Skip to Content

Deploy Arcade on Azure

Arcade is available on the Azure Marketplace as a managed application. You deploy it into your own Azure subscription, and Arcade operates it for you across . Your data and the services that run Arcade stay in your subscription; Arcade handles upgrades and day-to-day operations.

The Azure Marketplace deployment is a full platform deployment — it stands up the complete Arcade platform in your cloud. If you’d rather manage the platform yourself on an existing Kubernetes cluster, see Self-host with Helm.

Outcomes

A production Arcade platform running in your own Azure subscription, deployed from the Azure Marketplace and operated by Arcade.

You will Learn

  • What the managed application deploys into your subscription
  • How to set up your identity provider
  • How to deploy the offer and verify it

Prerequisites

  • An Azure subscription with the Owner role
  • A Microsoft Entra tenant (personal Microsoft aren’t supported)
  • An OIDC identity provider

What gets deployed

The managed application provisions everything Arcade needs inside a managed resource group in your subscription:

Azure serviceRole
Azure Kubernetes Service (AKS)Private cluster that runs the Arcade services (Engine, Coordinator, Worker, Dashboard, Experience API)
Azure Key VaultStores database, cache, identity-provider, and encryption secrets
Azure Database for PostgreSQL Flexible ServerPrimary datastore
Azure Managed RedisCache and streams
Virtual network + private endpointsPrivate networking with NAT-gateway egress
Log Analytics, Container Insights, Microsoft DefenderMonitoring and security

Before you begin

  • Subscription and role. Deploy into a subscription where you hold the Owner role, with the spending limit turned off.
  • Microsoft Entra . The deployment federates sign-in to your Entra tenant. Personal Microsoft aren’t supported.
  • Region and quota. Confirm the offer is available in your target region and that the subscription has enough vCPU quota to run an AKS cluster. If you’re unsure, contact us.
  • DNS. You can bring your own custom domain or use an Arcade-managed hostname assigned at deploy time.
  • Identity provider. Have an OIDC identity provider ready — see the next section.

Set up your identity provider

Arcade signs users in through your OpenID Connect (OIDC) identity provider. The provider authenticates dashboard users and backs the tokens that MCP gateways validate, so you set it up before you deploy.

  1. Register an application with your identity provider. Arcade works with Microsoft Entra ID, Okta, Auth0, or Keycloak, or any standards-compliant OIDC provider.
  2. Copy the application's client ID, generate a client secret, and note the issuer URL. For Microsoft Entra ID, use the v2.0 issuer https://login.microsoftonline.com/<tenant-id>/v2.0.
  3. Provide the client ID, client secret, and issuer in the create form.
  4. After the deployment finishes, register the redirect URI from the deployment output — typically https://coordinator.<your-hostname>/signin/oidc/callback — as a redirect (reply) URI on the application, then sign in to the dashboard.
If sign-in fails with AADSTS500113: No reply address is registered for the application, the redirect URI has not been added to your identity provider application yet. Add it and try again.

Deploy from the Azure Marketplace

Find the Arcade offer

Open the Arcade offering in the Azure Marketplace  and select Get it now. Choose the standard plan for a production, single- deployment.

Complete the create form

Fill in the deployment form:

  • Region and resource group for the deployment
  • Your identity provider’s client ID, client secret, and issuer from the previous section
  • Optionally, a model provider (for example, Anthropic) to enable chat in the dashboard

Deploy

Start the deployment. It takes roughly 30–45 minutes to provision the cluster and supporting services. When it finishes, the deployment outputs your hostname, dashboard URL, and redirect URI.

Register the redirect URI

Add the redirect URI from the deployment output to your identity provider application, as described in Set up your identity provider.

Verify your deployment

Open the dashboard URL from the deployment output and sign in with your identity provider. A successful sign-in confirms the platform is running and your identity provider is wired up correctly.

Next steps

Last updated on