Private Cloud on AWS
The Private Cloud on AWS deployment option is a dedicated, managed instance of the Auth0 identity platform running on Amazon Web Services. It provides isolation, higher performance, separate development instances, various add-ons, and more.
Operational differences
The table below compares each deployment option for Private Cloud on AWS.
| Feature | Public Cloud | Private Cloud Basic on AWS * | Private Cloud Performance on AWS * |
|---|---|---|---|
| Tenancy | Multi | Single | Single |
| Requests per second (Multiples of 100 RPS) | 100 RPS (1x) | 100 RPS (1x) | 500* RPS (5x) 1,500* RPS (15x) 3,000* RPS (30x) 3,000* RPS (30x Burst) 6,000* RPS (60x) 6,000* RPS (60x Burst) 10,000* RPS (100x) |
| Service level agreement (SLA) | 99.99% | 99.99% | 99.99% |
| Data residency | Public cloud regions only | Yes | Yes |
| Dev environment | No | No | 1 |
*The RPS capacity is provided as a general guideline. The actual performance could vary based on the types and volume of transactions processed within the customer's Private Cloud environment. The test transactions used for the stated capacity benchmarks might not match individual customer's unique transaction patterns and workloads. As an example, the following capacity is supported when using the Resource Owner Password Flow:
| Tier | RPS |
|---|---|
| Basic | 55 |
| Performance 5x | 180 |
| Performance 15x | 600 |
| Performance 30x | 1400 |
| Performance 30x Burst | 1400 |
| Performance 60x | 3000 |
| Performance 60x Burst | 3000 |
| Performance 100x | 5000 |
Data residency
With Private Cloud on AWS, you choose the region where your data is stored. Auth0 can provide a list of available regions that use multiple availability zones for the deployment. A list of current regions where we offer private cloud deployments can be found in our Sub-processor Information posted to our Trust & Compliance page. In most cases, Okta deploys backups in the same selected AWS region.
Maximum availability
Private Cloud on AWS instances have a 99.99% Service Level Agreement (SLA). Availability Commitments do not apply to Free Trials, sandbox, beta and other pre-production environments.
High demand apps
If your application requires a significantly high amount of requests per second (RPS), you may also wish to consider Private Cloud on AWS. See the rate limits policies for more information about the standard rate limits. The Private Cloud on AWS deployments have a rate limit of 100 RPS for Private Basic, and enhanced rate limits of 500 RPS, 1,500 RPS, 3,000 RPS, and 6,000 RPS for Private Performance options.
Additional dev environments
Private Cloud on AWS Performance deployments include a fully-isolated and independently-updated instance for development and testing. You can add additional pre-production environments to meet your business requirements.
Guaranteed requests per second (RPS) and SLA do not apply to non-production environments.
Limitations
Data Center Locations
Private Cloud on AWS is fully deployable in the following regions:
Australia
Bahrain
Brazil
Canada
France
Germany
Hong Kong
India
Indonesia
Ireland
Italy
Japan
Singapore
South Africa
South Korea
Sweden
United Arab Emirates (UAE)
United Kingdom
USA
Bursty Traffic
Okta provides rate limits for orgs based on the traffic that they expect to have, and subject to the RPS tier purchased. If your org experiences higher traffic than what is expected, this unplanned usage may potentially have an impact on end users.The Private Cloud offering is designed to handle gradual increases in transaction rate (e.g. an increase from 100 RPS to 1000 RPS over a period of 10 minutes) without any service impact. However, sudden and severe bursts in traffic (e.g. 100 RPS to 1000RPS increase in a matter of seconds) could lead to service instability and increased latency while the solution adjusts to handle the new load.
Onboarding
After choosing Private Cloud on AWS, an onboarding and deployment process will be followed to configure your environment(s).
Customer onboarding requirements
Upon contract signing, we will ask you to provide key information regarding your onboarding requirements, which we will then validate.
Kickoff meeting
Once we validate your onboarding requirements, we will host a kickoff meeting with you to begin the implementation process. We strongly recommend that this meeting occur no later than five (5) days after the contract signing.
Implementation
Immediately after the onboarding form validation, we will begin provisioning your environment.
At the end of this process, you're ready for the environment handover and your Private Cloud on AWS deployment is ready for use.
Secure Outbound Networking
Some Auth0 platform customizations—Actions, custom webhooks, and custom database action scripts, for example—let you make outbound connections from the Auth0 platform to your own services. With Private Cloud on AWS, you can establish network connectivity between your Private Cloud deployment and your own services without exposing your data to the Internet.
Secure outbound networking uses AWS PrivateLink. First, you share your service through PrivateLink by establishing an endpoint service in your AWS account. The underlying service can be an AWS-native service or a service running in a data center. The service must be in a VPC in the same AWS region as your Private Cloud deployment.
