If you're looking for a secure and reliable way to manage user authentication, permissions, and more, you may have heard of Ory. But did you know that there are two ways to use Ory? In this article, we'll explore the differences between the Ory Network and self-hosting Ory open source, and help you decide which option is right for you.
Ory Network and Ory self-hosted
Before we dive into the differences, let's take a quick look at what the Ory Network and self-hosting Ory open source mean.
The Ory Network is a global infrastructure that uses Ory open source to deliver various services and APIs such as login, permission management, oauth2, and more. The Ory Network spans several geographical regions to deliver a fast service anywhere in the world. When you use the Ory Network, you can take advantage of all the features and benefits provided by the Ory team, including continuous updates, support, and security.
On the other hand, self-hosting Ory means you use the foundational building blocks of the Ory Network (Ory Kratos, Ory Hydra, Ory Keto) and run these services yourself. Some things are not available when self-hosting Ory and vice versa. Self-hosting Ory open source is a great way to explore security software, learn software development, and experiment and participate in open source technology.
Feature differences
When deciding between the Ory Network and self-hosting, it's essential to know what features are available in each option. The following table summarizes the feature differences:
| Feature | Ory Network | Self-Hosting |
|---|---|---|
| Regulations & compliance | ||
| GDPR-compliance | ✅ | ⚠️ |
| SOC2 T2 certification | 🔭 (coming 2023) | ⚠️ |
| ISO 27k certifiation | 🔭 (coming 2023) | ⚠️ |
| Automatically OpenID certified | ✅ | ❌ |
| Services and APIs | ||
| Ory edge sessions | ✅ | ❌ |
| Identity and user management APIs | ✅ | ✅ |
| Permission APIs | ✅ | ✅ |
| Passwordless login | ✅ | ✅ |
| SMS verification and login | 🔭 | 🔭 |
| Traditional login | ✅ | ✅ |
| Social sign in | ✅ | ✅ |
| Machine-to-machine auth | ✅ | ✅ |
| Multi-factor authentication | ✅ | ✅ |
| OAuth2 and OpenID Connect provider APIs | ✅ | ✅ |
| Search API | 🔭 | ❌ |
| User interfaces | ||
| User management UI | ✅ | ❌ |
| Configuration management UI | ✅ | ❌ |
| No-code account experience (login, sign up, …) with theming | ✅ | ❌ |
| Integration and SDKs | ||
| Ory CLI | ✅ | ❌ |
| Backwards compatibility guarantee | ✅ | ❌ |
| SDKs for popular programming languages | ✅ | ✅ |
| Operations and deployment | ||
| Multi-regional deployments | 🔭 | ❌ |
| Zero-downtime upgrades and migrations | ✅ | ❌ |
| Configuration management via API | ✅ | ❌ |
| Configuration management via files | ✅ | ✅ |
| Log access | 🔭 | ✅ |
| Organization and multi-tenancy | ||
| Multi-environment (for example staging, prod, …) | ✅ | ⚠️ |
| Team management | ✅ | ❌ |
| Organization management | 🔭 | ❌ |
| Customer-facing multi-tenancy | ✅ | ❌ |
Legend:
- ⚠️: your responsibility
- ✅: solved
- ❌: not available
- 🔭: planned
As can be seen from the table, there are several differences between the features available on the Ory Network and self-hosting Ory. For instance, the Ory Network provides GDPR compliance, SOC2 T2 certification (coming 2023), and ISO 27k certification (coming 2023). Similarly, while the Ory Network provides features like Ory edge sessions, user management UI, and no-code account experience with theming, these features are not available when self-hosting Ory.
Support
Ory does not offer a support service for self-hosted instances of its software. Here's why:
- Incident response: When self-hosting, Ory's incident response team has no access to the customer infrastructure. The time it takes to resolve incidents thus increases significantly if Ory Engineers need to be involved. What could be solved in minutes on our own infrastructure, has to go through several communication channels and back and forth when Ory runs on the customer's infrastructure. This delay can result in increased downtime and lost revenue for the customer.
