relay servers if the SSH connection is lost
  • Connection retry logic: Built-in retry mechanisms handle temporary network outages without manual intervention
  • Persistent SSH tunnels: SSH connections are automatically re-established when connectivity is restored
  • Certificate rotation: The gateway handles certificate renewal automatically during reconnection
  • Graceful degradation: The gateway logs connection issues and continues attempting to restore connectivity

No manual intervention is typically required during network interruptions.

How is this guide?

Last updated on

Gateway Overview

How to access private network resources from Hanzo KMS

Security Architecture

Security model, tenant isolation, and best practices for KMS Gateways and Relays

On this page

Deployment Steps
Install the latest Helm Chart repository
Create a Kubernetes Secret
Install the Gateway
Frequently Asked Questions