
ZITADEL Production Checklist

To apply best practices to your production setup, we created a step-by-step checklist you may wish to follow.

Infrastructure Configuration

  • Make use of configuration management tools such as Terraform to provision all of the below
  • Use a secrets manager to store your confidential information
  • Reduce the manual interaction with your platform to an absolute minimum

HA Setup

  • High Availability for ZITADEL containers
    • Use a container orchestrator such as Kubernetes
    • Use a serverless platform such as Knative or a hyperscaler equivalent (e.g. Cloud Run from Google)
    • Run zitadel init and zitadel setup as separate, one-time steps ahead of zitadel start, so that instances added when scaling ZITADEL only execute the fast start command
  • High Availability for database
    • Follow the CockroachDB Production Checklist if you self-host the database or use CockroachDB Cloud
    • Configure regular backups for the database
    • Test the restore scenarios before going live
    • Secure database connections (e.g. TLS) and keep the database on an internal subnet rather than reachable from outside your network
  • High Availability for critical infrastructure components (depending on your setup)

Networking

  • Put a Layer 7 Web Application Firewall that supports HTTP/2 in front of ZITADEL (its gRPC APIs are served over HTTP/2)
    • Limit access by IP address if needed
    • Protect availability under high load by applying rate limits per endpoint class (e.g. API vs. frontend). See the ZITADEL Cloud rate limits for reference.
    • Check that your firewall also filters IPv6 traffic
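
The per-endpoint rate limiting described above normally lives in the WAF or ingress, but the mechanism is worth seeing end to end. The following Go program is an added example, not code from ZITADEL or its documentation: it keeps one token bucket per client IP and endpoint class, gives the token endpoint a tighter budget than the login UI, and answers 429 before a request reaches ZITADEL. The path prefixes /oauth/v2/token and /ui/login, the rates and burst sizes, and the listen address are assumed values chosen for illustration, not limits recommended by ZITADEL.

```go
package main

import (
	"math"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Class is one group of endpoints with its own budget: requests whose path
// starts with Prefix get Burst tokens per client IP, refilled at Rate per second.
type Class struct {
	Name   string
	Prefix string  // "" matches everything and should be listed last as the catch-all
	Rate   float64 // tokens per second
	Burst  float64 // bucket capacity
}

type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter keeps one token bucket per (class, client IP) pair.
type Limiter struct {
	mu      sync.Mutex
	now     func() time.Time // injectable clock so the limiter can be exercised offline
	classes []Class
	buckets map[string]*bucket
}

func NewLimiter(classes []Class, now func() time.Time) *Limiter {
	return &Limiter{now: now, classes: classes, buckets: map[string]*bucket{}}
}

// Classify returns the first class whose prefix matches the request path.
func (l *Limiter) Classify(path string) Class {
	for _, c := range l.classes {
		if strings.HasPrefix(path, c.Prefix) {
			return c
		}
	}
	return Class{Name: "unclassified", Rate: 1, Burst: 1} // tight fallback if no catch-all was configured
}

// Allow reports whether one request from ip to path fits within its class budget right now.
func (l *Limiter) Allow(ip, path string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	c := l.Classify(path)
	key := c.Name + "|" + ip
	now := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: c.Burst, last: now}
		l.buckets[key] = b
	}
	// Refill in proportion to elapsed time, never beyond the burst capacity.
	b.tokens = math.Min(c.Burst, b.tokens+now.Sub(b.last).Seconds()*c.Rate)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Middleware answers 429 for over-budget requests before they reach ZITADEL.
// RemoteAddr is the direct peer; behind a trusted proxy, take the client address
// from the header that proxy sets instead, or every client shares one bucket.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			ip = r.RemoteAddr
		}
		if !l.Allow(ip, r.URL.Path) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// DefaultClasses is an assumed policy for illustration: a tight budget on the
// token endpoint, a looser one on the login UI, and a catch-all for the rest.
func DefaultClasses() []Class {
	return []Class{
		{Name: "token", Prefix: "/oauth/v2/token", Rate: 2, Burst: 5},
		{Name: "login-ui", Prefix: "/ui/login", Rate: 10, Burst: 30},
		{Name: "other", Prefix: "", Rate: 20, Burst: 60},
	}
}

func main() {
	l := NewLimiter(DefaultClasses(), time.Now)
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("forwarded to ZITADEL\n")) // stand-in for the reverse proxy hop to ZITADEL
	})
	http.ListenAndServe("127.0.0.1:8081", l.Middleware(upstream)) // assumed listen address
}
```

The clock is injected so the budget arithmetic can be checked with a fixed time; in production the same limiter runs on time.Now. Order the classes from most specific prefix to the empty catch-all, because Classify takes the first match.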

ZITADEL configuration

  • Configure a valid SMTP Server and test the email delivery
  • Add Custom Branding if required
  • Configure a valid SMS Service such as Twilio if needed
  • Configure your privacy policy, terms of service and a help Link if needed
  • Keep your masterkey in secure storage (e.g. the secrets manager from the infrastructure section), never in plain configuration files or source control
  • Declare and apply ZITADEL configuration using the ZITADEL Terraform provider

Security

  • Ensure that your ZITADEL instance does not use default, example or easy-to-guess credentials (change the initial admin password before exposing the instance)
  • Use a FQDN and a trusted valid certificate for external TLS connections
  • Create service accounts for applications that interact with ZITADEL's APIs
  • Make use of a CDN service to decrease the load for static assets served by ZITADEL
  • Make use of a security scanner to test your application and deployment environment

Monitoring

Use an appropriate monitoring solution to keep an overview of your ZITADEL instance. In particular, you may want to watch for things like:

  • CPU and memory of ZITADEL and the database
  • Open database connections
  • Running instances of ZITADEL and the database
  • Latency of requests
  • Requests per second
  • Requests by URL/endpoint
  • Lifetime of TLS certificates
  • ZITADEL and database logs
  • ZITADEL metrics
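
The certificate-related items in the Security list (an FQDN with a trusted, valid certificate) and in the Monitoring list (lifetime of TLS certificates) can be covered by one probe. The following Go program is an added example, not code from ZITADEL or its documentation: it performs a TLS handshake against the public endpoint, checks that the presented leaf certificate matches the FQDN and is not within a warning window of expiry, and exits non-zero so a cron job or monitoring probe can alert. The host name auth.example.com, the 14-day threshold and the SelfSignedPEM helper (which exists only to exercise the check offline on constructed input) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math"
	"math/big"
	"os"
	"time"
)

// CertStatus summarises one leaf certificate for a monitoring check.
type CertStatus struct {
	Subject   string
	NotAfter  time.Time
	DaysLeft  int  // whole days until NotAfter; negative once expired
	HostMatch bool // the certificate is valid for the FQDN ZITADEL is served under
	Warn      bool // set when the cert is expired, close to expiry, or issued for the wrong host
}

// CheckLeaf evaluates cert for host at time now, warning below warnDays of remaining lifetime.
func CheckLeaf(cert *x509.Certificate, host string, now time.Time, warnDays int) CertStatus {
	// Floor so that a certificate that expired an hour ago reports -1, not 0.
	days := int(math.Floor(cert.NotAfter.Sub(now).Hours() / 24))
	// VerifyHostname only consults Subject Alternative Names; a CN-only certificate fails here.
	hostOK := cert.VerifyHostname(host) == nil
	return CertStatus{
		Subject:   cert.Subject.CommonName,
		NotAfter:  cert.NotAfter,
		DaysLeft:  days,
		HostMatch: hostOK,
		Warn:      days < warnDays || !hostOK,
	}
}

// ParsePEMCertificate decodes the first CERTIFICATE block of a PEM bundle.
func ParsePEMCertificate(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// FetchLeaf performs a TLS handshake with addr (host:port) and returns the leaf the server
// presented. Chain verification stays on, so an untrusted or expired chain fails here too.
func FetchLeaf(addr, serverName string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// SelfSignedPEM builds a throwaway self-signed certificate for host that expires at notAfter.
// It exists only so the check can be exercised offline with constructed input (assumption, not production use).
func SelfSignedPEM(host string, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN is what VerifyHostname matches against
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: certcheck <host:port> <fqdn>")
		os.Exit(2)
	}
	cert, err := FetchLeaf(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "tls handshake failed:", err)
		os.Exit(2)
	}
	st := CheckLeaf(cert, os.Args[2], time.Now(), 14) // 14-day warning window is an assumed threshold
	fmt.Printf("%s: expires %s (%d days left), host match %v\n",
		st.Subject, st.NotAfter.Format(time.RFC3339), st.DaysLeft, st.HostMatch)
	if st.Warn {
		os.Exit(1) // non-zero exit so a cron job or monitoring probe can alert on it
	}
}
```

Run it as certcheck auth.example.com:443 auth.example.com from a scheduler; a handshake failure (exit 2) and a warning (exit 1) are kept distinct so the alert can say whether the endpoint is unreachable or merely close to expiry.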