
ZITADEL Production Checklist

To apply best practices to your production setup, we created a step-by-step checklist you may wish to follow.

Infrastructure Configuration

  • Make use of configuration management tools such as Terraform to provision everything listed below
  • Use a secrets manager to store your confidential information
  • Reduce manual interaction with your platform to an absolute minimum

HA Setup

  • High Availability for ZITADEL containers
    • Use a container orchestrator such as Kubernetes
    • Use a serverless platform such as Knative or a hyperscaler equivalent (e.g. Cloud Run from Google)
    • Run zitadel init and zitadel setup as separate one-off steps, so that scaled-out ZITADEL instances only run zitadel start and start up fast
  • High Availability for database
    • Follow the Production Checklist for CockroachDB if you self-host the database, or use CockroachDB Cloud
    • Configure backups on a regular basis for the database
    • Test the restore scenarios before going live
    • Secure database connections from outside your network and/or use an internal subnet for database connectivity
  • High Availability for critical infrastructure components (depending on your setup)
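
As an added example (not from the ZITADEL docs or the project's own Helm chart), the following Kubernetes manifests separate the one-off zitadel setup phase (a Job) from the scalable zitadel start phase (a Deployment), with the masterkey read from a Secret that your secrets manager populates. The namespace, Secret names, image tag and the domain auth.example.com are assumptions.

```yaml
# Added example (not the ZITADEL docs' or Helm chart's own manifests): the one-off
# phases run as Jobs, only "zitadel start" runs as the scaled Deployment.
# Assumed names: namespace zitadel; Secret zitadel-masterkey (key masterkey) and
# Secret zitadel-config (key zitadel.yaml with the Database section), both filled
# from your secrets manager; <VERSION> and auth.example.com are placeholders.
apiVersion: batch/v1
kind: Job
metadata: {name: zitadel-setup, namespace: zitadel}
spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: setup
          image: ghcr.io/zitadel/zitadel:<VERSION>
          # "zitadel init" (creates DB, users, grants) is a second Job like this, run with DB admin creds
          args: ["setup", "--masterkeyFromEnv", "--config", "/config/zitadel.yaml"]
          env:
            - name: ZITADEL_MASTERKEY
              valueFrom: {secretKeyRef: {name: zitadel-masterkey, key: masterkey}}
          volumeMounts: [{name: config, mountPath: /config, readOnly: true}]
      volumes:
        - {name: config, secret: {secretName: zitadel-config}}
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: zitadel, namespace: zitadel}
spec:
  replicas: 3   # HA: several stateless instances behind the WAF/ingress
  selector: {matchLabels: {app: zitadel}}
  template:
    metadata: {labels: {app: zitadel}}
    spec:
      containers:
        - name: zitadel
          image: ghcr.io/zitadel/zitadel:<VERSION>
          # "start" runs no migrations, so new replicas are ready quickly
          args: ["start", "--masterkeyFromEnv", "--config", "/config/zitadel.yaml",
                 "--tlsMode", "external"]   # TLS is terminated in front of ZITADEL
          env:
            - name: ZITADEL_MASTERKEY
              valueFrom: {secretKeyRef: {name: zitadel-masterkey, key: masterkey}}
            - {name: ZITADEL_EXTERNALDOMAIN, value: auth.example.com}
            - {name: ZITADEL_EXTERNALPORT, value: "443"}
            - {name: ZITADEL_EXTERNALSECURE, value: "true"}
          ports: [{containerPort: 8080}]
          readinessProbe: {httpGet: {path: /debug/ready, port: 8080}}
          volumeMounts: [{name: config, mountPath: /config, readOnly: true}]
      volumes:
        - {name: config, secret: {secretName: zitadel-config}}
```

The init and setup Jobs must complete before the Deployment is rolled out; a later ZITADEL upgrade re-runs only the setup Job, while the Deployment scales without touching the database schema.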

Networking

  • Use a Layer 7 Web Application Firewall that supports HTTP/2 to protect ZITADEL
    • Restrict access by IP address if needed
    • Protect availability under high load by applying rate limits per endpoint class (e.g. API vs. frontend). See the ZITADEL Cloud rate limits for reference.
    • Check that your firewall also filters IPv6 traffic

ZITADEL configuration

  • Configure a valid SMTP Server and test the email delivery
  • Add Custom Branding if required
  • Configure a valid SMS Service such as Twilio if needed
  • Configure your privacy policy, terms of service and a help link if needed
  • Keep your masterkey in secure storage
  • Declare and apply ZITADEL configuration using the ZITADEL Terraform provider

Security

  • Ensure that your ZITADEL instance does not use default, example or easy-to-guess credentials
  • Use a FQDN and a trusted valid certificate for external TLS connections
  • Create service accounts for applications that interact with ZITADEL's APIs
  • Make use of a CDN service to decrease the load for static assets served by ZITADEL
  • Make use of a security scanner to test your application and deployment environment

Monitoring

Use an appropriate monitoring solution to keep an overview of your ZITADEL instance. In particular, you may want to watch:

  • CPU and memory of ZITADEL and the database
  • Open database connections
  • Running instances of ZITADEL and the database
  • Latency of requests
  • Requests per second
  • Requests by URL/endpoint
  • Lifetime of TLS certificates
  • ZITADEL and database logs
  • ZITADEL metrics