Self-hosted, self-managed Retool quickstart
Learn about the fundamental concepts of a self-hosted, self-managed Retool deployment.
This guide serves as an introduction to self-hosted Retool. It covers many of the concepts and terminology you would come across when deploying and operating a self-hosted instance of Retool. After reading this page, you should have a good understanding of self-hosted, self-managed Retool.
Each instance uses a distributed set of containers with services for different functions. These work together to securely run the platform within your VPN or VPC.
Kubernetes with Helm is the officially supported production deployment configuration. For new deployments, Retool provides Terraform blueprints to provision all required infrastructure and deploy Retool via Helm automatically. Customers with existing Kubernetes infrastructure can also deploy directly using Helm.
| Deployment path | Production | Testing | Description |
|---|---|---|---|
| Kubernetes + Helm | Officially supported production configuration. Requires Amazon EKS. | ||
| Docker Compose | For non-production, development, and proof-of-concept deployments only. |
Network requirements
Deployments must be allowed access to Retool's IP addresses or domains. If you make use of outbound firewall rules, include the following IP addresses or domains in its allowlist. These allow your deployment to connect to Retool's license check, user authentication, and usage reporting services.
IP addresses
35.92.202.168/29
44.211.178.248/29
35.92.202.168
35.92.202.169
35.92.202.170
35.92.202.171
35.92.202.172
35.92.202.173
35.92.202.174
35.92.202.175
44.211.178.248
44.211.178.249
44.211.178.250
44.211.178.251
44.211.178.252
44.211.178.253
44.211.178.254
44.211.178.255
Domains
licensing.tryretool.com
invites.tryretool.com
email-service.retool.com
p.tryretool.com
specs.tryretool.com
pypi.org
Each data source you use with Retool is represented by a resource, such as APIs and external databases. Your deployment instance must have access to any of its resources to interact with data.
Temporal egress
If you use Temporal Cloud for workflow and sandbox orchestration, your deployment must allow outbound access on the following ports:
| Port | Domains |
|---|---|
| 443 | *.retool.com, *.tryretool.com, *.temporal.io |
| 7233 | Your Temporal namespace endpoint. Retool-managed clusters use the format org-[sid].atdwz.tmprl.cloud, where sid is your organization's ID. Use *.tmprl.cloud if you need a wildcard rule. |
Both the MAIN_BACKEND and WORKFLOW_TEMPORAL_WORKER containers require this egress. Temporal Cloud does not publish a static IP range to allowlist.
Architecture
The following diagram shows how the containers in a self-hosted deployment interact.
Containers and services
A standard deployment instance uses the following containers and services that interact with each other. The SERVICE_TYPE environment variable values determine the services certain containers run.
| Container | Image | Repository | Services |
|---|---|---|---|
| api | backend | tryretool/backend | MAIN_BACKENDDB_CONNECTORDB_SSH_CONNECTOR |
| jobs-runner | backend | tryretool/backend | JOBS_RUNNER |
| workflows-worker | backend | tryretool/backend | WORKFLOW_TEMPORAL_WORKER |
| workflows-backend | backend | tryretool/backend | WORKFLOW_BACKENDDB_CONNECTORDB_SSH_CONNECTOR |
| code-executor | code-executor-service | tryretool/code-executor-service | No service type. |
| js-executor | js-executor-service | tryretool/js-executor-service | No service type. |
| agent-sandbox | agent-sandbox-service | tryretool/agent-sandbox-service | No service type. |
api
The api container manages the core functionality for a Retool instance, such as:
- Frontend interactions (e.g., building apps and workflows).
- Hosting apps and workflows.
- Managing users and permissions.
- Services
- Network ingress and egress
- Replicas
MAIN_BACKEND
The core service for a Retool deployment instance. It handles most logic for frontend interactions.
DB_CONNECTOR
Handles query requests to resources (databases, APIs, etc.).
DB_SSH_CONNECTOR
Manages connections for DB_CONNECTOR.
api requires ingress from client interactions, such as loading an app in a browser. These are typically handled by a load balancer (e.g., nginx) which proxies the requests.
| Container | Network ingress | Network egress |
|---|---|---|
| code-executor | ||
| Platform database | ||
| retooldb-postgres | ||
| Temporal | ||
| Resources |
You can replicate api as you scale to manage higher volumes of workflow traffic.
jobs-runner
The jobs-runner container manages background tasks, runs database migrations for Retool version upgrades, and Source Control.
- Services
- Network ingress and egress
- Replicas
JOBS_RUNNER
Performs database migrations and manages Source Control.
| Container | Network ingress | Network egress |
|---|---|---|
| Platform database |
You must not replicate jobs-runner. It performs tasks and migrations that must be performed as a single container.
workflows-worker
The workflows-worker container continuously polls the Temporal Cluster for tasks required to either start or execute blocks within a workflow. It makes requests to code-executor to execute blocks and process results, then reports back to Temporal to continue or complete workflow execution.
