Merged
19 commits
b220ce7
Update akeyless-saas-core-services-eu.md
harrison-akeyless Mar 17, 2026
7469ccd
Update akeyless-saas-core-services-us.md
harrison-akeyless Mar 17, 2026
4342bad
Update index.md
harrison-akeyless Mar 17, 2026
0ec0f94
Update index.md
harrison-akeyless Mar 17, 2026
fed2847
Update akeyless-saas-core-services-us.md
harrison-akeyless Mar 17, 2026
bd73d03
Update index.md
harrison-akeyless Mar 17, 2026
0c8dc4f
Update index.md
harrison-akeyless Mar 17, 2026
b1b2f4d
Update akeyless-saas-core-services-us.md
harrison-akeyless Mar 17, 2026
36923b9
Merge branch 'v1.0' into v1.0_DOCS-346-gateway-page-review-gateway-ne…
harrison-akeyless Mar 18, 2026
a722589
Merge branch 'v1.0' into v1.0_DOCS-346-gateway-page-review-gateway-ne…
harrison-akeyless Mar 18, 2026
b20edb3
Merge branch 'v1.0' into v1.0_DOCS-346-gateway-page-review-gateway-ne…
harrison-akeyless Mar 18, 2026
e1175bc
Update for logging answers
harrison-akeyless Mar 18, 2026
b6a763f
Update index.md
harrison-akeyless Mar 18, 2026
d2272a2
Merge branch 'v1.0' into v1.0_DOCS-346-gateway-page-review-gateway-ne…
harrison-akeyless Mar 18, 2026
42fd2cd
Merge branch 'v1.0' into v1.0_DOCS-346-gateway-page-review-gateway-ne…
harrison-akeyless Mar 19, 2026
314d02d
Merge branch 'v1.0' into v1.0_DOCS-346-gateway-page-review-gateway-ne…
harrison-akeyless Mar 23, 2026
ba657ba
Merge branch 'v1.0' into v1.0_DOCS-346-gateway-page-review-gateway-ne…
harrison-akeyless Mar 26, 2026
18bf884
Merge branch 'v1.0' into v1.0_DOCS-346-gateway-page-review-gateway-ne…
harrison-akeyless Mar 27, 2026
1ff6c12
Merge branch 'v1.0' into v1.0_DOCS-346-gateway-page-review-gateway-ne…
harrison-akeyless Mar 31, 2026
Expand Up @@ -18,10 +18,10 @@ The table below outlines the primary functionalities of Akeyless microservices i
| Audit | `https://audit.eu.akeyless.io`, `https://audit-ro.eu.akeyless.io` | 15.197.166.202, 3.33.166.129, 13.248.216.215, 76.223.80.182 | 443 | Audit Log main service, enables log forwarding from Gateway and Bastion |
| Auth | `https://auth.eu.akeyless.io`, `https://auth-ro.eu.akeyless.io` | 3.33.166.129, 15.197.166.202, 13.248.216.215, 76.223.80.182 | 443 | Akeyless Authentication service |
| BIS | `https://bis.eu.akeyless.io`, `https://bis-ro.eu.akeyless.io` | 15.197.166.202, 3.33.166.129 | 443 | Billing Infrastructure Service (BIS) |
| Certificate Auth | `https://auth-cert.eu.akeyless.io` | 18.158.96.32, 3.68.125.9, 52.28.6.110 | 443 | Relevant only for Certificate-Based Authentication |
| Certificate Auth | `https://auth-cert.eu.akeyless.io` | 18.158.96.32, 3.68.125.9, 52.28.6.110 | 443 | Relevant only for certificate-based authentication |
| Gator | `https://gator.eu.akeyless.io`, `https://gator-ro.eu.akeyless.io` | 3.33.166.129, 15.197.166.202, 76.223.80.182, 13.248.216.215 | 443 | Main service to sync gateway instances and connections with Akeyless SaaS |
| KFM | `https://kfm1.eu.akeyless.io`, `https://kfm1-ro.eu.akeyless.io`, `https://kfm2.eu.akeyless.io`, `https://kfm2-ro.eu.akeyless.io`, `https://kfm3.eu.akeyless.io`, `https://kfm3-ro.eu.akeyless.io`, `https://kfm4.eu.akeyless.io`, `https://kfm4-ro.eu.akeyless.io` | 3.33.166.129, 15.197.166.202, 76.223.80.182, 13.248.216.215 | 443 | Key Fragments Services, enabling full DFC encryption |
| Logs | `tcp://log.eu.akeyless.io:9997`, `tcp://log.eu.akeyless.io:9443` | 3.124.145.245 | 9997, 9443 | Gateway logs, mainly used during failure scenarios |
| Logs | `tcp://log.eu.akeyless.io:9443` | 3.124.145.245 | 9443 | Gateway logs over TLS-encrypted Splunk forwarding for the dedicated EU production tenant |
| MQ | `amqps://mq.eu.akeyless.io` | 15.197.166.202, 3.33.166.129 | 5671 | Message queue (MQ) between Akeyless microservices |
| Public Gateway | `https://rest.eu.akeyless.io`, `https://api.eu.akeyless.io` | 3.33.196.150, 15.197.225.215 | 443 | Optional Public Gateway REST API v1/v2 |
| Public HashiCorp Vault Proxy | `https://hvp.eu.akeyless.io` | 3.33.196.150, 15.197.225.215 | 443 | Optional Public HashiCorp Vault Proxy endpoint |
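
Review bot: The Logs row drops `tcp://log.eu.akeyless.io:9997` and port 9997 without saying whether Gateways that are already deployed still send on that port. Anyone maintaining an egress allowlist from this table will read the change as permission to close 9997, so state the Gateway version from which only 9443 is used, or say explicitly that 9997 can be removed from firewall rules. The phrase "for the dedicated EU production tenant" also suggests that other EU accounts use a different log endpoint; if that is not the case, "for the EU environment" would match the wording of the US and global rows.
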
Expand Up @@ -3,6 +3,8 @@ title: US SaaS Core Services
excerpt: ''
deprecated: false
hidden: false
link:
new_tab: false
metadata:
title: ''
description: ''
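
Review bot: The added `link:` and `new_tab: false` front-matter keys are unrelated to the connectivity content this PR updates, and `link:` carries no URL in the lines shown. The EU page's diff shows no front-matter hunk, so either drop these two lines or apply the same front matter to both regional pages so they stay in sync.
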
Expand All @@ -18,13 +20,15 @@ The following table describes the main functionality of Akeyless microservices i
| Vault | `https://vault.us.akeyless.io`, `https://vault-ro.us.akeyless.io` | 68.154.26.48, 4.242.224.82 | 443 | User Account Management (UAM), managing user accounts, items, and roles |
| Auth | `https://auth.us.akeyless.io`, `https://auth-ro.us.akeyless.io` | 68.154.26.48, 4.242.224.82 | 443 | Akeyless Authentication service |
| Certificate Auth | `https://auth-cert.us.akeyless.io` | 172.206.81.32 | 443 | Relevant only for certificate-based authentication |
| Audit | `https://audit.us.akeyless.io`, `https://audit-ro.us.akeyless.io` | 68.154.26.48, 4.242.224.82 | 443 | Audit log main service, enables log forwarding from GW and Bastion |
| Audit | `https://audit.us.akeyless.io`, `https://audit-ro.us.akeyless.io` | 68.154.26.48, 4.242.224.82 | 443 | Audit Log main service, enables log forwarding from Gateway and Bastion |
| BIS | `https://bis.us.akeyless.io`, `https://bis-ro.us.akeyless.io` | 68.154.26.48, 4.242.224.82 | 443 | Billing Infrastructure Service (BIS) |
| Gator | `https://gator.us.akeyless.io`, `https://gator-ro.us.akeyless.io` | 68.154.26.48, 4.242.224.82 | 443 | Main service to sync gateway instances and connections with Akeyless SaaS |
| MQ | `amqps://mq.us.akeyless.io` | 172.177.144.122 | 5671 | Message queue between Akeyless microservices |
| MQ | `amqps://mq.us.akeyless.io` | 172.177.144.122 | 5671 | Message queue (MQ) between Akeyless microservices |
| KFM | `https://kfm1.us.akeyless.io`, `https://kfm1-ro.us.akeyless.io`, `https://kfm2.us.akeyless.io`, `https://kfm2-ro.us.akeyless.io`, `https://kfm3.us.akeyless.io`, `https://kfm3-ro.us.akeyless.io`, `https://kfm4.us.akeyless.io`, `https://kfm4-ro.us.akeyless.io` | 68.154.26.48, 4.242.224.82 | 443 | Key Fragments Services, enabling full DFC encryption |
| Public Gateway | `https://rest.us.akeyless.io`, `https://api.us.akeyless.io` | 68.154.26.48, 4.242.224.82 | 443 | Optional Public Gateway REST API v1/v2 |
| Public HashiCorp Vault Proxy | `https://hvp.us.akeyless.io` | 68.154.26.48 | (none) | Optional Public HashiCorp Vault Proxy endpoint |
| Logs | `tcp://log.akeyless.io:9997`, `tcp://log.akeyless.io:9443` | N/A | 9997, 9443 | GW logs, mainly to be reflected during failure scenarios |
| Public HashiCorp Vault Proxy | `https://hvp.us.akeyless.io` | 68.154.26.48 | 443 | Optional Public HashiCorp Vault Proxy endpoint |
| Logs | `tcp://log.akeyless.io:9443` | N/A | 9443 | Gateway logs over TLS-encrypted Splunk forwarding for US and global environments |
| Akeyless CLI | `https://akeyless-cli.s3.us-east-2.amazonaws.com` | N/A | 443 | S3 bucket to download and update Akeyless CLI versions |
| Akeyless Binaries | `https://akeylessservices.s3.us-east-2.amazonaws.com` | N/A | 443 | S3 bucket to download and update Akeyless official binaries (for example, `Gateway`) |

> ℹ️ **Note:** For SQS-based queue transport, the current documented fallback endpoint is `https://sqs.us-east-2.amazonaws.com`.
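
Review bot: The new Logs row lists `tcp://log.akeyless.io:9443` with IP `N/A`, while the global table in index.md gives 35.192.171.171 for the same hostname and port. Readers who allowlist by IP need the same value on both pages, so fill in the address here or explain why it is not published for US. The added SQS note would also work better as a table row with port 443, and it should say when the fallback applies (a proxy is configured or `SQS_NO_PROXY="true"` is set), since the note as written gives no condition.
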
85 changes: 76 additions & 9 deletions docs/Akeyless Gateway/gateway-network-connectivity/index.md
Expand Up @@ -12,37 +12,104 @@ metadata:
---
The Akeyless Gateway is a stateless Docker container, provided as a standalone or as a cluster. To function correctly, it requires public network connectivity to the Akeyless SaaS core services (see the table below).

A basic Gateway deployment requires a server with a Docker Engine installed. You may download the latest Docker Engine on [Docker website](https://docs.docker.com/get-docker/). You'll need public network access enabled on port 443 to pull a Docker image from the `hub.docker.com`.
A basic Gateway deployment requires a server with Docker Engine installed. Download the latest Docker Engine from the [Docker website](https://docs.docker.com/get-docker/).

For deployment instructions, see [Deploy Gateway](https://docs.akeyless.io/docs/deploy-gateway).

> ℹ️ **Note (Tenant Environments):**
>
> Accounts that were created on specific environments should modify the services endpoints according to the relevant environments, for example, `eu` would use `https://vault.eu.akeyless.io`.
> Accounts created in a specific tenant environment must use the matching service endpoints. For example, the `eu` tenant uses `https://vault.eu.akeyless.io`.
>
> Available explicit tenants are `us` and `eu`.
>
> Available explicit tenants are: `us`, `eu`.
> * [US SaaS Core Services](https://docs.akeyless.io/docs/akeyless-saas-core-services-us)
> * [EU SaaS Core Services](https://docs.akeyless.io/docs/akeyless-saas-core-services-eu)

The following table describes the main functionality of Akeyless microservices in the global environment:

| Service | Endpoints | IP | Port | Description |
| Service | Endpoint | IP | Port | Description |
| --- | --- | --- | --- | --- |
| Console | `https://console.akeyless.io` | 52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128 | 443 | Akeyless SaaS platform |
| Console | `https://console.akeyless.io` | 52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128 | 443 | Akeyless SaaS Platform |
| Vault | `https://vault.akeyless.io`, `https://vault-ro.akeyless.io` | 52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128 | 443 | User Account Management (UAM), managing user accounts, items, and roles |
| Auth | `https://auth.akeyless.io`, `https://auth-ro.akeyless.io` | 52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128 | 443 | Akeyless Authentication service |
| Certificate Auth | `https://auth-cert.akeyless.io` | 18.189.176.104 | 443 | Relevant only for certificate-based authentication |
| Audit | `https://audit.akeyless.io`, `https://audit-ro.akeyless.io` | 52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128 | 443 | Audit log main service, enables log forwarding from GW and Bastion |
| Audit | `https://audit.akeyless.io`, `https://audit-ro.akeyless.io` | 52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128 | 443 | Audit Log main service, enables log forwarding from Gateway and Bastion |
| BIS | `https://bis.akeyless.io`, `https://bis-ro.akeyless.io` | 52.223.11.194, 35.71.185.167 | 443 | Billing Infrastructure Service (BIS) |
| Gator | `https://gator.akeyless.io`, `https://gator-ro.akeyless.io` | 52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128 | 443 | Main service to sync gateway instances and connections with Akeyless SaaS |
| MQ | `amqps://mq.akeyless.io` | 52.223.11.194, 35.71.185.167 | 5671 | Message queue between Akeyless microservices |
| MQ | `amqps://mq.akeyless.io` | 52.223.11.194, 35.71.185.167 | 5671 | Message queue (MQ) between Akeyless microservices |
| KFM | `https://kfm1.akeyless.io`, `https://kfm1-ro.akeyless.io`, `https://kfm2.akeyless.io`, `https://kfm2-ro.akeyless.io`, `https://kfm3.akeyless.io`, `https://kfm3-ro.akeyless.io`, `https://kfm4.akeyless.io`, `https://kfm4-ro.akeyless.io` | 52.223.11.194, 35.71.185.167, 52.223.35.208, 35.71.147.131, 15.197.228.204, 3.33.247.128, 34.120.160.242 | 443 | Key Fragments Services, enabling full DFC encryption |
| Public Gateway | `https://rest.akeyless.io`, `https://api.akeyless.io` | 15.197.223.248, 3.33.244.138 | 443 | _Optional:_ Public Gateway REST API v1/v2 |
| Public HashiCorp Vault Proxy | `https://hvp.akeyless.io` | 15.197.223.248, 3.33.244.138 | 443 | _Optional:_ Public HashiCorp Vault Proxy endpoint |
| Logs | `tcp://log.akeyless.io:9997`, `tcp://log.akeyless.io:9443` | 35.192.171.171 | 9997, 9443 | GW logs, mainly used during failure scenarios |
| Logs | `tcp://log.akeyless.io:9443` | 35.192.171.171 | 9443 | Gateway logs over TLS-encrypted Splunk forwarding for global and US environments |
| CLI S3 Bucket | `https://akeyless-cli.s3.us-east-2.amazonaws.com` | N/A | 443 | S3 bucket to download and update Akeyless CLI versions |
| Services S3 Bucket | `https://akeylessservices.s3.us-east-2.amazonaws.com` | N/A | 443 | S3 bucket to download and update Akeyless official binaries (for example, Gateway) |
| Artifacts Endpoint | `https://artifacts.site2.akeyless.io` | 34.149.100.205 | 443 | _Optional:_ Akeyless official artifacts endpoint. Relevant when working with whitelisted IP ranges |

> ℹ️ **Note:**
>
> When using proxy services, you can use `sqs.us-east-2.amazonaws.com` instead of classic MQ services. If you are not working with a proxy service and still want to use SQS instead of classic MQ, set your **Gateway** deployment with the `SQS_NO_PROXY="true"` environment variable.
> When using proxy services, you can use `https://sqs.us-east-2.amazonaws.com` instead of classic MQ services. If you are not working with a proxy service and still want to use SQS instead of classic MQ, set your **Gateway** deployment with the `SQS_NO_PROXY="true"` environment variable.
>
> The artifacts endpoint `https://artifacts.site2.akeyless.io` is the documented default repository endpoint in current Gateway chart and CLI references.

## Gateway Inbound Ports

The table below describes common inbound ports on the Gateway service itself.

| Port | Name | Purpose | Required |
| --- | --- | --- | --- |
| 18888 | Web UI | Gateway Web UI | Optional |
| 8000 | Configure App (deprecated) | Redirects to Console app (DOCS-309, Gateway v4.47.0) | Optional |
| 8080 | Legacy API | Akeyless REST API v1 | Optional |
| 8081 | API | Akeyless REST API v2 | Optional |
| 8200 | HashiCorp Vault Proxy | HashiCorp Vault Proxy endpoint | Optional |
| 5696 | KMIP | KMIP service endpoint | Optional |

> ℹ️ **Note:**
> The Helm chart values include a `grpc` service port (`8085`). Validate deployment-level listener configuration for your release before exposing this port.

## Proxy Settings and Queue Transport

The Gateway supports outbound proxy settings through the following environment variables:

* `HTTP_PROXY`
* `HTTPS_PROXY`
* `NO_PROXY`

When `HTTP_PROXY` or `HTTPS_PROXY` is set, Gateway queue transport is switched to SQS mode.

If no proxy is configured and you still want to use SQS queue transport, set `SQS_NO_PROXY="true"`.

### Helm Configuration for Queue and Proxy Settings

When deploying with Helm, set `SQS_NO_PROXY` using `env` in your Gateway values file:

```yaml values.yaml
env:
- name: SQS_NO_PROXY
value: "true"
```

To configure outbound proxy variables with Helm, set `httpProxySettings` in your values file:

```yaml values.yaml
httpProxySettings:
http_proxy: "http://proxy.example.internal:3128"
https_proxy: "http://proxy.example.internal:3128"
no_proxy: "localhost,127.0.0.1,.svc,.cluster.local"
```

If you set `httpProxySettings.http_proxy` or `httpProxySettings.https_proxy` in Helm values, Gateway queue transport is also switched to SQS mode.

## DNS and Endpoint Resolution

Gateway hosts and pods must be able to resolve all required service hostnames listed on this page.
For Akeyless API host resolution, Gateway routes `GET` requests to `-ro` hostnames and keeps non-`GET` requests on primary hostnames.

If the configured API hostname already includes `-ro`, Gateway does not add the suffix again.

If internal DNS is configured for Akeyless API communication, Gateway skips `-ro` hostname rewriting.

When `AKEYLESS_URL` and `akeyless_url` are not explicitly set, Gateway builds the fallback API URL from the configured protocol and `akeyless_server_dns` (`<protocol>://<akeyless_server_dns>`).

## Working Without MQ Connection
