BYOC Deployment¶

What Is a BYOC Deployment¶

A BYOC (Bring Your Own Cloud) deployment Plan allows your customers to run your software inside their own cloud accounts or Kubernetes clusters while you retain full operational control through the Omnistrate control plane. The Plan specification defines the deployment model, cloud account configuration, API parameters, Helm chart or container configuration, and lifecycle settings.

Omnistrate supports three BYOC variants. Each uses the same Plan structure with different deployment configuration:

Variant	Spec Field	Target
Standard BYOC	`byoaDeployment`	Customer cloud accounts (AWS, GCP, Azure, OCI, Nebius)
BYOC PrivateLink	`byoaDeployment` + account-level PrivateLink flag	Regulated environments with zero public exposure
BYOC On-Premise	`byoaDeployment`	Any Kubernetes cluster (cloud-managed, bare-metal, edge, local)

Note

The same Plan can serve multiple BYOC variants. The variant is selected at customer account onboarding time, not in the Plan specification itself.

Configuring the Deployment Block¶

Compose Specification¶

For compose-based specifications, configure your provider account under x-omnistrate-service-plan:

x-omnistrate-service-plan:
  name: 'My Product - BYOC'
  deployment:
    byoaDeployment:
      awsAccountId: "<AWS_ACCOUNT_ID>"
      awsBootstrapRoleAccountArn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/omnistrate-bootstrap-role

Note

Replace the placeholder values with your own cloud account information. You only need to configure the cloud providers you plan to support.

For the complete compose specification reference, see x-omnistrate-service-plan.deployment.byoaDeployment.

Plan Specification¶

For Plan-based specifications, configure the deployment block at the root level:

name: My Product - BYOC
deployment:
  byoaDeployment:
    awsAccountId: "<AWS_ACCOUNT_ID>"
    awsBootstrapRoleAccountArn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/omnistrate-bootstrap-role

For the complete plan specification reference, see deployment schema.

Customer Account Onboarding¶

Before deploying into a customer's cloud account, the customer must onboard their account. This establishes the trust relationship between your provisioner account and the customer's account.

Self-Serve via Customer Portal¶

Customers can onboard their cloud account directly from your Customer Portal. The portal guides them through the cloud-specific setup (CloudFormation for AWS, Cloud Shell for GCP/Azure) and tracks the account status.

Assisted via CLI¶

You can onboard customer accounts on their behalf using omnistrate-ctl:

# AWS account
omnistrate-ctl account customer create \
  --service=<service-name> \
  --environment=<environment-name> \
  --plan=<plan-name> \
  --customer-email=<customer@example.com> \
  --aws-account-id=<CUSTOMER_AWS_ACCOUNT_ID>

# GCP account
omnistrate-ctl account customer create \
  --service=<service-name> \
  --environment=<environment-name> \
  --plan=<plan-name> \
  --customer-email=<customer@example.com> \
  --gcp-project-id=<CUSTOMER_GCP_PROJECT_ID> \
  --gcp-project-number=<CUSTOMER_GCP_PROJECT_NUMBER> \
  --gcp-service-account-email=<CUSTOMER_GCP_SA_EMAIL>

# Azure account
omnistrate-ctl account customer create \
  --service=<service-name> \
  --environment=<environment-name> \
  --plan=<plan-name> \
  --customer-email=<customer@example.com> \
  --azure-subscription-id=<CUSTOMER_AZURE_SUBSCRIPTION_ID> \
  --azure-tenant-id=<CUSTOMER_AZURE_TENANT_ID>

For detailed onboarding guides per cloud provider, see:

Enabling PrivateLink¶

To enable BYOC PrivateLink for a customer account, add the --private-link flag at onboarding time:

omnistrate-ctl account customer create \
  --service=<service-name> \
  --environment=<environment-name> \
  --plan=<plan-name> \
  --customer-email=<customer@example.com> \
  --aws-account-id=<CUSTOMER_AWS_ACCOUNT_ID> \
  --private-link

PrivateLink is a per-account setting — every instance deployed into a PrivateLink-enabled account uses private connectivity automatically. No Plan specification changes are required. For details, see BYOC PrivateLink.

Onboarding On-Premise Clusters¶

For BYOC On-Premise, pass a cluster name instead of cloud account credentials:

mkdir -p dp-install-kit && cd dp-install-kit

omnistrate-ctl account customer create \
  --service=<service-name> \
  --environment=<environment-name> \
  --plan=<plan-name> \
  --cluster-name=<customer-cluster-name> \
  --cluster-description="Customer production Kubernetes cluster"

This generates an install kit that the customer runs against their Kubernetes cluster. For the full walkthrough, see BYOC On-Premise.

Bring Your Own VPC (BYO-VPC)¶

Customers running in BYOC mode can bring their own VPC instead of letting Omnistrate create one. When creating an instance, the customer specifies their VPC ID as the value of the cloud_provider_native_network_id input parameter.

VPC Requirements (AWS Standard)¶

#	Requirement	Details
1	DNS settings	Enable DNS hostnames and DNS resolution on the VPC
2	NAT Gateway	A public NAT gateway for pulling container images; private subnet route tables must route to it
3	Public subnet auto-assign IP	Public subnets must have auto-assign public IPv4 address enabled
4	Subnet tags	Private subnets: `kubernetes.io/role/internal-elb` = `1`. Public subnets: `kubernetes.io/role/elb` = `1`

VPC Requirements (PrivateLink)¶

#	Requirement	Details
1	VPC & subnet tags	Tag VPC and workload subnets with `omnistrate.com/managed-by` = `omnistrate`
2	DNS settings	Enable DNS hostnames and DNS resolution
3	Egress	Outbound internet via NAT Gateway, Transit Gateway, or VPN
4	Management VPC Endpoint	Interface VPC Endpoint targeting the PrivateLink service name Omnistrate provides
5	Cross-region	If the customer's VPC and PrivateLink service are in different regions, pass `--service-region`

For full BYO-VPC details, see BYOC and Imported VPC requirements for BYOC PrivateLink.

Deploying Instances¶

Once a customer account is onboarded and in READY state, deploy instances into it:

omnistrate-ctl instance create \
  --service=<service-name> \
  --environment=<environment-name> \
  --plan=<plan-name> \
  --version=latest \
  --resource=<resource-name> \
  --cloud-provider=aws \
  --region=us-east-1 \
  --customer-account-id=<customer-account-instance-id> \
  --param-file=./params.json \
  --wait

For BYOC On-Premise deployments, use --cloud-provider=byoc-onprem and --region=on-prem:

omnistrate-ctl instance create \
  --service=<service-name> \
  --environment=<environment-name> \
  --plan=<plan-name> \
  --version=latest \
  --resource=<resource-name> \
  --cloud-provider=byoc-onprem \
  --region=on-prem \
  --customer-account-id=<customer-account-instance-id> \
  --param-file=./params.json \
  --wait

What's Next¶

BYOC Overview — understand the BYOC model and why it matters
BYOC use case — architecture and BYO-VPC details
BYOC PrivateLink — zero-public-exposure variant
BYOC On-Premise — deploy to any Kubernetes cluster
BYOC Cloud Accounts — operational guide for managing customer accounts
Deployment Models — compare all deployment models
Compose Specification — full compose spec reference
Plan Specification — full plan spec reference