Architecture Overview

The Infisical Gateway provides secure access to private resources within your network without requiring direct inbound connections to your environment. This keeps your resources fully protected from external access while still letting Infisical interact securely with resources such as databases.

Architecture Components:
  • Gateway: Lightweight agent deployed within your VPCs that provides access to private resources
  • Relay: Infrastructure that routes encrypted traffic (instance-wide or organization-specific)
Common use cases include generating dynamic credentials or rotating credentials for private databases.
Gateway is a paid feature available under the Enterprise Tier for Infisical Cloud users. Self-hosted Infisical users can contact sales@infisical.com to purchase an enterprise license.

How It Works

The Gateway system uses SSH reverse tunnels for secure, firewall-friendly connectivity:
  1. Gateway Registration: The gateway establishes an outbound SSH reverse tunnel to a relay server using SSH certificates issued by Infisical
  2. Relay Routing: The relay server routes encrypted traffic between the Infisical platform and gateways
  3. Resource Access: The Infisical platform connects to your private resources through the established gateway connections
Key Benefits:
  • No inbound firewall rules needed - all connections are outbound from your network
  • Firewall-friendly - uses standard SSH over TCP
  • Certificate-based authentication: the gateway authenticates to the relay with SSH certificates issued by Infisical (see Gateway Registration above)
  • Automatic reconnection if connections are lost

Deployment

The Infisical Gateway is integrated into the Infisical CLI under the gateway command, making it simple to deploy and manage. You can install the Gateway in all the same ways you install the Infisical CLI, whether via npm, Docker, or a binary. For detailed installation instructions, refer to the Infisical CLI Installation instructions.

Prerequisites:
  1. Relay Server: Before deploying gateways, you need a running relay server:
    • Infisical Cloud: Instance relays are already available - no setup needed
    • Self-hosted: Instance admin must set up shared instance relays, or organizations can deploy their own
  2. Machine Identity: Configure a machine identity with appropriate permissions to create and manage gateways
Once authenticated, the Gateway establishes an SSH reverse tunnel to the specified relay server, allowing secure access to your private resources.

Get started

Step 1: Create a Gateway Identity

  1. Navigate to Organization Access Control in your Infisical dashboard.
  2. Create a dedicated machine identity for your Gateway.
  3. Best Practice: Assign a unique identity to each Gateway for better security and management.
Step 2: Configure Authentication Method

You’ll need to choose an authentication method to initiate communication with Infisical. View the available machine identity authentication methods here.
Step 3: Choose Your Relay Setup

You have two options for relay infrastructure:
Infisical Cloud: Instance relays are already running and available, so no setup is required. You can immediately proceed to deploy gateways using these shared relays.

Self-hosted: If your instance admin has set up shared instance relays, you can use them directly. If not, the instance admin can set them up:
# Instance admin sets up shared relay (one-time setup)
export INFISICAL_RELAY_AUTH_SECRET=<instance-relay-secret>
infisical relay start --type=instance --ip=<public-ip> --name=<relay-name>
Step 4: Deploy the Gateway

Use the Infisical CLI to deploy the Gateway. You can run it directly or, for production deployments on Linux, install it as a systemd service:
Gateway v2: The infisical gateway systemd install command deploys the new Gateway v2 component. If you are migrating from Gateway v1 (legacy infisical gateway install command), this is not an in-place upgrade: Gateway v2 provisions new gateway instances with new gateway IDs. Update any resources that reference a gateway ID (for example: dynamic secret configs, app connections, or other gateway-bound resources) to use the new Gateway v2 gateway ID.
sudo infisical gateway systemd install --token <your-machine-identity-token> --domain <your-infisical-domain> --name <gateway-name> --relay <relay-name>
sudo systemctl start infisical-gateway
This will install and start the Gateway as a secure systemd service that:
  • Runs with restricted privileges:
    • Runs as root user (required for secure token management)
    • Restricted access to home directories
    • Private temporary directory
  • Automatically restarts on failure
  • Starts on system boot
  • Manages token and domain configuration securely in /etc/infisical/gateway.conf
The install command requires:
  • Linux operating system
  • Root/sudo privileges
  • Systemd
For detailed information about the gateway commands and their options, see the gateway command documentation.
Requirements:
  • Ensure the deployed Gateway has network access to the private resources you intend to connect with Infisical
  • The gateway must be able to reach the relay server (outbound connection only)
  • Replace <relay-name> with the name of your relay server and <gateway-name> with a unique name for this gateway
Step 5: Verify Gateway Deployment

To confirm your Gateway is working, check the Gateway logs for the message “Gateway started successfully”, which indicates the Gateway is running properly. Next, verify its registration by opening your Infisical dashboard, navigating to Organization Access Control, and selecting the Gateways tab. Your newly deployed Gateway should appear in the list.
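The following check script is an added example, not part of the Infisical CLI or its documentation. It automates the host-side verification from steps 4 and 5: the systemd unit is active, /etc/infisical/gateway.conf (which holds the machine identity token) is root-owned and unreadable by other local users, and the startup message appears in the unit's journal. It assumes the unit is named infisical-gateway (the name used by the systemctl start command above), that GNU stat is available, and that the config file should have no group/other permission bits; the expected owner and mode are assumptions, not something the page states.

```bash
#!/usr/bin/env bash
# Post-deployment checks for a Gateway installed with `infisical gateway systemd install`.
# Added example, not Infisical's own tooling. Assumptions not stated on the page:
# the unit is named infisical-gateway, GNU stat is present, and a token-bearing
# config should be owned by root with no group/other permission bits.

UNIT="${INFISICAL_GATEWAY_UNIT:-infisical-gateway}"
CONF="${INFISICAL_GATEWAY_CONF:-/etc/infisical/gateway.conf}"

# Returns 0 if the captured log text contains the startup line the docs say to look for.
gateway_log_started() {
  printf '%s\n' "$1" | grep -q 'Gateway started successfully'
}

# Returns 0 if the file's permission bits grant no group/other access (e.g. 600, 400, 700).
# gateway.conf holds the machine identity token, so anything wider leaks it to local users.
file_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Prints the owning user of a file (expected to be root for gateway.conf).
file_owner() {
  stat -c '%U' "$1" 2>/dev/null
}

# Runs the live checks on this host; stops at the first failure with a non-zero status.
run_checks() {
  systemctl is-active --quiet "$UNIT" || { echo "FAIL: $UNIT is not active"; return 1; }
  file_is_private "$CONF" || { echo "FAIL: $CONF is readable beyond its owner"; return 1; }
  [ "$(file_owner "$CONF")" = root ] || { echo "FAIL: $CONF is not owned by root"; return 1; }
  gateway_log_started "$(journalctl -u "$UNIT" --no-pager -n 200)" \
    || { echo "FAIL: no 'Gateway started successfully' in recent journal"; return 1; }
  echo "OK: $UNIT active, $CONF locked down, startup message seen"
}

# Live checks only run when explicitly requested, so the functions can be sourced elsewhere.
if [ "${RUN_GATEWAY_CHECKS:-0}" = 1 ]; then
  run_checks
fi
```

Run it on the gateway host with `sudo RUN_GATEWAY_CHECKS=1 bash check-gateway.sh`; a non-zero exit names the first failed check.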