Skip to content

Manage BYOC Cloud Accounts

View and manage your customers' BYOC Cloud Accounts for BYOC deployments.

What is BYOC?

BYOC (Bring Your Own Cloud) is a deployment model where your customers' applications are deployed and managed within their own cloud accounts rather than in your infrastructure. This approach addresses critical customer requirements around data sovereignty, security compliance, and cost control while still providing a fully-managed SaaS experience.

BYOC Operations

Self-served BYOC Setup

The Customer Portal can be used by customers to connect and manage their BYOC cloud accounts.

Setup Customer Accounts on behalf of customer

You can also work with your customer to perform an assisted setup of their Cloud Account.

Responsibility model

In a BYOC deployment, responsibilities are split across three parties:

  • Customer account owner: Runs the onboarding flow in the target account, approves IAM and identity setup, and owns cloud quotas, organization policies, and network constraints in that account.
  • SaaS provider: Enables BYOC for the service, guides or assists the customer through onboarding, and operates the resulting instances through Omnistrate.
  • Omnistrate: Provides the onboarding artifacts, bootstraps the deployment cell, installs platform components, and orchestrates lifecycle operations in the connected account.

Lifecycle of a BYOC account

For most BYOC services, the lifecycle looks like this:

  1. The customer connects their cloud account from the Customer Portal or through an assisted flow.
  2. The first instance in a given account and region bootstraps the deployment cell for that location.
  3. Later instances in the same account and region typically reuse that deployment cell instead of creating a new cluster every time.
  4. The account can only be offboarded after all instances in that account are deleted.

For more background on deployment cells, see Deployment Cells.

Self-serve vs assisted onboarding

Both patterns are supported:

  • Self-serve: The customer runs the onboarding flow directly from the Customer Portal.
  • Assisted: Your team coordinates with the customer and helps execute the onboarding steps in their cloud account.

The underlying Omnistrate bootstrap flow is the same in both cases. The main difference is who drives the cloud-console or Cloud Shell steps.

Retrying onboarding safely

When onboarding fails partway through, or when bootstrap resources are deleted manually later, avoid trying to stitch old and new bootstrap state together.

Recommended approach:

  • Re-run the current onboarding flow for the exact target account and cloud provider.
  • If the connected account was partially onboarded and then manually modified, disconnect or offboard it and onboard again cleanly.
  • For GCP, treat deleted-and-recreated projects, removed workload identity pools/providers, or mismatched onboarding kits as fresh onboarding events.
  • Do not assume a previous bootstrap in another region, another environment, or another cloud account can be reused automatically.

Account Off-boarding

Off-board a customer account to sever the relationship with your SaaS Product.

For the exact sequence and cloud-specific teardown steps, see Cloud Account Offboarding.

The key rule is to let Omnistrate finish deleting deployment cells and other platform-managed resources first, and only then remove CloudFormation, GCP, or Azure onboarding artifacts. Deleting those artifacts too early can leave the account stuck in Deleting.