Self-Hosting

Self-hosted (on-prem) deployment allows you to run Confident AI entirely within your own infrastructure, giving you complete control over your data and security posture.

On-premise deployments are only available for customers with Enterprise licenses. Talk to us to inquire about one.

Overview

Confident AI supports self-hosted deployments on major cloud providers:

Why self-host?

Self-hosting is beneficial mainly from a security and data standpoint:

  • Data sovereignty — All data stays within your infrastructure and chosen region. No data is ever sent to Confident AI systems.
  • Compliance requirements — Meet regulatory requirements (SOC 2, HIPAA, GDPR, FedRAMP) by keeping sensitive data in your controlled environment.
  • Network isolation — Run entirely within your private network with no public internet exposure.
  • Custom integrations — Connect to internal systems, self-hosted LLMs, and existing infrastructure without leaving your network.

Network security

All self-hosted deployments follow a fully private model with no inbound internet access:

  • All services run in private subnets with no direct internet exposure
  • Load balancer is internal-only, accessible via VPN or network peering to your corporate network
  • Authentication is entirely internal—user credentials and sessions never leave your network (except for SSO providers like Okta or Azure AD if configured)
  • Outbound internet access is limited to:
    • Pulling container images from your cloud provider’s container registry
    • LLM API calls for evaluations (depends on your setup)
    • Email/Slack notifications (optional)

Layer       Method
In transit  TLS 1.2+ for all internal and external traffic
At rest     Cloud-native encryption (KMS or equivalent)
Secrets     Cloud secrets manager with encryption

For fully air-gapped deployments without any outbound access, contact Confident AI for offline image delivery and self-hosted LLM evaluation options.

Deployment timeline

Typical enterprise deployment takes 2-4 weeks end-to-end:

Phase                        Duration  Notes
Security & Access Review     3-7 days  Approvals for IAM roles, service accounts, and network access
DNS & Certificate Setup      2-5 days  Domain delegation, certificate requests, DNS team coordination
Infrastructure Provisioning  1-2 days  Terraform apply, troubleshooting quota limits or naming conflicts
Kubernetes Deployment        1-2 days  Secrets configuration, image pull access, ingress setup
Testing & Validation         2-3 days  End-to-end testing, security scans, load testing
Go-Live & Handoff            1-2 days  Documentation, runbook review, on-call setup

Common delays: permission requests stuck in approval queues, DNS changes requiring change tickets, security reviews for VPC peering or firewall rules.

Next steps

Self-hosted deployments are only available for Enterprise customers and are not self-served. To get started:

  1. Contact Confident AI here (or, for existing users, in your private support channel) to discuss your requirements and obtain an Enterprise license
  2. Once approved, we will provide container images for your chosen cloud provider’s registry (AWS ECR, Azure ACR, or GCP Artifact Registry)
  3. Follow the deployment guide for your cloud provider above

Our team will work with you throughout the deployment process to ensure a successful rollout.