LogoLogo
Python SDKSlack
  • Documentation
  • Cookbooks
  • Self-Hosting
  • Release Notes
  • Reference
  • Architecture
  • Self-Hosting
    • On-Premise Overview
    • On-Premise Installation
      • Installation on GCP
      • Installation on AWS
      • Installation on Azure
      • Installation on OpenShift
      • Configuring Ingress Endpoints
      • Configuring SAML
  • On-Premise Integrations
  • On-Premise SDK Usage
Powered by GitBook

Support

  • Chat Us On Slack
  • support@arize.com

Get Started

  • Signup For Free
  • Book A Demo

Copyright © 2025 Arize AI, Inc

On this page

Was this helpful?

  1. Self-Hosting
  2. On-Premise Installation

Configuring Ingress Endpoints

The previous steps explain how to install Arize and access the UI with a local port-forward. However to expose Arize to the broader organization, a secure HTTPs endpoint must be created.

Host
Prefix
Service
Target Port

arize-app.<my-organization-domain>

/

internalendpoints-app

443

Ingress Endpoints with GCP

First review the Terraform documentation in ./terraform/README.md as it includes parameters required to create static IP addresses. Re-apply the Terraforms if necessary. Static IP addresses are preferred as they allow a future rebuild of the cluster without impacting DNS entries.

Make a copy of the example file below.

$ cp ./examples/endpoints/gcp/app-services.yaml my-app-services.yaml

Review the following annotation to confirm that they align with the desired static IPs. If using the provided terraforms, these names already align with the name specified in terraform.

annotations:
  kubernetes.io/ingress.global-static-ip-name: arize-app-services

Replace the placeholder hostname/domain name with the domain available in your organization. This domain name must be added to your DNS server and map to the static IP addresses mentioned above.

'{{CUSTOMER_APP_DOMAIN}}' --> 'arize-app.<my-organization-domain>'

If configured correctly, the DNS server will resolve the domain to the correct IP address. Use nslookup to verify.

$ nslookup arize-app.<my-organization-domain>'

Apply the manifest.

$ kubectl -n arize apply -f my-app-services.yaml

Wait for a few minutes and verify the state of the ingress.

$ kubectl -n arize describe ingress arize-app-services

The ingressMode parameter may need to be set correctly in values.yaml in order to work with certain ingress controllers or if a user desires to port-forward to the service for testing. Further details can be found in the Ingress Controllers section.

From a web browser enter https://arize-app.<my-organization-domain> to verify the access. Note that GCP may initially return an SSL error until the HTTPs certificate has been validated. If that is the case, check back 30 minutes later. Make sure to add these parameters tovalues.yaml and apply the changes.

appBaseUrl: "https://arize-app.<my-organization-domain>"
expBaseUrl: "arize-app.<my-organization-domain>"

Ingress Endpoints with AWS

Since TLS termination is required, a Layer 7 ALB is the recommended option for AWS. The ALB can be created automatically by AWS when a Kubernetes Ingress resource is created and the AWS Load Balancer Controller is deployed.

A few notes about the AWS Load Balancer Controller:

  • It requires public networks, Internet Gateway and routes in order to get an external IP.

  • Private subnets need the label "kubernetes.io/role/internal-elb" for subnet discovery

  • Public subnets need the label "kubernetes.io/role/elb" for subnet discovery

Make a copy of the example file below.

$ cp ./examples/endpoints/aws/app-services.yaml my-app-services.yaml

Edit the following annotations. For a public endpoint use "internet-facing". Change the certificate annotation to point to a valid certificate.

annotations:
  ...
  alb.ingress.kubernetes.io/scheme: "internal" # Use "internet-facing" for public endpoint
  alb.ingress.kubernetes.io/certificate-arn: "<certificate-arn>"

Apply the manifest.

$ kubectl -n arize apply -f my-app-services.yaml

Wait for a few minutes and verify the state of the ingress.

$ kubectl -n arize describe ingress arize-app-services

The ingressMode parameter may need to be set correctly in values.yaml in order to work with certain ingress controllers or if a user desires to port-forward to the service for testing. Further details can be found in the Ingress Controllers section.

In some environments the external-dns.alpha.kubernetes.io/hostname annotation can be used to automatically create a DNS entry in Route 53. If another DNS system is used, collect the elb address from the ingress resource and request a DNS entry to be added mapping arize-app.<my-organization-domain> to the elb address.

If configured correctly, the DNS server will resolve the domain to the correct IP address. Use nslookup to verify.

$ nslookup arize-app.<my-organization-domain>'

From a web browser enter https://arize-app.<my-organization-domain> to verify the access. Make sure to add these parameters to values.yaml and apply the changes.

appBaseUrl: "https://arize-app.<my-organization-domain>"
expBaseUrl: "arize-app.<my-organization-domain>"

Ingress Endpoints with Azure

The Azure AGIC does not currently support GRPC. For this reason Arize recommends using a Network Load Balancer and terminate TLS at the Arize pods.

