Customer-Hosted Managed Private Cloud Infrastructure Requirements
If you are a Managed Private Cloud customer hosting Auth0 using Amazon Web Services (AWS), the following are the requirements you should be aware of when setting up your cloud environment
Choose AWS regions
The AWS Region(s) in which your deployments are hosted must support:
At least three (3) availability zones
Cross-LAN availability zones
M4 or M4 instance types
RDS for PostgreSQL
AWS instance types
The size of your AWS instance must be, at minimum, M4.2xlarge, though the M5.2xlarge size is preferred.
We ask that the individual volumes have the following resource allocation:
|System/Operating System||Database||User Search||Backup|
|a0-1 (PROD)||60 GB||100 GB||100 GB||--|
|a0-2 (PROD)||60 GB||100 GB||100 GB||--|
|a0-3 (PROD)||60 GB||100 GB||100 GB||100 GB|
|DEV (non-PROD)||60 GB||50 GB||50 GB||50 GB|
Please note that you may have a different number of instances based on your specific deployment type.
All servers in the cluster must:
Have outbound access
Be on the same subnet
Be able to communicate over ports 7777, 27017, 8721, and 8701
Listen for and accept traffic from the load balancer over ports 443 and 4443
For a complete listing of IP addresses and ports used, see the IP/Domain and Port List.
Internet connectivity is required for all servers in the cluster.
All servers in the cluster require outbound access to:
docker.it.auth0.com (188.8.131.52) on port 443.
cdn.auth0.com on port 443.
Social providers and third-party APIs (as needed)
Each environment (e.g., Development, Staging, Production), which are represented by
<env-name>, requires a separate namespace when it comes to DNS records.
You will need DNS records for the following namespaces:
|Auth0 environment Namespace (e.g., *.
||You can choose to use a catch-all CNAME record that represents all of your tenants and Dashboard endpoints or individual CNAME records for each tenant. The following env-names cannot be used: manage (reserved for the Dashboard), config (reserved for the root tenant authority), webtask (reserved for extensibility)|
|Auth0 Webtask with Dedicated Domains Namespace (e.g., *.wt.
||You can choose to use a catch-all CNAME record to represent all of your tenants or you can use an individual CNAME record for each tenant pointing to the balanced endpoint|
|Custom Domains Namespace||Requires a catch-all CNAME record redirecting custom domains to the custom domains balanced endpoint and an alias record using edge.
You must use either an ALB or ELB.
Software load balancers
You can use either NGINX or HA Proxy as the software load balancer in front of the Auth0 environment or for IP AllowListing and/or endpoint filtering (only Authentication endpoints are publicly available). If you are using NGINX or HA Proxy as the software load balancer, you must:
Use TCP mode with Proxy Protocol or HTTPS mode (SSL offloading). In HTTPS mode the connector will not work.
Forward the incoming hostname to the nodes
Your SSL certificates must:
Be signed by a public certificate authority
Contain all of the required DNS names (if the certificate is not a wildcard certificate)
Be in the PFX or PKCS12 formats
Contain the full chain
Auth0 requires TLS 1.1 or later.
You must set up and configure a SMTP provider (or a global default email provider) to send emails. Optionally, you can set up transactional email providers (e.g., SendGrid, Amazon SES, Mandrill) for individual tenants.
STARTTLS is supported by Auth0, but is not required.
Amazon RDS for PostgreSQL
Amazon RDS for PostgreSQL is currently used to support the Authorization Roles-Based Access Control functionality, but it will be used to support other functionality in the future.
We ask that, at minimum, you use postgres10, db.r3.xlarge with 10 GB of storage. You should also allow automated snapshots with seven-day snapshot retention and multi-AZ deployments with automated failover.
See Private Cloud Remote Access Options for details.