Skip to main content

Self-hosted Retool requirements

Deploying Self-hosted Retool on your own infrastructure lets you build applications with data in your virtual private cloud (VPC) or behind your virtual private network (VPN). Businesses in the healthcare and finance industries often deploy Retool to remain compliant.

You can self-host Retool on a variety of platforms using a Docker image provided by Retool. The available deployment methods vary in complexity and scalability, so you should choose an option that lets you get started quickly, is provisioned appropriately, and sets you up for long-term success.

Choose between a single VM deployment or an orchestrated container deployment method based on your background and use case.


If you're evaluating a large production use case or need Enterprise plan features, book a demo to learn more.

Single VM deployments

Use a Docker Compose-based method to deploy Retool if you and your team:

  • Are currently evaluating Retool or deploying Retool for the first time
  • Have less experience with Docker or DevOps concepts
  • Need a lightweight, low cost, and low maintenance deployment method
  • Want to deploy Retool on a small-scale or single-server environment

Orchestrated deployments

More complex and scalable deployment methods, such as Kubernetes or Elastic Container Service (ECS), might be appropriate if you and your team:

  • Already use the chosen deployment method
  • Have experience with Docker or DevOps concepts
  • Require scalability, high availability, and resilience

Hardware requirements

Resource requirements vary depending on your usage.

Single VM deployments

Retool images run on Linux machines using x86 processors. arm64 is currently not supported. The following table shows the minimum recommended allocations for Retool deployments with and without Retool Workflows.

RetoolRetool with Workflows
Memory (GiB)812
Storage (GiB)6060

The 60 GiB of storage is required to support the PostgreSQL container included by default in Retool's deployment configuration files.

Orchestrated deployments

When deploying Retool using container orchestration tools such as Kubernetes, your cluster should contain at least one node that matches the specifications above. Refer to deployment guides and your provider's documentation for more detail.

Storage database

By default, all deployments include a containerized instance of PostgreSQL alongside Retool, but it is possible and recommended to externalize the database to support a stateless deployment.

The minimum recommended version for the PostgreSQL database is version 13. Your PostgreSQL database must also enable the uuid-ossp module and use the Read Committed isolation level.

Network requirements

Changes to Retool IP addresses (December 2022)

The following IP address information recently changed. If your Self-hosted Retool deployment makes use of outbound firewall rules, ensure they are up-to-date. Learn more about Retool's IP address changes.

Retool Self-hosted organizations must ensure that their deployments allow access to Retool's IP addresses or domains. If you make use of outbound firewall rules, include the following IP addresses or domains in its allowlist. These allow your deployment to connect to Retool's license check, user authentication, and usage reporting services.

CIDR IP addresses
Individual IP addresses

Test the connection

You can test your changes within Retool to make sure your deployment can reach the new IP addresses:

  1. Sign in to Retool and navigate to the Query Library.
  2. Click + New to create a new query.
  3. Select the REST resource and GET action type.
  4. Set the URL to
  5. Click Save to save the query, then click ▶ to run the query.
  6. If the query returns a 200 status and OK status text, your deployment can successfully reach the new IP addresses.

Query to test the connection

HTTP proxy connections

Retool supports connections to the internet through a HTTP proxy. Add HTTP_PROXY= to your deployment's docker.env file with the required URL and port number.

License checks

Retool uses HTTP to connect to on port 443 to verify your license. License checks are made at least once a day.

Inviting users

Retool connects to and on port 443 when inviting users. Retool verifies the users are authorized under your current billing plan, and then sends an invite to their email address.

Usage reporting

Retool sends application usage information to on port 443, which is used to inform product decisions. Some examples include:

  • Page views, along with the page URL.
  • Query saves, including the query name and type.
  • Component creation and the component type.
  • Query preview, including the query name and type.
  • Adding a resource, including the resource name and type.

Events are also sent with the hostname, public IP address, browser user-agent string, and the user's email address.