Gatekeeper
Gatekeeper brokers all requests through a hardened, credential-free proxy that validates input before forwarding to an isolated trusted backend. It shrinks the attack surface and limits breach blast radius, adding a hop and a component to secure.
The Gatekeeper pattern places a dedicated, hardened instance between clients and the services that hold sensitive data or logic. The gatekeeper validates and sanitizes every request and only forwards safe ones to the trusted backend, which is not directly reachable by clients.
The problem is exposure: services that handle storage, secrets, or critical operations are attractive targets. If a public-facing component is compromised, an attacker should not gain direct access to those services.
How It Works
The gatekeeper runs in a less-trusted zone and exposes a limited public interface. It performs validation, sanitization, authentication, and request shaping, then passes vetted requests to the trusted host over a separate, restricted channel. The trusted host runs in an isolated network segment with no public endpoint and accepts traffic only from the gatekeeper, ideally with mutual authentication.
Crucially, the gatekeeper holds no credentials or keys for the protected resources; it cannot itself perform privileged operations. So even if it is breached, the attacker gains a validation proxy, not the keys to the kingdom. This separation of duties limits blast radius.
When to Use It
Use it to shield backends that manage sensitive data, secrets, or high-value operations, especially where clients are untrusted or the application is internet-facing. Use it when defense in depth and minimizing the attack surface of trusted hosts are priorities.
Avoid it for low-risk internal services where the added hop and operational cost are not justified.
Trade-offs
The gatekeeper adds latency and another component to deploy, scale, and secure. It can become a bottleneck or single point of failure if not made highly available. Validation logic must be kept thorough and current, since the whole model rests on it catching malformed or malicious input.
It is a defensive layer, not a complete security strategy; it complements but does not replace authentication, encryption, and least privilege elsewhere.
Related Patterns
It works with Federated Identity to authenticate clients and with Throttling to limit abusive traffic at the edge. When the backend issues Valet Keys, the gatekeeper can broker those requests without ever holding storage credentials.
Example
A financial service exposes only a gatekeeper in a DMZ subnet. The gatekeeper terminates TLS, authenticates the caller, validates the request schema, strips dangerous content, and forwards clean requests to an internal transaction service in a private subnet that accepts connections solely from the gatekeeper. The transaction service holds the database credentials; the gatekeeper holds none, so a compromise of the public host cannot directly reach customer data.