- Services
- Network ingress and egress
- Replicas
WORKFLOW_TEMPORAL_WORKER
Polls the Temporal Cluster for tasks required to start or execute workflow blocks.
| Container | Network ingress | Network egress |
|---|---|---|
| code-executor | ||
| Platform database | ||
| retooldb-postgres | ||
| Temporal | ||
| Resources |
You can replicate workflows-worker as you scale to manage higher volumes of workflow traffic.
workflows-backend
The workflows-backend container receives and processes requests from code-executor to process workflows. It also handles the upload of workflows logs, block results, and run status updates.
- Services
- Network ingress and egress
- Replicas
WORKFLOW_BACKEND
Handles query, retry, and asynchronous logic.
DB_CONNECTOR
Handles query requests to resources (databases, APIs, etc.).
DB_SSH_CONNECTOR
Manages connections for DB_CONNECTOR.
| Container | Network ingress | Network egress |
|---|---|---|
| code-executor | ||
| Platform database | ||
| retooldb-postgres | ||
| Temporal | ||
| Resources |
You can replicate workflows-backend as you scale to manage higher volumes of workflow traffic.
code-executor
The code-executor container executes single block runs from the Workflows IDE, multiple blocks as part of a workflow execution, and any arbitrary user code written in a workflow. It executes JavaScript and Python code directly, or makes requests to workflows-backend to run resource queries against databases, APIs, etc.
- Services
- Network ingress and egress
- Replicas
By default, the code-executor uses nsjail to sandbox code execution. nsjail requires privileged container access. If your deployment does not support privileged access, the code executor automatically detects this and runs code without sandboxing.
| Container | Network ingress | Network egress |
|---|---|---|
| api | ||
| workflows-backend | ||
| workflows-worker |
You can replicate code-executor as you scale to manage higher volumes of workflow traffic.
js-executor
The js-executor container provides a sandboxed JavaScript execution environment for backend functions. It does not require privileged container access.
- Services
- Network ingress and egress
- Replicas
js-executor does not use a SERVICE_TYPE environment variable.
| Container | Network ingress | Network egress |
|---|---|---|
| api |
You can replicate js-executor to handle higher volumes of traffic.
agent-sandbox
The agent-sandbox manages the app editing experience. Each active builder session runs in an isolated sandbox pod with a web server for app previews and a WebSocket connection to the builder's browser. Uses gVisor for secure isolation without requiring root access.
Internally, the agent sandbox consists of:
- A controller that creates and destroys sandbox pods
- A proxy that routes browser connections to the correct sandbox
- A device plugin DaemonSet that manages sandbox resources on each node
- An r2-worker that handles sandbox coordination
- Per-session job pods that run the sandbox workload
A prewarm pool of idle sandbox pods (default: 5) reduces startup latency for new editing sessions. This is configurable down to 0 if cost is a higher priority than session readiness.
- Services
- Network ingress and egress
- Replicas
agent-sandbox does not use a SERVICE_TYPE environment variable. It runs as multiple cooperating pods managed by the sandbox controller.
The agent-sandbox-proxy requires a dedicated subdomain (e.g., agent-proxy.yourdomain.com), separate from the main Retool domain. Wildcard DNS and a wildcard TLS certificate (e.g., *.yourdomain.com) are required — a single-hostname certificate will not cover the proxy subdomain and will cause TLS failures.
| Container | Network ingress | Network egress |
|---|---|---|
| Browser (via proxy subdomain) | ||
| api | ||
| Kubernetes API (controller) |
Sandbox job pods auto-scale based on active builder sessions — each open editing session requires approximately one pod. The controller, proxy, and r2-worker do not need to be replicated. Prewarm pool size is configurable (default: 5).
retooldb-postgres
You can optionally configure your deployment to use Retool Database with a separate PostgreSQL database. You can use retooldb-postgres to get started but Retool recommends you migrate to an externally hosted database for use in production.
Other dependencies
Self-hosted deployment instances have additional dependencies.
Platform database
Your deployment must be able to connect to the externalized platform database and have access to it.
Blob storage
Object storage is required for app storage, Git repository storage, and agent sandbox snapshots. This is the only stateful dependency that is not automatically provisioned — you must configure it via environment variables or an in-product setup flow.
Supported providers:
- Amazon S3 (IAM keys or IAM roles)
- Azure Blob Storage
- Google Cloud Storage (service account keys)
For Docker Compose deployments, a bundled MinIO container provides local blob storage suitable for development and POC environments.
Resources
Each data source you use with Retool is represented by a resource, such as APIs and external databases. Your deployment instance must have access to any of its resources to interact with data.
