Retool-managed deployment quickstart

Retool-managed, self-hosted deployments are available for invoiced customers. Contact your Retool account manager to learn more.

A Retool-managed, self-hosted deployment is a customer-owned VPC hosted on Amazon Web Services (AWS) that contains a Retool-managed self-hosted instance. This provides your organization with a fully self-hosted deployment but without the overhead of setup and maintenance. You retain full ownership of, and control over, your data, encryption keys, access, and network infrastructure.

Retool-managed, self-hosted deployments are best suited for organizations that:

  • Are unable to use Retool Cloud (e.g., compliance restrictions)
  • Do not have the resources to maintain a self-hosted deployment (e.g., a limited DevOps team)

Retool uses an Infrastructure as Code approach to programmatically configure Retool-managed, self-hosted deployments. This ensures your deployment is created exactly as needed and with as little intervention as possible.

Overview

A Retool-managed, self-hosted deployment consists of two infrastructure layers:

  • The support layer represents the foundation of a deployment.
  • The services layer represents the resources for the self-hosted instance.

You have full ownership and control over every aspect of a deployment. Retool only has access to what's required for managing the self-hosted instance.

Support layer

The support layer represents the core resources needed for a deployment, such as:

  • The VPC on which the instance runs.
  • Secrets used by the instance, such as encryption keys and environment variables.
  • Access management configuration that governs what Retool has access to, such as IAM policies.
  • External network configuration for users to access the instance, such as DNS and VPN networking.

This layer is configured in such a way that Retool can securely access the VPC to manage the self-hosted instance without access to the rest of your infrastructure or data.

Retool does not create or configure the support layer directly. This is by design to ensure that Retool has no access to your external infrastructure and data. Instead, Retool works with you to create this layer automatically with a 1-click CloudFormation template.

The VPC includes the Runner VM: a dedicated service that receives instructions from Retool—such as performing an update—and then executes them on the Retool-managed, self-hosted instance.

Services layer

The services layer represents the resources for the self-hosted instance, such as the Kubernetes cluster, databases, and internal network configuration. Retool manages most of these resources for you.

Retool can only interact with your instance via the Runner VM, which operates in the support layer.

Deployment process

Retool works with you throughout the entire deployment process. In general, there are four steps to deploy the instance:

  1. Prepare for the deployment. Retool works with you to prepare the right configuration for the deployment.
  2. Create the support layer. You set up the deployment's support layer on AWS using resources and guidance from Retool.
  3. Create the services layer. Retool creates the services layer and configures the instance.
  4. Enable access. You update the DNS configuration so network traffic can route to the instance, giving users access and completing the deployment.

A Retool-managed, self-hosted deployment can be completed within 24 hours if all information is provided and tasks are completed as soon as they're needed.

1. Prepare for the deployment

At the beginning of the process, Retool asks you about your deployment preferences, such as:

  • The AWS region in which to deploy.
  • The instance domain.
  • If you need to migrate from an existing instance.
  • Whether you need to make any custom configuration changes.

As part of the preparation, you create a new AWS account that's solely used for the deployment.

2. Create the support layer

Once preparation is complete, Retool produces a CloudFormation template for you. This is shared with your AWS admin as a 1-click install link that starts the CloudFormation stack setup on AWS.

Once your admin populates AWS Secrets Manager with encryption keys and environment variables, they use the template to perform the setup process. Once complete, the services layer can then be created.
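
Because the template defines the IAM configuration that governs what Retool can access, an admin may want to check which principals it trusts and where it grants wildcard permissions before launching the stack. The following is an added example, not Retool's tooling or template: the template contents, role name, and account IDs are constructed, and it assumes the template is available in JSON form.

```python
import json

# Constructed sample template in JSON form; NOT Retool's actual template.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "VendorAccessRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]},
        "Policies": [{"PolicyName": "manage", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["eks:*"], "Resource": "*"},
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
             "Resource": "arn:aws:secretsmanager:us-east-1:444455556666:secret:app/*"},
        ]}}]}},
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
}})

def as_list(value):
    """IAM policy fields accept either a single value or a list."""
    return value if isinstance(value, list) else [value]

def audit_template(template_text, own_account_id):
    """Return (role, kind, detail) findings for IAM roles in the template."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trust = props.get("AssumeRolePolicyDocument", {}).get("Statement", [])
        for stmt in as_list(trust):
            principal = stmt.get("Principal", {})
            if principal == "*":
                findings.append((name, "external-trust", "*"))
                continue
            for arn in as_list(principal.get("AWS", [])):
                # Anything not provably in our own account needs a human look,
                # including unresolved intrinsics such as Fn::Sub.
                if not (isinstance(arn, str) and own_account_id in arn):
                    findings.append((name, "external-trust", str(arn)))
        for policy in props.get("Policies", []):
            for stmt in as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                wild = [a for a in as_list(stmt.get("Action", [])) if str(a).endswith("*")]
                if wild and "*" in as_list(stmt.get("Resource", [])):
                    findings.append((name, "wildcard", ",".join(map(str, wild))))
    return findings

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE, "444455556666"):
        print(finding)
```

A finding is a prompt for review, not proof of a problem: an external trust entry is expected for a vendor-managed deployment, and the point is to confirm it names only the account and scope you agreed to.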

3. Deploy the services layer

The Runner VM automatically creates the resources that make up the services layer, such as the EKS cluster and PostgreSQL databases. This process is fully automated using instructions provided by Retool.

4. Enable access

With the instance deployed and running, the final step is to configure the deployment's DNS records using the information provided by Retool so that it can be accessed by users. If you've requested additional network options for use with the instance, Retool can also provide guidance but cannot configure them directly.

Patch updates and release upgrades

For deployments with multiple environments (e.g., staging), Retool may update these a few days prior to the production environment to avoid disruption.

Retool manages all updates and upgrades for your deployment. Your instance runs the latest stable release by default and is kept up-to-date with security patches.

All services used by the instance, such as Amazon RDS for PostgreSQL, follow the officially maintained or long-term support (LTS) release cycle and are kept up-to-date. This includes updating to a newer LTS release once the current one reaches its end-of-life.

Migrate from an existing instance

Retool can help customers migrate from an existing Retool Cloud or self-hosted instance to a Retool-managed, self-hosted deployment.

Customers on the Enterprise plan with a Retool Cloud organization can request a migration to a Retool-managed, self-hosted deployment. To arrange a migration, contact your Retool account manager.