Skip to main content
Portkey is also available on the Azure Marketplace. You can deploy Portkey directly through your Azure console, which streamlines procurement and deployment processes.Deploy via Azure Marketplace →

Components and Sizing Recommendations

Prerequisites

Ensure the following tools and resources are installed and available:

Create a Portkey Account

  • Go to the Portkey website.
  • Sign up for a Portkey account.
  • Once logged in, locate and save your Organisation ID for future reference. It can be found in the browser URL: https://app.portkey.ai/organisation/<organisation_id>/
  • Contact the Portkey AI team and provide your Organisation ID and the email address used during signup.
  • The Portkey team will share the following information with you:
    • Docker credentials for the Gateway images (username and password).
    • License: Client Auth Key.

Setup Project Environment

Image Credentials Configuration

Configure Components

Based on the choice of components and their configuration update the values.yaml.

MCP Gateway (Optional)

By default, only the AI Gateway is enabled in the deployment. To enable the MCP Gateway, add the following configuration to values.yaml:
Note:
  • MCP_GATEWAY_BASE_URL must include the protocol prefix — either http:// or https://.
  • This value is not required for the initial deployment. After the first deployment, once the MCP Load Balancer is provisioned and a hostname is mapped to the MCP Service, set this value and redeploy.
Server Modes
  1. "" (empty or not provided): Deploys only the AI Gateway. This is the default configuration.
  2. "mcp": Deploys only the MCP Gateway.
  3. "all": Deploys both the AI Gateway and MCP Gateway.

Cache Store

The Portkey Gateway deployment includes a Redis instance pre-installed by default. You can either use this built-in Redis or connect to an external cache like Azure Managed Redis.

Built-in Redis

No additional permissions or network configurations are required.

Azure Managed Redis

To enable the gateway to work with an Azure Managed cache, ensure connectivity from AKS cluster. Set up access to the Redis instance based on your chosen authentication method and update values.yaml with the following configuration.

Log Store

Azure Blob Storage

  1. (Optional) If not already done, create an Azure Storage Account and a Blob Container to store LLM logs.
  2. Set up access to the log store. The Gateway supports the following methods for connecting to the Blob Storage:
    • Workload Identity
    • Managed Identity
    • Entra ID
    Depending on the chosen Blob Storage access method, update values.yaml with the following configuration.
    To set up Workload Identity authentication for the Portkey Gateway, follow the steps and add the following configuration to values.yaml.
  3. (Optional) Configure log path format using LOG_STORE_FILE_PATH_FORMAT. See Log Object Path Format for details.

Network Configuration

Set Up External Access

To make the Gateway service accessible externally, you can set up either of the following:
  • Azure Load Balancer with NGINX Ingress controller
  • Azure Load Balancer with Kubernetes Service

Azure Load Balancer with NGINX Ingress Controller

Recommended if SERVER_MODE is set to all
  1. Enable application routing add-on.
  1. Create NGINX Ingress Controller
External LB with Static IP
Internal LB with Private IPv4 IP
  1. Update values.yaml with following configuration
  1. Retrieve IP address of Azure Load Balancer.
Notes:
  • If SERVER_MODE is set to all (i.e., both AI Gateway and MCP Gateway are enabled), you must enable host-based routing by setting hostBased: true and specify the hostname through which the AI Gateway and MCP Gateway will be accessed.
  • After the Load Balancer is provisioned, create a DNS record in your public or private hosted zone that points to the Load Balancer’s static public or private IPv4 address. If SERVER_MODE is set to all, you must create two separate DNS records—one for the AI Gateway hostname and one for the MCP Gateway hostname—each pointing to the Load Balancer IP.
  • The Azure Load Balancer NGINX Controller supports additional annotations—such as TLS configuration, custom health checks, and more—for managing the Ingress load balancer. For a complete list of supported annotations, refer to the Azure NGINX Load Balancer ingress.

Azure Load Balancer with Kubernetes Service

Azure Load Balancer supports various annotations to fine-tune its configuration. For a complete list of supported annotations, see the Azure Load Balancer annotations. Note:service.containerPort must be same as environment.data.PORT.

Deploying Portkey Gateway

Verify the deployment

To confirm that the deployment was successful, follow these steps:
  • Verify that all pods are running correctly.
Note: If pods are in a Pending, CrashLoopBackOff, or other error state, inspect the pod logs and events to diagnose potential issues.
  • Test Gateway by sending a cURL request.
    1. Port-forward the Gateway pod
    1. Once port forwarding is active, open a new terminal window or tab and send a test request by running:
    1. Test gateway service integration with Load Balancer.

