Skip to main content


The following section provides an overview of the Styra Self-Hosted DAS Installation Guide, Styra DAS, Styra DAS architecture, and the microservices used with Styra DAS.

Document Overview and Audience

The Self-Hosted Styra DAS Installation Guide contains information on configuring and installing Styra DAS on a wide selection of cloud infrastructure providers. The contents of the Infrastructure Configuration and the Cloud Agnostic Infrastructure sections are not, however, meant to be a comprehensive guide to cloud infrastructure. The infrastructure sections of this document are intended to provide guidance specific to configuring and instantiating infrastructure for use with Styra DAS. Accordingly, this document assumes the customer is familiar with managing their own infrastructure and defers to provider-specific documentation wherever possible.


Styra DAS can also run on self-managed or non-cloud infrastructure. Such setups, however, tend to require customized support and compatibility patterns. If you cannot utilize any of the providers described in this document, we recommend working with Styra’s Sales and Solutions Architecture teams to assess the viability of Styra DAS on your infrastructure.


The Styra DAS architecture splits the functionality across microservices which enables the Styra backend to scale individual components and adapt to varying workloads. The Styra DAS architecture consists of OPA and the Styra DAS UI.

  • OPA: Supported system-types act as clients of the Styra DAS API. When you create and install a system, the gateway provides the API for the OPA to operate. It also provides the bundle API to OPA containers running on the cluster, and the APIs for Styra DAS receive status updates and decisions from the OPAs. These interactions and APIs are designed based on the availability after OPA has successfully downloaded the initial bundle, it can continue serving authorization requests even if the Styra DAS becomes temporarily unavailable.

  • Styra DAS UI: All Styra DAS UI interactions go through the gateway. The Styra DAS UI frontend downloads both its JavaScript through the gateway from the Styra DAS UI microservice. It also interacts with the other APIs through the gateway, in order to implement and facilitate the actions on the Styra DAS UI. Internally, the Styra DAS system relies on controllers (for example, environment-configurator) to converge the platform to a desired state. These interactions between the microservices don't require the involvement of the gateway.

The following figure shows Styra microservices (in blue) that are made available by the Gateway API and how they relate to different entities talking to the Styra DAS over the network using OPA and the Styra DAS UI.

Architecture of Styra DAS with MicroservicesArchitecture of Styra DAS with Microservices

The communication between microservices occurs over the following protocols:

  • External communication towards (for example: bundle downloads) Styra DAS occurs over HTTPS. However, the TLS is terminated with the Kubernetes ingress.

  • Service to service communication occurs over HTTP, with the exception of the coordinator that uses gRPC with the other services.

  • Communication with storage subsystems uses their preferred protocols as follows:

    • Using PostgreSQL, the protocol is PostgreSQL.
    • Using Elasticsearch communication occurs using HTTP.

Styra DAS Microservices​

The following table describes the Styra DAS microservices used in Self-Hosted Styra DAS.

Styra DAS MicroserviceStyra Description
activityProvides user activity log APIs.
agentbundleConstructs and serves policy bundles.
agentloaderLoads decision logs from OPA to Elasticsearch for indexing.
agentstatusAPIs for OPAs to send status updates and decision logs.
agentstatusstoreCaches OPA status updates for quick retrieval.
analysis-apiAPIs to search decision logs.
blueprintsRequired to enable mock-opa sandbox environments.
coordinatorShards work across service replicas.
datasourcesExecutes Data Sources that require pulling data.
elasticsearchSearch engine for decision logs.
environment-configuratorManages storage resources for the environment.
fetchdbConfiguration management APIs.
gatewayAPI gateway. All API requests are routed through the gateway. It enforces authentication and authorization and records user activity.
gateway-secondaryOptional second API gateway.
logreplayAPIs to assess the impact of a policy change on previous decisions.
mock-opaDecision mocking for sandbox environments.
policiesAPIs for policy management.
stacksStack configuration and management APIs.
storagePostgreSQL for all internal, persisted states.
systemsSystem configuration and management APIs, OPA configuration bundle APIs used for discovery.
tenantsConfigures and manages the tenant's internal state.
timeseriesComputes metrics over decision log APIs
uiServes HTML and JavaScript for the Styra DAS UI.