On-premises installations
On-premises installations are usually based upon an Airlock Gateway ISO image or a virtual machine disk image.
With a multi-NIC setup, a physical separation between the service and public networks can be established. For high availability requirements, Airlock Gateway can be set up in a failover cluster.
Multi-NIC (recommended)
Multi-NIC setups offer the best combination of security advantages and high availability options.
Best practice:
- Set up a dedicated management NIC to separate back-end and management connections from the public interface.
- Use dedicated IP addresses for public access (virtual hosts) and back-end access.
- Set up an Airlock Gateway failover cluster. To harden your failover setup:
  - Use the public interface for failover cluster checks.
  - Use separated IP spaces for PIP/PPIP and virtual hosts.
  - Make the PIPs only reachable by the partner nodes' PPIPs.
Single NIC
Single NIC setups prevent bypassing by design because there is only a single connection between the Gateway and back-ends. Single NIC setups also support Airlock Gateway failover clusters.
Best practice:
- Use dedicated IP addresses for public access (virtual hosts) and back-end access.
- Set up an Airlock Gateway failover cluster. To harden your failover setup:
  - Use separated IP spaces for PIP/PPIP and virtual hosts.
  - Make the PIPs only reachable by the partner nodes' PPIPs.