ZITADEL Production Checklist
To apply best practices to your production setup, we created a step-by-step checklist you may wish to follow.
Infrastructure Configuration
- Make use of configuration management tools such as Terraform to provision all of the below
- Use a secrets manager to store your confidential information
- Reduce the manual interaction with your platform to an absolute minimum
HA Setup
- High Availability for ZITADEL containers
  - Use a container orchestrator such as Kubernetes
  - Use a serverless platform such as Knative or a hyperscaler equivalent (e.g. Cloud Run from Google)
  - Split zitadel init and zitadel setup from zitadel start for fast start-up times when scaling ZITADEL
- High Availability for the database
  - Follow the Production Checklist for CockroachDB if you self-host the database, or use CockroachDB Cloud
  - Configure regular backups for the database
  - Test the restore scenarios before going live
  - Secure database connections from outside your network and/or use an internal subnet for database connectivity
- High Availability for critical infrastructure components (depending on your setup)
  - Load balancer
  - Reverse proxies
  - Web Application Firewall
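The init/setup split above, as an added example that is not ZITADEL's own Helm chart: two one-shot Kubernetes Jobs run zitadel init and zitadel setup exactly once, while the scaled Deployment only runs zitadel start. It assumes a ConfigMap named zitadel-config holding zitadel.yaml (with no credentials in it), a Secret named zitadel-masterkey with the key ZITADEL_MASTERKEY, and the zitadel CLI flags --config and --masterkeyFromEnv.

```yaml
# Added example (not ZITADEL's chart). Assumes ConfigMap zitadel-config (zitadel.yaml),
# Secret zitadel-masterkey (key ZITADEL_MASTERKEY), flags --config/--masterkeyFromEnv.
apiVersion: batch/v1
kind: Job
metadata: { name: zitadel-init }
spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: init
          image: ghcr.io/zitadel/zitadel:latest   # pin a version in production
          args: ["init", "--config", "/config/zitadel.yaml"]   # creates DB user/database, runs once
          volumeMounts: [{ name: config, mountPath: /config, readOnly: true }]
      volumes: [{ name: config, configMap: { name: zitadel-config } }]
---
apiVersion: batch/v1
kind: Job
metadata: { name: zitadel-setup }
spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: setup
          image: ghcr.io/zitadel/zitadel:latest
          args: ["setup", "--config", "/config/zitadel.yaml", "--masterkeyFromEnv"]
          envFrom: [{ secretRef: { name: zitadel-masterkey } }]  # ZITADEL_MASTERKEY from the Secret
          volumeMounts: [{ name: config, mountPath: /config, readOnly: true }]
      volumes: [{ name: config, configMap: { name: zitadel-config } }]
---
apiVersion: apps/v1
kind: Deployment
metadata: { name: zitadel }
spec:
  replicas: 3   # scale freely: start does no init/setup work at boot
  selector: { matchLabels: { app: zitadel } }
  template:
    metadata: { labels: { app: zitadel } }
    spec:
      containers:
        - name: zitadel
          image: ghcr.io/zitadel/zitadel:latest
          args: ["start", "--config", "/config/zitadel.yaml", "--masterkeyFromEnv"]
          envFrom: [{ secretRef: { name: zitadel-masterkey } }]
          volumeMounts: [{ name: config, mountPath: /config, readOnly: true }]
      volumes: [{ name: config, configMap: { name: zitadel-config } }]
```

Apply the init Job and wait for it to complete before the setup Job, and apply the Deployment last; Kubernetes does not order Jobs on its own, so a CD pipeline or Helm hooks have to enforce the sequence.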
Networking
- Use a Layer 7 Web Application Firewall that supports HTTP/2 to secure ZITADEL
- Limit access by IP address if needed
- Protect availability under high load with rate limits for specific endpoints (e.g. API vs frontend). See the ZITADEL Cloud rate limits for reference.
- Check that your firewall also filters IPv6 traffic
ZITADEL configuration
- Configure a valid SMTP server and test the email delivery
- Add custom branding if required
- Configure a valid SMS service such as Twilio if needed
- Configure your privacy policy, terms of service and a help link if needed
- Keep your masterkey in secure storage
- Declare and apply the ZITADEL configuration using the ZITADEL Terraform provider
Security
- Ensure that your ZITADEL instance does not use default, example or easy-to-guess credentials
- Use an FQDN and a trusted, valid certificate for external TLS connections
- Create service accounts for applications that interact with ZITADEL's APIs
- Make use of a CDN service to decrease the load from static assets served by ZITADEL
- Make use of a security scanner to test your application and deployment environment
Monitoring
Use an appropriate monitoring solution to keep an overview of your ZITADEL instance. In particular, you may want to watch for things like:
- CPU and memory of ZITADEL and the database
- Open database connections
- Running instances of ZITADEL and the database
- Latency of requests
- Requests per second
- Requests by URL/endpoint
- Lifetime of TLS certificates
- ZITADEL and database logs
- ZITADEL metrics