Running Ory on Microsoft Azure

Reference pattern (deployment topology)

Not a vendor integration — Ory Network is reached over HTTPS like any SaaS, and self-hosted Ory products run on standard Kubernetes (AKS). This page documents the Azure-side glue. Reference: ory/integrates/cloud-infrastructure/azure.

For Microsoft Entra ID identity provider configuration (separate from Azure deployment), see social-sign-in/microsoft and enterprise-sso/microsoft-entra-id.

Two patterns

Pattern A: Azure application talking to Ory Network

  • Allow outbound HTTPS to *.oryapis.com from your VNet or subnet with an NSG rule, plus an Azure Firewall application rule if egress is locked down.
  • Store the Ory API key in Azure Key Vault and inject it via Workload Identity (AKS) or Container Apps secret references.
  • Use Azure DNS to map your custom auth domain to custom.oryapis.com with a CNAME.
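The Key Vault step of Pattern A as an added Kubernetes manifest (example configuration, not from the Ory docs or charts): the Ory API key never leaves Key Vault as a literal; the pod obtains it through Workload Identity and the Secrets Store CSI driver. `<client-id>`, `<tenant-id>`, the vault name `kv-ory-example`, the secret name `ory-api-key`, the namespace `app` and the image reference are placeholders; the user-assigned identity behind `<client-id>` is assumed to have a federated credential for this service account and the Key Vault Secrets User role on the vault.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ory-client
  namespace: app
  annotations:
    azure.workload.identity/client-id: "<client-id>"   # placeholder identity
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: ory-api-key
  namespace: app
spec:
  provider: azure
  parameters:
    clientID: "<client-id>"          # Workload Identity: no client secret anywhere
    keyvaultName: kv-ory-example     # placeholder vault name
    tenantId: "<tenant-id>"
    objects: |
      array:
        - |
          objectName: ory-api-key    # Key Vault secret holding the Ory API key
          objectType: secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ory-client
  namespace: app
spec:
  selector:
    matchLabels: {app: ory-client}
  template:
    metadata:
      labels:
        app: ory-client
        azure.workload.identity/use: "true"   # webhook injects the federated token
    spec:
      serviceAccountName: ory-client
      containers:
        - name: app
          image: example.azurecr.io/app:1.0    # placeholder image
          volumeMounts:
            - name: ory-secret
              mountPath: /mnt/ory     # app reads /mnt/ory/ory-api-key at startup
              readOnly: true
      volumes:
        - name: ory-secret
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: ory-api-key
```

Rotating the key is then a Key Vault operation plus a pod restart; nothing in the cluster's manifests or the image changes.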

Pattern B: Self-hosted Ory on AKS

  • Use AKS with Azure CNI and Workload Identity enabled.
  • Use Azure Database for PostgreSQL — Flexible Server for the Ory Identities, Ory OAuth2 & OpenID Connect, and Ory Permissions datastores. Pick the Zone-Redundant HA tier for production.
  • Optionally, use Azure Cache for Redis.
  • Deploy with the official Helm charts.
  • Use the Application Gateway Ingress Controller (AGIC) for HTTPS termination with a Key Vault-stored certificate.

Resources