Portainer Documentation
Official Website
Search…
BE 2.7
Welcome
Release Notes
Getting Started
Introduction
Portainer architecture
Requirements and prerequisites
Install Portainer BE
Upgrading Portainer
Using Portainer
Docker/Swarm
Kubernetes
Azure ACI
Edge Compute
Administering Portainer
Users
Endpoints
Registries
Licenses
Authentication logs
Settings
Frequently Asked Questions
Portainer Concepts
Installing
Upgrading
Troubleshooting
Contributing
Advanced Topics
CLI configuration options
App templates
The Portainer Edge Agent
Access control
Reset the admin user's password
Security and compliance
Using SSL with Portainer
Using Portainer with reverse proxies
Helm chart configuration options
Kubernetes roles and bindings
Deprecated and removed features
API
API documentation
API usage examples
Get More Help
YouTube
Open a support request
Contribute to Portainer
Contribute
Powered By GitBook
Portainer architecture

Overview of Portainer architecture

Portainer consists of two elements: the Portainer Server and the Portainer Agent. Both run as lightweight containers on your existing containerized infrastructure. The Portainer Agent should be deployed to each node in your cluster and configured to report back to the Portainer Server container.
A single Portainer Server will accept connections from any number of Portainer Agents, providing the ability to manage multiple clusters from one centralized interface. To do this, the Portainer Server container requires data persistence. The Portainer Agents are stateless, with data being shipped back to the Portainer Server container.
The Portainer Architecture
We don't currently support running multiple instances of the Portainer Server container to manage the same clusters. We recommend running the Portainer Server on a specific management node, with Portainer Agents deployed across the remaining nodes.

Agent vs Edge Agent

In standard deployments, the central Portainer Server instance and any endpoints it manages are assumed to be on the same network, that is, Portainer Server and the Portainer Agents are able to seamlessly communicate with one another. However, in environments where the remote endpoints are on a completely separate network to Portainer Server, say, across the internet, historically we would have been unable to centrally manage these devices.
With the new Edge Agent, we altered the architecture. Rather than the Portainer Server needing seamless access to the remote endpoint, only the remote endpoints need to be able to access the Portainer Server. This communication is performed over an encrypted TLS tunnel. This is important in Internet-connected environments where there is no desire to expose the Portainer Agent to the internet.

Security and compliance

Portainer runs exclusively on your servers, within your network, behind your own firewalls. As a result, we do not currently hold any SOC or PCI/DSS compliance because we do not host any of your infrastructure. You can even run Portainer completely disconnected (air-gapped) without any impact on functionality.
While we do (optionally) collect anonymous usage analytics from Portainer installations, we remain compliant with GDPR. Data collection can be disabled when you install the product, or at any time after that. If your installation is air-gapped, collection will silently fail without any adverse effects.
Getting Started - Previous
Introduction
Next - Getting Started
Requirements and prerequisites
Last modified 9d ago
Copy link
Contents
Overview of Portainer architecture
Agent vs Edge Agent
Security and compliance