Set Up Self-Hosted

Opal fully supports deployment on your own infrastructure and is built to support the most complex environments and regulatory requirements.

We recommend that you deploy Opal Self-Hosted on a managed Kubernetes service:

Prerequisites

Obtaining a license

An Opal team member will provide you with a license.

DNS configuration

Set up a DNS record with your DNS provider that will be used for Opal. You'll also need a TLS certificate that's valid for the configured DNS record.

Example: opal.acme.com is an A record pointing to the public IP address of the on-premise instance.

Networking configuration

Inbound ports (required)

| Port range | Protocol | Source | Description |
|---|---|---|---|
| 22 | TCP | Internet or VPC | SSH to connect to instance |
| 80 | TCP | Internet or VPC | Redirect to HTTPS |
| 443 | TCP | Internet or VPC | HTTPS to access Opal |
| 8800 | TCP | Internet or VPC | Opal On-Premise setup dashboard |

Outbound hosts (required)

| Port | Hostname | Description |
|---|---|---|
| 443 | app.opal.dev | Opal platform |
| 443 | proxy.replicated.com | Docker image registry |
| 443 | k8s.kurl.sh | Repository for pulling installer bundle |
| 443 | endpoint6.collection.us2.sumologic.com | Log forwarding for debugging purposes (Deprecated) |
| 443 | http-intake.logs.datadoghq.com | Log forwarding for debugging purposes |
| 443 | stream.launchdarkly.com, events.launchdarkly.com, clientstream.launchdarkly.com | Feature flag management, critical to how Opal safely deploys new features |
| 443 | auth.opal.dev | Auth0 tenant, required for authentication |
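
A preflight for the required outbound hosts listed above, as an added example that is not part of Opal's documentation or tooling: it completes a certificate-verified TLS handshake to each host on port 443, so DNS, firewall and TLS-inspecting proxy failures are reported separately. The names `tls_probe` and `preflight` are chosen here, and treating the host marked Deprecated as non-blocking is an assumption.

```python
import socket
import ssl

# (hostname, deprecated) pairs copied from the required outbound table; all use TCP 443.
REQUIRED_HOSTS = [
    ("app.opal.dev", False),
    ("proxy.replicated.com", False),
    ("k8s.kurl.sh", False),
    ("endpoint6.collection.us2.sumologic.com", True),  # marked Deprecated on the page
    ("http-intake.logs.datadoghq.com", False),
    ("stream.launchdarkly.com", False),
    ("events.launchdarkly.com", False),
    ("clientstream.launchdarkly.com", False),
    ("auth.opal.dev", False),
]


def tls_probe(host, port=443, timeout=5.0):
    """Return None if a verified TLS handshake succeeds, else a short failure reason."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except socket.gaierror:
        return "dns"            # name did not resolve from this instance
    except ssl.SSLCertVerificationError:
        return "tls-verify"     # e.g. an intercepting proxy with an untrusted CA
    except ssl.SSLError:
        return "tls"
    except socket.timeout:
        return "timeout"        # typical of a silently dropping egress firewall
    except OSError:
        return "connect"        # refused, unreachable, reset


def preflight(hosts=REQUIRED_HOSTS, probe=tls_probe):
    """Return (ok, failures); assumption: a deprecated host failing does not block."""
    results = {host: probe(host) for host, _ in hosts}
    failures = {h: r for h, r in results.items() if r is not None}
    ok = not any(h in failures for h, deprecated in hosts if not deprecated)
    return ok, failures


if __name__ == "__main__":
    ok, failures = preflight()
    for host, reason in failures.items():
        print(f"FAIL {host}:443 ({reason})")
    raise SystemExit(0 if ok else 1)
```

Run it from the instance that will host Opal, since egress rules are evaluated per source.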

If you restrict outbound traffic to specific IPs, you'll also need to whitelist IPs for the following services:


Outbound hosts (optional based on integrations)

| Port | Hostname | Description |
|---|---|---|
| 443 | iam.<REGION>.amazonaws.com, ec2.<REGION>.amazonaws.com, rds.<REGION>.amazonaws.com, eks.<REGION>.amazonaws.com | AWS |
| 443 | cloudresourcemanager.googleapis.com | Google Cloud Platform |
| 443 | api.github.com | GitHub |
| 443 | api.pagerduty.com | PagerDuty |