# Monitor Gateway

The Monitor Gateway is a read-only API service that provides secure access to engine data for monitoring and observability purposes. Unlike the Control Gateway, which requires administrative access and bidirectional communication, the Monitor Gateway exposes only read-only endpoints and operates with the engine initiating the connection.

• Read-Only Access: Exposes only safe, read-only API endpoints
• Outbound Engine Connection: Engine connects outward to the monitor gateway for enhanced security
• Separate Docker Image: Deployed independently from other gateway components
• Monitoring Focus: Designed specifically for observability and monitoring use cases

The Monitor Gateway uses a reverse connection pattern compared to the Control Gateway:

• Control Gateway: Connects inward to the engine (gateway → engine)
• Monitor Gateway: Engine connects outward to the gateway (engine → monitor gateway)

This design provides several security benefits:

• Monitor gateway can be placed in a less trusted network zone
• Engine maintains control over the connection lifecycle
• Reduces attack surface for administrative operations

flowchart LR
    subgraph "Trusted Zone"
        engine["Engine"]
    end
    
    subgraph "Monitoring Zone"
        monitor["Monitor Gateway"]
        grafana["Grafana"]
        prometheus["Prometheus"]
    end
    
    engine -->|Outbound TCP| monitor
    prometheus -->|HTTP| monitor
    grafana -->|HTTP| monitor
    
    style engine fill:#ff9999
    style monitor fill:#99ccff

To deploy the monitor gateway, both the engine and monitor gateway require the following environment variables:

environment:
  - MONITOR_GATEWAY_HOSTNAME=monitor-gateway
  - MONITOR_GATEWAY_ENGINE_PORT=8182
  - MONITOR_GATEWAY_REST_PORT=8081

Without these variables defined, the engine will not initiate a connection to the monitor gateway, and the monitor gateway itself will not start.

Minimum Requirements:

• 1 GB RAM
• 1 CPU core

Recommended for Production:

• 2-4 GB RAM
• 2 CPU cores