# Air-gapped This guide shows you how to install AxoConsole in an air-gapped environment on a virtual machine. To deploy an on-premises AxoConsole that has internet access, see [Deployment guide](../../docs/axoflow/deploy/onprem/deployment-guide/index.md). Since this is a single instance deployment, we don’t recommend using it in production environments. For additional steps and configurations needed in production environments, [contact our support team](). At a high level, the deployment consists of the following steps: 1. Preparing a virtual machine. 2. Running the installation script on the virtual machine that deploys: * Kubernetes * cert-manager and Traefik * AxoConsole Any of these components can be skipped if already installed. 3. Basic authentication with admin user and password is configured by default. You can also configure other common authentication methods like [LDAP](../../docs/axoflow/deploy/onprem/authentication/ldap/index.md), [Github](../../docs/axoflow/deploy/onprem/authentication/github/index.md) and [Google](../../docs/axoflow/deploy/onprem/authentication/google/index.md). 4. [Before deploying AxoRouter](../../docs/axoflow/deploy/onprem/prepare-axorouter-hosts/index.md) describes the steps you have to complete on a host before deploying AxoRouter on it. These steps are specific to on-premises AxoConsole deployments, and aren’t needed when using the SaaS AxoConsole. ## Prerequisites To install AxoConsole, you’ll need the following: * The URL for downloading the AxoConsole bundle. You’ll receive this URL from our team. You can request it using the [contact form](). **CAUTION:** Don’t start the [Install AxoConsole](../../docs/axoflow/index.md#install-console) process until you’ve received the bundle URL. * A license key for AxoConsole. You’ll receive this from our team. You can request it using the [contact form](). * A host that meets the [system requirements](../../docs/axoflow/deploy/airgapped/index.md#system-requirements). ### System requirements Supported operating system: Ubuntu 24.04, Red Hat 9 and compatible (tested with AlmaLinux 9) The virtual machine (VM) must have at least: Resource | Minimum | Production ---|---|--- CPU | 4 vCPU | 16 vCPU RAM | 8 GB | 16 GB Disk (`/`) | 100 GB | 250 GB * A Minimum setup with 4 vCPU (x86_64-based), 8 GB RAM, and 100 GB disk space can handle about 100 AxoRouter instances and 1000 data source hosts. * A real-life production scenario that handles 100 AxoRouter and 3000 data source hosts with 30-day metric retention would need: * 16 vCPU (x86_64-based) * 16 GB RAM * 250 GB disk space Note Note that AxoRouter and Axoflow agent collects detailed, real-time metrics about the data-flows – giving you observability over the health of the security data pipeline and its components. Your security data remains in your self-managed cloud or in your on-prem instance where your sources, destinations, Axoflow agents, and AxoRouters are running, only metrics are forwarded to AxoConsole. For details on sizing, [contact our support team](). You’ll need to have access to a user with `sudo` privileges. ## Install AxoConsole **CAUTION:** This procedure covers how to deploy a new AxoConsole instance. The installation script can’t upgrade existing deployments, [contact the Axoflow support team]() for detailed upgrade instructions. 1. Download the installation bundle file from the URL you’ve received from the Axoflow Support Team. 2. Transfer the file to the host where you want to install AxoConsole. 3. Extract the file and navigate into the directory. ``` tar -xf axoflow-all-in-one-0.81.1-linux-amd64.tar cd axoflow-all-in-one-0.81.1-linux-amd64 ``` 4. Run the installation script with your license key and the domain name for your AxoConsole deployment. Note ``` Re-running the installer will reuse any existing or modified manifests or user settings available on the host. ``` ``` sudo LICENSE_KEY= BASE_HOSTNAME= AXOFLOW_VERSION=0.81.1 ./axoflow-install.sh ``` You can use the following flags as needed for your environment. * `--step`: Prompt before each step * `--dry-run`: Show what would be done without executing anything * `--skip-k3s`: Skip k3s installation (already installed) * `--skip-cert-manager`: Skip cert-manager installation * `--disable-traefik`: Disable the built-in Traefik ingress controller of k3s. Use this option when using a custom ingress controller. 5. If needed, follow the on-screen instructions. 6. Wait a few minutes until everything is installed. In case of any errors, check [Troubleshooting](../../docs/axoflow/deploy/airgapped/index.md#troubleshooting) for tips. 7. The script prompts to display the password of the default `admin` user. Record it, you’ll need it to log in to AxoConsole. ``` ... [2026-06-02 20:44:28] [INFO ] All pods in axoflow are ready/complete [2026-06-02 20:44:28] [INFO ] Axoflow is healthy [2026-06-02 20:44:28] [INFO ] Access the UI at: https:// Show admin credentials? [y/N]: y Username: admin Password: MzGIjuWKjXOtiRs4 ``` Note When using AxoRouter with an on-premises AxoConsole deployment, you have to [prepare the hosts before deploying AxoRouter](../../docs/axoflow/deploy/onprem/prepare-axorouter-hosts/index.md). These steps are specific to on-premises AxoConsole deployments, and are not needed when using the SaaS AxoConsole. ## Login to AxoConsole 1. If the domain name of AxoConsole cannot be resolved from your desktop, add it to the `/etc/hosts` file in the following format. Use and IP address of AxoConsole that can be accessed from your desktop. ``` idp. authenticate. ``` 2. Open the `https://` URL in your browser. 3. The on-premise deployment of AxoConsole shows a self-signed certificate. If your browser complains about the related risks, accept it. 4. Use the email address and password you got or set in the installation step to log in to AxoConsole. ## Prepare AxoRouter hosts Note When using AxoRouter with an on-premises AxoConsole deployment, you have to [prepare the hosts before deploying AxoRouter](../../docs/axoflow/deploy/onprem/prepare-axorouter-hosts/index.md). These steps are specific to on-premises AxoConsole deployments, and are not needed when using the SaaS AxoConsole. ## AxoConsole service reference Service Name | Namespace | Purposes | Function ---|---|---|--- KCP | `axoflow` | Backend API | Kubernetes Like Service with built in database, that service manage all the settings that our system manage Chalco | `axoflow` | Frontend API | Serve the UI API Calls, implement business logic for the UI Controller-Manager | `axoflow` | Backend Service | Reacts to state changes in our business entities, manage business logic for the Backend Telemetry Proxy | `axoflow` | Backend API | Receives agents telemetries UI | `axoflow` | Dashboard | The frontend for AxoConsole Prometheus | `axoflow` | Backend API /Service | Monitoring component to store time series information and an API for query, manage alert rules Alertmanager | `axoflow` | Backend API /Service | Monitoring component to Send alert based on alerting rules Axoflow IDP | `axoflow` | Identity Connector/Proxy | Identity Connector/Proxy to allow the customer to use own identity (Google, LDAP, etc.) Axolet Dist | `axoflow` | Backend API | Static artifact store to contains agents binaries Cert Manager (kcp) | `axoflow` | Automated Certificate management tool | Manage certificates for Agents Cert Manager | `cert-manager` | Automated Certificate management tool | Manage certificates for Axoflow components (Backend API, HTTP Proxy) Traefik Ingress Controller | `ingress-traefik` | HTTP Proxy | Rout the HTTP traffic between multiple Frontend/Backend APIs ## Troubleshooting * If you get the `[ERROR] Timed out waiting for k3s node to be Ready` error message, increase the timeout limit by running `K3S_TIMEOUT=180`, then rerun the installation script. In case of other errors, [contact our support team]().