BYOC Deployment¶
What Is a BYOC Deployment¶
A BYOC (Bring Your Own Cloud) deployment Plan allows your customers to run your software inside their own cloud accounts or Kubernetes clusters while you retain full operational control through the Omnistrate control plane. The Plan specification defines the deployment model, cloud account configuration, API parameters, Helm chart or container configuration, and lifecycle settings.
Omnistrate supports three BYOC variants. Each uses the same Plan structure with different deployment configuration:
| Variant | Spec Field | Target |
|---|---|---|
| Standard BYOC | byoaDeployment | Customer cloud accounts (AWS, GCP, Azure, OCI, Nebius) |
| BYOC PrivateLink | byoaDeployment + account-level PrivateLink flag | Regulated environments with zero public exposure |
| BYOC On-Premise | byoaDeployment | Any Kubernetes cluster (cloud-managed, bare-metal, edge, local) |
Note
The same Plan can serve multiple BYOC variants. The variant is selected at customer account onboarding time, not in the Plan specification itself.
Configuring the Deployment Block¶
Compose Specification¶
For compose-based specifications, configure your provider account under x-omnistrate-service-plan:
x-omnistrate-service-plan:
name: 'My Product - BYOC'
deployment:
byoaDeployment:
awsAccountId: "<AWS_ACCOUNT_ID>"
awsBootstrapRoleAccountArn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/omnistrate-bootstrap-role
Note
Replace the placeholder values with your own cloud account information. You only need to configure the cloud providers you plan to support.
For the complete compose specification reference, see x-omnistrate-service-plan.deployment.byoaDeployment.
Plan Specification¶
For Plan-based specifications, configure the deployment block at the root level:
name: My Product - BYOC
deployment:
byoaDeployment:
awsAccountId: "<AWS_ACCOUNT_ID>"
awsBootstrapRoleAccountArn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/omnistrate-bootstrap-role
For the complete plan specification reference, see deployment schema.
Customer Account Onboarding¶
Before deploying into a customer's cloud account, the customer must onboard their account. This establishes the trust relationship between your provisioner account and the customer's account.
Self-Serve via Customer Portal¶
Customers can onboard their cloud account directly from your Customer Portal. The portal guides them through the cloud-specific setup (CloudFormation for AWS, Cloud Shell for GCP/Azure) and tracks the account status.
Assisted via CLI¶
You can onboard customer accounts on their behalf using omnistrate-ctl:
# AWS account
omnistrate-ctl account customer create \
--service=<service-name> \
--environment=<environment-name> \
--plan=<plan-name> \
--customer-email=<[email protected]> \
--aws-account-id=<CUSTOMER_AWS_ACCOUNT_ID>
# GCP account
omnistrate-ctl account customer create \
--service=<service-name> \
--environment=<environment-name> \
--plan=<plan-name> \
--customer-email=<[email protected]> \
--gcp-project-id=<CUSTOMER_GCP_PROJECT_ID> \
--gcp-project-number=<CUSTOMER_GCP_PROJECT_NUMBER> \
--gcp-service-account-email=<CUSTOMER_GCP_SA_EMAIL>
# Azure account
omnistrate-ctl account customer create \
--service=<service-name> \
--environment=<environment-name> \
--plan=<plan-name> \
--customer-email=<[email protected]> \
--azure-subscription-id=<CUSTOMER_AZURE_SUBSCRIPTION_ID> \
--azure-tenant-id=<CUSTOMER_AZURE_TENANT_ID>
For detailed onboarding guides per cloud provider, see:
Enabling PrivateLink¶
To enable BYOC PrivateLink for a customer account, add the --private-link flag at onboarding time:
omnistrate-ctl account customer create \
--service=<service-name> \
--environment=<environment-name> \
--plan=<plan-name> \
--customer-email=<[email protected]> \
--aws-account-id=<CUSTOMER_AWS_ACCOUNT_ID> \
--private-link
PrivateLink is a per-account setting — every instance deployed into a PrivateLink-enabled account uses private connectivity automatically. No Plan specification changes are required. For details, see BYOC PrivateLink.
Onboarding On-Premise Clusters¶
For BYOC On-Premise, pass a cluster name instead of cloud account credentials:
mkdir -p dp-install-kit && cd dp-install-kit
omnistrate-ctl account customer create \
--service=<service-name> \
--environment=<environment-name> \
--plan=<plan-name> \
--cluster-name=<customer-cluster-name> \
--cluster-description="Customer production Kubernetes cluster"
This generates an install kit that the customer runs against their Kubernetes cluster. For the full walkthrough, see BYOC On-Premise.
Bring Your Own VPC (BYO-VPC)¶
Customers running in BYOC mode can bring their own VPC instead of letting Omnistrate create one. When creating an instance, the customer specifies their VPC ID as the value of the cloud_provider_native_network_id input parameter.
VPC Requirements (AWS Standard)¶
| # | Requirement | Details |
|---|---|---|
| 1 | DNS settings | Enable DNS hostnames and DNS resolution on the VPC |
| 2 | NAT Gateway | A public NAT gateway for pulling container images; private subnet route tables must route to it |
| 3 | Public subnet auto-assign IP | Public subnets must have auto-assign public IPv4 address enabled |
| 4 | Subnet tags | Private subnets: kubernetes.io/role/internal-elb = 1. Public subnets: kubernetes.io/role/elb = 1 |
VPC Requirements (PrivateLink)¶
| # | Requirement | Details |
|---|---|---|
| 1 | VPC & subnet tags | Tag VPC and workload subnets with omnistrate.com/managed-by = omnistrate |
| 2 | DNS settings | Enable DNS hostnames and DNS resolution |
| 3 | Egress | Outbound internet via NAT Gateway, Transit Gateway, or VPN |
| 4 | Management VPC Endpoint | Interface VPC Endpoint targeting the PrivateLink service name Omnistrate provides |
| 5 | Cross-region | If the customer's VPC and PrivateLink service are in different regions, pass --service-region |
For full BYO-VPC details, see BYOC and Imported VPC requirements for BYOC PrivateLink.
Deploying Instances¶
Once a customer account is onboarded and in READY state, deploy instances into it:
omnistrate-ctl instance create \
--service=<service-name> \
--environment=<environment-name> \
--plan=<plan-name> \
--version=latest \
--resource=<resource-name> \
--cloud-provider=aws \
--region=us-east-1 \
--customer-account-id=<customer-account-instance-id> \
--param-file=./params.json \
--wait
For BYOC On-Premise deployments, use --cloud-provider=byoc-onprem and --region=on-prem:
omnistrate-ctl instance create \
--service=<service-name> \
--environment=<environment-name> \
--plan=<plan-name> \
--version=latest \
--resource=<resource-name> \
--cloud-provider=byoc-onprem \
--region=on-prem \
--customer-account-id=<customer-account-instance-id> \
--param-file=./params.json \
--wait
What's Next¶
- BYOC Overview — understand the BYOC model and why it matters
- BYOC use case — architecture and BYO-VPC details
- BYOC PrivateLink — zero-public-exposure variant
- BYOC On-Premise — deploy to any Kubernetes cluster
- BYOC Cloud Accounts — operational guide for managing customer accounts
- Deployment Models — compare all deployment models
- Compose Specification — full compose spec reference
- Plan Specification — full plan spec reference