Choose Your Platform
Broch ships as a Docker image and runs on any platform that supports containers. The platform you choose determines how TLS is handled, which database options are available, and how much operational overhead you take on.
All deployment files live in broch-io/broch-deploy — Docker Compose variants under docker-compose/, Terraform modules under terraform/.
Platform Comparison
| Platform | Database | TLS approach | Source | Status |
|---|---|---|---|---|
| Docker Compose | Embedded Postgres or external | Caddy auto (DNS-01) or BYO cert | docker-compose/ | Ready |
| DigitalOcean | Embedded Postgres on block storage | Caddy auto (DNS-01) | terraform/digitalocean/ | Ready |
| AWS | RDS Postgres (always external) | ACM (DNS-validated) | terraform/aws-ecs/ | Experimental (Terraform — not a supported path yet); Marketplace on roadmap |
| Azure | Postgres Flexible Server (always external) | Container Apps managed cert; wildcard needs Front Door or manual upload | terraform/azure-container-apps/ | Ready (Terraform); Marketplace listing on roadmap |
All four platforms use Terraform or Docker Compose for setup — there are no one-click Marketplace deployments today. AWS Marketplace (CloudFormation) and Azure Marketplace (Bicep) listings are on the roadmap; Docker Compose and the DigitalOcean / Azure Terraform modules are the supported path until then (the AWS Terraform module is still experimental — see its README).
Platforms that don’t work
Broch needs control over TLS termination at a wildcard subdomain — every tunnel URL is a subdomain (*.your-hostname), so a wildcard certificate must terminate at an ingress you control.
Managed-TLS single-host PaaS — Heroku, Google Cloud Run, AWS App Runner, Fly.io, Render, Railway — are not supported. They terminate TLS for you, issue only single-hostname certificates, and don’t let you bring a wildcard. Run Broch on a container platform where you own the ingress (the four above), on a Kubernetes cluster, or on a VM.
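A pre-deployment check for the wildcard requirement above, as an added example that is not part of the Broch docs or deploy repo: given the DNS names a certificate carries in its SAN list, it reports which planned tunnel URLs the certificate would not cover. The SAN lists and the hostname broch.example.com are constructed placeholders; it applies the one-label wildcard rule from RFC 6125, which is why a single-hostname PaaS certificate fails and why `*.your-hostname` also does not cover the bare hostname or a two-level subdomain.

```python
"""Check whether a certificate's SAN DNS names cover Broch tunnel URLs."""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading '*.' covers exactly one leftmost label.

    Partial wildcards such as 't*.example.com' are deliberately not honoured.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # '*.your-hostname' -> '.your-hostname'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # Exactly one non-empty label: 'a.b.your-hostname' is NOT covered by '*.your-hostname'
    return bool(leftmost) and "." not in leftmost


def uncovered_tunnel_hosts(base_hostname: str, tunnel_ids, san_dns_names) -> list:
    """Return the tunnel hostnames that no SAN entry in the certificate covers."""
    hosts = [f"{tid}.{base_hostname}" for tid in tunnel_ids]
    return [
        h for h in hosts
        if not any(dns_name_matches(pattern, h) for pattern in san_dns_names)
    ]


# Constructed SAN lists (placeholders, not real certificates):
# what a managed-TLS PaaS typically issues, versus the wildcard Broch needs.
PAAS_SINGLE_HOST_SANS = ["broch.example.com"]
WILDCARD_SANS = ["broch.example.com", "*.broch.example.com"]
PLANNED_TUNNELS = ["t1", "t2"]

if __name__ == "__main__":
    for label, sans in (("PaaS cert", PAAS_SINGLE_HOST_SANS), ("wildcard cert", WILDCARD_SANS)):
        missing = uncovered_tunnel_hosts("broch.example.com", PLANNED_TUNNELS, sans)
        print(f"{label}: {'OK' if not missing else 'uncovered: ' + ', '.join(missing)}")
```

Feed it the SAN list of whatever certificate your ingress actually presents to confirm every tunnel URL is covered before users connect.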
Embedded PostgreSQL Availability
Embedded PostgreSQL (a Postgres sidecar running alongside Broch in the same deployment) is available on:
- Docker Compose — single-host, with-postgres, and with-postgres-byo-cert variants. Postgres runs as a compose service on the same host.
- DigitalOcean — Postgres runs as a compose service on the Droplet, with its data directory on an attached block storage volume so resizes don’t lose data.
Embedded Postgres is not available on AWS or Azure — both Terraform modules provision managed external databases (RDS / Postgres Flexible Server) by default. For Docker Compose with an external DB, use the with-postgres-external variant.
Important: embedded Postgres does not encrypt data at rest. If encryption at rest is a requirement (e.g., SOC 2 or GDPR compliance), you must use an external managed database with encryption configured. See Database.
Scaling
The primary scaling strategy for Broch is vertical — allocate more CPU and memory to the container. A single instance handles a large number of concurrent users and tunnels, and most deployments will not need to go beyond this.
If one instance is not enough, the next step is to deploy a second independent instance — for example, one per region, one per team, or one per business unit. Each instance has its own database and license, and users connect to the instance assigned to them.
Horizontal clustering (multiple instances sharing a single database and load balancer) is not available in the current release. If this is a requirement for your deployment, contact [email protected] — it is on the roadmap and will be prioritized based on customer demand.
Choosing
- Starting out / on-premises: Docker Compose. Most portable, works anywhere Docker runs, full control.
- Simplest cloud, single VM: DigitalOcean Terraform.
- AWS shop: AWS Terraform. ECS Fargate + RDS + ALB. Experimental — not a supported path yet; see the module README.
- Azure shop: Azure Terraform. Container Apps + Postgres Flexible Server + Key Vault. Wildcard certs need extra setup — see TLS Certificates.