Question about air-gapped environment

Hi Windmill team 👋, I’m Kyuesung Oh from LG CNS Korea IT Service company. We need to deploy Windmill completely air-gapped (no outbound internet) inside a high-security manufacturing network. Could you clarify a few things?

1. Offline installation path: Is there an official doc or script for importing all required Docker images, Hub templates, and dependencies without docker pull from public registries? If not, is exporting from an online environment with windmill hub sync --export → moving the tarballs → --import the recommended approach?

2. Domain allow-list (if partial egress is possible): Do you publish a list of FQDNs/ports Windmill components must reach (licensing, Telemetry, templates, AI features, etc.)? For EE features such as SMTP and AI Assist, are separate endpoints involved?

3. SSL / certificate chain for hub sync: We hit x509: certificate signed by unknown authority when pointing hub sync at our internal registry. Is adding our corporate root CA to the Windmill runner’s /usr/local/share/ca-certificates sufficient, or are additional parameters (--insecure, custom CA flags) supported?

4. Product limits in air-gapped mode: Are any features (AI Assist, template marketplace, updates) disabled or require work-arounds when there’s zero egress?

Any guidance, doc links, or community success stories would be greatly appreciated. Thanks a lot!
3 Replies
fjørdlek (2mo ago)
Hi, Kyuesung Oh. Yes we have several customers on fully air-gapped networks.

1: There are several options here.
- you can download all the required docker images (see the docker compose for a list of images)
- you can run the windmill binaries directly on the air-gapped hosts
- now if your scripts depend on external libraries (pip / npm etc) you will need to also create a mirror for them inside your airgapped environment.
- the initial hub windmill hub scripts and resource types are "pre-fetched" and cached at image build times and you would be able to upgrade them when you upgrade windmill versions, or you could manually update them in the admins workspace if needed

2: for our billing telemetry you only need to open https://stats.windmill.dev , otherwise, a screenshot of your workers page is usually sufficient for billing purposes. For AI features, you could deploy a model inside your airgapped environment and use it as a custom ai. You could also allow egress to the AI provider of choice (e.g. OpenAI) and use your api keys.

3: yes, it should work following the docs

I will add writing up a detailed guide to self-hosting in an air-gapped environment to my backlog.
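The first option in the reply above (downloading the images listed in the docker compose file), as an added example that is not part of the thread or of Windmill's own tooling: it saves each image to a tarball on a connected host and verifies checksums before loading on the air-gapped side. The function names, bundle layout and `SHA256SUMS` manifest are assumptions; only `docker compose config --images`, `docker pull/save/load` and `sha256sum` are used.

```shell
#!/bin/sh
# Added example (not from the thread): stage container images for an air-gapped host.
# Function names, bundle layout and the SHA256SUMS manifest are illustrative assumptions.

# Image references of a compose project, with variables resolved by compose itself.
list_images() {
  docker compose -f "$1" config --images | sort -u
}

# Map an image reference to a flat tarball name (registry/app:1.0 -> registry_app_1.0.tar).
tar_name() {
  printf '%s.tar\n' "$(printf '%s' "$1" | tr '/:@' '___')"
}

# Online side: pull and save each image, then record a checksum for every tarball.
export_images() {  # export_images <compose-file> <bundle-dir>
  compose=$1; out=$2
  images=$(list_images "$compose") || return 1
  [ -n "$images" ] || return 1
  mkdir -p "$out" || return 1
  for img in $images; do
    docker pull "$img" || return 1
    docker save -o "$out/$(tar_name "$img")" "$img" || return 1
  done
  (cd "$out" && sha256sum *.tar > SHA256SUMS)
}

# Air-gapped side: verify the whole bundle first and load nothing if any file fails.
# Only tarballs named in the manifest are loaded; stray files in the directory are ignored.
import_images() {  # import_images <bundle-dir>
  dir=$1
  (cd "$dir" && sha256sum -c SHA256SUMS >/dev/null) || {
    echo "bundle verification failed, nothing loaded" >&2
    return 1
  }
  while read -r _sum name; do
    docker load -i "$dir/${name#\*}" </dev/null || return 1
  done < "$dir/SHA256SUMS"
}

case "${1:-}" in
  export) export_images "$2" "$3" ;;
  import) import_images "$2" ;;
esac
```

The manifest only detects corruption or tampering in transit if `SHA256SUMS` itself reaches the air-gapped side by a path you trust, for example signed or carried separately from the tarballs.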
오규성_사랑의 은소나
Hi Alex,

Thank you so much for your detailed response and for confirming support for fully air-gapped environments — that’s very reassuring. As we are currently preparing our own deployment in such an environment, I’d like to kindly ask if you could provide more specific guidance or examples on how to manually upload or update the initial hub resources and script types within the admin workspace. A brief walkthrough or documentation on this manual process would be greatly appreciated.

Looking forward to hearing from you, and thanks again for your support!

Best regards,
Kyuesung Oh
fjørdlek (2mo ago)
Hi Kyuesung, here are some details on the private hub and how to keep it in sync on an air-gapped environment:
- https://www.npmjs.com/package/@windmill-labs/hub-cli
- https://www.windmill.dev/docs/core_concepts/private_hub#local-syncing-and-syncing-with-the-public-hub

In short: we provide a cli that allows you to pull from the public hub and push to the private hub, so for example on your laptop, you could first connect to the public internet, pull the hub from the public repo, then connect your laptop (e.g. via vpn etc.) to your private air-gapped network and run the cli hub push command.
