Self-Hosted Control Plane
You can run the AISIX Cloud control plane on your own infrastructure instead of using the managed service. A self-hosted control plane gives you the same resource management, gateway certificate issuance, and usage reporting as AISIX Cloud, while keeping all control-plane data inside your environment — including fully air-gapped networks.
This page covers two install methods:
- Online — for hosts with internet access. Container images are pulled from Docker Hub at start.
- Offline (air-gapped) — for hosts with no registry access. All images ship inside the package.
What Gets Deployed
The control plane is a self-contained stack:
| Service | Role |
|---|---|
| cp-api | Core API: organizations, environments, resources, billing |
| dp-manager | Data-plane manager: mTLS certificate issuance and config delivery |
| dashboard | Web console |
| PostgreSQL | Shared datastore |
Your AISIX gateways (the data plane) run separately and connect outbound to dp-manager over mTLS. The control plane never needs inbound access to your gateways. After the control plane is up, follow Connect a Managed Gateway to attach a gateway.
All download URLs below use the rolling latest build, so the same commands always fetch the current release.
Online Deployment
One-Line Quickstart (Docker Compose)
On a host with Docker and Docker Compose:
```bash
curl -sL "https://run.api7.ai/aisix-ee/quickstart" | bash
```
The script downloads the latest package into ./aisix-ee, generates a .env with fresh secrets, and starts the stack (images are pulled from Docker Hub). When it finishes it prints the dashboard URL (default http://localhost:8080). Open it and create the first admin account.
Manage the stack from ./aisix-ee:
```bash
./aisix-ee/run.sh logs   # tail logs
./aisix-ee/run.sh stop   # stop containers
./aisix-ee/run.sh down   # remove containers (keeps the data volume)
```
Kubernetes (Helm)
For a production deployment on Kubernetes, install the chart from the API7 Helm repository:
```bash
helm repo add api7 https://charts.api7.ai
helm repo update
helm install aisix-cp api7/aisix-cp \
  --set secrets.masterKey="$(openssl rand -base64 32)" \
  --set secrets.betterAuthSecret="$(openssl rand -base64 48)" \
  --set postgresql.auth.password="$(openssl rand -hex 24)" \
  --set postgresql.auth.postgresPassword="$(openssl rand -hex 24)"
```
The chart deploys cp-api, dp-manager, the dashboard, and (by default) a bundled PostgreSQL instance. To use an existing database, set postgresql.builtin=false and configure externalDatabase. See the chart's values.yaml for the full set of options.
Use URL-safe secrets for the database password (for example openssl rand -hex 24). The password is embedded in a postgres:// connection URL, so characters such as +, /, and = (as produced by openssl rand -base64) can break it.
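The failure mode described above, shown as an added example (not part of the AISIX documentation or chart). It assumes the password is interpolated into the URL without percent-encoding and uses Python's `urllib.parse` as a stand-in for a generic URL parser; the user, host, port and database name are placeholders.

```python
import re
import secrets
from urllib.parse import urlsplit

# RFC 3986 "unreserved" characters never need escaping anywhere in a URL.
UNRESERVED = re.compile(r"[A-Za-z0-9._~-]+")

def is_url_safe(secret: str) -> bool:
    """Allowlist gate to run on a password before handing it to the chart."""
    return UNRESERVED.fullmatch(secret) is not None

def build_url(password: str) -> str:
    # Assumption: plain interpolation with no percent-encoding.
    # User, host, port and database name are placeholders.
    return f"postgres://aisix:{password}@db.internal:5432/aisix"

def survives_url(password: str) -> bool:
    """True if a generic URL parser recovers the same password and host."""
    parts = urlsplit(build_url(password))
    try:
        return (parts.password == password
                and parts.hostname == "db.internal"
                and parts.port == 5432)
    except ValueError:  # raised when the port field is not numeric
        return False

# Constructed samples, not real credentials.
BASE64_STYLE = "q3/Zk+9xTg=="      # shape of `openssl rand -base64` output
HEX_STYLE = secrets.token_hex(24)  # same shape as `openssl rand -hex 24`

if __name__ == "__main__":
    for label, pw in (("base64", BASE64_STYLE), ("hex", HEX_STYLE)):
        print(f"{label:7} allowlist={is_url_safe(pw)} parses={survives_url(pw)}")
    # The "/" ends the authority component early, so the parser sees a
    # different host and no password at all.
    print("host seen by parser:", urlsplit(build_url(BASE64_STYLE)).hostname)
```

This parser only trips on `/`; a password containing just `+` or `=` still splits cleanly here, which is why the allowlist check, not a single parser's behavior, is the gate to rely on.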
Offline (Air-Gapped) Deployment
For a host with no registry access, use the offline package — it bundles every container image.
```bash
# On a machine with internet access, download the package:
curl -fSL "https://run.api7.ai/aisix-ee/aisix-ee-offline-latest.tar.gz" \
  -o aisix-ee-offline-latest.tar.gz

# Transfer it to the air-gapped host, then:
tar -xzf aisix-ee-offline-latest.tar.gz
cd aisix-ee
./run.sh
```
run.sh loads the bundled images with docker load, generates a .env with fresh secrets, and starts the stack — no internet required. When it finishes it prints the dashboard URL (default http://localhost:8080).
The offline package also runs the control plane in offline pricing mode: the model-pricing catalog is seeded on first boot from a models.dev snapshot baked into the cp-api image, so pricing works with no outbound access. To run online pricing instead, remove AISIX_CLOUD_PRICESYNC_SNAPSHOT_PATH from the api service in docker-compose.yaml.
Before Exposing Externally
Edit .env (Docker Compose) or your Helm values and set:
- AISIX_CLOUD_PUBLIC_BASE_URL — the browser-facing origin (for example https://aisix.example.com). Login validates the session issuer against this value.
- AISIX_CLOUD_DPMGR_BASE_URL — the dp-manager mTLS endpoint your data-plane hosts connect to.
Then recreate the affected services (docker compose up -d, or helm upgrade).
Next Steps
- Connect a Managed Gateway — issue a gateway certificate and attach an AISIX gateway.
- Organizations and Environments — model your teams and runtime environments.
- Deployment Modes — compare self-hosted and managed operating models.