ZuploZuplo
LoginStart for Free
  • Documentation
  • API Reference
Introduction
Getting Started
    Develop on the web portal
      1 - Setup Your Gateway2 - Rate Limiting3 - API Key Auth4 - Deploy5 - Dynamic Rate LimitingDynamic MCP Server - Quickstart
    Develop locally with the CLI
      1 - Setup Your Gateway2 - Rate Limiting3 - API Key Auth4 - Deploy5 - Dynamic Rate LimitingDynamic MCP Server - Quickstart
Concepts
Development
Policies
Handlers
API Keys
Rate Limiting
MCP Server
MCP Gateway
AI Gateway
Developer Portal
Monetization
GraphQL
Deploying & Source Control
Analytics
Observability
Networking & Infrastructure
    Overview
    Managed Dedicated
    Managed EdgeSelf Hosted
    Custom Domains
    Securing Your Backend
    Web Application Firewalls
    DDoS Protection
Account Management
Programming API
Build with AI
Zuplo CLI
Migration Guides
Platform LimitsSecuritySupportTrust & ComplianceChangelog
powered by Zudoku
Networking & Infrastructure

Zuplo Self-Hosted

Zuplo Self-Hosted (also known as on-prem) is a deployment model where you run the Zuplo API Gateway on your own infrastructure — any cloud or private data center. Zuplo Self-Hosted runs exclusively on Kubernetes and is installed with a single Helm chart into your cluster.

Self-hosted deployment might be the right choice for you if you need:

  • Complete control over your infrastructure and deployment environment
  • To run Zuplo in a private data center or on-premises environment
  • To meet data sovereignty or regulatory requirements that require API traffic and data to remain within your infrastructure
  • To integrate with existing on-premises systems and networks

How It Works

Your cluster runs two groups of workloads: a small Zuplo management plane that receives deployments, builds gateway images inside your cluster, and manages certificates and routing, and the gateway deployments themselves, which serve your API traffic. Developers deploy to your instance directly with the Zuplo CLI — the same Zuplo project format and deployment workflow used on every other Zuplo deployment model. Gateway images are built in-cluster and stored in your own container registry, and API traffic is served entirely from your infrastructure.

Deployment Models

Hybrid Deployment

You run the gateway and management plane on your infrastructure, while a small set of Zuplo cloud services provides supporting features such as deployment configuration and API key management. All API traffic to your gateways stays on your infrastructure. This is the standard deployment model.

Restricted-Egress Environments

For environments with strict egress restrictions or stronger isolation requirements, book a meeting to review your requirements with the Zuplo team.

Responsibilities

Self-hosting keeps you in control of your infrastructure while Zuplo supplies everything Zuplo-specific — the chart, the images, and the support to run them well:

PhaseYour teamZuplo
PrepareKubernetes cluster, DNS records, TLS certificates (optional), container registryRegistry credentials, account configuration, installation guide
InstallRun the Helm install in your clusterHelm chart, component images, starter configuration reviewed with your team
OperateCluster operations, applying updatesUpdated charts and images, support

If this division of responsibilities doesn't fit your organization, book a meeting with the Zuplo team. For teams that prefer Zuplo to run the infrastructure, Managed Dedicated offers the same gateway fully operated by Zuplo.

Requirements

This section lists what your team needs to prepare before installing Zuplo Self-Hosted. Use it to plan your platform and security review. Your Zuplo solutions architect walks through each item during onboarding.

Kubernetes Cluster

  • A conformant Kubernetes cluster — managed offerings such as EKS, AKS, and GKE, or your own distribution.
  • Support for Services of type LoadBalancer to expose the ingress.
  • Cluster administrator access for the initial install (the chart installs CRDs and cluster-scoped RBAC).
  • Zuplo builds gateway images inside your cluster. The build process runs privileged pods, so clusters that enforce a restricted Pod Security Standard cluster-wide need accommodations — discuss this with your Zuplo solutions architect during onboarding.
  • Helm 3 on the machine performing the install; supported versions are confirmed during onboarding.

DNS and TLS

You control DNS for two names, both pointing at the cluster's ingress load balancer:

  • A wildcard subdomain for your gateway environments, for example *.api.example.com — each deployed gateway environment receives a hostname under it.
  • A hostname for the management API, for example zuplo-admin.example.com — used by the Zuplo CLI and your CI/CD pipelines to deploy.

For TLS you can either:

  • Use the bundled cert-manager to issue certificates automatically from an ACME certificate authority (for example Let's Encrypt), which requires the hostnames to be reachable for HTTP-01 challenges, or
  • Bring your own wildcard certificate as a Kubernetes TLS secret — common in private-network deployments.

Container Registry

Gateway images are built inside your cluster and pushed to a container registry that you provide. You need:

  • A registry your cluster can push to and pull from (for example ACR, Google Artifact Registry, GitHub Container Registry, or a private Harbor).
  • Write credentials for that registry, supplied at install time.

Network Egress

In the hybrid deployment model, the cluster needs outbound HTTPS access to:

  • Zuplo's private container registry, to pull Zuplo's component images (credentials provided during onboarding).
  • Zuplo cloud services, used for deployment configuration and management API authentication.
  • Your ACME certificate authority, if using automatic certificates.

The exact hostnames for your egress allow-list are provided during onboarding. If your environment can't allow this egress, book a meeting to review options with the Zuplo team.

Provided by Zuplo During Onboarding

  • Credentials to pull Zuplo component images from Zuplo's private registry.
  • Your account configuration and an API key for the management API.
  • The Helm chart, an installation guide, and a starter configuration reviewed with your team.

Observability

The chart bundles a Prometheus-based metrics stack that Zuplo components use for autoscaling gateway deployments. You can integrate your own logging and monitoring stack alongside it; gateway and component logs are written to standard output for collection by your log shipper.

Getting Started

To learn more about self-hosting Zuplo or to discuss your specific requirements, book a meeting with the Zuplo team.

Edit this page
Last modified on July 2, 2026
Managed EdgeOverview
On this page
  • How It Works
  • Deployment Models
    • Hybrid Deployment
    • Restricted-Egress Environments
  • Responsibilities
  • Requirements
    • Kubernetes Cluster
    • DNS and TLS
    • Container Registry
    • Network Egress
    • Provided by Zuplo During Onboarding
    • Observability
  • Getting Started