Overview - Infisical

Infisical Relay is a secure routing layer that allows Infisical to connect to your private network resources, such as databases or internal APIs, without exposing them to the public internet. The relay acts as an intermediary, forwarding encrypted traffic between Infisical and your deployed gateways. This ensures that your sensitive data remains protected and never leaves your network unencrypted. With this architecture, you can achieve secure, firewall-friendly access across network boundaries, making it possible for Infisical to interact with resources even in highly restricted environments.

Before diving in, it's important to determine whether you actually need to deploy your own relay server or if you can use Infisical's managed infrastructure.

Do You Need to Deploy a Relay?

Not all users need to deploy their own relay servers. Infisical provides managed relay infrastructure in US/EU regions for Infisical Cloud users, which requires no setup or maintenance. You only need to deploy a relay if you:

Are self-hosting Infisical
Have a dedicated enterprise instance of Infisical (managed by Infisical)
Require closer geographic proximity to target resources than managed relays provide for lower latency and reduced network congestion when accessing resources through the relay
Need full control over relay infrastructure and traffic routing

If you are using Infisical Cloud and do not have specific requirements, you can use the managed relays provided by Infisical and skip the rest of this guide.

Deployment Steps

To successfully deploy an Infisical Relay for use, follow these steps in order.

<Steps> <Step title="Provision a Server"> Provision a server or virtual machine where you plan to deploy the relay. This server must have a static IP address or DNS name to be identifiable by the Infisical platform. </Step> <Step title="Create the Relay in the UI"> 1. Navigate to **Organization Settings > Networking > Relays**. 2. Click **Create Relay**. 3. Enter a name and host address (the static IP or DNS name of the server from Step 1). 4. (Optional) Open the new relay's detail page and click the edit icon next to **Authentication** to switch the auth method. Two methods are supported: - **Token** (default): a one-time enrollment token (1h expiry) bootstraps the relay. - **AWS**: the relay authenticates by signing an `sts:GetCallerIdentity` request with whatever AWS credentials it can resolve on the host (instance role, env vars, shared profile). Configure the allowed principal ARNs and/or account IDs that match your hosts. 5. Click **Show deploy command** and copy the generated CLI command. </Step> <Step title="Install the Infisical CLI"> Make sure the Infisical CLI is installed on the target machine. See the [CLI Installation Guide](/cli/overview) for instructions.

To view all available flags and equivalent environment variables for relay deployment, see the [Relay CLI Command Reference](/cli/commands/relay).

</Step> <Step title="Configure Network & Firewall"> Ensure your network and firewall settings allow the server to accept inbound connections and make outbound connections:

**Inbound Connections Rules:**
| Protocol | Source             | Port | Purpose                          |
| -------- | ------------------ | ---- | -------------------------------- |
| TCP      | Gateways           | 2222 | SSH reverse tunnel establishment |
| TCP      | Infisical instance host (US/EU, other) | 8443 | Platform-to-relay communication  |

**Outbound Connections Rules:**
| Protocol | Destination                          | Port | Purpose                                    |
| -------- | ------------------------------------ | ---- | ------------------------------------------ |
| TCP      | Infisical instance host (US/EU, other) | 443  | API communication and certificate requests |

</Step> <Step title="Run the CLI Command"> Run the command you copied from the UI on the target machine. This single command enrolls the relay and starts it immediately.

<AccordionGroup>
  <Accordion title="Token Auth">
    A one-time enrollment token (1h expiry) bootstraps the relay.

    <Tabs>
      <Tab title="Linux (Production)">
        ```bash
        sudo infisical relay systemd install \
          --name=<relay-name> \
          --enroll-method=token \
          --token=<enrollment-token> \
          --domain=<your-infisical-domain>
        sudo systemctl start infisical-relay
        ```
      </Tab>
      <Tab title="Foreground">
        ```bash
        infisical relay start \
          --name=<relay-name> \
          --enroll-method=token \
          --token=<enrollment-token> \
          --domain=<your-infisical-domain>
        ```
      </Tab>
    </Tabs>
  </Accordion>
  <Accordion title="AWS Auth">
    The host must have AWS credentials whose principal matches your allowlist. The relay re-authenticates via STS on every start.

