Architecture insight
Cloud-IAM's architecture is built for high availability, security, and robustness using a multi-layered approach. Certain architectural details are proprietary and are not disclosed for security reasons; what follows is an overview of Cloud-IAM's key architectural components and principles.
Cloud-IAM architecture insight
Cloud-IAM's architecture provides isolated, dedicated deployments, minimizing the risk of cross-tenant interference and preserving performance across customer environments.

Control plane
Cloud-IAM's Control Plane consists of the Cloud-IAM Console, the API, and a centralized database. This database stores customer information, organizational configuration, and the data associated with each deployment. The Control Plane holds global settings and manages Cloud-IAM resources across all customer deployments.
Data plane
Each Data Plane is one customer deployment managed by Cloud-IAM. Data Planes run autonomously: a customer environment keeps functioning even when the Control Plane has issues or is unavailable. This self-sufficiency allows uninterrupted service and greater resilience.
Job execution and worker pool
The Control Plane initiates tasks and hands them to a distributed worker pool, which executes them inside the Data Planes. This asynchronous job model scales across many deployments while keeping access to each deployment secure and isolated.
Deployment architectures insight
Single region deployment
Cloud-IAM's single-region deployments are designed for reliability and are hosted in their own dedicated, isolated network infrastructure. This deployment architecture provides a highly available Keycloak setup optimized for production-grade performance, giving robust and dependable identity management for mission-critical applications.
Key features of this architecture include:
- Dedicated VPC: Deployed across all availability zones in the chosen region.
- Fixed public gateway IP address: All outbound traffic leaves through a single IP address attached to the deployment. You can allowlist this IP on the systems your Keycloak must reach; because it is the only address the deployment uses for outbound connections, such an allowlist is both narrow and stable.
- Zone-Specific Network Restrictions: Network rules are scoped per availability zone, keeping traffic management secure and efficient.
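The fixed egress IP above is only useful if the systems Keycloak reaches actually verify it. The following is an added example, not Cloud-IAM's own code, of the check a backend sitting behind your own reverse proxy would apply before treating a request as coming from the deployment. The egress IP `203.0.113.10`, the proxy range `10.0.0.0/24` and the `X-Forwarded-For` handling are constructed placeholders; take the real IP from your deployment.

```python
# Added example, not Cloud-IAM code: verify that a request reaching one of your
# own backends really originates from the deployment's fixed egress IP.
# All addresses below are constructed placeholders.
import ipaddress
from typing import Iterable, Mapping, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed placeholder for the deployment's fixed public gateway IP.
KEYCLOAK_EGRESS_IPS = ("203.0.113.10",)

# Constructed placeholder: your own reverse proxies / load balancers whose
# X-Forwarded-For header you are prepared to believe.
TRUSTED_PROXIES = ("10.0.0.0/24",)


def _parse_ip(value: str) -> Optional[IPAddress]:
    """Parse one IP literal, returning None for garbage instead of raising."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> Optional[IPAddress]:
    """Return the address that actually originated the request.

    X-Forwarded-For is only honoured when the TCP peer is one of our own
    proxies. Without that check anyone on the internet could set the header
    to the Keycloak egress IP and pass the allowlist.
    """
    peer = _parse_ip(remote_addr)
    if peer is None:
        return None
    proxy_nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_proxy(addr: IPAddress) -> bool:
        # ip_network.__contains__ returns False across IPv4/IPv6, no exception.
        return any(addr in net for net in proxy_nets)

    if not is_proxy(peer):
        return peer  # direct connection: the peer is the client
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return peer
    hops = [h for h in (_parse_ip(p) for p in xff.split(",")) if h is not None]
    # Walk from the right: the right-most non-proxy entry is the address our
    # proxy saw on the wire; anything left of it was supplied by the client.
    for hop in reversed(hops):
        if not is_proxy(hop):
            return hop
    return None  # every hop is a proxy; origin unknown, treat as untrusted


def is_from_keycloak(remote_addr: str, headers: Mapping[str, str],
                     allowed: Iterable[str] = KEYCLOAK_EGRESS_IPS) -> bool:
    """True only if the originating address is one of the allowlisted egress IPs."""
    origin = client_ip(remote_addr, headers)
    if origin is None:
        return False
    return any(origin == ipaddress.ip_address(a) for a in allowed)


if __name__ == "__main__":
    # Direct hit from the egress IP: allowed.
    print(is_from_keycloak("203.0.113.10", {}))
    # Random host claiming the egress IP in a header: rejected.
    print(is_from_keycloak("198.51.100.7", {"X-Forwarded-For": "203.0.113.10"}))
```

The caveat the example encodes: `X-Forwarded-For` is client-controlled, so it is believed only when the TCP peer is one of your own proxies, and only the right-most entry that is not itself a proxy is used. Enforce the same allowlist at the network layer too (security group or firewall rule on the target system); the application-level check is defence in depth, not a replacement.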
This architecture is built to eliminate single points of failure. Every component is replicated at least once, ensuring seamless operation during failures or maintenance activities.
Highly available architecture:
- Load Balancing: Inbound traffic is distributed by DNS-based load balancers with integrated health checks, so unhealthy nodes are taken out of rotation.
- Self-Sufficient Nodes: Each Keycloak node operates independently, so the loss of one node does not take the service down.
- Multi-AZ Architecture: The deployment spans multiple availability zones, providing high availability and fault tolerance across the region.
- Database Replication: Databases are synchronized with failover capabilities for maximum resilience.
- Backups: Regular backups are stored in another region and with another cloud provider, ensuring data durability and rapid recovery in case of a regional failure.

Multi-region Deployment
Cloud-IAM's multi-region deployments are designed to enhance availability, resilience, and disaster recovery. This active-passive architecture runs on AWS and uses Aurora cross-region database replication, so your identity management system stays highly available even during a regional outage.
In a multi-region Keycloak deployment, Keycloak clusters are deployed in separate regions, one acting as the active cluster and the others as passive. The clusters are connected to synchronized databases, which keeps data consistent across regions and minimizes downtime on failover.
State-of-the-art architecture:
- Enhanced redundancy: Deploying clusters across multiple regions gives physical redundancy for both your Keycloak clusters and their data in case of regional outages or major incidents.
- Seamless failover: In the event of an incident, traffic can be switched to the secondary Keycloak cluster within a few minutes, without recreating a cluster from a previous backup.
- Optimized user experience: With real-time data synchronization and active session persistence, users experience minimal downtime, even during a failover.
- Centralized management: One Keycloak instance is used to configure and manage all regions, providing a unified interface for administering and monitoring the clusters.
