Keycloak can be deployed in a number of high-availability architectures, allowing system administrators to pick the deployment type most suitable for their needs. Ease of deployment, cost and fault-tolerance guarantees are important considerations when determining the correct architecture for your deployments.
This document describes two high-availability architectures in which to deploy Keycloak: single-cluster deployments and multi-cluster deployments.
Single-cluster deployments: Deploy Keycloak in a single cluster, optionally across multiple availability zones or data centers with the required network latency and database configuration.
No external dependencies
Deployment in a single Kubernetes cluster or a set of virtual machines with transparent networking
Tolerate availability-zone failure or data center failure, if deployed to multiple availability zones or data centers
Kubernetes cluster is a single point of failure:
  Control-plane failures could impact all Keycloak pods
Multi-cluster deployments: Connect two Keycloak clusters, deployed for example in different Kubernetes clusters in two availability zones or data centers, with the required network latency and database configuration.
Tolerate availability-zone failure
Tolerate Kubernetes cluster failure
Bridge two networks that do not offer transparent networking
Regulatory compliance when distinct deployments are required
Complexity:
  External load-balancer required
  Separate Infinispan cluster required on each site
Cost:
  Additional load-balancer required
  Additional compute is required for external Infinispan clusters
  Two Kubernetes control-planes must be provisioned
Not supported with three or more availability zones