    <Tabs>
      <Tab title="Linux (Production)">
        ```bash
        sudo infisical relay systemd install \
          --name=<relay-name> \
          --enroll-method=aws \
          --relay-id=<relay-id> \
          --domain=<your-infisical-domain>
        sudo systemctl start infisical-relay
        ```
      </Tab>
      <Tab title="Foreground">
        ```bash
        infisical relay start \
          --name=<relay-name> \
          --enroll-method=aws \
          --relay-id=<relay-id> \
          --domain=<your-infisical-domain>
        ```
      </Tab>
    </Tabs>
  </Accordion>
</AccordionGroup>

<Warning>
  The systemd install command requires Linux with root/sudo privileges.
</Warning>

<Info>
  Token-method enrollment tokens are single-use and expire after 1 hour. If the token expires before deployment, click **Show deploy command** again on the relay detail page to generate a new one.
</Info>

<Info>
  You can safely re-run the same command to restart the relay. The CLI detects the token has already been used locally and skips enrollment automatically.
</Info>

</Step> <Step title="Verify Your Relay Deployment"> After deployment, verify your relay is working: 1. **Check logs** for "Relay server started successfully" message. 2. **Verify registration** in the Infisical UI. Navigate to **Networking > Relays** and click on your relay to confirm it shows a "Healthy" status. 3. **Test connectivity** by deploying a gateway that routes through this relay. </Step> </Steps>

Frequently Asked Questions

<AccordionGroup> <Accordion title="Can the relay servers decrypt traffic going through them?"> No, relay servers cannot decrypt any traffic passing through them due to end-to-end encryption:

Client-to-Gateway mTLS (via TLS-pinned tunnel): Clients connect via a proxy that establishes a TLS-pinned tunnel to the gateway; mTLS between the client and gateway is negotiated inside this tunnel, encrypting all application traffic
SSH tunnel encryption: The mTLS-encrypted traffic is then transmitted through SSH reverse tunnels to relay servers
Double encryption: Traffic is encrypted twice - once by client mTLS and again by SSH tunnels
Relay only routes traffic: The relay server only routes the doubly-encrypted traffic without access to either encryption layer

The relay infrastructure is designed as a secure routing mechanism where only the client and gateway can decrypt the actual application traffic.

</Accordion> <Accordion title="What are the benefits of deploying my own relay?"> Deploying your own relay provides several advantages:

Dedicated resources: Full control over relay infrastructure and performance
Lower latency: Deploy closer to your gateways for optimal performance
Compliance: Meet specific data routing and compliance requirements
Custom network policies: Implement organization-specific network configurations
Geographic proximity: Reduce network congestion and improve response times to access resources
High availability: Deploy multiple relays for redundancy and load distribution

Organization-deployed relays give you complete control over your secure communication infrastructure.

</Accordion> <Accordion title="How do I troubleshoot connectivity issues?"> For detailed troubleshooting:

Platform cannot connect to relay:

Check firewall rules allow inbound TCP with TLS on port 8443
Test connectivity: openssl s_client -connect <relay-ip>:8443

Test network connectivity:

bash

# Test outbound API access from relay. Replace URL with your Infisical instance if self-hosted
curl -I https://app.infisical.com

# Test TCP with TLS port from platform
openssl s_client -connect <relay-ip>:8443

</Accordion> <Accordion title="What happens if my relay server goes down?"> Relay server outages affect gateway connectivity:

Gateway reconnection: Gateways will automatically attempt to reconnect when the relay comes back online
Service interruption: While the relay is down, the Infisical platform cannot reach gateways through that relay. As a result, any secrets or resources accessed via those gateways will be temporarily unavailable until connectivity is restored.
Multiple relays: Deploy multiple relay servers for redundancy and high availability
Automatic restart: Use systemd or container orchestration to automatically restart failed relay services

For production environments, consider deploying multiple relay servers to avoid single points of failure.

</Accordion> </AccordionGroup>