Set up Self-Hosted
Learn the prerequisites required to deploy Opal on your own infrastructure.
Opal's self-hosted offering allows you to deploy an Opal instance in your own environment. Organizations often deploy self-hosted Opal to remain compliant and meet requirements for HIPAA, FedRAMP, or other security standards.
With self-hosted Opal, you'll host Opal in your own VPC, host your own external Postgres database, and upgrade Opal yourself as needed.
Self-hosted Opal requires some knowledge of devops and networking. If you want to get started with Opal quickly, don't want to manage your own instance, and don't have strict security requirements, you may want to use cloud-hosted Opal instead.
Replicated
Self-hosted Opal images are hosted in Replicated. In the Replicated console, which lives in your Opal instance, you'll configure your Opal instance and manage upgrades, usually with KOTS.
No Opal customer data is shared with Replicated.
Release schedule
Opal releases new self-hosted versions to Replicated multiple times per week. View release notes on the changelog, and go to the Replicated portal to view all versions. See the upgrade guide to learn how to upgrade your instance.
Authentication
By default, self-hosted Opal instances use Auth0 for authenticating users, managing SAML connections, and providing MFA for Opal logins. Your organization will be registered with our Auth0 instance as part of the onboarding process.
If you run an airgapped Opal instance, you'll use your own OIDC credentials instead of Auth0.
Scaling self-hosted instances
The setup guides for self-hosted Opal on AWS EKS and GKE recommend initial memory and CPU allocations, as well as sizing for the external database.
Airgapped instances
If you must run Opal in an environment with heightened network restrictions and want to limit the systems Opal integrates with, you can run an airgapped version of Opal. For example, you'll provide your own OpenID Connect (OIDC) credentials to allow your users to authenticate to your Opal instance. Non-airgapped Opal instances also use LaunchDarkly to connect to feature flags, while airgapped instances do not.
See the airgapped guide for more detail.
Prerequisites
Obtain a license
An Opal team member will provide you with a license.
DNS configuration
Set up a DNS record with your DNS provider that will be used for Opal. You'll also need a TLS certificate that's valid for the configured DNS record.
Example: opal.acme.com is an A record pointing to the public IP address of the on-premise instance.
Networking configuration
Inbound ports (required)
| Port range | Protocol | Source | Description |
|---|---|---|---|
| 22 | TCP | Internet or VPC | SSH to connect to instance |
| 80 | TCP | Internet or VPC | Redirect to HTTPS |
| 443 | TCP | Internet or VPC | HTTPS to access Opal |
| 8800 | TCP | Internet or VPC | Opal On-Premise setup dashboard |
Outbound hosts (required)
| Port | Hostname | Description |
|---|---|---|
| 443 | app.opal.dev | Opal platform |
| 443 | proxy.replicated.com | Docker image registry |
| 443 | k8s.kurl.sh | Repository for pulling installer bundle |
| 443 | endpoint6.collection.us2.sumologic.com | Log forwarding for debugging purposes (Deprecated) |
| 443 | http-intake.logs.datadoghq.com | Log forwarding for debugging purposes |
| 443 | stream.launchdarkly.com, events.launchdarkly.com, clientstream.launchdarkly.com | Feature flag management, critical to how Opal safely deploys new features |
| 443 | auth.opal.dev | Auth0 tenant, required for authentication |
If you restrict outbound traffic to specific IPs, you'll also need to add IPs for the following services to your allowlist:
Outbound hosts (optional based on integrations)
| Port | Hostname | Description |
|---|---|---|
| 443 | iam.<REGION>.amazonaws.com, ec2.<REGION>.amazonaws.com, rds.<REGION>.amazonaws.com, eks.<REGION>.amazonaws.com | AWS |
| 443 | cloudresourcemanager.googleapis.com | Google Cloud Platform |
| 443 | api.github.com | GitHub |
| 443 | api.pagerduty.com | PagerDuty |
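A preflight script for the DNS/TLS and networking prerequisites above, added here as an example rather than Opal's own tooling: it checks that the certificate served at your Opal DNS record actually covers that hostname (wildcards included) and reports which required outbound hosts accept a connection on 443 from the node. The hostnames come from the tables on this page; `opal.acme.com` is the page's own example record, and the function names are assumptions of this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Required outbound hosts, taken from the "Outbound hosts (required)" table on this page.
REQUIRED_OUTBOUND = [
    "app.opal.dev", "proxy.replicated.com", "k8s.kurl.sh",
    "http-intake.logs.datadoghq.com", "stream.launchdarkly.com",
    "events.launchdarkly.com", "clientstream.launchdarkly.com", "auth.opal.dev",
]


def hostname_matches_san(hostname: str, san_names: list[str]) -> bool:
    """RFC 6125-style match: exact, or a wildcard covering exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # "*.acme.com" -> ".acme.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:  # exactly one label; never the bare apex
                return True
    return False


def check_tls(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to the Opal DNS record and report whether the served certificate covers it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; the SAN match is reported, not raised
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {"san_ok": hostname_matches_san(hostname, sans), "sans": sans, "expires": expires}


def check_outbound(hosts: list[str] = REQUIRED_OUTBOUND, port: int = 443) -> dict[str, bool]:
    """Report which required outbound hosts accept a TCP connection on 443 from this node."""
    results = {}
    for host in hosts:
        try:
            with socket.create_connection((host, port), timeout=3.0):
                results[host] = True
        except OSError:  # DNS failure, connection refused, or egress filtered (timeout)
            results[host] = False
    return results
```

Run `check_tls("opal.acme.com")` and `check_outbound()` from the instance before installing; any host reported `False` is one your egress allowlist still blocks.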
