Air-Gapped Deployment

Deploy DB Audit in fully isolated networks with zero internet connectivity. Every component runs entirely within your network boundary — no telemetry, no callbacks, no external dependencies.

Zero Outbound Connections Guarantee

DB Audit in air-gapped mode makes no network connections that leave your network: no telemetry, no license callbacks, no lookups against external DNS resolvers, no NTP queries to external servers. Internal names such as registry.internal and minio.internal are resolved by your own DNS, and time comes from the internal NTP server you configure below.

Prerequisites

  • Kubernetes 1.24+ or Docker 20.10+
  • Access to container images (transferred offline)
  • S3-compatible storage (MinIO recommended)
  • Internal TLS certificates (from your own CA)
  • Internal NTP server for time synchronization
  • Minimum 4 CPU cores, 8GB RAM for collector
  • 10GB+ disk for local buffering

Required Container Images

The following images must be transferred to your air-gapped environment.

Image                              Digest
dbaudit/collector:2.4.1            @sha256:a3b1c9f8e2d74...
dbaudit/ui:2.4.1                   @sha256:d4e5f6a7b8c91...
minio/minio:RELEASE.2025-01-01     @sha256:f7a8b9c0d1e23...
redis:7.2-alpine                   @sha256:c2d3e4f5a6b78...

Always verify image digests match published values before deployment. The digests in the table above are abbreviated; the full values are published at https://releases.dbaudit.ai/digests.

Image Transfer Methods

A. Docker Save/Load

The simplest method. Pull all images on an internet-connected machine, save them to a single tarball, and load them on the air-gapped host.

# On internet-connected machine
docker pull dbaudit/collector:2.4.1
docker pull dbaudit/ui:2.4.1
docker pull minio/minio:RELEASE.2025-01-01
docker pull redis:7.2-alpine
docker save dbaudit/collector:2.4.1 dbaudit/ui:2.4.1 \
  minio/minio:RELEASE.2025-01-01 redis:7.2-alpine \
  | gzip > dbaudit-images-2.4.1.tar.gz

# Transfer to air-gapped environment via approved media

# On air-gapped machine
docker load < dbaudit-images-2.4.1.tar.gz

B. Skopeo + Local Registry

Ideal for Kubernetes environments with an internal registry like Harbor. Skopeo copies images without requiring a Docker daemon.

# On internet-connected machine
skopeo copy docker://dbaudit/collector:2.4.1 \
  docker-archive:collector-2.4.1.tar
skopeo copy docker://dbaudit/ui:2.4.1 \
  docker-archive:ui-2.4.1.tar
skopeo copy docker://minio/minio:RELEASE.2025-01-01 \
  docker-archive:minio-RELEASE.2025-01-01.tar
skopeo copy docker://redis:7.2-alpine \
  docker-archive:redis-7.2-alpine.tar

# On air-gapped machine with local registry (e.g., Harbor)
skopeo copy docker-archive:collector-2.4.1.tar \
  docker://registry.internal:5000/dbaudit/collector:2.4.1
skopeo copy docker-archive:ui-2.4.1.tar \
  docker://registry.internal:5000/dbaudit/ui:2.4.1
skopeo copy docker-archive:minio-RELEASE.2025-01-01.tar \
  docker://registry.internal:5000/minio/minio:RELEASE.2025-01-01
skopeo copy docker-archive:redis-7.2-alpine.tar \
  docker://registry.internal:5000/redis:7.2-alpine

C. OCI Bundle for Kubernetes

Use crane or skopeo to create OCI layout directories. These can be version-controlled, checksummed, and pushed to any OCI-compliant registry.

# Using crane to create OCI layout bundles
crane pull dbaudit/collector:2.4.1 --format=oci collector-2.4.1-oci/
crane pull dbaudit/ui:2.4.1 --format=oci ui-2.4.1-oci/

# Tar the OCI directories for transfer
tar -czf dbaudit-oci-bundles-2.4.1.tar.gz \
  collector-2.4.1-oci/ ui-2.4.1-oci/

# On air-gapped machine, push from OCI layout to registry
crane push collector-2.4.1-oci/ \
  registry.internal:5000/dbaudit/collector:2.4.1
crane push ui-2.4.1-oci/ \
  registry.internal:5000/dbaudit/ui:2.4.1
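
All three methods above move images by tag and leave digest verification as a manual step. The script below is an added example, not DB Audit documentation or tooling, that makes the transfer fail closed: images are fetched by digest (so a tag that has been re-pointed is rejected at the source) into skopeo's dir: layout, which keeps the manifest bytes intact so the same digest can be re-checked on the air-gapped side before anything is pushed to the internal registry. Note that docker save/load and the docker-archive format re-serialize the layers, so an image loaded that way carries no registry digest to compare against. The script assumes a digests.txt you build from the full values at https://releases.dbaudit.ai/digests (one "IMAGE:TAG sha256:<64 hex>" per line; the table on this page shows them abbreviated), a skopeo recent enough to have copy --preserve-digests and inspect --format, and the registry.internal:5000 registry used elsewhere on this page.

```sh
#!/bin/sh
# Added example, not DB Audit tooling: fetch images by digest, keep the manifest
# bytes intact across the gap, and re-check every digest before pushing.
# Assumed inputs: digests.txt with lines "IMAGE:TAG sha256:<64 hex>" (full digests
# from the vendor's digest page) and the internal registry registry.internal:5000.
set -eu

# is_sha256_digest STRING -> 0 if STRING is "sha256:" followed by exactly 64 hex chars
is_sha256_digest() {
    expr "$1" : 'sha256:[0-9a-f]\{64\}$' >/dev/null
}

# pin_ref IMAGE[:TAG] DIGEST -> IMAGE@DIGEST
# A tag is mutable; a digest is not. Fetching by digest makes skopeo fail if the
# registry serves anything other than the published manifest. Registry ports are
# handled: in "registry.internal:5000/redis" the last ":" is not a tag separator.
pin_ref() {
    ref=$1 digest=$2
    is_sha256_digest "$digest" || { echo "malformed digest for $ref: $digest" >&2; return 1; }
    case "${ref##*:}" in
        */*) repo=$ref ;;        # text after the last ":" contains "/": host:port, no tag
        *)   repo=${ref%:*} ;;   # strip ":TAG"
    esac
    printf '%s@%s\n' "$repo" "$digest"
}

# layout_dir BUNDLEDIR IMAGE:TAG -> one "dir:" layout per image, named from the ref
layout_dir() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '/:' '__')"
}

# Connected side. "dir:" stores the manifest verbatim (docker-archive would
# re-serialize it) and --preserve-digests refuses any conversion that would
# change the digest.
fetch_pinned() {   # fetch_pinned digests.txt BUNDLEDIR
    while read -r ref digest; do
        [ -n "$ref" ] || continue
        pinned=$(pin_ref "$ref" "$digest") || return 1
        skopeo copy --preserve-digests "docker://$pinned" "dir:$(layout_dir "$2" "$ref")"
    done < "$1"
}

# Air-gapped side. Compare the digest of what actually arrived with the published
# value before anything touches the internal registry.
push_verified() {   # push_verified digests.txt BUNDLEDIR INTERNAL_REGISTRY
    while read -r ref digest; do
        [ -n "$ref" ] || continue
        src="dir:$(layout_dir "$2" "$ref")"
        actual=$(skopeo inspect --format '{{.Digest}}' "$src")
        if [ "$actual" != "$digest" ]; then
            echo "DIGEST MISMATCH for $ref: expected $digest, got $actual" >&2
            return 1
        fi
        skopeo copy --preserve-digests "$src" "docker://$3/$ref"
    done < "$1"
}
```

On the connected machine run fetch_pinned digests.txt ./bundle and ship ./bundle together with digests.txt on the approved media; on the air-gapped machine run push_verified digests.txt ./bundle registry.internal:5000. Pushing by tag into the internal registry is acceptable at that point because the content has already been checked against the published digest.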

Helm Offline Installation

1. Pull and Transfer Chart

Download the Helm chart on an internet-connected machine, then transfer the chart archive to your air-gapped environment.

# On internet-connected machine
helm repo add dbaudit https://charts.dbaudit.ai
helm pull dbaudit/on-premise --version 2.4.1

# Transfer dbaudit-on-premise-2.4.1.tgz to air-gapped environment

# On air-gapped machine: install from the local archive only (no `helm repo add`
# or `helm repo update` here, so Helm has no reason to reach out)
helm install dbaudit ./dbaudit-on-premise-2.4.1.tgz \
  --namespace dbaudit \
  --create-namespace \
  --values values-airgapped.yaml \
  --set image.registry=registry.internal:5000 \
  --wait

2. Air-Gapped Values File

Use a dedicated values file that points all images to your internal registry and disables any external connectivity features.

# values-airgapped.yaml
# Air-gapped specific Helm values

image:
  registry: registry.internal:5000
  repository: dbaudit/collector
  tag: "2.4.1"
  pullPolicy: IfNotPresent

ui:
  image:
    registry: registry.internal:5000
    repository: dbaudit/ui
    tag: "2.4.1"

mode: on-premise
airgapped: true

# Disable any external lookups
telemetry:
  enabled: false
licenseCheck:
  online: false
  offlineKeyPath: /etc/dbaudit/license.key

# Internal NTP server
ntp:
  server: ntp.internal
  enabled: true

# Internal TLS from your own CA
tls:
  enabled: true
  certFile: /etc/dbaudit/certs/server.crt
  keyFile: /etc/dbaudit/certs/server.key
  caFile: /etc/dbaudit/certs/ca.crt

storage:
  type: minio
  endpoint: https://minio.internal:9000
  bucket: audit-logs
  existingSecret: dbaudit-storage-credentials

encryption:
  existingSecret: dbaudit-encryption-key

redis:
  enabled: true
  image:
    registry: registry.internal:5000
    repository: redis
    tag: "7.2-alpine"

minio:
  enabled: true
  image:
    registry: registry.internal:5000
    repository: minio/minio
    tag: "RELEASE.2025-01-01"

Network Requirements Matrix

All connections below are internal to your network; no external or internet connections are required. Direction is given relative to the DB Audit component in each row: the collector and UI only open connections to systems you run (databases, storage, cache, mail relay, SIEM), and only users and Prometheus connect in.

Source       Destination        Port    Protocol   Direction   Purpose
Collector    Databases          varies  TCP        Outbound    Audit log collection
Collector    MinIO              9000    TCP/TLS    Outbound    Audit storage
Collector    Redis              6379    TCP        Outbound    Caching/queuing
UI           Collector API      8080    TCP/TLS    Outbound    Management API
Users        UI                 443     HTTPS      Inbound     Web interface
Prometheus   Collector          9090    HTTP       Inbound     Metrics scraping
Collector    SMTP (internal)    587     TCP/TLS    Outbound    Alert emails
Collector    SIEM (internal)    varies  TCP/TLS    Outbound    Event forwarding

Offline Licensing

DB Audit supports fully offline license activation. No internet connection is needed to activate or validate your license.

1. Generate license request

Run dbaudit license request --output license-request.json on the air-gapped machine. This produces a file containing your machine fingerprint.

2. Send to DB Audit sales

Transfer license-request.json to your sales contact via your approved secure channel (encrypted email, secure file transfer, etc.).

3. Import signed license

Receive a signed license.key file. Import it via CLI (dbaudit license activate --file license.key) or upload it through the web UI.

4. Grace period for renewal

Licenses include a 30-day grace period after expiry, giving you time to complete the offline renewal process without service interruption.

Offline Updates

Update your air-gapped deployment using signed bundles downloaded from the DB Audit portal. Each bundle includes new container images, an updated Helm chart, and release notes.

# On internet-connected machine
# Download the update bundle and its detached signature from the DB Audit portal
curl -O https://releases.dbaudit.ai/bundles/dbaudit-update-2.5.0.tar.gz
curl -O https://releases.dbaudit.ai/bundles/dbaudit-update-2.5.0.tar.gz.sig

# Transfer bundle + signature to air-gapped environment on the same media

# On air-gapped machine
# Verify the bundle signature (with the .sig transferred alongside it) before extracting anything
dbaudit verify-bundle dbaudit-update-2.5.0.tar.gz

# Extract the bundle
tar -xzf dbaudit-update-2.5.0.tar.gz

# Docker deployments: load the new images into the local daemon
docker load < dbaudit-update-2.5.0/images.tar.gz

# Kubernetes deployments: push the per-image archives to the internal registry instead
skopeo copy docker-archive:dbaudit-update-2.5.0/collector-2.5.0.tar \
  docker://registry.internal:5000/dbaudit/collector:2.5.0
skopeo copy docker-archive:dbaudit-update-2.5.0/ui-2.5.0.tar \
  docker://registry.internal:5000/dbaudit/ui:2.5.0

# Upgrade via Helm. values-airgapped.yaml still carries the 2.4.1 tags, so override
# both the collector and the UI tag (or update the values file first, which is the
# more durable choice)
helm upgrade dbaudit ./dbaudit-on-premise-2.5.0.tgz \
  --namespace dbaudit \
  --values values-airgapped.yaml \
  --set image.registry=registry.internal:5000 \
  --set image.tag=2.5.0 \
  --set ui.image.tag=2.5.0 \
  --wait

# Rollback to the previous release revision if needed
helm rollback dbaudit -n dbaudit

Always verify the bundle signature before applying updates. The verification key is included with your initial installation media.

Post-Deployment Verification Checklist

After deployment, run through this checklist to confirm your air-gapped installation is operating correctly.

# Check collector health (port 8080 is TLS per the network matrix; trust your internal CA)
curl --cacert /etc/dbaudit/certs/ca.crt https://collector:8080/health

# Verify zero outbound connections: capture anything addressed outside the private
# ranges (add any non-RFC 1918 ranges you use internally). In BPF "not" is a prefix
# operator, so the exclusions go in one negated group; -n keeps tcpdump itself from
# issuing reverse-DNS lookups. Expect silence.
tcpdump -ni eth0 \
  '(ip and not (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16' \
  '  or dst net 224.0.0.0/4 or dst host 255.255.255.255))' \
  'or (ip6 and not (dst net fc00::/7 or dst net fe80::/10 or dst net ff00::/8))'

# Verify data flowing to MinIO (dbaudit-minio is an alias created with `mc alias set`)
mc ls dbaudit-minio/audit-logs/ --recursive | tail -5

# Test alerting: trigger a test policy violation
dbaudit test-alert --policy privileged-access

# Verify license status
dbaudit license status

  • Check collector health: the health endpoint returns 200 OK
  • Verify zero outbound connections: the tcpdump capture for non-private destinations stays empty for the whole observation window
  • Verify data flowing: confirm the MinIO bucket has audit data arriving
  • Test alerting: trigger a test policy violation and confirm notification delivery
  • Verify license status: dbaudit license status shows an active license

A passive capture only shows what happened while you were watching. To make the zero-outbound guarantee hold continuously, enforce it with a default-deny egress NetworkPolicy on the dbaudit namespace (or host firewall rules) that allows only the destinations listed in the network requirements matrix.
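
The tcpdump step observes packets in flight; a complementary check is to look at the socket table, which also catches connections that are already established or stuck in SYN-SENT towards an external address. The script below is an added example, not DB Audit tooling, that classifies every peer in iproute2's ss output as private (RFC 1918, loopback, link-local, IPv6 ULA) or not and fails if anything else is present. It assumes ss is available on the collector host or in the pod; the ss output it runs on here is a constructed sample, not a capture from a real deployment.

```sh
#!/bin/sh
# Added example, not DB Audit tooling: scan the socket table for peers outside the
# private ranges and fail if any are found.
set -eu

# is_private_ipv4 A.B.C.D -> 0 for 10/8, 172.16/12, 192.168/16, 127/8 and 169.254/16
# (add your own internal ranges here if they are not RFC 1918)
is_private_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case "$1.$2" in
        10.*|127.*|192.168|169.254) return 0 ;;
        172.*) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# external_peers < `ss -tnH` output
# Each line: State Recv-Q Send-Q Local:Port Peer:Port. Prints "local -> peer" for
# every peer that is not private and returns 1 if there were any.
external_peers() {
    rc=0
    while read -r state recvq sendq laddr peer rest; do
        [ -n "${peer:-}" ] || continue
        case "$peer" in
            '[::ffff:'*) ip=${peer#"[::ffff:"}; ip=${ip%%]*} ;;    # IPv4-mapped IPv6
            '[::1]:'*|'[fe80:'*|'[fc'*|'[fd'*) continue ;;          # v6 loopback, link-local, ULA
            '['*) echo "$laddr -> $peer"; rc=1; continue ;;         # other IPv6: not internal
            *) ip=${peer%:*} ;;
        esac
        is_private_ipv4 "$ip" || { echo "$laddr -> $peer"; rc=1; }
    done
    return $rc
}

# Constructed sample of `ss -tnH` output (not captured from a real host): two
# expected internal connections, one IPv6 ULA connection, and a collector trying to
# reach 203.0.113.10 (a documentation-range address standing in for "the internet").
sample_ss() {
    cat <<'EOF'
ESTAB    0 0 10.0.1.5:43210   10.0.2.7:9000
ESTAB    0 0 10.0.1.5:51002   10.0.2.9:6379
ESTAB    0 0 [fd00::1]:8080   [fd00::20]:55100
SYN-SENT 0 1 10.0.1.5:40188   203.0.113.10:443
EOF
}
```

Run it on each collector host as ss -tnH | external_peers, or against a pod with kubectl exec -n dbaudit deploy/dbaudit-collector -- ss -tnH | external_peers (the deployment name is assumed, and ss must exist in the image). Schedule it alongside the tcpdump check rather than instead of it: the socket table shows TCP only, while the capture also reveals stray UDP such as DNS or NTP.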

Need Help with Air-Gapped Deployment?

Our team specializes in deploying DB Audit in high-security, air-gapped environments. We offer professional services including on-site installation support and secure media preparation.