Integrating Gateway with Control Plane

Outbound Connectivity (Data Plane to Control Plane) Portkey supports the following methods for integrating the Data Plane with the Control Plane for outbound connectivity:
  • Azure Private Link
  • Over the Internet
Ensure Outbound Network Access By default, Kubernetes allows full outbound access, but if your cluster has NetworkPolicies that restrict egress, configure them to allow outbound traffic. Example NetworkPolicy for Outbound Access:
This allows the gateway to access LLMs hosted both within your VPC and externally. This also enables connection for the sync service to the Portkey Control Plane. Establishes a secure, private connection between the Control Plane and Data Plane within the Azure network. Steps to establish Azure Private Link connectivity:
  1. Contact Portkey and provide your Azure Subscription Id so it can be whitelisted in Portkey’s Control Plane.
  2. Once you get confirmation from Portkey that your Azure account is whitelisted, create Azure Private Endpoint connection to Portkey Control Plane.
  1. Retrieve Private IP of created endpoint.
  1. Contact the Portkey team and share the endpoint name with them.
  2. Once the connection request is approved, create Private Hosted Zone and link it to Gateway VNet.
  1. Create a record in the PHZ pointing to Portkey’s Private Endpoint IP.
  1. Update the values.yaml file with the following environment variables.
  1. Re-deploy the gateway.

Over the Internet

Ensure Gateway has access to the following endpoints over the internet.
  • https://api.portkey.ai
  • https://albus.portkey.ai

Inbound Connectivity (Control Plane to Data Plane)

  • Azure Private Link
  • IP Whitelisting
Establishes a secure, private connection between the Control Plane and Data Plane within the Azure network. Steps to establish Azure Private Link connectivity:
  1. Create a dedicated subnet for Azure Private Link Service.
  2. On the Azure Portal, navigate to Private Link services and click + Create to create a new Private Link Service (PLS).
  3. Select the Subscription and Resource Group, provide a name for the PLS, and click Next.
  4. Under Outbound settings, select the Load Balancer created for the gateway. Then choose the appropriate frontend IP configuration of that Load Balancer.
  5. In the Source NAT subnet field, select the dedicated PLS subnet created earlier, and click Next.
  6. Under Access security, select Restricted by subscription and whitelist the Portkey Control Plane subscription ID (4bec865f-23ea-4d04-be20-3e883cbb3eb1).
  7. Leave all other settings as default and click Create to provision the Private Link Service.
  8. Contact the Portkey team and share the alias of the created Private Link Service, along with the Gateway URL.
  9. Once the Portkey team has raised the connection request from their end, approve it by navigating to the PLS in the Azure Portal, then go to Private Endpoint connections and click Approve.

IP Whitelisting

Allows control plane to access the Data Plane over the internet by restricting inbound traffic to specific IP address of Control Plane. This method requires the Data Plane to have a publicly accessible endpoint. To whitelist, add an inbound rule to the Azure NSG or Firewall allowing connections from the Portkey Control Plane’s IPs (54.81.226.149, 34.200.113.35, 44.221.117.129) on required port. To integrate the Control Plane with the Data Plane, contact the Portkey team and provide the Public Endpoint of the Data Plane.

Verifying Gateway Integration with the Control Plane

  • Send a test request to Gateway using curl.
  • Go to Portkey website -> Logs.
  • Verify that the test request appears in the logs and that you can view its full details by selecting the log entry.

Uninstalling Portkey Gateway

Setting up Permission

Azure Blob Storage

To allow the Portkey Gateway to access Azure Blob Storage for log storage, permissions must be granted. Follow the steps below to set up these permissions according to your selected access method.
Prerequisites: Ensure OIDC issuer and Workload Identity are enabled on your AKS cluster.
  1. Specify the details:
  1. Create a User-Assigned Managed Identity.
Make a note of MANAGED_IDENTITY_CLIENT_ID, as it is required in values.yaml.
  1. Create a federated identity credential to link the Kubernetes service account to the managed identity.
  1. Grant the managed identity a role that allows it to access Blob Storage.

Azure Managed Redis

To allow the Portkey Gateway to authenticate with Azure Managed Redis using Microsoft Entra ID, permissions must be granted. Prerequisites: Microsoft Entra Authentication must be enabled on the Azure Managed Redis instance. Follow the steps below to set up these permissions according to your selected access method.
Complete steps 1 to 3 from the Azure Blob Storage > Workload Identity section if not already done.
  1. Assign a data access policy to the managed identity on the Redis instance.

Azure OpenAI and Azure AI Foundry (Optional)

If the Portkey Gateway routes requests to Azure OpenAI or Azure AI Foundry models, the identity used by the gateway must be granted the Cognitive Services OpenAI User role on the respective resource.
This is only required when using Managed Identity or Workload Identity to authenticate with Azure OpenAI or Azure AI Foundry. If you are using API keys, no additional role assignment is needed.
Complete steps 1 to 3 from the Azure Blob Storage > Workload Identity section if not already done.

Examples

Built-in Redis The following sample values.yaml below shows how to configure the built-in Redis cache and Azure Blob Storage for log store using Entra ID.
Azure Managed Redis with Workload Identity The following sample values.yaml shows how to configure Azure Managed Redis (Workload Identity) and Azure Blob Storage (Workload Identity) using a shared User-Assigned Managed Identity, with Private Link for outbound connectivity to the Control Plane.
Azure Managed Redis (Access Key) with Managed Identity for Blob Storage The following sample values.yaml shows how to configure Azure Managed Redis with an access key and Azure Blob Storage using the AKS Managed Identity.
AI Gateway + MCP Gateway with NGINX Ingress The following sample values.yaml shows how to deploy both AI Gateway and MCP Gateway with host-based routing using the NGINX Ingress controller, built-in Redis, and Workload Identity for Blob Storage.
Last modified on May 12, 2026