Infrastructure Gateways
An infrastructure gateway is a single entry point that mediates access to internal services. Rather than exposing multiple services directly, all traffic flows through the gateway, which handles authentication, authorization, and logging centrally.
The Gateway Pattern
Section titled “The Gateway Pattern”Without a Gateway
Section titled “Without a Gateway”Each service manages its own security:
Problems:
- Each service must implement authentication
- Access policies may be inconsistent
- Audit logging is fragmented
- Attack surface is larger
With a Gateway
Section titled “With a Gateway”All access flows through a single point:
Benefits:
- Single authentication implementation
- Consistent access policies
- Unified audit logging
- Reduced attack surface
Gateway Responsibilities
Section titled “Gateway Responsibilities”A well-designed gateway handles:
| Responsibility | Description |
|---|---|
| Authentication | Verify user identity |
| Authorization | Check permissions for each request |
| Rate Limiting | Prevent abuse and DoS |
| Logging | Record all access for audit |
| Request Routing | Direct requests to appropriate services |
| Protocol Translation | Convert between protocols if needed |
| TLS Termination | Handle encryption at the edge |
Types of Gateways
Section titled “Types of Gateways”API Gateway
Section titled “API Gateway”Manages access to APIs, typically for web and mobile applications:
Mobile App → API Gateway → MicroservicesWeb App → ↗Focus: Developer experience, rate limiting, API versioning
Identity-Aware Proxy (IAP)
Section titled “Identity-Aware Proxy (IAP)”Protects internal web applications:
User → IAP → Internal Apps ↓ Identity ProviderFocus: User authentication, single sign-on
Infrastructure Gateway
Section titled “Infrastructure Gateway”Secures access to infrastructure tools and APIs:
Admin → Infrastructure Gateway → Cloud APIsDevOps → → Container OrchestrationCI/CD → → Database AdminFocus: RBAC, audit logging, compliance
Rack Gateway is an infrastructure gateway for Convox rack access.
The Rack Gateway Architecture
Section titled “The Rack Gateway Architecture”Single-Tenant Design
Section titled “Single-Tenant Design”Rack Gateway follows a single-tenant model:
Production Rack: └── Rack Gateway (Production) └── Convox API
Staging Rack: └── Rack Gateway (Staging) └── Convox APIEach gateway:
- Serves one rack
- Has its own database
- Has its own user base
- Has its own audit logs
Benefits:
- Complete isolation between environments
- Independent policies per rack
- Separate audit trails
- Simpler failure domains
Gateway Security Properties
Section titled “Gateway Security Properties”Defense in Depth
Section titled “Defense in Depth”The gateway adds security layers:
Layer 1: Network (VPN/Tailscale) ↓Layer 2: Authentication (OAuth) ↓Layer 3: Authorization (RBAC) ↓Layer 4: MFA (step-up) ↓Layer 5: Audit (logging) ↓Protected ResourceEach layer must be passed before reaching the resource.
Single Choke Point
Section titled “Single Choke Point”All traffic flows through one point:
Security implications:
- Easier to monitor all access
- Policy changes apply universally
- Single point to audit
Credential Isolation
Section titled “Credential Isolation”The gateway holds the Convox API token; users don’t:
Traditional: User → Convox Token → Convox API
With Gateway: User → Session Token → Gateway → Convox Token → Convox API ↑ Token never exposedBenefits:
- Convox token never leaves server
- Users can be revoked without rotating token
- Token usage is logged per-user
Implementing Gateway Security
Section titled “Implementing Gateway Security”Zero Trust Integration
Section titled “Zero Trust Integration”The gateway is a natural enforcement point for zero trust:
| Zero Trust Principle | Gateway Implementation |
|---|---|
| Verify explicitly | Every request authenticated |
| Least privilege | RBAC with minimal permissions |
| Assume breach | All actions logged, MFA required |
See Zero Trust Security for more.
Authentication Options
Section titled “Authentication Options”| Method | Use Case | Rack Gateway |
|---|---|---|
| OAuth/OIDC | Interactive users | ✅ Google OAuth |
| API Tokens | CI/CD, automation | ✅ Supported |
| mTLS | Service-to-service | Not needed |
| API Keys | Simple automation | API tokens |
Authorization Models
Section titled “Authorization Models”| Model | Complexity | Rack Gateway |
|---|---|---|
| Allow/Deny lists | Low | ✅ ADMIN_USERS |
| RBAC | Medium | ✅ Primary model |
| ABAC | High | Future consideration |
Gateway Deployment Patterns
Section titled “Gateway Deployment Patterns”Sidecar Pattern
Section titled “Sidecar Pattern”Gateway deployed alongside each service:
Pod: ├── Application Container └── Gateway SidecarUse case: Service mesh (Istio, Linkerd)
Centralized Pattern
Section titled “Centralized Pattern”Single gateway for all services:
Gateway Cluster → Service A → Service B → Service CUse case: Rack Gateway, API gateways
Hybrid Pattern
Section titled “Hybrid Pattern”Centralized gateway with service-specific policies:
Central Gateway → Per-Service Gateways → ServicesUse case: Large organizations with diverse requirements
Common Pitfalls
Section titled “Common Pitfalls”Gateway as Single Point of Failure
Section titled “Gateway as Single Point of Failure”Problem: If the gateway goes down, nothing works
Solutions:
- Run multiple gateway instances (HA)
- Load balancer with health checks
- Graceful degradation (read-only mode)
Gateway Bypass
Section titled “Gateway Bypass”Problem: Services still accessible without gateway
Solutions:
- Network segmentation (services only reachable from gateway)
- Service-level authentication (mTLS)
- Audit for direct access attempts
Credential Sprawl
Section titled “Credential Sprawl”Problem: Gateway needs credentials for all backend services
Solutions:
- Centralized secret management (Vault)
- IAM roles for AWS services
- Short-lived tokens where possible
Logging Overload
Section titled “Logging Overload”Problem: Logging everything creates too much data
Solutions:
- Structured logging for efficient querying
- Log aggregation and rotation
- Sampling for high-volume endpoints
Rack Gateway Specifics
Section titled “Rack Gateway Specifics”What It Protects
Section titled “What It Protects”| Resource | Protection |
|---|---|
| Convox API | All operations authenticated and authorized |
| App deployments | Deploy approval workflow |
| Environment variables | Secret redaction in logs |
| Exec access | MFA for sensitive operations |
Deployment Model
Section titled “Deployment Model”Recommended: Internet → VPN/Tailscale → Rack Gateway → Convox
Optional (with TLS): Internet → TLS → Rack Gateway → ConvoxConfiguration Example
Section titled “Configuration Example”services: gateway: domain: gateway.example.com port: 8443 resources: - database environment: - RACK_HOST=rack.example.com - RACK_TOKEN # From Convox resources - GOOGLE_CLIENT_ID - GOOGLE_CLIENT_SECRET - ADMIN_USERS=admin@example.com
resources: database: type: postgresKey Takeaways
Section titled “Key Takeaways”- Gateways centralize security at a single enforcement point
- Single-tenant design provides isolation between environments
- Credential isolation keeps sensitive tokens server-side
- Zero trust integrates naturally with gateway architecture
- High availability is essential—gateways are critical path
- Network segmentation prevents gateway bypass
Further Reading
Section titled “Further Reading”- Architecture Overview - Rack Gateway architecture
- Zero Trust Security - Security model
- Private Network Deployment - Network security
- Convox Deployment - Deploying Rack Gateway