Infisical Relay is a secure routing layer that allows Infisical to connect to your private network resources, such as databases or internal APIs, without exposing them to the public internet. The relay acts as an intermediary, forwarding encrypted traffic between Infisical and your deployed gateways. This ensures that your sensitive data remains protected and never leaves your network unencrypted. With this architecture, you can achieve secure, firewall-friendly access across network boundaries, making it possible for Infisical to interact with resources even in highly restricted environments. Before diving in, it’s important to determine whether you actually need to deploy your own relay server or if you can use Infisical’s managed infrastructure.

Do You Need to Deploy a Relay?

Not all users need to deploy their own relay servers. Infisical provides managed relay infrastructure in US/EU regions for Infisical Cloud users, which requires no setup or maintenance. You only need to deploy a relay if you:
  • Are self-hosting Infisical
  • Have a dedicated enterprise instance of Infisical (managed by Infisical)
  • Require relays geographically closer to your target resources than the managed relays, for lower latency and less network congestion when accessing resources through the relay
  • Need full control over relay infrastructure and traffic routing
If you are using Infisical Cloud and do not have specific requirements, you can use the managed relays provided by Infisical and skip the rest of this guide.

Deployment Steps

To successfully deploy an Infisical Relay for use, follow these steps in order.
1. Provision a Machine Identity

Create a machine identity with the correct permissions to create and manage relays. This identity is used by the relay to authenticate with Infisical and should be provisioned in advance. The relay supports several machine identity auth methods for authentication, as listed below. Choose the one that best fits your environment and set the corresponding environment variables when deploying the relay.
2. Install the Infisical CLI

Install the Infisical CLI on the server where you plan to deploy the relay. The CLI is required for relay installation and management. See the CLI Installation Guide for instructions. This server must have a static IP address or DNS name to be identifiable by the Infisical platform.
3. Configure Network & Firewall

Ensure your network and firewall settings allow the server to accept inbound connections and make outbound connections.

Inbound Connections Rules:

| Protocol | Source | Port | Purpose |
| --- | --- | --- | --- |
| TCP | Gateways | 2222 | SSH reverse tunnel establishment |
| TCP | Infisical instance host (US/EU, other) | 8443 | Platform-to-relay communication |

Outbound Connections Rules:

| Protocol | Destination | Port | Purpose |
| --- | --- | --- | --- |
| TCP | Infisical instance host (US/EU, other) | 443 | API communication and certificate requests |
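
One way to check the inbound rules above on a host that uses ufw (an added example, not part of the Infisical documentation): the function reads `ufw status` output and flags relay ports 2222 or 8443 that are open to Anywhere or have no ALLOW rule. Using ufw is an assumption, and the sample status text with its 198.51.100.0/24 gateway range is constructed.

```shell
#!/bin/sh
# Added example (not from the Infisical docs). Assumes the relay host uses ufw.
# Relay inbound ports and their intended sources, from the inbound table:
#   2222/tcp <- gateways, 8443/tcp <- Infisical instance host

# Reads `ufw status` text on stdin and prints one finding per line.
# Returns 0 when both ports have ALLOW rules and none is open to Anywhere.
audit_relay_ports() {
  awk '
    BEGIN { need["2222"] = "gateways"; need["8443"] = "Infisical instance host"; bad = 0 }
    {
      port = $1; sub(/\/tcp$/, "", port)        # "2222/tcp" and bare "2222" both match
      a = 0
      for (i = 2; i <= NF; i++) if ($i == "ALLOW") { a = i; break }
      if (a == 0 || !(port in need)) next       # not an ALLOW rule for a relay port
      seen[port] = 1
      src = $(a + 1)
      if (src == "IN") src = $(a + 2)           # verbose status prints "ALLOW IN"
      if (src == "Anywhere") {
        printf "OPEN %s/tcp allowed from Anywhere; restrict to %s\n", port, need[port]
        bad = 1
      }
    }
    END {
      for (p in need) if (!(p in seen)) {
        printf "MISSING no ALLOW rule for %s/tcp (%s)\n", p, need[p]
        bad = 1
      }
      exit bad
    }'
}

# Constructed sample of `ufw status` output: 2222 is restricted to a gateway
# range (documentation address space), 8443 is open to every source.
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       198.51.100.0/24
8443/tcp                   ALLOW       Anywhere
8443/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

sample_status | audit_relay_ports || echo "findings above: tighten the rules"
```

On the relay host, feed it live data with `sudo ufw status | audit_relay_ports`.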
4. Select a Deployment Method

The Infisical CLI is used to install and start the relay in your chosen environment. The CLI provides commands for both production and development scenarios, and supports a variety of options/flags to configure your deployment. To view all available flags and equivalent environment variables for relay deployment, see the Relay CLI Command Reference.
For production deployments on Linux servers, install the Relay as a systemd service. This installation method only supports Token Auth at the moment. Once you have a Token Auth token, set the following environment variable for relay authentication:
export INFISICAL_TOKEN=<your-machine-identity-token>
The systemd install command requires a Linux operating system with root/sudo privileges.
sudo infisical relay systemd install \
   --token <your-machine-identity-token> \
   --name <relay-name> \
   --domain <your-infisical-domain> \
   --host <static-ip-or-dns-of-the-server>

# Start the relay service now
sudo systemctl start infisical-relay
# Enable the service so it starts again after a reboot
sudo systemctl enable infisical-relay

Frequently Asked Questions