Managed Gateway

An AISIX Cloud managed gateway serves live AI traffic in your runtime environment while connecting back to AISIX Cloud for configuration, telemetry, certificate rotation, and managed budget checks.

The managed connection uses an AISIX Cloud-issued certificate bundle. The bundle identifies the gateway and the environment it belongs to, then lets the gateway authenticate to AISIX Cloud with mutual TLS.

Managed Gateway Connection

A managed gateway starts with a certificate bundle and a Cloud manager URL. The gateway serves proxy traffic locally, while AISIX Cloud manages the resource configuration projected into that gateway.

Use the certificate bundle issued for the same environment the managed gateway should serve. The bundle includes a client certificate, private key, and CA bundle. Provide all three values together, either as inline PEM values or as file paths.

Cloud-Issued Connection Values

AISIX Cloud issues the Cloud manager URL, gateway certificate, private key, and CA bundle from the environment's Data planes view, and generates install snippets for common deployment targets. Beyond these issued values, a managed gateway needs outbound network access to AISIX Cloud and a writable state directory.

The state directory is also part of the managed connection. The gateway writes its persisted mTLS files, gateway identity, and local configuration snapshot under this directory so restarts can reuse the same identity and recover from temporary Cloud connectivity loss.

Cloud-Generated Install Snippets

In AISIX Cloud, open the target environment and go to Data planes. Issue a gateway certificate, choose the deployment target, and copy the generated install snippet.

Treat the generated snippet as sensitive because it includes one-time certificate material for the managed gateway. Store it in your deployment secret system and avoid committing or sharing it.

If you use inline PEM values instead of files, provide the certificate, key, and CA PEM variables together. Do not mix inline PEM and file-path values for the same certificate role.

The managed configuration binds the proxy listener to port 3000 and the dedicated metrics listener to port 9090 by default. It does not bind the local admin listener.

If you run the binary directly, use the equivalent --config flag or AISIX_CONFIG environment variable:

aisix --config /path/to/config.managed.yaml

Make the state directory writable by the same user that runs the gateway. Mounting only the certificate subdirectory is not enough because the process also writes gateway identity and snapshot files under the state directory.

Connectivity Signals

After the gateway starts, verify the managed connection in order:

  • The process starts without certificate or trust-chain errors.
  • AISIX Cloud shows a healthy registered data plane with a recent heartbeat for the expected environment.
  • Projected resources reach the managed gateway.
  • A live request through the managed gateway endpoint succeeds.
  • Usage or telemetry for that request appears in AISIX Cloud.

If heartbeat fails, check the Cloud manager URL, certificate bundle, trust root, file permissions, state directory, and outbound network access. If heartbeat is healthy but resources or live traffic do not behave as expected, continue with Resource Projection.

Managed Configuration

Use file-path variables when certificates are mounted as files. Use inline PEM variables when AISIX Cloud or your deployment system injects the bundle directly into the process environment.

Configure            Use
Cloud manager URL    AISIX_MANAGED__CP_BASE_URL
Certificate file     AISIX_MANAGED__CP_CERT_FILE
Private key file     AISIX_MANAGED__CP_KEY_FILE
CA bundle file       AISIX_MANAGED__CP_CA_FILE
Inline certificate   AISIX_MANAGED__CP_CERT_PEM
Inline private key   AISIX_MANAGED__CP_KEY_PEM
Inline CA bundle     AISIX_MANAGED__CP_CA_PEM

The managed configuration derives the Cloud etcd endpoint from the Cloud manager URL unless your deployment supplies a separate etcd endpoint. Use AISIX_MANAGED__CP_ETCD_ENDPOINT only when AISIX Cloud gives you a distinct etcd endpoint for the environment.
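
A preflight check for the variables listed above, written as an added example (it is not AISIX code): it enforces that the certificate, key, and CA are all present, that no role sets both the file and inline form, and that the state directory is writable. The state directory is passed as an argument because this page does not name its setting; the function names and the owner-only check on the key file are assumptions of this example.

```python
import os
import stat
import sys
import tempfile

ROLES = ("CERT", "KEY", "CA")  # client certificate, private key, CA bundle
PREFIX = "AISIX_MANAGED__CP_"


def check_managed_env(env, state_dir):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    if not env.get(PREFIX + "BASE_URL"):
        problems.append("BASE_URL: Cloud manager URL is not set")
    for role in ROLES:
        path, pem = env.get(f"{PREFIX}{role}_FILE"), env.get(f"{PREFIX}{role}_PEM")
        if path and pem:
            problems.append(f"{role}: both _FILE and _PEM are set; use one form")
        elif not path and not pem:
            problems.append(f"{role}: missing; certificate, key and CA go together")
        elif pem and "-----BEGIN " not in pem:
            problems.append(f"{role}: inline value does not look like PEM")
        elif path and not os.access(path, os.R_OK):
            problems.append(f"{role}: file {path} is not readable")
        elif path and role == "KEY" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            # Assumption of this example: the private key should be owner-only.
            problems.append(f"KEY: {path} is readable by group or others")
    if not (os.path.isdir(state_dir) and os.access(state_dir, os.W_OK | os.X_OK)):
        problems.append(f"state directory {state_dir} is not writable by this user")
    return problems


def demo():
    """Constructed sample: empty placeholder files, then a mixed KEY role."""
    with tempfile.TemporaryDirectory() as d:
        paths = {r: os.path.join(d, r.lower() + ".pem") for r in ROLES}
        for p in paths.values():
            os.close(os.open(p, os.O_CREAT | os.O_WRONLY, 0o600))
        env = {PREFIX + "BASE_URL": "https://cloud.example.invalid"}
        env.update({f"{PREFIX}{r}_FILE": p for r, p in paths.items()})
        good = check_managed_env(env, d)
        env[PREFIX + "KEY_PEM"] = "-----BEGIN PLACEHOLDER-----"
        mixed = check_managed_env(env, d)
        return good, mixed


if __name__ == "__main__":
    for problem in check_managed_env(os.environ, (sys.argv[1:] or ["."])[0]):
        print("FAIL:", problem)
```

Run it as the same user that runs the gateway, passing the state directory path as the first argument, so the readability and writability results match what the process will see.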

Next Steps

Continue with Resource Projection for how Cloud resources reach the gateway.
