Provider guide

Host Next.js on Hetzner Cloud

A sourced path for hosting Next.js on Hetzner Cloud, covering server choice, firewall rules, deployment, TLS, costs, and operational limits.

By HostNextJS Editorial TeamReviewed by HostNextJS Technical Review Published Updated
01Typeprovider
02Last reviewed
03Update policyCheck prices every 30 days; review setup steps every 90 days or after a material provider change.
Provider-specific scope

What is specific to Hetzner Cloud

This guide uses Hetzner Cloud servers, locations, Cloud Firewalls, primary IPs, and the Hetzner DNS boundary. The application runtime remains a standard Next.js Node.js deployment, while provisioning and network controls follow Hetzner's own surfaces.

Products and locations

Choose the right provider surface

  • 01Use a shared-vCPU CX or CPX Cloud server for variable small workloads; evaluate dedicated-vCPU CCX plans when sustained compute predictability matters.
  • 02Choose among available EU, US, or Singapore locations only after checking application latency, data location, and product availability in the Cloud console.
Before you start

Prerequisites

  • 01A Hetzner Cloud account and project
  • 02An SSH public key and a domain you control
  • 03A Next.js application that passes its production build
  • 04A documented backup and rollback destination
Manual path

Deployment sequence

  1. 01Create the Cloud server

    Choose the project, location, maintained Linux image, server type, and SSH key. Name the server for the environment and enable backups or document an independent backup path.

  2. 02Attach a Cloud Firewall

    Allow TCP 80 and 443 publicly, restrict TCP 22 to trusted administrative addresses where possible, and leave the Next.js application port private.

  3. 03Install and supervise Next.js

    Install a supported Node.js release, deploy a standalone or normal production build, and run it as an unprivileged user under systemd or another supervisor.

  4. 04Proxy, issue TLS, and cut over

    Point DNS at the server's primary IP, configure Nginx or another reverse proxy, issue the certificate only after DNS resolves, and validate before lowering rollback readiness.

Network and domain

Firewall, DNS, and TLS

  • 01Apply a Hetzner Cloud Firewall to the server and mirror essential restrictions in the guest firewall.
  • 02Publish A and, only when configured end to end, AAAA records for the server's primary IPs.
  • 03Expose ports 80 and 443 through the reverse proxy; do not publish the Next.js port directly.
  • 04Issue and renew TLS on the proxy, then test the production hostname, streaming responses, and certificate chain.
Dated examples

Cost reference

01 · CX23 exampleEUR 5.49/month

IPv6-only example shown for NBG1, excluding VAT, on 2026-07-12; network and address choices change the total.

02 · Included traffic example20 TB

Displayed for the checked EU calculator configuration; verify current terms for the selected region and plan.

HostNextJS is not affiliated with or endorsed by Hetzner. Provider names and pricing are shown for independent comparison.

Hetzner Cloud is a practical fit when predictable virtual-server pricing and infrastructure ownership matter more than eliminating server operations. A Next.js Node.js deployment works on a normal Linux cloud server, but Hetzner does not replace the deployment and runtime layer for you.

Choose the server deliberately

Select a location near the application’s users and data. Shared plans are cost-effective for low-to-medium traffic and variable workloads; dedicated-vCPU plans are designed for sustained production work. Start from measured memory and CPU needs rather than traffic alone, because builds and runtime image optimization can create short resource spikes.

Create the server with an SSH key, a maintained Linux image, and only the network addresses you need. Enable backups or establish an independent backup process before treating the server as production-ready.

Restrict the network

Attach a Hetzner Cloud Firewall. Permit SSH only from known administrative addresses where feasible, and allow public TCP traffic on ports 80 and 443. Do not expose the Next.js application port directly unless a documented architecture requires it.

Provider firewalls are one layer. Keep the operating system patched, use key-based access, run the application without root privileges, and configure the reverse proxy with TLS and request limits.

Deploy and verify

Install a supported Node.js release, deploy an immutable build or standalone artifact, and supervise the process with systemd or a comparable manager. Configure Nginx or another reverse proxy and verify streaming if the app uses Suspense or streamed responses.

Before DNS cutover, test the production hostname locally, validate certificates, exercise dynamic routes and image optimization, and confirm that a failed health check prevents traffic from reaching the new release. Keep the prior release available for rollback.

Methodology

How this resource was produced

The setup maps Hetzner's documented server and firewall controls to the official Next.js Node.js self-hosting requirements. Prices are examples copied from Hetzner's public calculator and are not quotes.

Limitations
  • 01

    You remain responsible for the operating system, patching, runtime, proxy, monitoring, backups, and incident response.

  • 02

    Shared-vCPU plans can have variable compute performance and may not suit sustained high workloads.

Evidence

Sources and review record

Primary documentation checked for the material claims on this page. Product behavior and prices can change after the checked date.

  1. 01 · HetznerHetzner CloudChecked July 12, 2026
  2. 02 · Hetzner DocsCreating a ServerChecked July 12, 2026
  3. 03 · Hetzner DocsCreating a FirewallChecked July 12, 2026
  4. 04 · Next.jsHow to self-host your Next.js applicationChecked July 12, 2026
FAQ

Questions about host next.js on hetzner cloud.

No fog. Just the practical details developers need before moving a production app.

Is the smallest Hetzner server enough for Next.js?

It can be enough for a small application, but build memory, image optimization, traffic shape, and background work determine the real requirement. Measure your own production workload.

Should port 3000 be public?

Usually no. Bind the Next.js process to an internal interface and expose only SSH from trusted sources plus HTTP and HTTPS through the reverse proxy.

Next step

Turn the resource into a deployment decision.

Plan a Hetzner deployment