In principle, public Managed Security Gateway is an optional component. However, installing a public Managed Security Gateway is a prerequisite for the following cases:
Enabling synthetic monitoring
Your Dynatrace Managed deployment must be able to receive synthetic monitoring data from the Dynatrace Synthetics infrastructure, which is distributed across the world. Typically, you don't want to expose Dynatrace Cluster nodes to the outside world. It's recommended that you install a public Managed Security Gateway in a location that can be publicly accessed from the Internet so it can forward all synthetic test traffic to Dynatrace Server.
Enabling agentless Real User Monitoring
To use Real User Monitoring without OneAgent, you typically don't want to expose your Dynatrace Cluster nodes to the outside world. It's recommended that you install a public Managed Security Gateway in a location that can be publicly accessed from the Internet so that it can forward all monitoring traffic to the Dynatrace Server.
Enabling mobile Real User Monitoring
To allow instrumented mobile apps to report Real User Monitoring data to your Dynatrace Managed installation, you'll need to configure and open a publicly accessible Dynatrace Security Gateway. A public Managed Security Gateway provides a secure IP address where your mobile apps can safely send their monitoring data.
Accessing sealed networks
Dynatrace Clusters often run in protected environments that aren't directly accessible by OneAgents running outside. A public Managed Security Gateway can be used to serve as a single access point for such OneAgents. This approach greatly reduces the effort of managing and maintaining firewall and/or proxy configuration settings.
Controlling load distribution of AWS monitoring.
AWS service monitoring is a resource-intensive task. Therefore, to monitor more than 700 AWS services, you must install a Security Gateway to transfer the load to your own infrastructure.