The Dynatrace Gateway is a proxy that sits between your OneAgents and the Dynatrace cluster, enabling secure, outbound communication from your monitored environments to Dynatrace SaaS or Managed.
Here’s how it works in practice. Imagine you have a very locked-down network, where direct outbound connections to the internet are restricted, and you want to monitor these internal systems with Dynatrace. Instead of opening a direct channel from every server running a OneAgent to Dynatrace’s public endpoints, you deploy a Dynatrace Gateway within your network. The OneAgents point to this Gateway, and the Gateway, in turn, establishes a single, secure connection to the Dynatrace cluster. This significantly reduces your attack surface and simplifies firewall rules.
Let’s look at a typical deployment. You’d have a dedicated machine, perhaps a Linux VM, where you install the Dynatrace Gateway.
```bash
# Download the Gateway installer
curl -O https://{your-dynatrace-domain}/api/v1/deployment/gateway/installer/linux/x86/dynatrace-gateway-linux-x86.sh

# Make it executable
chmod +x dynatrace-gateway-linux-x86.sh

# Install the Gateway
sudo ./dynatrace-gateway-linux-x86.sh

# During installation, you'll be prompted for:
# - Dynatrace Environment ID (e.g., 'a1b2c3d4')
# - Dynatrace Cluster URL (e.g., 'https://{your-dynatrace-domain}/e/{your-environment-id}')
# - Communication-security token (if using token-based authentication)
```
Once installed and running, the Gateway process (typically dt-gateway) will be listening on a specific port, usually 9999 by default.
```bash
# Check the status of the Gateway service
sudo systemctl status dt-gateway
```
Now, you configure your OneAgents to use this Gateway. On each server where a OneAgent is installed, you modify its configuration. The key parameter is --set network.gateway.address=your-gateway-ip:9999.
```bash
# Example of updating OneAgent configuration via command line
sudo /opt/dynatrace/oneagent/agent/bin/update-agent-config.sh \
    --set network.gateway.address=192.168.1.100:9999
```
Alternatively, you can set this during OneAgent installation:
```bash
# Example OneAgent installation with Gateway configured
sudo sh dynatrace-oneagent-linux-x86.sh \
    APP_LOG_TO_STDOUT=1 \
    AUTOUPDATE_MODE=enabled \
    ENVIRONMENTID={your-environment-id} \
    ENVIRONMENTURL=https://{your-dynatrace-domain}/e/{your-environment-id} \
    NETWORK_GATEWAY_ADDRESS=192.168.1.100:9999
```
The Dynatrace Gateway itself establishes a persistent, outbound connection to your Dynatrace cluster. It uses the same protocols (TLS 1.2+) and authentication mechanisms as a direct OneAgent connection. The OneAgent encrypts its data and sends it to the Gateway. The Gateway then forwards this encrypted data to the Dynatrace cluster, effectively acting as a secure tunnel.
The primary problem this solves is bridging isolated or highly secured network segments to Dynatrace. Think of air-gapped environments, highly regulated industries, or even just complex internal network architectures where direct external access is a non-starter. The Gateway acts as the single point of egress, simplifying security policies and audits. It also provides a consolidation point for network traffic, which can be beneficial for monitoring and troubleshooting network-related issues.
The Dynatrace Gateway supports both Dynatrace SaaS and Dynatrace Managed deployments. For Dynatrace Managed, the ENVIRONMENTURL would point to your Managed cluster’s URL. The communication-security token, if used, is generated within your Dynatrace environment and provides an additional layer of authentication for the Gateway connection.
A critical detail often overlooked is the internal network connectivity between the OneAgent and the Gateway. While the Gateway secures communication to Dynatrace, the OneAgent still needs to be able to reach the Gateway’s IP address and port (e.g., 192.168.1.100:9999) within your internal network. Firewalls or network segmentation rules between the OneAgent hosts and the Gateway host must allow this traffic.
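A preflight check for the connectivity requirement described above, to run on a OneAgent host before pointing the agent at the Gateway. This is an added example, not Dynatrace tooling: the function names and exit codes are hypothetical, it accepts IPv4 addresses and hostnames only, and it tests TCP reachability, not the Gateway's TLS or authentication.

```shell
#!/usr/bin/env bash
# Added example: validate a "host:port" value intended for
# network.gateway.address, then test whether this host can open a TCP
# connection to it. Addresses used with it here are constructed samples.

# Split "host:port" into GW_HOST / GW_PORT; return 1 if malformed.
parse_gateway_addr() {
    GW_HOST=${1%:*}
    GW_PORT=${1##*:}
    case $1 in *:*) ;; *) return 1 ;; esac
    # Hostname/IPv4 characters only (rejects IPv6 literals and stray colons).
    case $GW_HOST in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    # Digits only, at most five of them.
    case $GW_PORT in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$GW_PORT" -ge 1 ] && [ "$GW_PORT" -le 65535 ] || return 1
}

# Exit codes: 0 reachable, 1 malformed address,
#             2 refused/unreachable, 3 timed out.
check_gateway() {
    if ! parse_gateway_addr "$1"; then
        echo "malformed gateway address '$1' (expected host:port)" >&2
        return 1
    fi
    rc=0
    # bash's /dev/tcp opens a plain TCP connection; 'timeout' bounds the
    # wait when a firewall silently drops the SYN.
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$GW_HOST" "$GW_PORT" \
        2>/dev/null || rc=$?
    case $rc in
        0)   echo "ok: $GW_HOST:$GW_PORT accepts TCP connections" ;;
        124) echo "timeout: $GW_HOST:$GW_PORT (traffic likely dropped by a firewall)" >&2
             return 3 ;;
        *)   echo "refused: $GW_HOST:$GW_PORT (no listener, or a rejecting rule)" >&2
             return 2 ;;
    esac
}

# Stand-alone use: ./check-gateway.sh 192.168.1.100:9999
[ "$#" -eq 0 ] || check_gateway "$1"
```

A timeout usually points at a dropping firewall or segmentation rule between the OneAgent host and the Gateway, while a refusal means the packet arrived but nothing accepted it, so check the Gateway service next.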
The next step in securing your environment might involve exploring Dynatrace’s OneAgent network isolation capabilities for even finer-grained control.