Deploy Gateways
Gateways are what Clients connect to in order to access Resources in a Site. They're the data plane workhorse of the Firezone architecture and are responsible for securely routing traffic between Clients and Resources.
Prerequisites
- Any Linux distribution with kernel 3.10 or later
x86_64
,aarch64
, orarmv7l
CPU architectureiptables
andip6tables
commands available on your system- Docker Engine or systemd installed for your distribution
Firewall ports
Gateways implement the industry-standard STUN and TURN protocols to perform secure NAT holepunching. This allows Firezone to establish direct connections between your Users and Resources while keeping your Resources invisible to the public internet.
Inbound ports
In most cases, no inbound firewall ports should be opened for Gateways to function properly. If your network has a stateless firewall in place, however, you'll need to ensure UDP return traffic can reach the Gateway(s). If you're not sure, you should err on the side of caution and leave all inbound ports closed unless you experience connectivity issues.
See the table below for firewall recommendations for popular cloud providers.
Provider | Resource type | Type | Inbound ports |
---|---|---|---|
AWS | Network ACLs | Stateless | By default, AWS ACLs allow all inbound. If you've modified these, be sure that UDP 1024-65536 is allowed from source 0.0.0.0/0 so your Clients can connect directly. If you wish to allow only Relayed connections, use the source IPs in relay-ips.json. |
AWS | Security Groups | Stateful | None |
Azure | Network Security Groups | Stateful | None |
GCP | Firewall Rules | Stateful | None |
Outbound ports
If the network in which your Gateway is deployed applies egress filtering, you'll need to make sure the following outbound traffic is allowed:
Host | IP Address | Port(s) | Protocol(s) | Purpose |
---|---|---|---|---|
api.firezone.dev | 34.102.202.25 | 443 | HTTPS/WebSocket | Control Plane API (IPv4) |
api.firezone.dev | 2600:1901:0:620b:: | 443 | HTTPS/WebSocket | Control Plane API (IPv6) |
N/A | See relay-ips.json | 3478 | STUN | STUN protocol signaling |
N/A | See relay-ips.json | 49152-65535 | TURN | TURN protocol channel data |
github.com, www.firezone.dev | Varies | 443 | HTTPS | Only required for Gateway upgrades. |
Where to deploy Gateways
Ideally, Gateways should be deployed as close to the Resources they're serving -- in some cases, even on the same host. This ensures the lowest possible latency and highest possible throughput for Client connections, and allows you to more easily deploy additional Gateways for other Resources that need to handle more Client connections.
The downside of deploying Gateways close to Resources is that it increases the overall number of Gateways and Sites you need to manage. Firezone's control plane is designed to make this as easy as possible, but it's still something to keep in mind when planning your deployment.
When deploying Gateways, remember that all Gateways and Resources in a Site must have unobstructed network connectivity to each other. This is necessary for Firezone's automatic failover and load balancing features to work correctly.
Sizing recommendations
The Gateway, like the rest of Firezone's data plane stack, is written in Rust. As a result, it's extremely lightweight and computationally efficient by nature.
Gateways are mostly performance-bound by the I/O rate at which they can process packets, so bare metal deployments or VMs with high I/O rates will make a big difference in both throughput and latency.
Despite this, even tiny, shared vCPU VMs can perform acceptably well in many
cases. An f1-micro
instance with just 0.25 vCPU cores on Google Cloud, for
example, can handle around 200 Mbps of sustained throughput.
Gateway size | Approx. users served | CPU cores | Memory | Recommended link speed |
---|---|---|---|---|
Micro | 10 - 50 | 1 | 512 MB | 500 Mbps |
Small | 50 - 100 | 2 | 1 GB | 1 Gbps |
Medium | 100 - 500 | 4 | 2 GB | 2.5 Gbps |
To go beyond the table above, you can deploy additional Gateways and use Firezone's automatic load balancing to distribute Client connections across them.
Deploy a single Gateway
Deploying a single Gateway can be accomplished in the admin portal.
We strongly recommend deploying a minimum of three Gateways in a Site for production use cases. This ensures high availability even when performing rolling upgrades.
Go to Sites -> <name of Site> -> Deploy a Gateway
and follow the prompts to
deploy for your preferred environment. This will deploy a single Gateway.
Deploy multiple Gateways
To achieve high availability, deploy two or more Gateways within the same Site. High availability is achieved through a combination of automatic failover and load balancing, both of which are available on all plans.
You can deploy multiple Gateways within a Site manually from the admin portal,
or automate the process by reusing the FIREZONE_TOKEN
environment variable
shown on the Manual
tab of the Deploy a new Gateway
page. This is a
multi-owner token that can be reused to deploy multiple Gateways within the same
Site.
Note: Be sure to set a unique FIREZONE_ID
for each Gateway you deploy.
This can be any non-empty string and is used to identify Gateways in the
portal.
Deploy as many Gateways as you need to handle the load of Client connections to Resources in a Site. This effectively shards Client connections across all Gateways in a Site, achieving higher overall throughput than otherwise possible with a single Gateway.
Automated Gateway deployment
See our automation recipes for deploying Gateways on various cloud providers using Terraform.
Keeping Gateways up to date
It's a good idea to keep your Gateways up to date with the latest version available. See upgrading Gateways for ways to automate this.
Need additional help?
See all support options or try asking on one of our community-powered support channels:
- Discussion forums: Ask questions, report bugs, and suggest features.
- Discord server: Join discussions, meet other users, and chat with the Firezone team
- Email us: We read every message.