Next, we will configure your Private Cloud deployment to make your endpoint service available. Once you provide Auth0 with your endpoint service information, we will integrate the service with your deployment and provide information on how to access it from your customization code.
For more info on setting up endpoint services with PrivateLink, contact AWS. To coordinate service onboarding with Auth0, file a request to the Support Center.
Updates
Private Cloud on AWS deployments are updated every week automatically. You can set a specific day and time during the week, if required.
Testing
Change freeze policy
Load tests and penetration tests are not allowed during change freeze periods.
To view the currently scheduled change freeze periods, read Change Freeze Policy.
Load testing
This policy outlines the necessary requirements for Auth0 to perform load testing for Private Cloud on AWS customers who submit a request. You can file a load testing request via the Support Center. Under the Issue field, select Private Cloud Support Incident.
If you purchased a dedicated load testing environment, there is no limit to the frequency of load tests you can run. Standard environments are limited to two (2) per year, given proper load testing procedures.
To be considered for approval, the request must:
Be filed at least two (2) weeks prior to the desired test date; in many cases, Auth0 encourages one (1) month of advance notice to ensure time for a thorough review and any required modifications.
Receive approval in writing before any testing is conducted.
Stay within our published production rate limits.
If changes to infrastructure are requested, the cost will be determined based on your specific requirements.
Testing capacity considerations
Environments purchased for dedicated load testing are not subject to any service level agreements. Issues reported in these environments will be prioritized lower than production issues.
You should start with a low load and slowly increase until the environment has reached its peak. Should you require a load greater than what the environment can handle, the environment size should be increased.
Private Cloud environments can be upsized via contract addendum; please contact your Account Executive and TAM to discuss this purchase.
| Subscription | Load Test Capacity | Ramp up |
|---|---|---|
| Private Cloud Performance 500 RPS (5x) | 325 RPS | 100 RPS/min |
| Private Cloud Performance 1500 RPS (15x) | 975 RPS | 100 RPS/min |
| Private Cloud Performance 3000 RPS (30x) | 1950 RPS | 100 RPS/min |
| Private Cloud Performance 3000 RPS (30x Burst) | 1950 RPS | 100 RPS/min |
| Private Cloud Performance 6000 RPS (60x) | 3900 RPS | 100 RPS/min |
| Private Cloud Performance 6000 RPS (60x Burst) | 3900 RPS | 100 RPS/min |
| Private Cloud Performance 10,000 RPS (100x) | 6500 RPS | 100 RPS/sec |
For more information on load testing in Private Cloud, see Environment request limits (Private Cloud Only).
High load notifications
For periods of anticipated high load, you must inform your account team no later than 14 days prior to the event. The notification provides the opportunity to adequately test scenarios (if possible) and aligns reactive support to the event.
Penetration testing
To conduct a security test, please notify us in advance via the Auth0 Support Center. Auth0 requires at least one week (seven days) notice prior to your test's planned start date.
If the test is isolated to your infrastructure (that is, there will be no testing of Auth0 services), you do not need to notify Auth0.
For the information that we require, see our Penetration Testing Policy.
Failover testing
This policy outlines the necessary requirements for Okta to perform failover testing for Private Cloud customers on either the AWS or Azure Auth0 platform with the required Geo Failover add-on. You may file a failover testing request via the Support Center. Under the Issue field, select Private Cloud Support Incident.
To be considered for approval, the request must:
Be filed at least two (2) weeks prior to the desired test date and time (in UTC). In many cases, Okta encourages one (1) month of advance notice to ensure time for a thorough review and any required modifications.
Fall under the limit of (2) failover tests per calendar year.
Receive approval in writing before any testing is conducted.
Specify windows (in UTC) for both the failover and the fallback to the primary region, with an understanding that both windows will result in downtime of up to 15 minutes.
Designated point-of-contact specified with whom Okta will coordinate all testing logistics
Please note that Okta reserves the right to suggest alternative windows for the failover and fallback to correspond to availability of Staff to perform the requested testing. Additionally, any service interruption that results as part of the failover or fallback procedures is exempt of any SLA provisions.
Certificate renewal process
Auth0-managed certificates (in the format *.auth0app.com) are the responsibility of Auth0 to both obtain and apply. Auth0 will manage the process end-to-end and will prompt you with any action required.
Renewal of Auth0-issued certificates for custom domains is managed by Auth0.
Renewal of customer-managed certificates for custom domains (in the format *.<CustomerName>.com) is the customer’s responsibility to manage and obtain.
Reporting and monitoring
Auth0 provides logs that are accessible via the Dashboard or the log streaming endpoint.
Support
You can reach out to the Auth0 Support team with any questions or concerns you might have. To help expedite your request, please provide as much information as possible in the Support ticket you open.