Keycloak Behind a VPC Private Subnet with a Secure Proxy Deployment

Understanding the Deployment Pattern
Keycloak needs public access for login flows, but placing the service directly on the public internet increases risk. A VPC private subnet keeps Keycloak hidden from direct exposure. The only way in is through a reverse proxy (Nginx, Envoy, or HAProxy) running in a public subnet that forwards traffic into the private subnet. This proxy terminates TLS, applies routing rules, and passes only approved requests to Keycloak.

Network Architecture
The basic architecture has:

  • A public subnet for the proxy.
  • A private subnet for Keycloak nodes.
  • VPC routing tables configured to allow controlled traffic between them.

Security groups should restrict inbound traffic on the proxy to only the necessary ports (443 for HTTPS), and restrict traffic from the proxy into the private subnet to the Keycloak listener port (usually 8080 or 8443). The Keycloak security group should accept that port only from the proxy; no other direct inbound route should reach Keycloak.

Keycloak Configuration
Set proxy-address-forwarding=true in Keycloak so it reads the X-Forwarded-* headers the proxy sets (client IP, scheme, and host) instead of the proxy's own connection details. If using HTTPS internally, configure certificates on Keycloak and match them with the proxy settings. Update the Keycloak hostname and frontendUrl to the public proxy address; otherwise redirects and login callbacks point at the internal address and fail with mixed content or callback errors.

Proxy Tuning
For Nginx, use proxy_set_header Host $host; and pass original client IPs with proxy_set_header X-Real-IP $remote_addr;. Ensure idle timeouts and max body sizes match Keycloak’s expected values. If using Envoy, define listeners on 443, route clusters to the private subnet targets, and enable health checks to drain failed nodes.
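The following Nginx configuration is an added example, not part of the original post or of any Keycloak or hoop.dev material. It shows the proxy side of the two sections above: TLS termination on 443 in the public subnet, an upstream pointing at Keycloak nodes in the private subnet, and the Host and X-Forwarded-* headers that proxy-address-forwarding=true relies on. It assumes two Keycloak nodes at 10.0.2.10 and 10.0.2.11 (constructed private addresses) listening on plain HTTP port 8080, the public hostname auth.example.com, and placeholder certificate paths.

```nginx
# Added example: Nginx in the public subnet, Keycloak in the private subnet.
# Assumed values: 10.0.2.10/10.0.2.11:8080 (constructed), auth.example.com,
# certificate paths are placeholders.

upstream keycloak {
    # Failed nodes are taken out of rotation after 3 failures for 30s.
    server 10.0.2.10:8080 max_fails=3 fail_timeout=30s;
    server 10.0.2.11:8080 max_fails=3 fail_timeout=30s;
    keepalive 32;
}

# Plain HTTP only redirects; nothing is forwarded to Keycloak over port 80.
server {
    listen 80;
    server_name auth.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name auth.example.com;

    ssl_certificate     /etc/nginx/tls/auth.example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/auth.example.com.key;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Login forms and token requests are small; keep request bodies bounded.
    client_max_body_size 1m;

    # Align these with the timeouts configured on the Keycloak side.
    proxy_connect_timeout 5s;
    proxy_read_timeout    60s;
    proxy_send_timeout    60s;

    # Keycloak responses can carry large Set-Cookie headers; size buffers for them.
    proxy_buffer_size 128k;
    proxy_buffers     4 256k;

    # Set at server level so every location block inherits the same headers.
    proxy_http_version 1.1;
    proxy_set_header Connection        "";
    # Host lets Keycloak build public-facing URLs; X-Real-IP carries the client address.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    # Overwrite, never append: a client-supplied X-Forwarded-For must not be trusted
    # when Keycloak has proxy-address-forwarding enabled.
    proxy_set_header X-Forwarded-For   $remote_addr;
    # Keycloak needs the original scheme and host to issue https redirects/callbacks.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    location / {
        proxy_pass http://keycloak;
    }
}
```

Because this proxy is the only path into the private subnet, X-Forwarded-For is set to $remote_addr rather than $proxy_add_x_forwarded_for; appending would let a client prepend an arbitrary address that Keycloak would then record as the originating IP. If a trusted load balancer sits in front of Nginx, use the real_ip module to extract the client address from that hop instead.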

Scaling and Maintenance
Deploy multiple proxy instances across availability zones for high availability. Auto-scaling groups keep capacity up during traffic spikes. Monitor both proxy and Keycloak logs for latency, SSL handshake issues, and blocked requests—it’s often easier to catch early failures at the proxy layer.

Security Posture
Keep Keycloak patched and restrict admin console access to VPN-only. Log all proxy requests. Rotate TLS certificates proactively. A private subnet blocks casual scans, but targeted traffic can still reach the proxy; harden it accordingly.
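To make the two proxy-side controls above concrete (admin console reachable only from the VPN, every request logged), here is an added Nginx fragment that is not part of the original post. It assumes an upstream named keycloak and the proxy_set_header directives already defined at server level, a constructed VPN address range of 10.8.0.0/16, and that Keycloak serves the admin console under /admin and realms under /realms.

```nginx
# Added example: admin-console restriction and request logging at the proxy.
# Assumed values: VPN range 10.8.0.0/16 (constructed), upstream "keycloak"
# and X-Forwarded-* headers defined at server level.

# http-level: log client IP, upstream node, status codes and timings so that
# TLS handshake problems, 502s from drained nodes and 403-blocked paths are
# visible at the proxy before they surface as Keycloak errors.
log_format keycloak_proxy '$remote_addr "$request" $status '
                          'upstream=$upstream_addr upstream_status=$upstream_status '
                          'rt=$request_time urt=$upstream_response_time '
                          'ssl=$ssl_protocol/$ssl_cipher';

server {
    listen 443 ssl;
    server_name auth.example.com;
    # ... ssl_certificate, proxy_set_header and timeout directives as in the main config ...

    access_log /var/log/nginx/keycloak-access.log keycloak_proxy;

    # Admin console and admin REST API: VPN clients only, everyone else gets 403.
    location ~ ^/admin(/|$) {
        allow 10.8.0.0/16;
        deny  all;
        proxy_pass http://keycloak;
    }

    # The master realm serves no end-user logins; keep it off the public path too.
    location ~ ^/realms/master(/|$) {
        allow 10.8.0.0/16;
        deny  all;
        proxy_pass http://keycloak;
    }

    # If health/metrics are exposed on the same listener, do not publish them.
    location ~ ^/(health|metrics)(/|$) {
        deny all;
    }

    # Application realms, account console and OIDC endpoints stay public.
    location / {
        proxy_pass http://keycloak;
    }
}
```

The allow/deny rules act on $remote_addr, which is why the forwarding headers must never be trusted for this decision: a spoofed X-Forwarded-For would not change the outcome here, but it would if the check were delegated to Keycloak's own view of the client address.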

A well-built Keycloak VPC private subnet proxy deployment gives you secure authentication without sacrificing reach. Streamline it, test it, monitor it—then deliver it to production.

See how this setup runs live in minutes at hoop.dev.