Okta Privileged Access gateway capacity planning
The processing and storage requirements for your gateways depends on your expected workload. You can use the following guidelines to plan the resources to allocate to your gateways.
Processing and memory
The type of server or instance that you use to host an Okta Privileged Access gateway depends on which provider you use.
A set of benchmark tests were created and run on a single gateway with 120 concurrent SSH sessions. These tests found that an Amazon Web Services (AWS) t2.medium instance (two vCPU, 4-GB RAM, EBS volume) had the sufficient resources necessary to handle this workload. The server had an approximate average CPU utilization of roughly 40%, with spikes of up to 50%, which scaled up and down with the number of sessions. Memory utilization never exceeded seven percent of available memory.
Storage
Carefully consider both the type and amount of storage you need when deploying SSH session capture with Okta Privileged Access gateways.
The ideal storage solution is solid-state drives (SSDs), which can be a dedicated SSD that's attached to the gateway or SSD-based storage like Amazon Elastic Block Stores.
How much storage you require depends on the workloads of your users. For example, a 30-minute interactive session that consists of performing a directory listing every 5 seconds is captured and stored in a binary file about 150 kilobytes in size.
If users copy files with the scp command during their session, the copied files are also included with the session capture recording. See Session capture.
If session recording is enabled and a gateway has insufficient storage available to store session logs, the gateway prevents connections for security reasons. To avoid this situation, Okta recommends that you monitor the storage utilization of your gateways to ensure that they have sufficient available storage for logs.
One method you can use to ensure sufficient storage capacity for session logs is to use an available cloud storage destination. To use this method, make sure the temporary directory where in-progress sessions are stored (/tmp on most systems) has enough space to store logs for your expected sessions.