Make a copy of the example files below and review its content.

$ cp ./examples/endpoints/azure/app-services.yaml my-app-services.yaml

Apply the manifest.

$ kubectl -n arize apply -f my-app-services.yaml

Wait for a few minutes and verify the state of the service.

$ kubectl -n arize describe service arize-app-services

Create a DNS entry pointing your desired domain/hostname (example: arize-app.<my-organization-domain>) to the IP address of the Network Load Balancer. If using self-signed certificates or a certificate is not available, create a certificate corresponding to your domain using:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -out app-tls.crt \
    -keyout app-tls.key \
    -subj "/CN=arize-app.<my-organization-domain>/O=<company-name>" -addext "subjectAltName = DNS:arize-app.<my-organization-domain>"

Load the signed or self-signed certificate into Arize by updating values.yaml:

internalEndpointsAppTlsCert: '<base64 encoded contents of TLS certificate file>'
internalEndpointsAppTlsKey: '<base64 encoded contents of TLS private key file>'

The ingressMode parameter may need to be set correctly in values.yaml in order to work with certain ingress controllers or if a user desires to port-forward to the service for testing. Further details can be found in the Ingress Controllers section.

From a web browser enter https://arize-app.<my-organization-domain> to verify the access. Make sure to add these parameters to values.yaml and apply the changes.

appBaseUrl: "https://arize-app.<my-organization-domain>"
expBaseUrl: "arize-app.<my-organization-domain>"

Ingress Endpoints with OpenShift

The OpenShift ingress controller configures an underlying HAProxy component. For proper GRPC operation certain settings on the OpenShift routes are required. Additionally, to enable HTTP/2 support, the following command should be executed for the target Ingress Controller (either a specific one or the default). This annotation can also be applied via the console UI's under Administration -> CustomResourceDefinitions -> IngressController -> Instances -> default. If HTTP/2 is not enabled, gRPC clients may encounter errors such as: Cannot check peer: missing selected ALPN property* or *Selected ALPN Protocol: None.

oc -n openshift-ingress-operator annotate ingresscontrollers/default ingress.operator.openshift.io/default-enable-http2=true

In the values.yaml file, the Arize ingressMode should be set to openshift. Important: This configuration must be applied before creating any routes, as OpenShift references the resulting appProtocol on the Arize ports during route creation. Specifically, for internal HTTP/2 ports, the appProtocol is set to h2c, indicating the use of HTTP/2 without TLS.

ingressMode: 'openshift'

From the OpenShift console UI as an Administrator use Create Route from the Networking/Routes panel and enter the following data in the arize namespace Project to create the endpoints. Use Secure Route enabled and TLS termination Edge on each route. OpenShift does not allow a wildcard certificate with GRPC/HTTP2 protocols and therefore it is recommend to create a non-wildcard certificate on the arize-app route or to create second arize-api for API functions.

Host
Prefix
Service
Target Port
Certificate

arize-app.<my-organization-domain>

/

internalendpoints-app

443

Wildcard or non-wildcard

arize-api.<my-organization-domain>

/

internalendpoints-app

443

Non-wildcard

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -out app-tls.crt \
    -keyout app-tls.key \
    -subj "/CN=arize-app.<my-organization-domain>/O=<company-name>" -addext "subjectAltName = DNS:arize-app.<my-organization-domain>"

If using TLS termination Edge is not an option, a fallback method is to use a single passthrough route and mount the certificate at the pods using these parameters:

ingressMode: 'tls'
internalEndpointsAppTlsCert: '<base64 encoded contents of TLS certificate file>'
internalEndpointsAppTlsKey: '<base64 encoded contents of TLS private key file>'

Ingress Controllers

For GRPC protocols like OTLP and flightserver, the ingressMode parameter may need to be set correctly in values.yaml in order to work with certain ingress controllers or if a user desires to port-forward to the service for testing.

Here are the recommended settings:

Controller / Load Balancer

ingressMode

internalEndpointsAppTlsCert / internalEndpointsAppTlsKey

GCP

tls (default)

N/A

AWS ALB

tls (default)

N/A

Azure NLB

tls (default)

Custom certificate

Istio

istio

N/A

OpenShift - Edge

openshift

N/A

OpenShift - Pass-through

tls

Custom certificate

Local port-forward

notls

N/A

TLS Termination at Arize Pods (NLB)

tls

Custom certificate

More details on working with an OpenShift ingress controller are found in the OpenShift sections.

Last updated 18 days ago

Was this helpful?

If using the provided terraforms, review the terraform options to enable the Web Identity role and deploy the AWS Load Balancer Controller. Otherwise, refer to this page to manually deploy the AWS Load Balancer Controller:

The arize-app (or arize-api) route is then edited to add a non-wildcard Certificate and Key matching the Host field from the route. This per route certificate is mentioned in to allow GRPC traffic to transit the controller. The certificate can be created using openssl as shown below:

Installing the AWS Load Balancer Controller
Enabling HTTP/2