Customer-Hosted Managed Private Cloud Infrastructure Requirements

If you are a Managed Private Cloud customer hosting Auth0 on Amazon Web Services (AWS), be aware of the following requirements when setting up your cloud environment.

Choose AWS regions

The AWS Region(s) in which your deployments are hosted must support:

  • At least three (3) availability zones

  • Cross-LAN availability zones

  • M4 or M5 instance types

  • RDS for PostgreSQL

AWS instance types

Your AWS instances must be at least m4.2xlarge; m5.2xlarge is preferred.

We ask that the individual volumes have the following resource allocation:

Instance        System/Operating System   Database   User Search   Backup
a0-1 (PROD)     60 GB                     100 GB     100 GB        --
a0-2 (PROD)     60 GB                     100 GB     100 GB        --
a0-3 (PROD)     60 GB                     100 GB     100 GB        100 GB
DEV (non-PROD)  60 GB                     50 GB      50 GB         50 GB

Please note that you may have a different number of instances based on your specific deployment type.

Network

All servers in the cluster must:

  • Have outbound access

  • Be on the same subnet

  • Be able to communicate with each other over ports 7777, 27017, 8721, and 8701

  • Listen for and accept traffic from the load balancer over ports 443 and 4443

For a complete listing of IP addresses and ports used, see the IP/Domain and Port List.

Internet connectivity

Internet connectivity is required for all servers in the cluster.

All servers in the cluster require outbound access to:

  • docker.it.auth0.com (52.9.124.234) on port 443

  • cdn.auth0.com on port 443

  • Social providers and third-party APIs (as needed)

DNS records

Each environment (e.g., Development, Staging, Production), represented below by <env-name>, requires its own DNS namespace.

You will need DNS records for the following namespaces:

Namespace                                                                      Notes
Auth0 environment namespace (e.g., *.<env-name>.customer.com)                  You can use a single catch-all CNAME record covering all of your tenants and the Dashboard endpoints, or an individual CNAME record for each tenant. The following env-names are reserved and cannot be used: manage (reserved for the Dashboard), config (reserved for the root tenant authority), webtask (reserved for extensibility).
Auth0 Webtask with Dedicated Domains namespace (e.g., *.wt.<env-name>.customer.com)   You can use a catch-all CNAME record covering all of your tenants, or an individual CNAME record for each tenant pointing to the balanced endpoint.
Custom Domains namespace                                                       Requires a catch-all CNAME record directing custom domains to the custom domains balanced endpoint, plus an alias record edge.<env-name>.customer.com that points to the same custom domains balanced endpoint.

Load balancers

You must use either an ALB or ELB.

Software load balancers

You can use NGINX or HAProxy as the software load balancer in front of the Auth0 environment, for IP allowlisting, and/or for endpoint filtering (only Authentication endpoints are publicly available). If you use NGINX or HAProxy as the software load balancer, you must:

  • Use TCP mode with Proxy Protocol, or HTTPS mode (SSL offloading). Note that the connector will not work in HTTPS mode, because TLS is then terminated at the load balancer rather than at the nodes.

  • Forward the incoming hostname to the nodes (in HTTPS mode via the Host header; in TCP mode the TLS handshake, including the SNI hostname, reaches the nodes unchanged)
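The following NGINX stream configuration is an added example, not Auth0's own configuration, of how both requirements are met in TCP mode: TLS is never terminated at the balancer, so the connector keeps working and the ClientHello (with its SNI hostname) reaches the nodes untouched, while the PROXY protocol header carries each client's real IP to the node. It also shows the IP-allowlisting use mentioned above by routing the reserved Dashboard hostname through an internal listener that admits only allowlisted source ranges. The node addresses 10.0.1.11-13, the environment name prod, the domain customer.com, and the allowlisted range 203.0.113.0/24 are placeholder assumptions.

```nginx
# Added example: NGINX in TCP mode with PROXY protocol in front of an Auth0
# Managed Private Cloud cluster. Node IPs, env name, domain and the allowlisted
# range are placeholder assumptions; replace them with your own values.
# This block belongs at the top level of nginx.conf, alongside any http {} block.
stream {
    # Route by SNI only. ssl_preread reads the ClientHello without terminating
    # TLS, so the handshake (and the connector) is untouched and the nodes see
    # the original hostname.
    map $ssl_preread_server_name $auth0_route {
        manage.prod.customer.com  127.0.0.1:10443;  # Dashboard (reserved name): IP allowlist hop
        default                   auth0_nodes_443;  # tenant/authentication traffic: straight through
    }

    upstream auth0_nodes_443 {
        server 10.0.1.11:443 max_fails=3 fail_timeout=10s;
        server 10.0.1.12:443 max_fails=3 fail_timeout=10s;
        server 10.0.1.13:443 max_fails=3 fail_timeout=10s;
    }

    upstream auth0_nodes_4443 {
        server 10.0.1.11:4443 max_fails=3 fail_timeout=10s;
        server 10.0.1.12:4443 max_fails=3 fail_timeout=10s;
        server 10.0.1.13:4443 max_fails=3 fail_timeout=10s;
    }

    # Required port 443, publicly reachable.
    server {
        listen 443;
        ssl_preread on;             # populates $ssl_preread_server_name
        proxy_pass $auth0_route;
        proxy_protocol on;          # prepend a PROXY header so the node sees the client IP
        proxy_connect_timeout 5s;
    }

    # Required port 4443, same treatment, no SNI routing.
    server {
        listen 4443;
        proxy_pass auth0_nodes_4443;
        proxy_protocol on;
        proxy_connect_timeout 5s;
    }

    # Internal hop for the Dashboard hostname only. It accepts the PROXY header
    # from the 443 server above, restores the real client address, enforces the
    # allowlist, and forwards to the cluster, again with a PROXY header.
    server {
        listen 127.0.0.1:10443 proxy_protocol;
        set_real_ip_from 127.0.0.1;     # trust the PROXY header only from the local hop
        allow 203.0.113.0/24;           # assumed corporate/VPN range
        deny  all;
        proxy_pass auth0_nodes_443;
        proxy_protocol on;
        proxy_connect_timeout 5s;
    }
}
```

Because the HTTP request stays encrypted end to end in this mode, filtering by URL path (exposing only the Authentication endpoints) is not possible here; that requires HTTPS mode (SSL offloading) with the hostname forwarded in the Host header, at the cost of the connector, as noted above. Allowlisting by SNI hostname and source IP, as shown, is what TCP mode can enforce.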

SSL certificates

Your SSL certificates must:

  • Be signed by a public certificate authority

  • Contain all of the required DNS names (if the certificate is not a wildcard certificate)

  • Be in PFX (PKCS #12) format

  • Contain the full chain

TLS

Auth0 requires TLS 1.1 or later.

SMTP

You must set up and configure an SMTP provider (or a global default email provider) to send emails. Optionally, you can set up transactional email providers (e.g., SendGrid, Amazon SES, Mandrill) for individual tenants.

STARTTLS is supported by Auth0, but is not required.

Amazon RDS for PostgreSQL

Amazon RDS for PostgreSQL is currently used to support the Authorization role-based access control (RBAC) functionality, and it will be used to support other functionality in the future.

We ask that, at minimum, you use PostgreSQL 10 (postgres10) on a db.r3.xlarge instance with 10 GB of storage. You should also enable automated snapshots with seven-day snapshot retention and a Multi-AZ deployment with automated failover.

Remote access

See Private Cloud Remote Access Options for details.