Requirements¶
EnforceGate vX runs on any x86-64 platform and requires no proprietary hardware.
The vX edition of EnforceGate is designed to be deployed and operated as a container or as a virtual appliance on commodity hardware. Systems with Intel® Streaming SIMD Extensions (SSE) are recommended for optimal evaluation throughput.
EnforceGate vX scales up to 10 Gbps of concurrent HTTP traffic and beyond. Actual performance varies with the underlying hardware resources — particularly CPU processing power, memory bandwidth, and the active SSL inspection mode. 1
Hardware¶
EnforceGate vX can be deployed on any x86-64 host that meets these minimum requirements:
- 64-bit x86 processor 2
- At least 2 CPU cores
- 4 GB of RAM (8 GB recommended for
bumpmode) - 12 GB of available disk space
- One or more network interfaces
The default container resource limits in the shipped docker-compose.yml target a small/medium deployment:
| Resource | Default | .env override |
|---|---|---|
| CPUs | 2.0 |
ENFORCEGATE_CPUS |
| Memory (limit) | 1g |
ENFORCEGATE_MEMORY |
| Memory (reservation) | 256m |
ENFORCEGATE_MEMORY_RESERVATION |
ulimits.nofile |
65536 |
(compose-pinned) |
| Log driver | json-file 50 MB × 5 files |
ENFORCEGATE_LOG_MAX_SIZE / _FILES |
Without these limits a runaway proxy can saturate the host on a policy-compile loop or a connection flood.
Software¶
The software requirements vary by deployment method:
- Virtual appliance: VMware ESXi 8.0+, KVM with QEMU 7.0+, or Hyper-V Server 2019+. The OVA includes the host OS, Docker, and the pre-pulled standalone bundle — no extra host preparation required.
- Docker: Docker Engine 27+ and Docker Compose v2.x on a Linux kernel 6.x or newer.
License¶
EnforceGate vX licenses are per-engine and carry a bundled count of concurrent connector sessions, with the count set by the edition you purchase. A high-availability pair or a horizontally scaled deployment is one license per engine; the bundled sessions apply per engine, not pooled across them.
Bundled connector sessions per edition: Lite = 10, Pro = 25, Enterprise = 50. The Lite edition is the only one shipping today; see editions for the schedule, the full feature mapping, and the optional capacity add-on (5-pack of additional connector sessions, available per engine on the editions that allow it).
To size a new deployment, estimate the maximum number of concurrent connector sessions you expect over a one-year horizon and add at least a 20 % buffer for traffic growth. Most small deployments fit comfortably in Lite's 10 bundled sessions.
Unlike industry solutions that price by bandwidth consumed or by endpoint count, EnforceGate licenses scale with the deployment footprint you actually run — number of engines and the connector sessions you connect to them. There is no per-byte, per-user, or per-decision metering: the price you sign at is the price you pay.
-
EnforceGate performance is affected by a wide range of factors including the volume and distribution of active connectors, allocated computational resources, available CPU cores, memory latency, the active inspection mode (
off/peek/bump—bumpadds full TLS termination overhead per connection), the size of the compiled policy set, and operational features enabled. ↩ -
While the Intel® Streaming SIMD Extensions (SSE) instruction set is not mandatory, its support is highly recommended for optimal performance. ↩