Hosted Chef vs Puppet Enterprise

Last updated by UpGuard on June 29, 2020

scroll down

As the two leading IT automation platforms by market share, Chef and Puppet have been compared against each other extensively—for UpGuard’s recent take, please see Puppet vs. Chef Revisited. In this comparison, we’ll instead approach matters a little differently by comparing and contrasting Hosted Chef—the SaaS version of the product—with the full-fledged, flagship Puppet Enterprise offering.

Hosted Chef

When we talk of different versions of Chef, it really comes down to Open Source Chef vs. Chef Server, since Hosted Chef is just—as its name implies—a cloud-hosted version of the flagship Chef Server platform. For an in-depth look at Chef’s full lineup, check out Open Source Chef vs. Hosted Chef vs. On Premises (Private) Chef: Which Do You Need?

With Hosted Chef, cookbooks, roles, node definitions, and databags are securely stored in a cloud-based Chef server provisioned by Chef, Inc. This allows organizations to leverage a highly available, scalable version of the enterprise automation platform without having to install, configure, and manage the solution in-house. No need to worry about hardware management and maintenance or software upgrades – one simply uploads the cookbooks and Chef does the rest.

 Chef Server diagram

Chef Server. Source: Chef, Inc.

Aside from its SaaS delivery model, Hosted Chef offers the same benefits to enterprises as its on-premise version. An expansive collection of modules and recipes allows for easy customization of the solution to satisfy your organization’s unique requirements. The powerful SSH-based Knife tool is also available in Hosted Chef, as well as tight integration with Git for infrastructure-as-code enablement.

Hosted Chef is free for up to 5 nodes—sans support, with pricing thereafter starting at $6/node. This includes configuration support and provisioning assistance. For more regarding Hosted Chef pricing, please refer to Chef’s pricing page.

Security Posture: Hosted Chef

As a publicly accessible cloud service, Hosted Chef faces a myriad of security risks common to all SaaS offerings, namely—remote attacks, service outages, DDoS attacks, among others. However, Chef has taken steps to bolster its hosted solution’s security posture in anticipation of such events. Flexible role-based access control and data encryption give users additional layers of protection against compromises and data breaches. Data bags can be encrypted using shared secret encryption, and SSL verification is enabled by default for all requests made to the server.

Per the CVE database, Chef has 3 security vulnerabilities of low/medium severity:

Free DevOps Toolchain eBook

Puppet Enterprise

Unlike Chef, Puppet Enterprise does not offer a hosted version of its flagship automation platform. Its agent-based, master/client setup makes for a more resource-intensive solution—one that runs optimally on your own servers, behind your own firewall. Large enterprises will no doubt prefer to build and manage Puppet implementations themselves, especially if they are juggling heterogeneous infrastructures across data centers and disparate cloud environments.

Since Puppet Enterprise has been covered extensively in previous articles, we will instead focus on a few features that differentiate it from Chef’s cloud-hosted platform. Again--Hosted Chef is essentially Chef Server in the cloud, and the two share most if not all of the same features. For a comprehensive, up-to-date comparison between Puppet vs. Chef, check out Puppet vs. Chef Revisited.

Bare Metal Essentials

Puppet’s powerful Razor application is an advanced bare metal provisioning tool that handles bare metal hardware and virtual server provisioning. Co-developed with EMC, Razor can take an OS-less server and brings it under Puppet management with fully deployed applications.

So while Hosted Chef can automate the provisioning of virtual servers and applications, Puppet Enterprise with Razor can automatically discover and provision bare metal hardware with an OS or hypervisor of choice and then hand it over to Puppet Enterprise for further policy-based configuration of applications and services.

Security Posture: Puppet Enterprise

Because Puppet Enterprise is designed for deployment behind an organization’s firewall, proper measures must be taken by IT/operators to harden their instances. Fortunately, Puppet Forge—Puppet’s repository of community-developed modules—contains a wealth of pre-built components for bolstering the platform’s security posture. For example, the os_hardening module hardens the base OS with secure configuration, while the mysql_hardening module configures mysql for security hardening.

More often, the hidden cost of a solution’s popularity is an abundance of well-known vulnerabilities and attack vectors. This is certainly the case with Puppet Enterprise: 51 documented vulnerabilities to date per the CVE database, 17 of which are medium-to-high severity.


Two CM heavyweights, two different approaches to automation, and two different deployment models. Hosted Chef and Puppet Enterprise each provide distinct benefits, and—depending on an organization’s needs—may outshine the other in a given use case or scenario. For a lightweight yet powerful automation platform that is trivial to get up and running, go with Hosted Chef. If your organization requires an on-premise automation package that can provision from bare-metal, Puppet Enterprise is the ideal solution. In either case, UpGuard can dovetail seamlessly into your DevOps pipeline by outputting system/infrastructure configurations directly to Puppet Manifests or Chef Recipes. Give it a free test drive today.


Request a Free Demo  



Related posts

Learn more about the latest issues in cybersecurity