Custom Domains Architecture

When you configure a custom domain in Skycloak, you’re leveraging an enterprise-grade infrastructure that provides security, performance, and reliability without any complexity on your end. This page explains how it all works and why it benefits you.

Architecture Overview

Your custom domain traffic flows through multiple layers of sophisticated infrastructure:

┌────────────────┐     ┌────────────────┐     ┌────────────────┐     ┌────────────────┐     ┌────────────────┐
│                │     │                │     │                │     │                │     │                │
│    End User    │────▶│   Cloudflare   │────▶│    AWS NLB     │────▶│ Istio Gateway  │────▶│    Keycloak    │
│                │     │     (CDN)      │     │(Load Balancer) │     │ (Service Mesh) │     │    Instance    │
│                │     │                │     │                │     │                │     │                │
└────────────────┘     └────────────────┘     └────────────────┘     └────────────────┘     └────────────────┘
      HTTPS                  HTTPS                  HTTPS              Proxy Protocol            Internal
     Request            DDoS Protection        TLS Termination          SNI Routing           Secure Network

How It Works

1. DNS Configuration

When you add a custom domain, you create a CNAME record pointing to our regional endpoints:

  • US Region: us.clusters.skycloak-dns.io
  • EU Region: eu.clusters.skycloak-dns.io
  • CA Region: ca.clusters.skycloak-dns.io
  • AU Region: au.clusters.skycloak-dns.io

For Enterprise customers with proxy domains, the CNAME target changes based on your proxy configuration:

  • With US Proxy: Your domain → Your US proxy → us.clusters.skycloak-dns.io
  • With EU Proxy: Your domain → Your EU proxy → eu.clusters.skycloak-dns.io
  • With CA Proxy: Your domain → Your CA proxy → ca.clusters.skycloak-dns.io
  • With AU Proxy: Your domain → Your AU proxy → au.clusters.skycloak-dns.io

2. Traffic Flow

Step 1: Cloudflare Edge (Global CDN)

  • Your users connect to the nearest Cloudflare edge location (200+ cities worldwide)
  • Cloudflare provides instant DDoS protection and filters malicious traffic
  • SSL/TLS encryption is established with Cloudflare’s edge servers
  • Static content can be cached for lightning-fast delivery

Step 2: Origin Connection

  • Cloudflare forwards legitimate traffic to our AWS infrastructure
  • Uses Cloudflare’s optimized backbone network for faster routing
  • Maintains persistent connections for improved performance

Step 3: AWS Network Load Balancer

  • Receives traffic at the regional AWS load balancer
  • TLS certificate for *.clusters.skycloak-dns.io validates the connection
  • Implements Proxy Protocol v2 to preserve original client information
  • Distributes traffic across multiple data centers for high availability

Step 4: Istio Service Mesh

  • Advanced traffic management using Istio’s intelligent routing
  • SNI (Server Name Indication) inspection to route based on hostname
  • Each custom domain is routed to the correct Keycloak instance
  • Automatic retries and circuit breaking for resilience

Step 5: Keycloak Instance

  • Your dedicated Keycloak instance receives the request
  • Processes authentication/authorization in your isolated environment
  • Returns response through the same secure path

Security Layers

Your custom domain benefits from multiple security layers:

1. Edge Security (Cloudflare)

  • DDoS Protection: Automatic mitigation of volumetric attacks
  • WAF Capabilities: Web Application Firewall rules to block common exploits
  • Rate Limiting: Prevents abuse and brute force attempts
  • SSL/TLS Encryption: Industry-standard encryption at the edge

2. Network Security (AWS)

  • Security Groups: Strict firewall rules limiting access
  • Private Networking: Backend infrastructure not directly exposed to internet
  • TLS 1.3: Modern encryption protocols with perfect forward secrecy
  • Certificate Validation: Only trusted certificates accepted

3. Application Security (Kubernetes/Istio)

  • Network Policies: Micro-segmentation between services
  • Service Mesh Security: mTLS between internal services
  • Pod Security: Containers run with minimal privileges
  • Secrets Management: Sensitive data encrypted at rest

4. Infrastructure Security

  • Multi-Data Center Deployment: Services spread across multiple data centers
  • Auto-scaling: Automatic capacity adjustment under load
  • Health Checks: Continuous monitoring and automatic recovery
  • Access Logs: Complete audit trail stored in S3

Performance Benefits

Global Performance Optimization

  • Anycast Routing: Users automatically routed to nearest endpoint
  • Edge Caching: Static resources served from Cloudflare’s edge
  • Connection Pooling: Persistent connections reduce latency
  • HTTP/2 & HTTP/3: Modern protocols for faster page loads

Regional Optimization

  • Geographic Distribution: Clusters deployed in multiple regions
  • Low Latency: Users connect to nearby infrastructure
  • Optimized Routing: Cloudflare’s backbone network bypasses internet congestion

High Availability Features

  • Automatic Failover: Traffic rerouted if an instance fails
  • Zero-downtime Updates: Rolling updates without service interruption
  • Load Distribution: Requests spread across healthy instances
  • Self-healing: Automatic recovery from failures

Enterprise-Grade Features

Location-Aware Proxy Routing (Enterprise)

For Enterprise customers, the system supports location-specific proxy configurations:

How Location-Aware Routing Works

  1. Cluster Creation: When a cluster is created, it’s assigned to a specific location (US, EU, CA, AU)
  2. Proxy Selection: The system checks if a proxy is configured for that location
  3. Automatic Routing: Domains created for that cluster automatically use the location’s proxy
  4. Fallback Logic: If no location proxy exists, defaults to standard Skycloak DNS

Benefits of Multi-Location Proxies

  • Regional Compliance: Different proxy domains for different jurisdictions
  • Performance Optimization: Traffic routes through geographically closer infrastructure
  • Independent Management: Each region can have different security policies
  • Disaster Recovery: Regional isolation prevents cascading failures

Example Configuration

US Clusters → auth.us.company.com → us.clusters.skycloak-dns.io
EU Clusters → auth.eu.company.com → eu.clusters.skycloak-dns.io
CA Clusters → auth.ca.company.com → ca.clusters.skycloak-dns.io
AU Clusters → auth.au.company.com → au.clusters.skycloak-dns.io
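The proxy-selection and fallback steps above, together with this example configuration, can be checked mechanically. The following is an added example, not Skycloak's code: it derives the CNAME chain a domain should follow for its cluster location (proxy first if one is configured, otherwise the regional endpoint directly) and compares it with a CNAME chain. The example.com domains, the proxy map and the CNAME records are constructed sample data; a real check would read the records from a resolver.

```python
"""Added example (not Skycloak's code): derive the CNAME chain a custom domain
should follow under the location-aware proxy rules, and verify a chain."""

# Regional endpoints listed on the page.
REGIONAL_ENDPOINTS = {
    "US": "us.clusters.skycloak-dns.io",
    "EU": "eu.clusters.skycloak-dns.io",
    "CA": "ca.clusters.skycloak-dns.io",
    "AU": "au.clusters.skycloak-dns.io",
}

def expected_chain(location, proxies):
    """Hops a domain for `location` should traverse. `proxies` maps location
    to proxy hostname; a location without one falls back to Skycloak DNS."""
    endpoint = REGIONAL_ENDPOINTS[location]  # KeyError on unknown location
    proxy = proxies.get(location)
    return [proxy, endpoint] if proxy else [endpoint]

def follow_cnames(name, records, max_hops=8):
    """Walk CNAME records from `name`; return the hops (start excluded).
    Stops at a name with no CNAME; raises on a loop or too many hops."""
    hops, seen = [], {name}
    while name in records:
        name = records[name]
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        hops.append(name)
        if len(hops) > max_hops:
            raise ValueError("too many CNAME hops")
    return hops

def verify_domain(domain, location, proxies, records):
    """True if the resolved CNAME chain matches the expected chain."""
    return follow_cnames(domain, records) == expected_chain(location, proxies)

# Constructed sample data shaped like the page's Example Configuration.
PROXIES = {"US": "auth.us.company.com", "EU": "auth.eu.company.com"}
DNS = {  # hypothetical CNAME records; a real check would query a resolver
    "login.example.com": "auth.us.company.com",
    "auth.us.company.com": "us.clusters.skycloak-dns.io",
    "sso.example.com": "ca.clusters.skycloak-dns.io",     # no CA proxy: fallback
    "broken.example.com": "auth.eu.company.com",
    "auth.eu.company.com": "us.clusters.skycloak-dns.io",  # EU proxy aimed at US
}

if __name__ == "__main__":
    for dom, loc in [("login.example.com", "US"), ("sso.example.com", "CA"),
                     ("broken.example.com", "EU")]:
        print(dom, "OK" if verify_domain(dom, loc, PROXIES, DNS) else "MISMATCH")
```

The third sample domain is deliberately misconfigured (its EU proxy points at the US endpoint), which is the kind of drift such a check is meant to catch before users end up at the wrong region.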

Certificate Management

  • Automatic SSL: Certificates provisioned and renewed automatically
  • No Manual Work: No need to generate CSRs or manage renewals
  • Universal SSL: Works with any domain you own
  • Full Encryption: End-to-end encryption from user to application
  • Multi-Domain Support: Each proxy domain gets its own certificates

Monitoring & Observability

  • Real-time Metrics: Performance and availability monitoring
  • Access Logs: Detailed logs for security and compliance
  • Health Dashboards: Visual representation of system status
  • Alerting: Proactive notification of any issues

Compliance & Standards

  • Industry Standards: TLS 1.3, strong cipher suites
  • Data Sovereignty: Your data stays in your selected region
  • Audit Trails: Complete logs for compliance requirements
  • Security Updates: Infrastructure continuously updated

Why This Architecture?

For Your Security

  • Multiple defense layers protect against various attack vectors
  • Your Keycloak instance is never directly exposed to the internet
  • All communication is encrypted with modern protocols
  • Automatic security updates without downtime

For Your Performance

  • Global CDN ensures fast response times worldwide
  • Intelligent routing minimizes latency
  • Caching and optimization reduce load times
  • Auto-scaling handles traffic spikes seamlessly

For Your Reliability

  • 99.99% uptime SLA backed by redundant infrastructure
  • Automatic failover prevents single points of failure
  • Multi-data center deployment ensures availability
  • Self-healing systems recover from failures automatically

For Your Simplicity

  • Just add one CNAME record - we handle everything else
  • No infrastructure to manage or maintain
  • Automatic updates and security patches
  • Focus on your application, not infrastructure

Technical Specifications

Supported Protocols

  • TLS Versions: 1.2, 1.3
  • HTTP Versions: HTTP/1.1, HTTP/2, HTTP/3
  • Cipher Suites: Modern, secure cipher suites only

Infrastructure Details

  • Load Balancer: AWS Network Load Balancer (NLB)
  • Service Mesh: Istio 1.25+ with Ambient mesh
  • Kubernetes: EKS with auto-scaling node groups
  • Monitoring: Prometheus, Grafana, CloudWatch

Security Compliance

  • Encryption: AES-256 for data at rest
  • Protocols: TLS 1.3 preferred, TLS 1.2 minimum
  • Certificates: Managed by Cloudflare, validated by AWS Certificate Manager
  • Network: Private VPC with strict security groups

Realm-Specific Domain Mapping

For advanced use cases, you can map different domains to specific Keycloak realms, allowing:

  • Multi-tenant Applications: Different domains for different customers
  • Brand Separation: Unique domains per brand or product
  • Geographic Routing: Regional domains for compliance

Summary

When you use custom domains with Skycloak, you’re not just pointing a domain to a server. You’re leveraging a sophisticated, enterprise-grade infrastructure that provides:

  • World-class Security: Multiple layers of protection against modern threats
  • Global Performance: CDN and intelligent routing for fast access worldwide
  • High Reliability: Redundant systems with automatic failover
  • Zero Maintenance: We handle all infrastructure updates and scaling
  • Simple Setup: Just one CNAME record to configure

This infrastructure would typically cost thousands of dollars per month to build and maintain independently. With Skycloak, it’s all included, managed, and continuously improved for you.
