Roboflow Enterprise

Secure inference on the edge.

Secure Gateway proxies all traffic between your inference servers and Roboflow Cloud. It caches model weights, enforces access policies, and ships audit logs to your SIEM.

Get Started View Docs
terminal 
$ docker run -d \
    --name secure-gateway \
    -p 443:443 \
    -e ROBOFLOW_API_KEY=rf_... \
    -e CACHE_DIR=/var/cache/gw \
    -e SIEM_ENDPOINT=https://splunk:8088 \
    -v gw-cache:/var/cache/gw \
    roboflow/secure-gateway:latest

Container started: a3f8c...
$ curl -k https://localhost/health
{"status":"ok","cached_models":0}

How it works

One egress point. Everything else stays on your network.

OT NETWORK Inference Server 1 Inference Server 2 Inference Server 3 ... Inference Server N HTTPS SECURE GATEWAY Rule Engine Allow / Deny Cache Layer Model Weights Audit Logger Structured Logs SIEM Target Packet Inspection DPI / IDS (optional) HTTPS INTERNET Roboflow Cloud
Single controlled egress point
Local model weight caching
Allow / deny policy rules
SIEM audit log streaming
Custom CA for packet inspection
Single Docker container
End-to-end TLS encryption
Drop-in License Server upgrade

Model weight caching

First download gets cached. Every server after that pulls from the gateway's local store. Cut bandwidth costs and eliminate cold-start delays when scaling your fleet.

# Cache hit — served in 38ms

GET /my-workspace/yolov8n/3

200 — 104 MB — cache:HIT

mode: deny-all

allow:

- model: "ws/safety-model"

  versions: ["3","4"]

- model: "ws/counter"

  versions: ["*"]

Allow / deny rules

Lock down exactly which models and endpoints your servers can reach. Rules live in a YAML file, hot-reloaded on change — no restart needed.

SIEM log streaming

Every request through the gateway produces a structured JSON log entry. Ship to Splunk, Datadog, Sentinel, or any syslog target. Know who downloaded what, when, and whether it was served from cache.

{"source_ip":"10.0.1.42",

 "path":"/ws/yolov8n/3",

 "action":"allowed",

 "cache_hit":true,

 "duration_ms":38}

# Just swap the image

docker stop license-server

docker run -d \

--name secure-gateway \

-p 443:443 \

roboflow/secure-gateway

Drop-in License Server upgrade

Same port, same API key, same inference server config. Replace the container image and you get caching, policy enforcement, and audit logging on top of what you already had.

Ready to lock it down?

Secure Gateway is available with a Roboflow Enterprise license. Talk to us about deploying in your environment, or dive into the docs.

Talk to Sales Read the Docs