Temporal
Temporal is a distributed system used to schedule and run asynchronous tasks for Retool Workflows and Retool Agents. A self-hosted Retool instance uses a Temporal cluster to facilitate the execution of each workflow amongst a pool of self-hosted workers that make queries and execute code in your VPC. Temporal manages the queueing, scheduling, and orchestration of workflows to guarantee that each workflow block executes in the correct order of the control flow. It does not store any block results by default.
You can use a Retool-managed cluster on Temporal Cloud, which is recommended for most use cases. You can also use an existing self-managed cluster that is hosted on Temporal Cloud or in your own infrastructure. Alternatively, you can spin up a new self-hosted cluster alongside your self-hosted Retool instance.
In general, Retool recommends using a Retool-managed Temporal Cluster. You can also use either:
- A self-managed external cluster: Either Temporal Cloud or self-hosted within your infrastructure.
- A local cluster: A self-hosted cluster within your self-hosted Retool instance.
| Retool-managed | self-managed external | Local | |
|---|---|---|---|
| Hosting | Externally on Temporal Cloud | Either externally on Temporal Cloud or self-hosted internally within your own VPC | Locally as part of the self-hosted Retool instance |
| Availability | All self-hosted Retool instances (3.6.14+) on an Enterprise plan | All self-hosted Retool instances and for purposes outside of Retool. | Only to the self-hosted Retool instance |
| Management | Managed by Retool | self-managed on Temporal Cloud, self-managed and self-hosted if within your own VPC | self-managed and self-hosted |
| Scale and performance | At least 4 AWS regions are available to choose from | If using Temporal Cloud, at least 10 AWS regions are available to choose from; if self-hosted, low latency due to hosting within your infrastructure | Low latency due to local deployment alongside self-hosted Retool |
| Uptime | 99.99% uptime | 99.99% uptime | Dependent on DevOps |
| Configuration | Minimal | Moderate | High |
| Cost | No minimum contract | See Temporal Cloud pricing | No contract |
| Security | Resource-isolated namespace in a Temporal Cloud cluster, in which only orchestration data (workflow IDs and block names) is stored; all data encrypted with private key | Only orchestration data (internal Workflow IDs, and encrypted Workflow block names, user IDs, Workflow name, host name, and base domain), is stored in Temporal Cloud. All other data remains internal on VPC for self-hosted. | All data remains local to the self-hosted Retool instance |
Temporal is also required for agent sandbox lifecycle orchestration. Two options are supported:
- Temporal Cloud (recommended) — stores only encrypted job coordination metadata; no customer data leaves your deployment's encryption boundary
- BYO Temporal — customer-managed; Retool does not provide support for this option
Configure Temporal via the in-product setup in the Workflows section after deploying.
Docker images
Retool uses Docker images that configure the containers and their respective services. Each container runs one or more services to distribute functionality. This approach allows for efficient scaling of a Retool deployment instance as needs grow.
Retool maintains image repositories on Docker Hub:
- The backend image is used for most containers and services.
- The code-executor-service image is used to execute blocks of code in Retool Workflows.
- The js-executor-service image is used for backend function execution.
- The agent-sandbox-service image is used for the agent sandbox.
Each Docker Hub repository tag corresponds to a particular version of Retool. You specify the version to use when deploying or upgrading a release. For instance:
-
tryretool/backend: X.Y.Z-stable
-
tryretool/code-executor-service: X.Y.Z-stable
Always use the same version number across every image.
Releases
Retool maintains two release channels for self-managed Retool: Stable and Edge.
- Stable
- Edge
Retool releases a version on the stable channel each quarter. A stable release is generally four versions behind the cloud-hosted version at the time.
Preparation and testing of a stable version occurs approximately four weeks prior to its release. Stable releases are rigorously tested before they are published. As the release cycle is less frequent, administrators can more easily maintain and upgrade deployments.
Retool supports each stable release for six months. During this time, Retool will release patch updates that contain bug fixes or security updates. Patch updates do not contain functionality changes and can be applied more quickly than performing a full version upgrade.
Retool provides versioned product documentation for supported stable releases. When browsing Retool Docs, use the version dropdown menu in the navbar to switch to a relevant version.
After six months, a stable release is considered deprecated. You can continue using a deprecated release but it will no longer receive updates. At this time, you should upgrade to the latest stable release.
Releases on the Edge channel occur weekly. Each release occurs one week after the equivalent release for cloud-hosted Retool.
Edge releases are available for organizations that want the latest features or to use closed beta functionality. Retool recommends most organizations use Stable releases unless you have a specific need for Edge releases and can keep your deployment up-to-date.
Retool supports only the most recent release on the Edge channel. As Edge releases are weekly, bug fixes and improvements are included in the next release. All previous releases are then considered deprecated.