Security News

Cybersecurity news aggregator

Source: Reddit r/netsec

On-prem vs IaaS vs PaaS vs SaaS for self-hosted IAM (Keycloak case study)

  • What: Analysis of deploying Keycloak in different cloud environments
  • Impact: Teams operating identity infrastructure get a breakdown of which operational duties (database, cache clustering, upgrades, monitoring, security patching) each deployment model leaves with them

Keycloak in Production: On-Prem, IaaS, Marketplace, PaaS, or SaaS
Admin User, April 8, 2026

How Much Complexity Do You Actually Need?

You picked Keycloak. Solid choice. Now the harder question: who’s going to keep it running?

Deploying Keycloak is a weekend project. Operating it in production is a full-time job. Behind every running Keycloak instance there’s a database that needs connection pooling and failover. A cache layer that needs to stay in sync across nodes. Upgrades that touch the database schema and break extensions you forgot about. Monitoring that goes beyond “is the container alive?” to “why did the JVM just eat 4GB of heap at 3 AM on a Saturday?”

The way you deploy Keycloak determines who on your team has to deal with all of that. And the size of that team changes more than you’d expect.

On-Premises: You Own Everything

On-prem Keycloak means you own the entire stack. From the rack to the realm configuration, it’s all yours.

What you need to handle:
- Provision and maintain physical or virtual servers
- Set up and manage a production-grade database (PostgreSQL, MySQL...)
- Configure connection pooling, backups, failover
- Deploy and tune Infinispan / JGroups for clustering and cache
- Handle TLS certificates, load balancers, reverse proxies
- Plan and execute Keycloak version upgrades (and the database migrations that come with them)
- Manage custom themes, SPIs, and extensions
- Monitor everything: JVM metrics, database performance, cache hit rates, HTTP errors, logs
- Capacity planning and scaling

Who you need on the team: Infrastructure engineers. A DBA. At least one person who understands Keycloak internals deeply enough to troubleshoot a failed rolling upgrade at 2 AM. And a DevOps/SRE to keep it all glued together. This isn’t a side project; it’s a dedicated team.

When it makes sense: If you already have an infrastructure team, a DBA, and people who know Keycloak inside out, on-prem works. Full stop. These teams exist in large organizations, and if you’ve built one, there’s no reason to walk away from it. On-prem also makes sense when regulators require physical control of your infrastructure, or when you need a level of customization that only full stack ownership can give you.

IaaS (AWS, Exoscale, GCP...): The Hardware Is Gone, the Ops Aren’t

Moving to IaaS takes the hardware off your plate. You get VMs or managed Kubernetes, managed databases (RDS, Cloud SQL, etc.), and managed load balancers. The cloud handles the physical layer. But Keycloak? Still your problem.

What you need to handle:
- Choose and configure VMs or Kubernetes clusters
- Deploy Keycloak (Helm charts, Docker Compose, ECS tasks...)
- Configure the managed database (sizing, backups, connection limits, failover)
- Set up and tune Infinispan clustering across nodes
- Handle Keycloak upgrades and database migrations
- Build and maintain custom extensions and themes
- Set up monitoring and alerting for Keycloak-specific metrics
- Manage scaling policies and high availability

Who you need on the team: Nobody’s racking servers anymore, but you still need people who understand Keycloak’s operational side in depth. What happens to Infinispan sessions during a rolling upgrade? How does the connection pool behave when your managed database hits its max connections? How do you migrate from Keycloak 24 to 26 without locking out half your users? You need a Keycloak infrastructure specialist: someone who knows the product from the JVM flags and the Quarkus configuration up, not just from the admin console.

When it makes sense: If your team already lives in AWS, GCP, or Exoscale and knows how to operate services there, this is a natural fit. You use the cloud’s building blocks (managed databases, load balancers, monitoring) and your team fills in the Keycloak-specific gaps. Many organizations run Keycloak this way and run it well. The question is straightforward: do you have (or want to build) a team that can own Keycloak operations for the long haul?

Cloud Marketplace (Exoscale, AWS Marketplace...): One-Click Deploy, Long-Term Maintain

Some cloud providers offer Keycloak as a marketplace image. Exoscale, for instance, lets you spin up a Keycloak instance in minutes. Day one feels effortless. Day thirty is a different story.

The provider deploys it. You maintain it. That marketplace image won’t auto-update. The cloud provider isn’t going to upgrade Keycloak for you, run the database migrations, tune the cache, or figure out why your custom theme broke after a version bump. That includes security fixes: the image pins the Keycloak version it shipped with, so every Keycloak advisory published after that date is an upgrade you have to schedule yourself.

What you need to handle:
- Keycloak upgrades and version migrations
- Database management, backups, and connection tuning
- Infinispan / cache configuration as you scale beyond a single node
- Extension and theme management across upgrades
- Monitoring, security patching, and incident response
- High availability setup if you need more than one instance

What the provider handles:
- The initial VM and deployment
- Basic infrastructure (networking, storage, compute)
- Sometimes a managed database
...
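The two questions the article keeps coming back to (why the JVM ate its heap at 3 AM, and what the connection pool does when the managed database hits max_connections) are only answerable if Keycloak's metrics are scraped and thresholded rather than just checked for "container alive". The following is an added example, not code from the original post or from the Keycloak project: a small Python check that parses a Keycloak /metrics scrape (Prometheus text format, available with metrics-enabled=true) and flags heap pressure and pool exhaustion, plus a capacity check for nodes × pool size against the database's connection limit. The metric names used (jvm_memory_used_bytes, jvm_memory_max_bytes, agroal_active_count, agroal_available_count, agroal_awaiting_count) are the Micrometer and Agroal names a Quarkus-based Keycloak exposes; the sample scrape, the thresholds and the reserved-connection margin are assumptions constructed for the example, so adjust them to what your build actually emits.

```python
"""Added example (not from the original post or the Keycloak project).

Reads a Keycloak /metrics scrape in Prometheus text format and raises alerts
for the failure modes the article describes: JVM heap pressure and database
connection-pool exhaustion. Metric names are assumed to match what a
Quarkus-based Keycloak emits via Micrometer/Agroal; verify against your build.
"""
import re
from collections import defaultdict

# Constructed sample scrape shaped like a Keycloak /metrics response.
# Not captured from a real server; values chosen to trip every check.
SAMPLE_SCRAPE = """\
# TYPE jvm_memory_used_bytes gauge
jvm_memory_used_bytes{area="heap",id="G1 Old Gen"} 3.2E9
jvm_memory_used_bytes{area="heap",id="G1 Eden Space"} 4.5E8
jvm_memory_used_bytes{area="nonheap",id="Metaspace"} 1.2E8
# TYPE jvm_memory_max_bytes gauge
jvm_memory_max_bytes{area="heap",id="G1 Old Gen"} 4.0E9
jvm_memory_max_bytes{area="heap",id="G1 Eden Space"} -1.0
jvm_memory_max_bytes{area="nonheap",id="Metaspace"} -1.0
# TYPE agroal_active_count gauge
agroal_active_count{datasource="default"} 19.0
# TYPE agroal_available_count gauge
agroal_available_count{datasource="default"} 1.0
# TYPE agroal_awaiting_count gauge
agroal_awaiting_count{datasource="default"} 4.0
"""

_LINE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)\s*$')
_LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_metrics(text):
    """Parse Prometheus text exposition into {name: [(labels, value), ...]}."""
    samples = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # tolerate histogram/summary lines we do not model here
        name, raw_labels, value = m.groups()
        labels = dict(_LABEL.findall(raw_labels or ""))
        samples[name].append((labels, float(value)))
    return samples


def heap_usage(samples):
    """Return (used_bytes, max_bytes, ratio) summed over heap pools.
    Pools reporting max = -1 (no fixed cap, e.g. G1 Eden) are skipped on the
    max side, so the ratio approximates used / -Xmx rather than being exact."""
    used = sum(v for l, v in samples["jvm_memory_used_bytes"] if l.get("area") == "heap")
    cap = sum(v for l, v in samples["jvm_memory_max_bytes"]
              if l.get("area") == "heap" and v > 0)
    return used, cap, (used / cap if cap else 0.0)


def pool_state(samples, datasource="default"):
    """Return (active, available, awaiting, saturation) for one Agroal datasource.
    saturation = active / (active + available). awaiting > 0 means request
    threads are already queued for a connection: the pool is effectively dry."""
    def gauge(name):
        for l, v in samples.get(name, []):
            if l.get("datasource") == datasource:
                return v
        return 0.0
    active = gauge("agroal_active_count")
    available = gauge("agroal_available_count")
    awaiting = gauge("agroal_awaiting_count")
    total = active + available
    return active, available, awaiting, (active / total if total else 0.0)


def db_capacity_ok(nodes, pool_max, db_max_connections, reserved=5):
    """Can every Keycloak node fill its pool (db-pool-max-size) without
    exhausting the database's max_connections? `reserved` keeps a margin for
    DBA/superuser sessions; the default of 5 is an assumption."""
    return nodes * pool_max <= db_max_connections - reserved


def evaluate(text, heap_threshold=0.85, pool_threshold=0.90):
    """Return a list of alert strings for one scrape (empty means healthy)."""
    samples = parse_metrics(text)
    alerts = []
    used, cap, ratio = heap_usage(samples)
    if ratio >= heap_threshold:
        alerts.append(f"heap {ratio:.0%} of {cap / 1e9:.1f} GB used")
    active, available, awaiting, sat = pool_state(samples)
    if sat >= pool_threshold:
        alerts.append(f"db pool {sat:.0%} saturated ({active:.0f} active, {available:.0f} idle)")
    if awaiting > 0:
        alerts.append(f"{awaiting:.0f} threads waiting for a db connection")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_SCRAPE):
        print("ALERT:", alert)
    # 3 nodes with db-pool-max-size=20 against a 50-connection managed DB:
    print("capacity ok:", db_capacity_ok(3, 20, 50))
```

In practice you would replace SAMPLE_SCRAPE with the body of an HTTP GET against the management endpoint and run the check from your alerting pipeline. The capacity check is the one to run before deployment, not after: once nodes × db-pool-max-size exceeds the database's limit, the symptom is exactly the awaiting-count alert above, and it only shows up under load.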
