Air-gapped environments

Outbound connections

By default, authentik creates outbound connections to the following URLs:

https://version.goauthentik.io: Periodic update check
https://goauthentik.io: Anonymous analytics on startup
https://secure.gravatar.com: Avatars for users
https://authentik.error-reporting.a7k.io: Error reporting
https://tile.openstreetmap.org: Map tiles for event logs Enterprise authentik: 2025.8.0+

Configuration

To disable these outbound connections, adjust the following settings:

docker-compose
Kubernetes

Add the following block to your .env file:

AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
AUTHENTIK_DISABLE_UPDATE_CHECK=true
AUTHENTIK_ERROR_REPORTING__ENABLED=false

Afterwards, run the upgrade commands from the latest release notes.

Add the following block to your values.yml file:

authentik:
    error_reporting:
        enabled: false
    disable_update_check: true
    disable_startup_analytics: true

Afterwards, run the upgrade commands from the latest release notes.

Additionally, adjust the following System settings:

Avatars: By default this setting connects to Gravatar. To avoid outgoing connections, set this to a combination of other options, such as initials.

Required resources

Container images

authentik deployments require access to the following container images. In an air-gapped environment, this can be achieved by mirroring the images to an internal registry, or using other methods appropriate for your environment.

Main image

ghcr.io/goauthentik/server or authentik/server

Outpost images

ghcr.io/goauthentik/ldap or authentik/ldap
ghcr.io/goauthentik/proxy or authentik/proxy
ghcr.io/goauthentik/rac or authentik/rac
ghcr.io/goauthentik/radius or authentik/radius

Supporting services

PostgreSQL
Redis

Helm repositories

For Helm deployments, ensure access to the following repository. In an air-gapped environment, this can be achieved by mirroring the chart to an internal registry, or using other methods appropriate for your environment.

https://charts.goauthentik.io

Network requirements

Required ports

9000/9443: Default authentik server ports for HTTP/HTTPS access.
80/443: For reverse proxy setups (if using a load balancer or ingress controller).
SMTP ports: Connectivity to your configured SMTP server (typically 25, 465, or 587).
S3/object storage: If configured, connectivity to your S3-compatible storage.

Outpost-specific ports

Each outpost container, in order to communicate with authentik, requires access to the authentik server via whichever protocol is specified in the URL set in the AUTHENTIK_HOST environment variable (preferably HTTPS).

The outpost containers also need certain ports exposed:

LDAP Outpost: Ports 389/636 (LDAP/LDAPS) exposed to ports 3389/6636 of the container.
Proxy Outpost: Ports 9000/9443 (HTTP/HTTPS) exposed to ports 9000/9443 of the container.
RAC Outpost: Exposed ports not required.
RADIUS Outpost: Port 1812 (RADIUS Authentication) exposed to port 1812/udp of the container.

For more detailed information about outpost configuration in air-gapped environments, see the Outposts documentation.

Outbound connections​

Configuration​

Required resources​

Container images​

Main image​

Outpost images​

Supporting services​

Helm repositories​

Network requirements​

Required ports​

Outpost-specific ports​