Skip to main content

Deploy Self-hosted Retool on Azure Virtual Machines

Learn how to deploy Self-hosted Retool on an Azure Virtual Machines with Docker Compose.

You can deploy an instance of Self-hosted Retool on Azure Virtual Machines with Docker Compose.

Requirements

To deploy Retool, you need:

VM configuration

Self-hosted Retool instances require a Linux-based virtual machine that meets the following requirements:

  • Ubuntu 22.04 or later.
  • 16GiB memory.
  • 8x vCPUs.
  • 60GiB storage.
  • curl and unzip software packages installed.

Retool recommends you allocate more resources than the minimum requirements so that your instance can more easily scale.

Temporal

Temporal is a distributed system used to schedule and run asynchronous tasks for Retool Workflows. A Self-hosted Retool instance uses a Temporal cluster to facilitate the execution of each workflow amongst a pool of self-hosted workers that make queries and execute code in your VPC. Temporal manages the queueing, scheduling, and orchestration of workflows to guarantee that each workflow block executes in the correct order of the control flow. It does not store any block results by default.

You can use a Retool-managed cluster on Temporal Cloud, which is recommended for most use cases. You can also use an existing self-managed cluster that is hosted on Temporal Cloud or in your own infrastructure. Alternatively, you can spin up a new self-hosted cluster alongside your Self-hosted Retool instance.

Recommended

You should use a Retool-managed cluster if:

  • Your organization is on the Enterprise plan.
  • You don't have an existing cluster which you prefer to use.
  • Your cluster only needs to be used for a Self-hosted Retool deployment.
  • You don't want to manage the cluster directly.
  • You have a single or multi-instance Retool deployment, where each instance requires its own namespace.

Retool admins can enable Retool-managed Temporal. To get started, navigate to the Retool Workflows page and click Enroll now. Once you update your configuration, return to the page and click Complete setup.

It can take a few minutes to initialize a namespace in Retool-managed Temporal.

Retool-managed Temporal clusters are hosted on Temporal Cloud. Your Self-hosted Retool deployment communicates with the cluster when building, deploying, and executing Retool Workflows. All orchestration data to Temporal is fully encrypted and uses the private encryption key set for your deployment.

System architecture

The following diagram shows the resulting system architecture for your deployment.

System architecture for a Retool instance on Azure VM

1. Create a Linux VM

Create a new Linux VM in the Azure Portal that meets the minimum requirements. Refer to the Azure documentation to learn how to create a new virtual machine.

VM SettingDescription
AuthenticationUse SSH public key authentication and provide a username. Generate a new key-pair and specify a name. Azure generates and stores the key in the Azure KeyVault to download later.
NetworkAllow SSH (22), HTTP (80), and HTTPS (443) inbound public ports. The VM must have a public IP address set for external access, or a private IP which allows egress traffic from Retool's IPs. Ensure Delete public IP and NIC when VM is deleted is enabled.
StorageSpecify Standard SSD with a size that meets or exceeds the minimum requirements. Ensure Delete with VM is enabled for the newly added data disk.

Once the VM is initialized, download the private key when prompted. Update the permissions of the key-pair to ensure it has the required permissions for your SSH client.

chmod 400 <path_to_pem_file>

2. Download Self-hosted Retool

Azure automatically runs the new virtual machine once created. Obtain the public IP address from the Azure Portal and connect to it using SSH.

ssh -i keypair.pem <username>@<public_ip>

Download or clone the retool-on-premise GitHub repository.

Download with curl
curl -L -O https://github.com/tryretool/retool-onpremise/archive/master.zip \
&& unzip master.zip \
&& cd retool-onpremise-master
Clone with git
git clone https://github.com/tryretool/retool-onpremise.git

3. Install dependencies

Run ./install.sh to prepare the Docker image. The script also installs Docker and Docker Compose if they are not already available.