- Release process: Ory Network releases new features and updates on a daily basis, while open source releases are quarterly. This allows Ory to maintain the highest standards of security, reliability, and performance. With self-hosting, customers have to manage their own upgrades, which can be time-consuming and lead to software running on outdated versions, resulting in security vulnerabilities and performance issues.
- Upgrade fatigue: Based on open source telemetry data, less than 10% of all Ory open source deployments run on a recent and supported version, while 90% of deployments run on outdated versions that may have known vulnerabilities (e.g. Golang CVEs). This puts businesses and their customers at risk of security breaches and performance issues. Ory Network eliminates upgrade fatigue by providing automatic upgrades and ensuring that all deployments are running on the latest and most secure version of Ory open source.
- Expertise: Ory engineers are the experts when it comes to running Ory software. They have the experience and knowledge to manage and troubleshoot issues quickly and efficiently. With self-hosting, customers have to rely on their own expertise or hire additional staff to manage the software.
Time savings when using Ory Network
When you use the Ory Network, you can save a significant amount of time that would otherwise be spent on setting up, maintaining, and upgrading the software yourself. Our estimates are based on what we have observed since Ory open source was founded in 2015, but please note that these numbers are rough estimates and heavily dependent on the use case.
Why self-hosted takes longer
Self-hosting Ory open source typically takes longer than using the Ory Network for several reasons:
- Initial setup: Setting up the infrastructure and configuring the software can be time-consuming, especially if you're not familiar with the tools and technologies involved.
- Maintenance and monitoring: Once the software is up and running, you need to monitor it 24/7 to ensure that it is performing as expected and to deal with any issues that may arise. This can be a significant ongoing time commitment.
- Upgrades: Upgrading the software can be time-consuming, especially if there are breaking changes that require you to update your configuration and code. This is particularly true if you are running on an older version of the software and need to catch up with several releases at once.
- UI and API development: If you need to develop user interfaces or integrate with the software's APIs, this can add significant development time to your project.
Estimated time savings
The following table shows estimated time savings when using the Ory Network compared to setting up and maintaining the software yourself:
| Self-hosting | Ory Network | ||||
|---|---|---|---|---|---|
| Set-Up | Continuous effort | Set up | Continuous effort | ||
| Operations | |||||
| Monitoring and alerting | 1-14 days | 365 days / year | Available | None | |
| Disaster recovery | 1-8 hours | 1 week / year | Out of the box | None | |
| Configuration management and continuous deployment | 1-5 days | Not applicable | Out of the box in Ory Console | Not applicable | |
| Software upgrades | 0h | 2-4 weeks / year | Not needed | None | |
| Management | |||||
| User-facing UIs | 1-4 weeks | 2 weeks / year | Out of the box | None | |
| Administrative UIs | 2-4 weeks | 2 weeks / year | Out of the box | None | |
| Admin API access control | 1-2 days | 1 day / year | Out of the box | None | |
| Integration | |||||
| New site/service | ~1-2 days | None | ~1-10 hours | None | |
| Migration site/service to Ory | ~2-4 weeks | None | ~1-2 weeks | None | |
Cost Savings when Using the Ory Network
In addition to time savings, using the Ory Network can also provide cost savings compared to self-hosting.
When self-hosting, you would need to pay for infrastructure costs, such as EC2 instances and a Postgres AuroraDB. You would also need to pay for continuous monitoring and alerting, as well as traffic costs. Using the Ory Network, these costs are included in the subscription plans.
Keep in mind that these numbers are rough estimates and heavily dependent on the use case and cost optimization.
Use Case: 1-1,000 Daily Active Users/Machines
For a site with less than 1,000 active users/machines (regardless of what Ory service you use), two virtual machines for failover, each with 2 vCPUs and 4GB of RAM to run up to three Ory services, and one small sized PostgreSQL instance with 100GB would be needed.
According to the AWS price calculator, this sums up to about $2,080.76 per year.
