Deploy the Cipherscale Gateway to your VPC or on-prem host. Learn how to use AI-native intent to generate Docker scripts and verify E2EE connectivity.
Overview
A Cipherscale Gateway is a self-hosted software component that acts as a router and firewall to securely broker traffic from user devices to private resources, SaaS applications, and the public internet. Operating as the Data Plane of the Cipherscale architecture, it handles end-to-end encrypted (E2EE) traffic directly between the user's device and itself. The gateway is the core operational component responsible for enforcing your Zero Trust access policies and admission rules, ensuring that users have access only to authorized applications and effectively eliminating lateral movement. To function correctly, a gateway must be installed within a network that can reach the destination resources you want to protect. Because Cipherscale utilizes these distributed local gateways to process requests, it can handle both north-south and east-west traffic while eliminating the latency overhead normally caused by "hairpinning" traffic to a centralized regional Point of Presence.
In the AI-native model, you don't "build" a gateway manually. You tell the Intent Bar where your infrastructure is, and the AI generates the deployment logic, and in some cases, can auto-deploy the Gateway for you.
Maximize your efficiency by navigating to Gateways before entering gateway prompts. You’ll gain instant visibility into the Detail Panes to verify Copilot’s actions and receive tailored Prompt Catalysts to help guide your next steps.
The Intent: What the AI Needs
- Gateway Name: The name of the gateway you want to deploy.
- Description (Optional): A short descriptor for the gateway.
- WireGuard port (Optional): Port 51820 is the default; an alternate can be specified.
- Deployment Method: Specify how/where you want to deploy:
  - Automated cloud: GCP, Azure
  - Infrastructure-as-Code: Terraform (GCP, Azure, AWS EC2, AWS ECS), CloudFormation (AWS EC2, AWS ECS)
  - Manual scripts: Ubuntu, Docker
- Region (Optional for cloud deployments): The cloud region where the gateway should be deployed.
Interaction Flow
| Step | Participant | Action/Content |
|---|---|---|
| 1. The Prompt | Admin | "Create a gateway called 'us-east-gw' with description 'US East Coast Gateway' and WireGuard port 51820" |
| 2. The Draft | AI Copilot | I'll create that gateway for you right away! Create gateway 'us-east-gw' To set up a new gateway for the US East Coast region with the specified network configuration. `{ Gateway Name: "us-east-gw", Description: "US East Coast Gateway", WireGuard Port: "51820" }` |
| 3. Validation | Copilot | [Confirm] [Cancel] |
| 4. Validation | Admin | Confirm |
| 5. Execution | Copilot | ✅ Action confirmed, proceeding with execution of operation ✅ Gateway us-east-gw has been successfully created! Here's a summary: |
| 6. Suggested Next Steps | Copilot | "The gateway is now in PENDING state and ready to be deployed. Would you like me to deploy it to a cloud provider (GCP, Azure, AWS) or generate a deployment script (Ubuntu, Docker, Terraform, CloudFormation)?" |
| 7. The Prompt | Admin | "Docker" |
| 8. Execute | Copilot | "Let me get the deployment options for this gateway from the deployment agent! Docker is available! Now I'll generate the Docker deployment script for us-east-gw. Here's your Docker deployment script for us-east-gw: `curl -sL https://gateway-image-repository.s3.eu-west-2.amazonaws.com/qa/docker_setup.sh \| sudo bash -s -- us-east-gw rohit-qa [***token***] 51820 qa` How to use: Run this command on your Docker host and it will automatically pull and configure the gateway container. ⚠️ Important Requirements: Failure to meet these requirements may cause connectivity issues even if the container is running correctly. Let me know if you need any help!" |
Note
Ensure UDP port 51820 or an assigned alternate port is open to incoming traffic from the internet on the deployed gateway server.
Example List & Find Intents
- "List all gateways"
- "Show me all online gateways"
- "Show me all pending gateways"
- "Get details for gateway 'production-gw'"
- "Find gateways with 'prod' in the name"
- "Get gateway statistics" (online, offline, pending, error counts)
Example Sessions & Links Intents
- "Show sessions for gateway 'production-gw'"
- "Get session history for gateway 'production-gw' in the last 24 hours"
- "Show sessions from the US for gateway 'production-gw'"
- "List all resources linked to gateway 'production-gw'"
Example Create Intents
- "Create a gateway called 'production-gw'"
- "Create a gateway called 'us-east-gw' with description 'US East Coast Gateway' and WireGuard port 51820"
Example Update Intents
- "Rename gateway 'production-gw' to 'us-west-gw'"
- "Update the description of gateway 'production-gw' to 'Primary US Gateway'"
- "Test the configuration of gateway 'production-gw'"
Example Connect Resources Intents
- "Assign gateway 'production-gw' to resource 'HR Portal'"
- "Assign gateways 'us-east-gw' and 'us-west-gw' to resource 'HR Portal' with automatic load balancing"
- "Disconnect resource 'HR Portal' from gateway 'production-gw'"
Example Delete Gateway Intents
- "Delete gateway 'production-gw'"
- "Delete gateways 'us-east-gw' and 'us-west-gw'"
- "Deprovision gateway 'production-gw'"
Note
This deletes the configuration in Cipherscale and does not free infrastructure resources.
Example Automated Cloud Deployments Intents
- "Deploy gateway 'production-gw' to GCP"
- "Deploy gateway 'production-gw' to Azure"
Example Cloud Shutdowns Intents
- "Shutdown gateway 'production-gw' on GCP"
- "Shutdown gateway 'production-gw' on Azure"
Example Manual Deployment Scripts
- "Get the Ubuntu deployment script for gateway 'production-gw'"
- "Get the Docker deployment script for gateway 'production-gw'"
Example Infrastructure-as-Code
- "Get the Terraform script for gateway 'production-gw' on GCP"
- "Get the Terraform script for gateway 'production-gw' on Azure"
- "Get the Terraform script for gateway 'production-gw' on AWS EC2"
- "Get the Terraform script for gateway 'production-gw' on AWS ECS"
- "Get the CloudFormation template for gateway 'production-gw' on AWS EC2"
- "Get the CloudFormation template for gateway 'production-gw' on AWS ECS"
- "Get the AWS CloudFormation launch URL for gateway 'production-gw'"
Example Combined Gateway and Resource Intents
- "Create a gateway 'us-east-gw' and assign it to the HR Portal resource"
- "List all resources linked to gateway 'production-gw' and show their associated policies"
- "Which gateways are assigned to the HR Portal resource?"
- "Show me all gateways and the resources they serve"
- "Deploy gateway 'production-gw' to GCP and assign it to the HR Portal resource"
Navigate to Gateways using the Navigation Menu to verify the Copilot actions or view the current system state.
- The Gateways Data Grid: The data grid that displays the list of gateways with their Name and Status, Last Online date and time, and Connected resources. The copy icon appears when hovering over a Gateway's name, making it easy to copy and paste it into the Intent Bar for use with a prompt. Search allows quick filtering of the rows to show the matching gateways.
- A Specific Gateway's Data Grid: To view details for a specific gateway, click that gateway's name. The gateway name and status will be displayed in the data grid's title. You will see two tabs: Details and Sessions. The Details tab provides information on when the gateway was deployed, when it was last online, its public IP address and port, and a list of the resources connected to it, along with their access policies. The Sessions tab provides details on the current and past sessions of the gateway, which include the Start time, End time, Duration, Public IP and the session's current Status. To go back to the Gateways Data Grid, click Gateways from the breadcrumb.
- You can also verify system state by using prompts in the Intent Bar. Example prompts are shown in Example Gateway Prompts.
Gateway Status Representation
Gateway statuses are visually represented by the following colors:
- Orange: Pending deployment
- Red: Offline
- Green: Online
- Verify Gateway Status: Check the visual status of your gateways. Orange indicates the gateway is pending deployment, Red means it is offline, and Green confirms it is online.
- Ensure Proper Port and Firewall Configuration: For the gateway to function and receive connections, you must ensure that UDP port 51820 or an alternate is open to incoming traffic from the internet.
- Leverage Copilot: Ask a plain-English question like "Why can't User A access the Production Database?" and the AI will automatically correlate access policies, admission rules, real-time logs, and gateway reachability to pinpoint the exact failure point.
- Confirm Network Reachability and DNS: A gateway must be installed in a network that has access to the destination resources. If access is failing, verify that the gateway's host environment can route traffic properly to the intended Private Resource, SaaS Application, or Internet access point. Note: The gateway on the private network automatically uses the assigned DNS server to resolve domain names.
- Check High Availability (HA) Settings: If a resource is reachable by multiple gateways, check your load balancing mode. If set to Manual High Availability, ensure the gateways are dragged into the correct priority order. If set to Automatic, Cipherscale will dynamically load balance across gateways with similar data speeds and performance, automatically avoiding gateways that offer worse performance.
- If the heartbeat fails: Ensure your host can reach internal-grpc.cipherscale.com on port 443. If using AWS, check that your Security Group allows outbound traffic.
- If the Docker script fails to run: Verify that Docker and Docker Compose are installed on your host machine.
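The port requirement from the Note above and the heartbeat and Docker items in this list can be checked on the host before the generated Docker command is pasted in. The script below is an added example, not a Cipherscale script: the endpoint and ports are the ones this article names, while the use of ss(8), bash's /dev/tcp and the `docker compose` plugin are assumptions about a typical Linux Docker host.

```shell
#!/usr/bin/env bash
# Added example, not a Cipherscale script: pre-flight checks for a host that will
# run the generated Docker command. The heartbeat endpoint and ports are the ones
# the article names; using ss(8) and bash's /dev/tcp is an assumption about the host.
set -u

HEARTBEAT_HOST="internal-grpc.cipherscale.com"
HEARTBEAT_PORT=443

# Validate the WireGuard port argument: default 51820, otherwise an integer 1..65535.
wg_port() {
  local p="${1:-51820}"
  case "$p" in ''|*[!0-9]*) return 1 ;; esac
  [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  printf '%s\n' "$p"
}

# Read `ss -lun` output on stdin; succeed only if a UDP socket is bound to port $1.
udp_listener_present() {
  grep -Eq ":$1([[:space:]]|\$)"
}

# Outbound TCP check for the control-plane heartbeat (5 s timeout, no data sent).
heartbeat_reachable() {
  timeout 5 bash -c "exec 3<>/dev/tcp/${HEARTBEAT_HOST}/${HEARTBEAT_PORT}" 2>/dev/null
}

# docker_setup.sh needs both Docker Engine and the Compose plugin.
docker_ready() {
  command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1
}

# Run every check, print one line per result, return non-zero if anything hard-fails.
run_preflight() {
  local port rc=0
  port=$(wg_port "${1:-}") || { echo "FAIL invalid WireGuard port '${1:-}'"; return 1; }
  if docker_ready; then echo "OK   docker and compose present"
  else echo "FAIL docker or compose missing"; rc=1; fi
  if heartbeat_reachable; then echo "OK   ${HEARTBEAT_HOST}:${HEARTBEAT_PORT} reachable"
  else echo "FAIL cannot reach ${HEARTBEAT_HOST}:${HEARTBEAT_PORT} (check egress rules)"; rc=1; fi
  if ss -lun 2>/dev/null | udp_listener_present "$port"; then echo "OK   UDP ${port} listening"
  else echo "WARN no UDP listener on ${port} yet (normal before the container starts)"; fi
  return "$rc"
}

# Checks run only when invoked explicitly, e.g.: ./preflight.sh --run 51820
if [ "${1:-}" = "--run" ]; then
  run_preflight "${2:-}"
fi
```

Run it once before deployment (expect a WARN on the UDP line) and again after the container is up, when the UDP listener should report OK if the firewall rule and the container port agree.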