4. Back up encryption key

The install script generates a value for ENCRYPTION_KEY and stores it within docker.env. This key encrypts secrets for your Retool resources. Save this key in a secure location outside of Retool.

You will need to reconfigure all resources if the encryption key is lost.

5. Configure the instance

There are four files to configure for your deployment:

FileDescription
docker.envEnvironment variables to control or override certain deployment options.
docker-compose.ymlThe Docker Compose configuration to use for the deployment.
DockerfileThe standard configuration file for Retool's Docker image.
CodeExecutor.DockerfileThe Dockerfile for the code executor Docker image.

Specify the version of Retool to use

In the Dockerfile, specify the Docker tag for the version of Retool to install, such as tryretool/backend:3.114.3-stable.

In CodeExecutor.Dockerfile, specify the Docker tag for the version of the code executor service to install. This should be the same as the version you specify in the Dockerfile.

Specify the exact version to use, such as 3.114.3-stable. This ensures you know exactly which version will be deployed.

Prepare Compose file

Retool provides two Docker Compose files from which to choose, depending on the Temporal cluster you will use:

Compose fileTemporal cluster typeConfiguration
docker-compose.ymlRetool-managed or self-managedPreconfigured for use with a Retool-managed cluster and ready to use.
docker-compose-with-temporal.ymlLocalDelete docker-compose.yml and rename docker-compose-with-temporal.yml to docker-compose.yml. You must also copy the dynamicconfig directory in retool-onpremise onto your deployment instance.

Allow your deployment to connect to Temporal

Open up egress to the public internet on ports 443 and 7233 to allow outbound-only connections to Temporal Cloud from your deployment. This is so services can enqueue work to, and poll work out, of Temporal.

Temporal Cloud does not have a static IP range to allow list. If more specificity is required, egress is required on ports on the following domains:

PortDomains
443*.retool.com, *.tryretool.com, *.temporal.io
7233*.tmprl.cloud

Set license key and disable SSL

Configure the following environment variables in docker.env:

VariableValueDescription
LICENSE_KEYYour Self-hosted Retool license key.The license key obtained from the Self-hosted Portal.
COOKIE_INSECUREtrueAllows you to use Self-hosted Retool without SSL. This variable is included in docker.env for you to uncomment.

Once you configure SSL, set COOKIE_INSECURE to false.

6. Start the instance

Run sudo docker-compose up -d to start Self-hosted Retool. This can take several minutes as the instance performs the initial setup and starts its services for the first time.

Once running, Self-hosted Retool is available at http://<your-azurevm-ip-address>/auth/signup. When you first visit the page, you must create an admin account.

You can check whether Docker containers are running with sudo docker-compose ps.

Additional configuration

When deploying a production instance of Self-hosted Retool, you should:

For ease of use and as a proof of concept, the default docker-compose configuration includes a PostgreSQL container, and it does not set up SSL. This is not suitable for production use cases, and you should host the Retool storage database on an external, managed database. Managed databases are more maintainable, scalable, and reliable than containerized PostgreSQL instances. Follow the instructions in the external storage database guide to configure your database.

Setting environment variables is also often necessary to configure SSO, source control, and other self-hosted features. See the environment variable reference for additional configuration options.

Update your Azure VM instance

Follow these instructions to update your Retool instance to a newer release version.

Retool strongly recommends that you back up the VM before performing an update. If you cannot complete a full backup, you should at least:

  • Create a snapshot of your PostgreSQL database.
  • Copy the environment variables in docker.env to a secure location outside of Retool.

To update your deployment to a newer version of Self-hosted Retool:

  1. Update the Dockerfile and CodeExecutor.Dockerfile with the newer version number. For example:
    • tryretool/backend:3.114.3-stable
    • tryretool/code-executor-service:3.114.3-stable
  2. Run ./update_retool.sh to perform the update.

The Retool instance is temporarily stopped while the update takes place and restarts automatically. Retool recommends performing the upgrade during off-peak hours to minimize downtime for users.