On the other hand, with the Ory Network's Essentials Plan, these resources are included, along with continuous monitoring and alerting, traffic, and metrics and alerting continuous cost, for only $319 per year. This results in a cost savings of approximately 70-90%.
| Self-hosting | Essentials Plan | ||
|---|---|---|---|
| Compute | 2x AWS EC2 2vCPU, 4GB RAM, 50GB SSD | $918.72 / year | $0 / year |
| Database | 1x AWS RDS Postgres 2vCPU, 4GB RAM, 100GB SDD | $879.96 / year | $0 / year |
| API Gateway | AWS API Gateway | $44.52 / year | $0 / year |
| Load Balancer | AWS Load Balancer | $237.48 / year | $0 / year |
| Operations | Monitoring, logs, alerting (e.g. Datadog) | Depends on solution | $0 / year |
| Total | > $2,080.76 / year | $319 / year | |
| Cost savings | > 70% |
Use Case: 1,000-20,000 Daily Active Users/Machines
For a site or application with 1,000 to 20,000 daily active (machine) users, self-hosting Ory open source becomes more expensive. Self-hosting at this scale requires more virtual machines for failover and a larger database instance, resulting in higher costs. With the Ory Business Plan, you get a cost-effective solution that is easier to set up, manage, and scale.
According to the AWS price calculator, this sums up to about $14,167.78 per year.
For businesses with 1,000-20,000 daily active users/machines, we recommend the Ory Business Plan for $7590 per year as the cheaper and better option. This plan includes everything in the Essentials Plan, plus additional features such as enterprise-grade support, a dedicated account manager, and priority bug fixes.
| Self-hosting | Essentials Plan | ||
|---|---|---|---|
| Compute | 4x AWS EC2 4vCPU, 8GB RAM, 50GB SSD | $4,695.48 / year | $0 / year |
| Database | 2x AWS RDS Postgres 4vCPU, 16GB RAM, 500GB SDD | $8,780.76 / year | $0 / year |
| Traffic | In- and egress | $445.44 / year | $0 / year |
| Operations | Monitoring, logs, alerting (e.g. Datadog) | $246.12 / year | $0 / year |
| Total | $14,167.78 / year | $7590 / year | |
| Cost savings | > 45% |
Use Case: Over 100,000 Daily Active Users/Machines
When dealing with a website or application that has over 100,000 daily active users, self-hosting becomes even more complicated and expensive. Here are some reasons why:
- The cost of compute and self-hosting explodes further because you need one highly available deployment (at least 4 nodes) in every region. This means that you will need a lot more virtual machines to run your application, increasing your costs significantly.
- You need a multi-region capable database. A multi-region capable database such as Spanner is needed to ensure that data is consistent and available in every region.
- Ory multi-region technology is only available in the Ory Network due to the software and architecture complexity and reliance on third-party service providers such as Cloudflare Enterprise.
- In this scenario, we recommend reaching out to us directly and negotiate custom pricing which starts at 3000$ per month. Our Ory Network platform can provide you with the resources and support you need to handle such a large user base.
By self-hosting in this scenario, you will likely encounter significant issues with scalability and availability. On the other hand, the Ory Network can provide you with the necessary infrastructure and resources to handle the demands of such a large user base.
How Ory achieves these savings
The Ory Network can provide cost savings for several reasons. Firstly, it benefits from economies of scale by serving a large number of customers, allowing it to spread infrastructure costs across many users. Secondly, the Ory Network leverages proprietary code that makes multi-tenancy more efficient, allowing it to run more efficiently on shared resources. Thirdly, the Ory Network is designed and optimized for running Ory services, so it can operate more efficiently than a self-hosted solution.
When self-hosting, businesses have to purchase their own hardware and set up their own infrastructure, which can be expensive and time-consuming. Self-hosting also requires a dedicated team to manage the infrastructure and ensure the systems are always up to date and secure. This can be a significant ongoing cost for a business.
In contrast, the Ory Network provides a turnkey solution that eliminates the need for businesses to manage their own infrastructure. The Ory Network takes care of the hardware, software, security, and maintenance, allowing businesses to focus on their core competencies instead of worrying about IT operations. This can result in significant cost savings for businesses, especially for smaller businesses or those that don't have dedicated IT resources.