LaserData Cloud

BYOC Setup

Deploy LaserData-managed infrastructure in your own AWS or GCP account

BYOC (Bring Your Own Cloud) lets LaserData manage your Apache Iggy deployment while the infrastructure runs in your own cloud account. You keep full data sovereignty and pay your own cloud bill. Supported providers: AWS and GCP.

Architecture

LaserData assumes the IAM role only for infrastructure provisioning (EC2, networking, EBS). Once nodes are running, all communication is pull-based through Warden - identical to Managed and On-Premise deployments. Your data never leaves your AWS account.

Prerequisites

  • An AWS account
  • A VPC in the target region (the default VPC works)
  • BYOC enabled on your subscription (Pro and Enterprise plans)

Step 1: Generate BYOC Setup

From the Console, initiate a BYOC deployment and select your target cloud and region. The platform generates:

  • An IAM trust policy - allows LaserData to assume a role in your account
  • An IAM permissions policy - scoped to the resources LaserData needs to manage
  • An external ID - a unique identifier that prevents confused deputy attacks

Step 2: Create IAM Role

In your AWS account:

  1. Go to IAM > Roles > Create role
  2. Select Custom trust policy
  3. Paste the trust policy provided by LaserData
  4. Create a new policy with the permissions policy provided by LaserData
  5. Attach the policy to the role
  6. Name the role (e.g. LaserDataByocRole)
  7. Copy the Role ARN

Using AWS CLI

aws iam create-role \
  --role-name LaserDataByocRole \
  --assume-role-policy-document file://trust-policy.json

aws iam put-role-policy \
  --role-name LaserDataByocRole \
  --policy-name LaserDataByocPermissions \
  --policy-document file://permissions-policy.json

Step 3: Complete Deployment

Provide your AWS Account ID, Role ARN, and the external ID back in the Console. LaserData then:

  1. Assumes the IAM role in your account via STS
  2. Creates a subnet within your VPC (finds a free CIDR automatically)
  3. Sets up security groups, route tables, and internet gateway (if needed)
  4. Launches EC2 instances with Elastic IPs
  5. Deploys Warden agents that connect outbound to the control plane

IAM Scope

The IAM role grants LaserData permissions for:

Category        Operations
EC2             Launch, terminate, start, stop, describe instances
Networking      VPC, subnets, security groups, route tables, internet gateways, NAT gateways, elastic IPs
EBS             Create, delete, attach volumes and snapshots
Load Balancing  Create and manage NLBs and target groups
IAM             Create LaserNode-* roles (for Replica cluster fencing only)

Not included: No S3, no Secrets Manager, no CloudWatch, no SSM. LaserData has no access to your application data or secrets.
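The trust policy from Step 1 and the permissions policy from Step 2 are the whole of what LaserData can do in your account, so it is worth checking both files against this page before running the create-role commands. The following is an added example, not LaserData's own tooling: it verifies that the trust policy carries the sts:ExternalId condition (the confused deputy protection from Step 1) and trusts only a specific principal, and that the permissions policy names only the services in the IAM Scope table and confines IAM actions to LaserNode-* resources. The policy documents inside it are constructed stand-ins for what the Console generates; the account id 111111111111 is a placeholder for LaserData's AWS account, and the LaserNode-* resource check is an assumption drawn from the IAM Scope row.

```python
"""Pre-flight check of the IAM documents generated in Step 1 before the role is
created in Step 2.  Added example, not LaserData's tooling: the policy documents
below are constructed stand-ins for the Console's output, and account
111111111111 is a placeholder for LaserData's AWS account."""
import json

# Service prefixes the IAM Scope table covers (EC2, EBS and networking all use ec2).
ALLOWED_SERVICES = {"ec2", "elasticloadbalancing", "iam"}
# Services the page says are explicitly not granted.
EXCLUDED_SERVICES = {"s3", "secretsmanager", "cloudwatch", "logs", "ssm"}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, expected_external_id):
    """Findings for a role trust policy; an empty list means it looks right."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"unexpected trust action(s): {actions}")
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("missing sts:ExternalId condition (confused deputy risk)")
        elif external_id != expected_external_id:
            findings.append("sts:ExternalId does not match the Console value")
    return findings


def check_permissions_policy(doc):
    """Findings for the permissions policy: actions outside the IAM Scope table,
    or IAM actions not confined to LaserNode-* resources."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0].lower()
            if action == "*":
                findings.append("wildcard action '*' grants every service")
            elif service in EXCLUDED_SERVICES:
                findings.append(f"{action}: service is explicitly out of scope")
            elif service not in ALLOWED_SERVICES:
                findings.append(f"{action}: service not in the IAM Scope table")
            # Assumption: the generated policy limits IAM actions to LaserNode-*
            # role / instance-profile ARNs, as the IAM Scope row implies.
            elif service == "iam" and not all("/LaserNode-" in r for r in resources):
                findings.append(f"{action}: IAM resource not limited to LaserNode-*")
    return findings


# Constructed sample documents (not the Console's real output).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "unique-external-id-123"}},
    }],
}
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:Describe*",
                    "ec2:CreateSubnet", "ec2:AllocateAddress", "ec2:CreateVolume"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticloadbalancing:CreateLoadBalancer",
                    "elasticloadbalancing:CreateTargetGroup"]},
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:PassRole"],
         "Resource": "arn:aws:iam::123456789012:role/LaserNode-*"},
    ],
}
# Same policy plus two grants the page says should never be present.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": PERMISSIONS_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    # To check the real files, json.load() trust-policy.json and
    # permissions-policy.json from Step 2 and pass them in instead.
    print("trust:", check_trust_policy(TRUST_POLICY, "unique-external-id-123") or "ok")
    print("perms:", check_permissions_policy(PERMISSIONS_POLICY) or "ok")
    for finding in check_permissions_policy(OVERBROAD_POLICY):
        print("overbroad:", finding)
```

The external ID check matters most: without the sts:ExternalId condition, anyone who learns the role ARN and can get LaserData's platform to assume it on their behalf could reach your account, which is exactly the confused deputy case the generated trust policy is meant to close.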

Cleanup

When you delete a BYOC deployment, LaserData:

  1. Terminates EC2 instances
  2. Releases Elastic IPs
  3. Deletes security groups, subnets, and route tables
  4. Removes IAM instance profiles and roles created for the deployment

Internet gateways are not deleted as they may be shared with other resources.

GCP BYOC

GCP BYOC uses a service account instead of IAM roles. LaserData impersonates the service account to provision infrastructure in your GCP project.

Prerequisites

  • A GCP project
  • A VPC network in the target region
  • BYOC enabled on your subscription (Pro and Enterprise plans)

Setup

  1. From the Console, initiate a BYOC deployment and select GCP as the provider
  2. LaserData generates setup instructions for your GCP project
  3. Create a service account and grant the required IAM roles (see below)
  4. Grant LaserData the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on the service account, allowing impersonation
  5. Provide your GCP Project ID, service account email, and VPC network name
  6. LaserData provisions the deployment in your project

IAM Roles

The service account requires the following IAM roles on the GCP project:

Role                               Purpose
roles/compute.instanceAdmin.v1     VM management (create, start, stop, delete instances)
roles/compute.networkAdmin         Networking (VPC, subnets, firewall rules, routes)
roles/compute.securityAdmin        Firewall rules and SSL certificates
roles/iam.serviceAccountUser       Attach service accounts to instances
roles/resourcemanager.tagAdmin     Create and manage resource tags
roles/resourcemanager.tagUser      Bind tags to resources

Additionally, LaserData needs to impersonate the service account:

Role                                     Purpose
roles/iam.serviceAccountTokenCreator     Allows LaserData to generate credentials for the service account

Not included: No Cloud Storage, no Secret Manager, no Cloud Logging access. LaserData has no access to your application data or secrets.
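Setup step 4 grants the Token Creator role on the service account itself, not on the project; a project-wide binding of roles/iam.serviceAccountTokenCreator would let the grantee mint tokens for every service account in the project. The following added example (not LaserData's tooling) checks both IAM policies against the two tables above: the project policy, in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, should bind exactly the six documented roles to the BYOC service account and carry no project-wide Token Creator grant, and the service account's own policy (`gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`) should grant Token Creator to LaserData's principal only. The policies in it are constructed samples, and the LaserData impersonating principal is a placeholder.

```python
"""Check the IAM bindings of a BYOC service account against the role tables on
this page.  Added example, not LaserData's tooling.  Policy JSON below is a
constructed sample in the shape gcloud's get-iam-policy commands return, and
LASERDATA_PRINCIPAL is a placeholder for the identity LaserData impersonates from."""

SA_EMAIL = "laserdata-byoc@my-gcp-project-123.iam.gserviceaccount.com"
# Placeholder: the LaserData-side identity that impersonates the service account.
LASERDATA_PRINCIPAL = "serviceAccount:control-plane@laserdata-placeholder.iam.gserviceaccount.com"

REQUIRED_PROJECT_ROLES = {
    "roles/compute.instanceAdmin.v1",
    "roles/compute.networkAdmin",
    "roles/compute.securityAdmin",
    "roles/iam.serviceAccountUser",
    "roles/resourcemanager.tagAdmin",
    "roles/resourcemanager.tagUser",
}
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Role families the "Not included" note says should be absent.
OUT_OF_SCOPE_PREFIXES = ("roles/storage.", "roles/secretmanager.", "roles/logging.")


def roles_for_member(policy, member):
    """All roles bound to one member in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_project_policy(policy, sa_email):
    """Project-level bindings: exactly the documented roles for the service
    account, and no project-wide Token Creator grant to anyone."""
    findings = []
    roles = roles_for_member(policy, f"serviceAccount:{sa_email}")
    for role in sorted(REQUIRED_PROJECT_ROLES - roles):
        findings.append(f"missing project role {role}")
    for role in sorted(roles - REQUIRED_PROJECT_ROLES):
        if role.startswith(OUT_OF_SCOPE_PREFIXES):
            findings.append(f"{role}: data/secrets/logging access the page says is not needed")
        else:
            findings.append(f"extra role {role} beyond the documented set")
    for binding in policy.get("bindings", []):
        if binding["role"] == TOKEN_CREATOR:
            members = ", ".join(binding.get("members", []))
            findings.append(f"{TOKEN_CREATOR} bound project-wide to {members}")
    return findings


def check_service_account_policy(sa_policy, laserdata_principal):
    """Bindings on the service account resource itself: Token Creator should be
    held by LaserData's principal and by nobody else."""
    findings = []
    token_creators = set()
    for binding in sa_policy.get("bindings", []):
        if binding["role"] == TOKEN_CREATOR:
            token_creators.update(binding.get("members", []))
    if laserdata_principal not in token_creators:
        findings.append("LaserData principal lacks Token Creator on the service account")
    for member in sorted(token_creators - {laserdata_principal}):
        findings.append(f"{member} can also impersonate the service account")
    return findings


# Constructed samples: a correct project policy, and one with three mistakes
# (a missing role, an out-of-scope role, and Token Creator bound project-wide).
PROJECT_POLICY = {
    "version": 1,
    "etag": "placeholder-etag",
    "bindings": [{"role": r, "members": [f"serviceAccount:{SA_EMAIL}"]}
                 for r in sorted(REQUIRED_PROJECT_ROLES)]
                + [{"role": "roles/owner", "members": ["user:admin@example.com"]}],
}
BAD_PROJECT_POLICY = {
    "version": 1,
    "etag": "placeholder-etag",
    "bindings": [{"role": r, "members": [f"serviceAccount:{SA_EMAIL}"]}
                 for r in sorted(REQUIRED_PROJECT_ROLES - {"roles/resourcemanager.tagUser"})]
                + [{"role": "roles/storage.objectViewer", "members": [f"serviceAccount:{SA_EMAIL}"]},
                   {"role": TOKEN_CREATOR, "members": [LASERDATA_PRINCIPAL]}],
}
SA_POLICY_OK = {"bindings": [{"role": TOKEN_CREATOR, "members": [LASERDATA_PRINCIPAL]}]}
SA_POLICY_BAD = {"bindings": [{"role": TOKEN_CREATOR,
                               "members": [LASERDATA_PRINCIPAL, "user:dev@example.com"]}]}

if __name__ == "__main__":
    print("project:", check_project_policy(PROJECT_POLICY, SA_EMAIL) or "ok")
    for finding in check_project_policy(BAD_PROJECT_POLICY, SA_EMAIL):
        print("bad project:", finding)
    print("service account:", check_service_account_policy(SA_POLICY_OK, LASERDATA_PRINCIPAL) or "ok")
```

To run this against a real project, feed it the output of the two gcloud commands named above (parsed with json.load) instead of the constructed dictionaries; the bindings list shape is the same.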


API Reference

Validate BYOC Credentials

curl -X POST {supervisor_url}/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/byoc/validate \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "cloud": "aws",
    "region": "us-west-1",
    "account_id": "123456789012",
    "identity_arn": "arn:aws:iam::123456789012:role/LaserDataByocRole",
    "external_id": "unique-external-id-123",
    "vpc_id": "vpc-12345678"
  }'

Generate BYOC Setup

curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/byoc/setup \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "cloud": "aws",
    "region": "us-west-1"
  }'

Create a BYOC Deployment

curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/byoc \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "byoc-prod",
    "cloud": "aws",
    "tier": "large",
    "cluster": "replica",
    "region": "us-west-2",
    "protected": true,
    "encrypted": true,
    "storage": {
      "type": "network_balanced",
      "size": 500
    },
    "availability_mode": "multi_az",
    "subdomain_enabled": true,
    "aws": {
      "account_id": "123456789012",
      "identity_arn": "arn:aws:iam::123456789012:role/LaserDataByocRole",
      "external_id": "your-external-id",
      "vpc_id": "vpc-0abc123def456",
      "vpc_cidr": "10.0.0.0/16"
    }
  }'

The payload is the same as a managed deployment, with an additional aws object. Returns 202 Accepted with ld-environment and ld-deployment headers.

Create a GCP BYOC Deployment

curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/byoc \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "byoc-gcp-prod",
    "cloud": "gcp",
    "tier": "large",
    "cluster": "single",
    "region": "europe-west1",
    "protected": false,
    "encrypted": false,
    "storage": {
      "type": "network_balanced",
      "size": 100
    },
    "availability_mode": "single_az",
    "public_ip_enabled": true,
    "subdomain_enabled": true,
    "gcp": {
      "project_id": "my-gcp-project-123",
      "service_account_email": "laserdata-byoc@my-gcp-project-123.iam.gserviceaccount.com",
      "vpc_name": "default"
    }
  }'

Same response as AWS BYOC — 202 Accepted with ld-environment and ld-deployment headers.
