Manage BYOC Cloud Accounts¶

View and manage your customers' BYOC Cloud Accounts for BYOC deployments.

What is BYOC?¶

BYOC (Bring Your Own Cloud) is a deployment model where your customers' applications are deployed and managed within their own cloud accounts rather than in your infrastructure. This approach addresses critical customer requirements around data sovereignty, security compliance, and cost control while still providing a fully-managed SaaS experience.

BYOC Operations¶

Self-served BYOC Setup¶

The Customer Portal can be used by customers to connect and manage their BYOC cloud accounts.

Setup Customer Accounts on behalf of customer¶

You can also work with your customer to perform an assisted setup of their Cloud Account.

Responsibility model¶

In a BYOC deployment, responsibilities are split across three parties:

Customer account owner: Runs the onboarding flow in the target account, approves IAM and identity setup, and owns cloud quotas, organization policies, and network constraints in that account.
SaaS provider: Enables BYOC for the service, guides or assists the customer through onboarding, and operates the resulting instances through Omnistrate.
Omnistrate: Provides the onboarding artifacts, bootstraps the deployment cell, installs platform components, and orchestrates lifecycle operations in the connected account.

Lifecycle of a BYOC account¶

For most BYOC services, the lifecycle looks like this:

The customer connects their cloud account from the Customer Portal or through an assisted flow.
The first instance in a given account and region bootstraps the deployment cell for that location.
Later instances in the same account and region typically reuse that deployment cell instead of creating a new cluster every time.
The account can only be offboarded after all instances in that account are deleted.

For more background on deployment cells, see Deployment Cells.

Self-serve vs assisted onboarding¶

Both patterns are supported:

Self-serve: The customer runs the onboarding flow directly from the Customer Portal.
Assisted: Your team coordinates with the customer and helps execute the onboarding steps in their cloud account.

The underlying Omnistrate bootstrap flow is the same in both cases. The main difference is who drives the cloud-console or Cloud Shell steps.

CTL workflow for BYOA cloud accounts¶

If you prefer to onboard customer accounts from the CLI, use the provider-specific getting-started guides:

The common BYOA lifecycle commands are:

# Create a customer onboarding instance
omnistrate-ctl account customer create [provider flags] --service <service> --environment <environment> --plan <byoa-plan>

# List and inspect customer onboarding instances
omnistrate-ctl account customer list [flags]
omnistrate-ctl account customer describe <customer-account-instance-id>

# Update or delete a customer onboarding instance
omnistrate-ctl account customer update <customer-account-instance-id> [flags]
omnistrate-ctl account customer delete <customer-account-instance-id>

# Create a BYOA deployment with that onboarding instance
omnistrate-ctl instance create ... --customer-account-id <customer-account-instance-id>

In production environments, account customer create defaults to the calling user's subscription unless you explicitly pass --subscription-id or --customer-email.

Retrying onboarding safely¶

When onboarding fails partway through, or when bootstrap resources are deleted manually later, avoid trying to stitch old and new bootstrap state together.

Recommended approach:

Re-run the current onboarding flow for the exact target account and cloud provider.
If the connected account was partially onboarded and then manually modified, disconnect or offboard it and onboard again cleanly.
For GCP, treat deleted-and-recreated projects, removed workload identity pools/providers, or mismatched onboarding kits as fresh onboarding events.
Do not assume a previous bootstrap in another region, another environment, or another cloud account can be reused automatically.

BYOC PrivateLink Accounts¶

BYOC PrivateLink is selected at account-onboarding time (Customer Portal toggle, or --private-link on omnistrate-ctl account customer create). Once enabled, every instance in the account uses the PrivateLink dataplane topology.

Omnistrate-managed VPC¶

The simplest topology: Omnistrate provisions the VPC, subnets, NAT gateway, security group, and the management VPC Endpoint inside the customer's account on first deployment. The customer only grants the bootstrap role via CloudFormation — no manual VPC or VPCE setup is required.

To allow this path, the account must be onboarded with the Allow new cloud-native network creation option enabled. This grants Omnistrate permission to create new VPCs in the account on demand; without it, every deployment must reuse an existing customer-supplied VPC.

