-
Notifications
You must be signed in to change notification settings - Fork 2
Home
The Gateway is part of Twingate Identity Firewall, which extends Zero Trust and Privileged Access Management controls to every user, resource, and agent in your organization. The Gateway is an open-source Layer 7 reverse proxy deployed within your environment that enables identity propagation and comprehensive auditing.
The Gateway extends your existing Twingate deployment, leveraging private networking to keep infrastructure hidden from the public internet. Access policies are defined using identity, device posture, and other contextual signals, providing a flexible and extensible foundation for access control.
- Seamless Identity Propagation: Twingate passes user identity through to upstream services (e.g., Kubernetes API servers, SSH servers, web applications), eliminating double authentication and removing the need for plaintext credentials stored on end-user machines.
- Compliance-Ready Auditing: All user activity is logged and attributed to specific identities, with session recording and replay for forensic review and compliance requirements.
- Simplified Policy Management: A unified policy engine governs both network and application access, reducing management overhead and eliminating credential sprawl.
Secure access to private Kubernetes clusters with identity propagation, RBAC integration, and session recording for kubectl commands.
Secure access to SSH servers with identity propagation, session recording, and support for shell, exec, SFTP, and port forwarding.
Secure access to web applications with identity-aware reverse proxying.
Secure access to databases such as PostgreSQL and MySQL with identity propagation.
See How It Works for a detailed architecture overview.
Unlike other Twingate components, the Gateway is completely isolated within your environment. Its only external communication is fetching Twingate's public key for identity verification. All audit logs and session recordings stay entirely within your infrastructure and are never uploaded to Twingate. Logs are exported to stdout and can be streamed to your preferred SIEM or storage solution.
Session recordings are captured in Asciicast v2 format and can be replayed via the Twingate Asciicast web player at https://www.twingate.com/sessionplayer.
Copyright © 2025 Twingate.
Kubernetes
SSH
Operations
Development