The security team of one of our customers informed us that they are detecting unrecognized incoming connections via IP 220.127.116.11 and 18.104.22.168 to a Dynatrace ActiveGate we are using with them. Such connections are worrying this customer, and they asked us if such IPs belong to the Dynatrace Clusters or Mission Control. We recognized the IP 22.214.171.124, but IP 126.96.36.199 does not seem to be listed anywhere, either in the documentation or in the Dynatrace UI. Does this IP belong to Dynatrace?
Are you absolutely sure the connections are to the gateway and not from the gateway?
Since only agents initiate communication to the gateway and the gateway initiates the communication to the cluster (not vice versa).
We are sure; the network analysis done by the security team of our customer shows that the Dynatrace ActiveGate host is receiving inbound/incoming requests from both IP addresses. The network team told us that in the beginning they thought that the requests were a form of DDoS.
Is your environment ActiveGate port (default to 9999) publicly available from internet?
ActiveGate has no control over what is trying to connect to it. If you wish to control it, you need to use firewall / iptables rules to manage this and allow communication only from your environment.
However, a valid token is required to pass communication further to Dynatrace Cluster through the ActiveGate. Each agent has this token in its configuration. So even if someone is able to establish a TCP connection to the gateway, it's useless without the token. (Unless someone is trying to do DDoS).
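The two checks suggested in this thread, confirming the direction of the flows (toward the ActiveGate port or away from it) and restricting the ActiveGate port to your own agent subnets, can be scripted. The following is an added example, not code from the original thread or from Dynatrace: it classifies constructed firewall-style flow records against an assumed allowlist of agent subnets and emits the matching iptables rules as strings. The addresses, the `SRC=/DST=/SPT=/DPT=` line format and the allowlist are all constructed placeholders; only the default port 9999 comes from the thread.

```python
"""Classify flows touching an ActiveGate and build an iptables allowlist.

Added example (not from the thread or Dynatrace). All addresses are
constructed placeholders from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

ACTIVEGATE_PORT = 9999  # default environment ActiveGate port named in the thread
ACTIVEGATE_IP = ipaddress.ip_address("192.0.2.10")  # constructed placeholder

# Constructed allowlist: the subnets where your OneAgents actually live.
ALLOWED_AGENT_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a simplified 'KEY=VALUE' flow line (constructed format,
    modelled loosely on iptables LOG output: SRC= DST= SPT= DPT=)."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(
        src=ipaddress.ip_address(fields["SRC"]),
        sport=int(fields["SPT"]),
        dst=ipaddress.ip_address(fields["DST"]),
        dport=int(fields["DPT"]),
    )


def classify(flow: Flow) -> str:
    """Decide whether a flow is an expected agent connection, an
    unexpected inbound hit on the ActiveGate port, the ActiveGate's own
    outbound traffic (e.g. to the cluster), or unrelated."""
    if flow.dst == ACTIVEGATE_IP and flow.dport == ACTIVEGATE_PORT:
        if any(flow.src in net for net in ALLOWED_AGENT_NETS):
            return "agent-inbound"
        return "unexpected-inbound"
    if flow.src == ACTIVEGATE_IP:
        return "outbound-from-activegate"
    return "unrelated"


def unexpected_sources(lines: List[str]) -> List[str]:
    """Return the distinct source IPs that hit the ActiveGate port from
    outside the allowlist, in first-seen order."""
    seen: List[str] = []
    for line in lines:
        flow = parse_flow(line)
        if classify(flow) == "unexpected-inbound" and str(flow.src) not in seen:
            seen.append(str(flow.src))
    return seen


def iptables_allowlist_rules() -> List[str]:
    """Build INPUT rules that accept the ActiveGate port only from the
    allowlisted agent subnets and drop everything else on that port.
    Returned as strings so the caller can review them before applying."""
    rules = [
        f"iptables -A INPUT -p tcp --dport {ACTIVEGATE_PORT} -s {net} -j ACCEPT"
        for net in ALLOWED_AGENT_NETS
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {ACTIVEGATE_PORT} -j DROP")
    return rules


# Constructed sample flow records (not real captures).
SAMPLE_LINES = [
    "IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=9999",
    "IN=eth0 SRC=203.0.113.25 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=9999",
    "OUT=eth0 SRC=192.0.2.10 DST=203.0.113.99 PROTO=TCP SPT=44000 DPT=443",
    "IN=eth0 SRC=203.0.113.25 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(parse_flow(line)), "<-", line)
    print("unexpected sources:", unexpected_sources(SAMPLE_LINES))
    print("\n".join(iptables_allowlist_rules()))
```

The direction check matters because, as noted above, only agents open connections to the ActiveGate and the ActiveGate opens connections to the cluster; a flow whose source is the ActiveGate itself is outbound and should not be read as an unknown party connecting in. The generated rules are deliberately only returned, not executed, so they can be reviewed (and adapted to your distribution's firewall tooling) before being applied.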