Based on your specific use case and requirements, the possible connectivity schemes for private Security Gateways, public Managed Security Gateways, OneAgents, and Dynatrace Server are depicted below.
In general, a Security Gateway is preferred if it is considered to be "closer" to the sender (i.e., OneAgent or another Security Gateway) in terms of this hierarchy: Dynatrace Server < Public Managed Security Gateway < Private Security Gateway.
|Dynatrace Server||Low||This is the default setup and fallback option. Dynatrace server is considered to be "far away" from OneAgents and other Security Gateways.|
|Public Managed Security Gateway||Medium||These are typically used as an entry point because the cluster (and its public Security Gateways) aren't directly reachable. Therefore, this is preferred over Dynatrace Server.|
|Private Security Gateway||High||The idea behind a private Security Gateway is to install it as close to OneAgents as possible. Therefore, it is considered to be the "closest" Security Gateway.|
Security Gateways of higher priority can generally send data to Security Gateways that have lower priority, but not vice versa. Security Gateways can't send data to other Security Gateways of the same priority. A private Security Gateway will always connect to a public Managed Security Gateway, if the latter exists and is reachable.
If a Security Gateway isn't reachable, OneAgents will try to contact other Security Gateways. OneAgents will always prefer Security Gateways of the highest available priority as long as at least one of them is reachable. If more than one such Security Gateway is available, OneAgents will try to switch between the available Security Gateways on a regular basis to achieve proper load balancing.
If all Security Gateways of the highest priority are temporarily unreachable, OneAgents will switch to the next lower priority Security Gateways and continue checking in the background for availability of higher priority Security Gateways.