Feb 2, 2026

On-Premise & Air-Gapped Deployment

Deploy Kestrel in your own cloud environment with full data sovereignty. Standard deployment with internet access, or fully air-gapped using VPC/Private endpoints.

Raman Varma

For organizations with strict data residency requirements, regulatory compliance needs, or air-gapped environments, running Kestrel in a SaaS model isn't an option. Today, we're launching On-Premise & Air-Gapped Deployment - deploy Kestrel in your own cloud environment with complete control and data sovereignty.

Two Deployment Models

Kestrel now supports two deployment models for on-premise installations:

  • Standard Deployment

    Your Kubernetes cluster has internet access. Pull images directly from our container registry, access LLM services via regional endpoints, and integrate with GitHub, Slack, and PagerDuty via public APIs. This is the simplest deployment model for organizations without strict network isolation requirements.

  • Air-Gapped Deployment

    No internet access required. All external services are accessed via VPC endpoints - Amazon Bedrock, Secrets Manager, and ECR. Integrate with GitHub Enterprise Server for IaC workflows. Used by customers in defense, financial services, and other highly regulated industries.

Multi-Cloud Support

Deploy Kestrel on AWS, GCP, Azure and OCI. Each cloud provider has native integrations:

  • AWS - EKS, ECR, Amazon Bedrock, Secrets Manager, RDS, ElastiCache
  • GCP - GKE, Artifact Registry, Vertex AI, Secret Manager, Cloud SQL, Memorystore
  • Azure - AKS, ACR, Azure OpenAI, Key Vault, Azure Database, Azure Cache
  • OCI - OKE, OCI Container Registry, OCI Generative AI Service, OCI Secret Management, OCI Managed Relational Databases, OCI Cache with Redis

Guided Deployment Wizard

Our new deployment wizard walks you through every step of the on-prem setup process:

  1. Cloud Provider Selection - Choose AWS, GCP, Azure, or OCI
  2. Deployment Type - Standard or air-gapped
  3. LLM Configuration - Select your LLM provider and model
  4. Infrastructure - Configure container registry, IAM roles, databases, and ingress
  5. GitHub Integration - Connect GitHub.com or GitHub Enterprise Server for IaC workflows
  6. Generate Config - Generate ready-to-apply Helm values with a single click
  7. Download & Deploy - Pull images, create secrets, and Helm install

Air-Gapped Private Endpoints

For air-gapped deployments, Kestrel guides you through creating the required private endpoints for your cloud provider:

  • LLM Service Access

    AWS VPC Endpoints for Bedrock, GCP Private Service Connect for Vertex AI, Azure Private Endpoints for Azure OpenAI, or OCI Service Gateway for OCI Generative AI

  • Container Registry

    Private access to ECR (AWS), Artifact Registry (GCP), Azure Container Registry, or OCI Container Registry without traversing the public internet

  • Secrets Management

    Private endpoints for AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, or OCI Secret Management to retrieve credentials at runtime

The wizard provides cloud-specific, step-by-step instructions for creating each endpoint, including security group configuration and private DNS settings.

GitHub Enterprise Server Integration

Air-gapped deployments can integrate with GitHub Enterprise Server for IaC workflows:

  • Create a GitHub App on your Enterprise Server with repository permissions
  • Configure network connectivity (same VPC or VPC peering)
  • Store credentials securely in AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, or OCI Secret Management
  • Enable PR creation for GitOps and IaC fixes directly from Kestrel

Unified Helm Chart

Deploy all Kestrel services with a single Helm chart. The wizard generates a customized kestrel-values.yaml based on your configuration:

helm install kestrel oci://ghcr.io/kestrelai/charts/kestrel \
  --version 1.0.0 \
  -f kestrel-values.yaml \
  -n kestrel --create-namespace

For air-gapped environments, download both the Helm chart and values file, then install from local files.
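
The local-file install described above, as an added example (not Kestrel's own tooling): pull the chart on a connected host, record SHA-256 digests of the chart and values file, and on the air-gapped host install only if both files still match. The chart reference, version, values file name and namespace come from the command above; the manifest file name and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Chart reference, version, values file and namespace are taken
# from the page; MANIFEST and all function names are assumptions.
CHART_REF="oci://ghcr.io/kestrelai/charts/kestrel"
CHART_VERSION="1.0.0"
CHART_TGZ="kestrel-${CHART_VERSION}.tgz"   # <name>-<version>.tgz, as written by helm pull
VALUES="kestrel-values.yaml"
MANIFEST="kestrel-artifacts.sha256"        # hypothetical manifest name

# Connected host: fetch the chart next to the wizard-generated values file and
# record the digest of every file that will cross the air gap.
stage_artifacts() {
  helm pull "$CHART_REF" --version "$CHART_VERSION" || return 1
  sha256sum "$CHART_TGZ" "$VALUES" > "$MANIFEST"
}

# Air-gapped host: succeed only if the manifest exists and every listed file
# is present and matches its recorded digest.
verify_artifacts() {
  local dir="$1"
  [ -s "$dir/$MANIFEST" ] || { echo "missing or empty $MANIFEST" >&2; return 1; }
  ( cd "$dir" && sha256sum -c "$MANIFEST" )
}

# Air-gapped host: install from the local chart archive, never from the registry,
# and refuse to install if the transferred files were altered or truncated.
install_from_local() {
  local dir="$1"
  verify_artifacts "$dir" || { echo "integrity check failed; not installing" >&2; return 1; }
  helm install kestrel "$dir/$CHART_TGZ" \
    -f "$dir/$VALUES" \
    -n kestrel --create-namespace
}

# Usage:
#   connected host:   stage_artifacts    (then transfer the three files)
#   air-gapped host:  install_from_local /path/to/transferred/files
```

Carry the manifest over a separate channel from the chart and values file where possible, so that one compromised transfer path cannot replace both the files and their digests.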

Native Workload Identity

Kestrel integrates with each cloud provider's native workload identity system for secure, keyless authentication:

  • AWS: IRSA (IAM Roles for Service Accounts), EKS Pod Identity, or Node IAM Role
  • GCP: Workload Identity Federation for GKE service accounts
  • Azure: Azure AD Workload Identity or Managed Identity for AKS pods
  • OCI: OKE Workload Identity or Instance Principal authentication

Database Setup

Use bundled databases (deployed with the Helm chart) for quick setup, or connect to your existing managed databases:

  • PostgreSQL - Bundled or external RDS/Cloud SQL/Azure SQL DB/OCI PostgreSQL DB
  • Redis - Bundled or external ElastiCache/Memorystore/Azure Cache/OCI Cache with Redis
  • Elasticsearch/OpenSearch - Optional, for advanced log search and analysis

Getting Started

On-premise deployment is available now for customers with the on-prem entitlement. Navigate to Integrations → On-Premise Deployment to launch the deployment wizard. The wizard will guide you through configuration, generate your Helm values, and provide step-by-step deployment instructions.

For questions or assistance with on-prem deployment, contact hello@usekestrel.ai.