Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dynatrace Saas - Active gate configuration


Could you please clarify on the below question?

Currently we are configuring active gate for Dynatrace SaaS.

Customer is asking for strong clarification on "Why Active gate servers should be in DMZ"

Could you please clarify?




Dynatrace Guru
Dynatrace Guru

ActiveGates in SaaS are going to be communicating with an external network (in this case the internet) as we're sending data from the OneAgents to Dynatrace SaaS. In this case the ActiveGate is the only component that needs to be exposed to the Internet in any way. It is simply a common best practice in these scenarios to deploy such hosts in a DMZ as an additional layer of security. The description of the purpose of a DMZ from Wikipedia should make it clear that it applies here:

"In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually a larger network such as the Internet.The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network and, if its design is effective, allows the organization extra time to detect and address breaches before they would further penetrate into the internal networks."

Thank you so much for the clarification

Dynatrace Champion
Dynatrace Champion

I believe an Environment AGs only needs to be placed in the DMZ if it's going to be receiving agent traffic from the public internet. AGs that simply send agent traffic from on-premise to the SaaS cluster need not be deployed in the DMZ.

Featured Posts