# Overview Welcome to the deployment strategies section of Defguard documentation. This guide covers the different ways you can deploy Defguard in your environment, from quick options using packages or Docker to more advanced setups with Kubernetes or Terraform. Whether you're running a small instance or preparing for a more complex production environment, this section will help you choose the deployment method that best fits your needs. ## Before you begin 1. Make sure you understand [Defguard's architecture](https://docs.defguard.net/2.0/in-depth/architecture), especially the division into the main components: Core, Proxy, Gateway. 2. Make sure your infrastructure is prepared by following our [recommendations](https://docs.defguard.net/2.0/deployment-strategies/hardware-os-network-and-firewall-recommendations). ## Initial deployment sequence Before deploying any Gateways, you must first install and configure the Core service. The Core acts as the central control plane - it manages configuration, authentication, and communication with all connected Gateways. Once the Core is running and accessible, log in to the admin interface and navigate to the Gateways section. Create a new Gateway entry to generate a unique registration token. This token will be used during the Gateway deployment process to securely link the Gateway instance with your Core. After obtaining the token, proceed with deploying the Gateway service. During its initial setup, provide the generated token so that the Gateway can authenticate and register itself with the Core. Once registration is complete, the Gateway will appear in the Core dashboard and start receiving configuration updates automatically. #### Long story short: {% stepper %} {% step %} **Deploy Defguard Core service.** {% endstep %} {% step %} **Add a new location in Core's web interface and obtain a token.** More on that [here](https://docs.defguard.net/2.0/deployment-strategies/gateway). {% endstep %} {% step %} **Deploy Gateway configured with the token.** {% endstep %} {% endstepper %} ## Choose your deployment strategy | Strategy name | Difficulty | Production readiness | Purpose | | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | | [One-line script](https://docs.defguard.net/2.0/getting-started/one-line-install) | :green\_circle: Easy, single command installation | :x: Doesn't follow the [recommendations](https://docs.defguard.net/2.0/deployment-strategies/hardware-os-network-and-firewall-recommendations) | For testing purposes only | | [Standalone packages](https://docs.defguard.net/2.0/deployment-strategies/standalone-package-based-installation) | :green\_circle: Easy, using apt and dpkg | :white\_check\_mark: If you followed the [recommendations](https://docs.defguard.net/2.0/deployment-strategies/hardware-os-network-and-firewall-recommendations) | Small to medium deployment | | [Docker Compose](https://docs.defguard.net/2.0/deployment-strategies/docker-compose) | :yellow\_circle: Medium, Docker knowledge required | :white\_check\_mark: If you followed the [recommendations](https://docs.defguard.net/2.0/deployment-strategies/hardware-os-network-and-firewall-recommendations) | Small to medium deployment | | [Kubernetes](https://docs.defguard.net/2.0/deployment-strategies/kubernetes) | :red\_circle: Advanced, requires a k8s cluster and administrator | :white\_check\_mark: If you followed the [recommendations](https://docs.defguard.net/2.0/deployment-strategies/hardware-os-network-and-firewall-recommendations) | Large or enterprise deployments | | [Terraform](https://docs.defguard.net/2.0/deployment-strategies/terraform) | :red\_circle: Advanced, requires an AWS account and knowledge | :white\_check\_mark: | Large or enterprise deployments | | [AMI and AWS CloudFormation](https://docs.defguard.net/2.0/deployment-strategies/amis-and-aws-cloudformation) | :red\_circle: Advanced, requires an AWS account and knowledge | :white\_check\_mark: | Large or enterprise deployments | ## Configure to your needs See our [configuration documentation](https://docs.defguard.net/2.0/deployment-strategies/configuration) to learn about all the settings you can change in your deployment. ## Backup [Core service](https://github.com/DefGuard/defguard) is the only service which uses persistent data storage, which is PostgreSQL database. Every SQL migration is applied automatically while bringing up core server and we try our best not to break anything in the process. It's recommended to do database, configuration and Settings(SMTP, Branding) backup before every update in case of some unexpected failure. \ Example database backup: ```bash docker exec {container_name} pg_dump -U {user_name} > {backup_file_name} ``` ## Failover/HA/Clustering The [Gateway](https://docs.defguard.net/2.0/deployment-strategies/gateway) can be deployed on multiple servers, firewalls, or routers for failover and high availability (HA). Even if the connection to the Core is lost, gateways continue operating using their local cache and data, ensuring that the VPN remains functional. Conversely, if a gateway becomes unavailable, other Core features (such as OpenID) will continue to work normally. For details on deploying multiple Gateway to [High Availability and Failover](https://docs.defguard.net/2.0/deployment-strategies/high-availability-and-failover) documentation.