# How to *deploy* Conduktor? Conduktor is a self-hosted solution running inside your environment. From single-cluster teams to global deployments, Conduktor adapts to your infrastructure. Running at scale ## Why self-hosted matters Your sensitive data stays private, under your control, and compliant with your regional and corporate rules. You choose the architecture: cloud, hybrid, or on-prem. Conduktor connects to your stack and security tooling. ## Architecture Conduktor links your streaming applications, Kafka clusters, and security systems through a control and data plane architecture. - **Control Plane** — Runs the management, policies, and identity logic. Exposes APIs, CLI, and UI. Designed to integrate with GitOps and automation tools. - **Data Plane** — Handles live Kafka connections. Enforces access rules, masking, and encryption inline without altering payloads. - **Security & Automation Layer** — Connects to your identity providers, secret managers, and CI/CD systems. Supports SSO, LDAP, Vault, and custom certificate chains. - **Observability Layer** — Streams metrics and events to your monitoring stack. Exports to Prometheus, Grafana, or OpenTelemetry for real-time visibility. ## Deployment Scenarios - **Single Cluster** — Ideal for getting started or smaller teams. One Conduktor instance connects to one Kafka cluster. - **Multi-Cluster** — Manage multiple Kafka clusters from a single Conduktor deployment. Centralize governance and access control. - **Regulated Industries** — For finance, healthcare, or government. Deploy fully air-gapped with strict network segmentation and audit trails. ## FAQ **Can Conduktor run in air-gapped environments?** Yes. Conduktor supports full offline installations with local registries. You can install and update all components without external network access. **Which clouds are supported?** Conduktor runs on AWS, Azure, GCP, or on-prem. It integrates with managed Kafka services such as AWS MSK, Confluent Cloud, and Aiven, as well as open-source clusters. **How long does deployment take?** A simple setup is ready in minutes using Helm or Docker Compose. Production-grade installs, including HA, external identity providers, security managers, completes in multiple days. **Can we integrate with Vault or KMS?** Yes. Conduktor integrates natively with HashiCorp Vault and all major KMS providers (AWS, Azure, GCP). Secrets can be injected through environment variables, mounted volumes, or API calls. **Does Conduktor support SSO and granular access control?** Yes. Conduktor supports OIDC and LDAP synchronization. Access rules apply at the user, group, or application level and can be automated through APIs. ## Need help with your deployment? Whether you're planning a high-availability setup, optimizing for scale, or navigating compliance requirements, our team is here to guide you through architecture decisions and best practices. [Talk to an expert](https://www.conduktor.io/contact)