Customer Portal: enable Allow new cloud-native network creation on the AWS account form.

omnistrate-ctl: pass --allow-create-new-cloud-native-network on account customer create:

omnistrate-ctl account customer create \
  --service=<service> \
  --environment=<environment> \
  --plan=<plan> \
  --customer-email=<customer@example.com> \
  --aws-account-id=<AWS_ACCOUNT_ID> \
  --private-link \
  --allow-create-new-cloud-native-network

When this option is set, the first instance in each region triggers Omnistrate to create the deployment cell's VPC, subnets, NAT gateway, security group, and management VPCE. Later instances in the same region reuse the same network.

Imported VPC requirements for BYOC PrivateLink¶

Customers typically bring their own VPC when they need to comply with internal network governance — for example, reusing an existing CIDR plan that fits Transit Gateway / Direct Connect routing, attaching the dataplane to a pre-approved security-group and firewall posture, sharing a NAT gateway or egress proxy with other workloads, or operating under a policy that prohibits the SaaS provider from creating new VPCs in their account.

When the customer brings their own VPC for a PrivateLink account, the VPC must satisfy the following before any instance is deployed:

#	Requirement	Details
1	VPC & subnet tags	Tag the VPC and the subnets where deployment instances should run with `omnistrate.com/managed-by` = `omnistrate`. The tag is both the IAM permission gate and the subnet selector for EKS nodegroup placement — tag only the subnets where you want deployment instances to be placed.
2	DNS	Enable `enableDnsSupport` and `enableDnsHostnames` on the VPC.
3	Egress	Deployment subnets need outbound internet via NAT Gateway, Transit Gateway, or VPN. Required for Helm binary downloads and `ghcr.io` chart pulls during dataplane bootstrap.
4	Management VPC Endpoint	Create a single Interface VPC Endpoint targeting the PrivateLink service Omnistrate provides, with:
		• Tag `Name` = `omnistrate-byoc-private-vpce-<provisioner-hc-id>`
		• Security-group allowing inbound TCP 8443–8506 from the VPC CIDR
5	Cross-region (if applicable)	If the customer's VPC and the PrivateLink service live in different AWS regions, pass `--service-region` to `aws ec2 create-vpc-endpoint` (or `service_region` in the Terraform `aws_vpc_endpoint` resource). Do not enable private DNS — AWS does not support it for cross-region interface endpoints.
6	Subnet tags (optional)	Private subnets: tag `kubernetes.io/role/internal-elb` = `1`. Public subnets: tag `kubernetes.io/role/elb` = `1`. Not mandatory for PrivateLink deployments, but recommended if you plan to use internal load balancers.

Note

Omnistrate hands the customer the VPCE service name and the provisioner host-cluster ID after the account is onboarded; both are needed to create the management VPC Endpoint.

Account Offboarding¶

When a customer no longer needs your SaaS Product or wants to disconnect their cloud account, you can offboard their BYOC account. This removes all Omnistrate-managed resources from the customer's cloud account and severs the trust relationship.

Prerequisites¶

Before a BYOC account can be offboarded:

The customer must delete all deployment instances running in their cloud account. Active instances must be terminated before the account can be offboarded.

Warning

Offboarding is a destructive operation. All deployment cells, networking, and control plane components in the customer's cloud account are permanently removed. Ensure the customer has backed up any data they need to retain.

Offboarding Steps¶

Offboarding from the Customer Portal¶

Customers offboard their BYOC account directly from the Customer Portal:

Navigate to your cloud account settings in the Customer Portal.
Delete the cloud account configuration.
Confirm the offboarding operation.
Wait for Omnistrate to automatically remove all managed resources from your account.

What offboarding cleans up¶

When you offboard a customer's BYOC account, Omnistrate removes the following resources from the customer's cloud:

Control plane agents and system nodes
Monitoring infrastructure
Networking resources (VPCs, subnets, and security groups created by Omnistrate) — only if you are not using a Bring Your Own Network deployment model
Deployment cells and their underlying Kubernetes clusters

Customer-side cleanup¶

After the offboarding process completes, the customer should remove the onboarding permissions from their cloud account. For cloud-specific cleanup steps, see Offboarding.

Note

The cloud-provider-specific onboarding permissions are not automatically removed during offboarding. The customer must clean these up manually.