Deployment Options
IronFlock supports three deployment models. Every model delivers the same platform capabilities — app management, dashboards, data collection, AI services, and remote access — but differs in where the infrastructure runs and who manages it.
| | Cloud | On-Premises | Appliance |
|---|---|---|---|
| Hosting | IronFlock cloud | Your DMZ / VPC | Pre-configured box on-site |
| Target user | General | IT departments with Kubernetes expertise | Machine manufacturers / OEMs |
| Device connectivity | Internet required | Local network only | Local network only |
| Infrastructure setup | None | Customer provisions K8s cluster | None — ships ready to use |
| App Store | Full access | Synced from online store | Synced from online store |
| System updates | Automatic | Manual | Manual |
| AI services | Included | Requires LLM API access or custom model | Requires LLM API access or custom model |
| App development (AppStudio) | Multi-account | Multi-account | Single master account |
| Acts as edge device | No | No | Yes |
Cloud
The default deployment model. IronFlock runs entirely in the cloud — there is nothing to install or maintain. Devices connect over the internet to the IronFlock platform, and all services (backend, database, App Store, AI) are managed for you.
This is the right choice when your devices have internet access and you have no regulatory or network restrictions that require on-premises data residency.
On-Premises
A full on-premises deployment runs the entire IronFlock system — including the WAMP router, backend services, database, and container registry — on your own infrastructure. Devices connect to the on-premises IronFlock instance instead of the cloud.
When to Deploy On-Premises
On-premises deployment is designed for scenarios where devices cannot or should not reach the public internet:
- Classified environments — Government or military sites with strict network isolation
- Industrial plants — Factories with air-gapped OT networks
- Remote locations — Oil rigs, mining sites, or ships without reliable internet
- Regulatory compliance — Industries requiring all data to remain on-premises
What You Need
- A virtual private cloud setup with a cloud provider (AWS, Azure, Google, …) or bare metal hardware
- A server or cluster running Kubernetes (or Docker Compose for smaller deployments)
- Access to the IronFlock Helm charts
Network Architecture
A typical on-premises IronFlock deployment follows a DMZ architecture that separates the operational technology (OT) network from the IT network and, optionally, the internet.
Network Zones
- OT Network — Where your edge devices operate. Contains PLCs, sensors, gateways, and any hardware running the IronFlock agent. Devices only make outbound connections to the DMZ.
- DMZ Network — Hosts the IronFlock services. Accessible from the OT network (for device connections) and from operator workstations (for the web UI). Does not need internet access for normal operation.
- IT/Internet (optional) — Only required for syncing apps from the online IronFlock Store. Can be air-gapped with periodic manual imports.
Key Security Properties
- Edge devices never accept inbound connections — all communication is initiated outbound from the device to the WAMP router in the DMZ.
- The DMZ does not require internet access for day-to-day operations.
- Operator access to the IronFlock UI happens within the DMZ or over a controlled network path.
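The zone model and security properties above can be checked mechanically against an exported firewall rule table. This is an added example, not IronFlock code; the zone CIDRs, the rule tuple format, the ports and the sample rules are constructed assumptions.

```python
import ipaddress

# Assumed (constructed) zone addressing; replace with your own network plan.
ZONES = {
    "ot": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "it": ipaddress.ip_network("10.30.0.0/16"),
}

def zone_of(cidr):
    """Name the zone that fully contains cidr; anything wider or outside
    every zone is treated as 'internet' (the widest exposure)."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"

def audit(rules):
    """Return (rule_index, finding) for each allow rule that conflicts with
    the zone model. Rules are (src_cidr, dst_cidr, dst_port, action)."""
    findings = []
    for i, (src, dst, _port, action) in enumerate(rules):
        if action != "allow":
            continue
        s, d = zone_of(src), zone_of(dst)
        if d == "ot" and s != "ot":
            findings.append((i, "inbound connection into OT"))
        elif s == "ot" and d not in ("ot", "dmz"):
            findings.append((i, "OT egress bypasses the DMZ"))
        elif s == "internet" and d == "dmz":
            findings.append((i, "DMZ service reachable from the internet"))
        elif s == "dmz" and d == "internet":
            findings.append((i, "DMZ internet egress: restrict to sync/LLM use"))
    return findings

# Constructed sample rule table (not from a real deployment).
SAMPLE_RULES = [
    ("10.10.0.0/16", "10.20.0.10/32", 443, "allow"),  # 0: devices -> DMZ router
    ("10.30.5.0/24", "10.20.0.0/24", 443, "allow"),   # 1: operators -> UI
    ("10.20.0.0/24", "10.10.0.0/16", 22, "allow"),    # 2: DMZ -> OT
    ("10.10.0.0/16", "0.0.0.0/0", 443, "allow"),      # 3: OT -> anywhere
    ("10.20.0.0/24", "0.0.0.0/0", 443, "allow"),      # 4: DMZ -> internet
    ("0.0.0.0/0", "10.10.0.0/16", 0, "deny"),         # 5: explicit deny
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```

DMZ internet egress is reported for review rather than as a hard failure, since store sync and the AI service legitimately need it at specific times.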
Deployment Steps
On-premises deployments use the same Helm charts as the cloud deployment with modified configuration:
- Provision infrastructure — Set up a Kubernetes cluster or Docker host in your DMZ network.
- Load container images — Pull all IronFlock service images and push them to your local container registry.
- Configure values — Adjust the Helm values file to point all services to local endpoints (database, WAMP router, registry).
- Deploy — Install the Helm chart with your on-premises values file.
- Flash devices — Use FlockFlasher to flash devices with a configuration pointing to your on-premises IronFlock instance in the DMZ.
AI Services
IronFlock’s AI features — including the AI assistant, multi-agent orchestration, and natural language queries — require access to a large language model provider. In cloud mode this is handled automatically. In on-premises deployments, the IronFlock AI service needs outbound access to at least one of the following LLM APIs:
- Anthropic (Claude)
- OpenAI (GPT)
- Google (Gemini)
This can be a direct connection or routed through a proxy in your DMZ. If your environment does not permit any external API access, a custom large language model can be integrated on request — for example, a self-hosted open-source model running within your infrastructure. Contact the IronFlock team to discuss your requirements.
Appliance
The IronFlock Appliance is a pre-configured, self-contained box that ships with the complete IronFlock system ready to use. It is placed on-site next to the machines it manages — no DMZ, no VPC, no Kubernetes cluster required.
Who It’s For
The Appliance is designed for machine manufacturers and OEMs who want to deliver IronFlock capabilities together with their machines. Instead of asking the end customer to open their DMZ or provision cloud infrastructure, the manufacturer ships the Appliance as part of the machine delivery. The customer plugs it into the local network, and it works.
How It Differs from On-Premises
Both the Appliance and the on-premises deployment run IronFlock locally. The key difference is scope and complexity:
- On-Premises is a full IT installation — it runs in the customer’s DMZ or VPC, managed by the customer’s IT team, and can serve many accounts and projects across the organization.
- Appliance is a compact, turnkey box — it arrives pre-configured, sits on the local network next to the machines, and requires no IT involvement from the customer. It is designed for a limited number of machines.
What’s in the Box
The Appliance ships with all IronFlock services pre-installed and pre-configured:
- WAMP router, backend services, database, and container registry
- IronFlock UI accessible from the local network
- Local App Store for offline app distribution
- All dashboard, alarm, and data collection capabilities
Edge Device and Server in One
The Appliance does not only run the IronFlock platform — it can simultaneously act as an edge device in the IronFlock context. This means it can run containerized apps just like any other managed device, while also serving as the central management node for other devices on the same network. This makes it a compact, complete solution: platform server and edge compute in a single box.
Architecture
Hardware
The Appliance hardware is negotiable and is typically provided by the OEM or machine manufacturer. IronFlock provides the software stack and pre-configures the system on the chosen hardware before shipment. Typically, a medium-sized industrial edge PC (4 cores, 8 GB RAM) is sufficient to run the entire stack along with additional applications. Contact the IronFlock team to discuss hardware requirements for your use case.
Limitations
- Single master account for AppStudio — The Appliance can host an AppStudio environment for one master account only. App development is scoped to a single organization.
Syncing Apps from the Online Store
Both on-premises and Appliance deployments include a local App Store — a private app catalog and container registry that serves apps to devices within your network. You can populate this local store by syncing apps from the public online IronFlock Store, provided the instance has an internet connection available at sync time. No permanent internet connection is required; a temporary connection is sufficient to pull the apps you need.
Prerequisites
- An account on the public ironflock.com platform.
- A Store Access Key generated from your online IronFlock account settings.
How App Sync Works
┌────────────────────┐                      ┌────────────────────┐
│  Online IronFlock  │ ◄── Store Access ──► │   On-Premises /    │
│   Store (cloud)    │       Key auth       │  Appliance Store   │
└────────────────────┘                      └────────────────────┘
          │                                           │
   apps available                             sync button shown
   to key holder                              instead of install

- Generate a Store Access Key — Log in to your account on the online IronFlock platform and generate a Store Access Key from your profile settings.
- Enter the key in your profile — Open the IronFlock UI on your on-premises or Appliance instance, go to your profile, and paste the Store Access Key into the designated field.
- Open the local App Store — When the instance has an active internet connection, the App Store will show all apps that are available to the holder of that Store Access Key on the online platform.
- Sync the apps you need — Instead of an Install button, each app shows a Sync button. Clicking it downloads the app — including its container images and metadata — from the online store into the local store.
- Add devices — Once synced, the app is fully available in your local store and you can add devices to it normally, with no internet connection required.
Update Workflow
When a new version of a synced app is published on the online store, a Sync button will appear again for that app. Connect the instance to the internet briefly, sync the updated release, and then roll it out to your devices through the standard app upgrade flow.
This design gives you full control over what enters your network — nothing is downloaded automatically, and the internet connection is needed only during the sync step.
Benefits for App Distributors
On-premises and Appliance deployments follow the same separation of concerns as the cloud model. IronFlock handles all infrastructure and IT complexity — app distributors focus exclusively on their domain expertise.
What IronFlock Handles
Even when deployed outside the cloud, IronFlock continues to take care of everything beneath the application layer:
- App lifecycle management — install, update, and rollback across all devices from the IronFlock UI
- Remote service and logs — access device logs and terminal sessions over the local secure tunnel
- Data and message routing — the WAMP messaging layer works identically to cloud mode
- Built-in standards — alarms, dashboards, and data storage are available out of the box
- Compliance-ready infrastructure — keeping all data within your network satisfies requirements such as EU Data Act, NIS2, CRA, IT-SiG, and KRITIS
What App Distributors Focus On
Because IronFlock absorbs all IT complexity, app distributors only need to provide:
- Edge logic — the application code that runs on the device (Dockerfile + your business logic)
- Branded assets — your own name, logos, and product identity in the app UI
- Domain expertise — laser calibration, predictive maintenance, quality inspection, or whatever your industry problem is
No IT infrastructure knowledge is required. The same app that works in the IronFlock cloud works in an on-premises or Appliance deployment without code changes.
Role of System Integrators
For complex industrial environments, system integrators may extend IronFlock deployments with:
- Industry-specific OT protocol bridges (OPC-UA, Modbus, PROFINET)
- Customer ecosystem integrations (MES, ERP, SCADA)
- Custom network segmentation or hardware provisioning
The system integrator configures the IronFlock on-premises stack; the app distributor delivers apps into it — each role stays in its own lane.
Contact Us
On-premises deployments are configured in partnership with the IronFlock team. Contact us to discuss your requirements and get a deployment plan tailored to your environment.