Full on-prem install
Native installer for Windows, bash installer for Linux distros, docker-compose script for Docker. Kubernetes is not built in, but customers run it manually. Air-gapped deployments supported.
On-premise & hybrid ETL
Run Etlworks where your data lives.
Full on-premise installation across every major OS. Or hybrid agents inside your firewall, managed from a SaaS control plane. Either way: your data never leaves your network without your say-so.
- 3
- Deployment models
- 5
- Supported OSes
- 1,000+
- Agents in production
- 443
- Outbound port only
The problem
Cloud isn't always the answer.
Modern ETL platforms assume your data lives in a public cloud. Healthcare, defense, finance, manufacturing — entire industries operate on networks where data can't leave for security, regulatory, or sovereignty reasons. Most “self-hosted” ETL options are a Docker image, a Linux box, and a prayer.
Where cloud-only ETL fails
“Just put it in the cloud” isn't a strategy.
Banks, hospitals, defense contractors, manufacturers — buyers in regulated industries can't and won't migrate sensitive data to public cloud just to please a SaaS vendor. They need ETL that runs where their data already lives. Etlworks ships full on-prem installers for every major OS, plus hybrid agents that bridge SaaS convenience with on-prem data sovereignty. Same engine, same UX, same connectors. Different deployment, same outcome.
Capabilities
Built for real networks.
Hybrid agents
Lightweight agents run inside your firewall. SaaS control plane manages flows; agents handle data locally. No inbound ports.
Outbound-only HTTPS
Hybrid agents connect out via 443. No inbound firewall rules, no VPN, no tunneling. Plays nicely with your security team.
Fleet management
Deploy, monitor, and update hundreds of agents from one control plane. Auto-update with rollback. Scaled to 1,000+ in production.
Autonomous operation
Agents run unattended at remote sites with no IT staff. Self-recover from network blips, disk pressure, and process restarts.
Same security model
SOC 2, HIPAA, GDPR — same compliance posture as cloud. Encryption in transit and at rest. Customer-managed keys on Enterprise.
Deployment models
Three ways to run it.
Pick the deployment that fits your security posture and operational maturity. Migrate between them later — same engine, same flows, no rewrites.
Your network
Etlworks
Your DBs
Air-gapped or isolated
Entire platform installed inside your network. No outbound traffic, no calls home. Defense, classified, banking-isolated.
SaaS UI
Agent
DBs
Best of both worlds
SaaS-managed control plane, on-prem agents. Outbound HTTPS only. The pattern most regulated enterprises actually want.
Etlworks
Cloud DBs
Pure SaaS
Cloud-hosted platform, cloud data sources. Fastest to start, simplest to operate. Still here when you need it.
Installers
Native packages, every major OS.
Both the full platform and the hybrid agent ship as native installers. No “build from source,” no Linux-only assumptions, no Docker-as-a-workaround. Pick your OS, run the installer, done.
Self-hosted Etlworks
- Windows Server native installer · 2016, 2019, 2022
- Linux bash installer · RHEL, Rocky, Ubuntu, Debian, others
- Docker docker-compose script · multi-arch
- Kubernetes customer-managed · no built-in chart
Lightweight, behind firewall
- Windows .exe · service or interactive
- Linux bash installer · systemd unit included
- macOS .pkg · 12+, Apple Silicon native
- Docker image · multi-arch
Security & operations
What your security team will ask.
The questions security and infrastructure teams ask before any on-prem or hybrid deployment. Answers up front, no calls required.
Network & connectivity
Inbound ports
Hybrid: none. Full on-prem: configurable, default disabled.
Outbound traffic
Hybrid agent: HTTPS to control plane (443) + your data sources. Full on-prem: zero outbound, fully air-gappable.
Proxy support
HTTP/HTTPS proxy · NTLM auth · custom CA bundles · TLS interception
Security & compliance
Encryption
TLS 1.2+ in transit · AES-256 at rest · per-tenant encryption keys
Customer-managed keys
CMK / BYOK supported on Enterprise · AWS KMS, Azure Key Vault, HashiCorp Vault
Compliance
SOC 2 Type II · HIPAA · GDPR · same posture across all deployment models
Operations
Updates
Hybrid agent: auto-update with rollback. Full on-prem: customer-controlled, signed packages.
Monitoring
Built-in dashboard · audit logs · email + webhook alerts · APIs
High availability
Full on-prem app supports HA (active-passive, automatic failover). Agents are not HA — redeploy on failure.
Support
Same response times across all models · 24×7 on Enterprise · dedicated TAM available
Comparing on-prem ETL? See Etlworks vs Talend, SSIS, Informatica, and Pentaho
Proof
Hundreds of agents, in production.
“Our previous vendor — a name you'd recognize — was failing at scale. Etlworks gave us templates, autonomous on-prem agents, and a stable engine in one platform. We have hundreds of locations with no IT staff, and the agents just run.”
OG
OpenGov
GovTech · hybrid agent fleet
FAQ
Common questions.
What's the difference between full on-prem and hybrid?
Full on-prem: the entire Etlworks platform — control plane, scheduler, UI, agents — runs inside your network. No traffic leaves your firewall. Air-gappable. Hybrid: Etlworks SaaS hosts the control plane; lightweight agents run inside your network and reach data sources locally. Agents connect outbound on 443 only — no inbound ports needed. Most regulated enterprises pick hybrid because it gives them SaaS UX with on-prem data sovereignty. Defense, banking, and air-gapped customers pick full on-prem.
Can I run Etlworks fully air-gapped?
Yes. Full on-prem deployments support air-gapped operation — no outbound network access required. Updates ship as signed packages your team installs at your cadence. License validation is offline. Used in production by customers in defense and regulated industries.
What inbound ports does the hybrid agent need?
None. The agent initiates an outbound HTTPS connection on port 443 to the Etlworks SaaS control plane and keeps it alive. No firewall holes, no VPN, no port forwarding. Plays nicely with proxy infrastructure, NTLM auth, and TLS-intercepting security stacks. The same connection model used by every modern SaaS agent.
How do I manage hundreds of agents?
From the SaaS control plane in hybrid mode, or from the on-prem control plane in full deployments. Both support fleet operations: deploy a new agent version to all sites or a subset, monitor health and lag per agent, group agents by region/site/environment, push configuration changes centrally. OpenGov runs 300+ agents this way across hundreds of customer locations with no IT staff at most sites.
What hardware do agents require?
Agents: minimum 4GB RAM and 1 CPU core. Docker is one of several install options (Windows .exe, Linux bash installer, and Docker images all supported). Heavier workloads (CDC, large file processing) benefit from 2–4 CPU cores and 8GB RAM. Full on-prem deployments scale to enterprise hardware — typical sizing is 4–8 vCPU + 16GB RAM for the control plane plus separate worker nodes. Sizing guidance per workload provided during evaluation.
How do updates work for full on-prem?
Two paths. The on-prem app updates via CLI — your team runs the update command at your cadence. Agents are push-updated from the host (control plane). Both paths include a tested rollback.
Can I switch between deployment models later?
Yes. The same engine runs in all three deployment models — flows, connections, transformations are portable. Customers commonly start in cloud SaaS for evaluation, move to hybrid once production data is involved, and migrate to full on-prem when compliance or scale demands it. The reverse direction works too. Migrations are usually a 2–4 week project including testing.
Request installer
14-day trial. Self-hosted.
Tell us your OS and email. We send a signed installer and a trial license. Live within an hour. No sales call required.