Running Authorization On-Prem and Inside Your Own VPC
Authorization so modern you can run it on-prem
Security, compliance, and operational control have always come first at Permit.io. From day one our enterprise customers pushed us to support their security models - whether fully managed, hybrid, or entirely self-hosted inside private environments. Many security teams still want authorization inside their walls, sometimes in traditional data centers, increasingly inside private cloud accounts and VPCs.
Today we’re making that path dramatically simpler. We’ve released a new, comprehensive on-premise deployment guide that shows exactly how to run the full Permit.io Platform on your own infrastructure - with your data, your keys, and your networking boundaries, all under your control.
What “on-prem” means in 2025
For modern enterprises, “on-prem” rarely means racks and colo cages anymore — it means your cloud, your VPC, your clusters. Our new documentation covers:
A full platform installation for Kubernetes
A dedicated path for deploying PDPs (policy decision points) close to your services
Clear boundaries so data paths, secrets, and logs remain inside your environment
And critically, you still use the same APIs, SDKs, Git-based workflows, and policy editor your teams already rely on.
Compliance, without compromise
Our Enterprise plan includes our SOC 2 Type II certification alongside HIPAA, GDPR, and CCPA compliance. For organizations that need to prove data locality or satisfy strict regulatory boundaries, running Permit.io inside your VPC offers maximum assurance.
Kubernetes-native by design
Permit.io ships as containerized microservices with a Helm-first operational model. Installation, upgrades, and rollback are predictable, auditable, and CI-friendly.
Air-gapped ready
Installer bundles include Docker images as .tar archives — no public registry access required.
Choose your deployment model
Full cloud: Permit.io runs as a managed service while your apps call PDPs as usual.
Hybrid: run PDPs close to your services while using the managed control plane. This is still our default and most recommended option: it avoids the high setup costs of a full on-prem deployment while meeting most (if not all) of the security and compliance requirements.
Full on-prem: run the full Permit.io Platform and PDPs inside your environment. (See the docs overview and on-prem install guides.)
What is available right now
We have opened a full On-Premises section in the docs that includes:
Installation Guide with a unified Helm installer for the platform
Deploying PDP with a dedicated Helm chart, including OpenShift options
Management, prerequisites, quick start, reference, and troubleshooting
You can browse the category index and the specific how-to pages in the docs preview linked from the public pull request.
How it works at a glance
1) Install the Permit.io Platform in your cluster.
The on-prem installer deploys three Helm charts in sequence: third-party services like Postgres and Redis, migrations, then the Permit.io services layer. Secrets are generated and stored in Kubernetes, and the package contains all needed images for air-gapped installs.
2) Add PDPs for enforcement close to your apps.
After the platform is up, deploy PDPs with the official Helm chart. You can target standard Kubernetes or OpenShift, scale replicas for high availability, and point PDPs at your local control plane service.
3) Keep policy and configuration in Git.
Use the same Permit.io policy workflows you already use in the cloud. The on-prem docs show how the platform syncs policy from your repo, and how PDPs consume updates.
Architecture highlights for platform teams
PDP as a horizontal scale unit
Run a cluster of PDPs behind your load balancer. Keep evaluation near services to reduce latency, and scale out when traffic grows.
Helm-first operations
The platform and PDPs are managed by Helm, which makes upgrades and rollbacks predictable. The docs include exact commands, values, and health checks you can automate in CI.
Works with OpenShift
The PDP chart has OpenShift flags and guidance for SCCs. The deployment page covers the required values and verification steps.
Why this matters to security and compliance
Security teams want clear boundaries and repeatable installs. With the on-prem path:
Data, secrets, and logs stay inside your VPC.
You can meet contractual needs that require private networking or air-gapped environments.
Enterprise compliance is supported by plan, and deployment options now include full on-prem in addition to cloud and hybrid.
Quick start checklist
Check prerequisites for the on-prem install, then run the unified installer in your Kubernetes cluster.
Deploy PDPs with the Helm chart and verify health using the steps in the guide.
Point your apps at the in-cluster PDP service and start authorizing requests.
FAQ
Is this only for traditional (physical) data centers?
No. Most customers deploy inside their own cloud accounts and private clusters. The docs and examples are written with that in mind.
Can I run in an air-gapped network?
Yes. The installer package includes images as tar files so you can load them into a private registry, then install without egress.
How do I scale?
Permit is cloud-native and K8s first.
PDPs scale easily: increase PDP replicas and place them near services. The Helm chart supports replicaCount and resource limits, and the PDP overview explains clustered topologies behind a load balancer. The same is true for all the backend components of the
Who can use Permit.io on-prem?
The on-prem offering is available for customers under Permit’s enterprise tier.
Is the tagline here inspired by FusionAuth’s?
Yes, 100% - FusionAuth have been an inspiration for me thinking of on-prem, and their tagline was too good not to reference in this context.
Until next time,
Or


