# BYOC deployment

The BYOC (Bring Your Own Cloud) deployment offers a fully managed, turnkey solution where all infrastructure management is offloaded to Union.ai.

The **data plane** resides in your cloud provider account but is managed by Union.ai, which handles deployment, monitoring, Kubernetes upgrades, and all other operational aspects of the platform. BYOC supports data planes on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

The **control plane** resides in the Union.ai AWS account and is administered by Union.ai. Data separation is maintained between the data plane and the control plane: the control plane has no access to the code, input/output, images, or logs in the data plane.

## Subpages

- [Platform architecture](https://www.union.ai/docs/v1/union/deployment/byoc/platform-architecture/page.md)
  - Control plane
  - Data plane
  - Data plane nodes
  - Union.ai operator
  - Registry data
  - Execution data
  - Raw data
  - Literal data
  - Data privacy
- [Configuring your data plane](https://www.union.ai/docs/v1/union/deployment/byoc/configuring-your-data-plane/page.md)
  - Cloud provider
  - Multi-cluster
  - Account ID
  - Region
  - VPC
  - Data retention policy
  - Worker node groups
  - Node group name
  - Node type
  - Minimum
  - Maximum
  - Interruptible instances
  - Taints
  - Disk
  - Resources held back
  - Example specification
  - After deployment
  - Adjusting your configuration
- [Multi-cluster and multi-cloud](https://www.union.ai/docs/v1/union/deployment/byoc/multi-cluster/page.md)
  - Domain isolation
  - Project isolation
  - Data and metadata isolation
- [Data plane setup on AWS](https://www.union.ai/docs/v1/union/deployment/byoc/data-plane-setup-on-aws/page.md)
  - Setting permissions through CloudFormation
  - Click the Launch Stack button
  - Confirm the details
  - Share the role ARN
  - Updating permissions through CloudFormation
  - Update your CloudFormation template
  - Setting permissions manually
  - Prepare the policy documents
  - Create the role manually
  - Share the role ARN
  - Updating permissions manually
  - Setting up and managing your own VPC (optional)
  - Private EKS endpoint
  - Create additional roles for ECS
  - Attach a new IAM policy to the Union role
  - Configure VPC Endpoints
- [Data plane setup on GCP](https://www.union.ai/docs/v1/union/deployment/byoc/data-plane-setup-on-gcp/page.md)
  - Select or create a project
  - Ensure billing is linked
  - Create a workload identity pool and provider
  - In the GCP web console
  - On the command line using `gcloud`
  - Create a role for Union.ai admin
  - Create the Union.ai admin service account
  - In the GCP web console
  - On the command line using `gcloud`
  - Grant access for the Workflow Identity Pool to the Service Account
  - In the GCP web console
  - On the command line using `gcloud`
  - Enable services API
  - In the GCP web console
  - On the command line using `gcloud`
  - Setting up and managing your own VPC (optional)
  - Example VPC CIDR Block allocation
- [Data plane setup on Azure](https://www.union.ai/docs/v1/union/deployment/byoc/data-plane-setup-on-azure/page.md)
  - Selecting Azure tenant and subscription
  - Create a Microsoft Entra Application Registration
  - Create a Microsoft Entra ID Application for Union.ai Access
  - Create Microsoft Entra ID Applications for Union.ai cost allocation
  - (Recommended) Create a Microsoft Entra group for cluster administration
  - (Optional) Setting up and managing your own VNet
  - Required Union.ai VNet permissions
  - Required VNet properties
  - Example VPC CIDR Block allocation
  - Union.ai Maintenance Windows
- [Enabling AWS resources](https://www.union.ai/docs/v1/union/deployment/byoc/enabling-aws-resources/page.md)
  - Types of access
  - Infrastructure-level access
  - Task code access
  - Background
  - Enabling access
  - Creating a custom policy
  - Setting up global access
  - Setting up project-domain-scoped access
  - Create the IAM role
  - Configure the cluster to use the new IAM role
- [Enabling GCP resources](https://www.union.ai/docs/v1/union/deployment/byoc/enabling-gcp-resources/page.md)
  - Types of access
  - Infrastructure-level access
  - Task code access
  - Domain-scoped access
  - Globally-scoped access
  - Find the actual name of `<UserFlyteGSA>`
- [Enabling Azure resources](https://www.union.ai/docs/v1/union/deployment/byoc/enabling-azure-resources/page.md)
  - Types of access
  - Infrastructure-level access
  - Task code access
  - Domain-scoped access
  - Globally-scoped access
- [Single sign on setup](https://www.union.ai/docs/v1/union/deployment/byoc/single-sign-on-setup/page.md)
  - Google OpenID Connect
  - Microsoft Entra ID (formerly Azure AD)
  - Other identity providers

---
**Source**: https://github.com/unionai/unionai-docs/blob/main/content/deployment/byoc/_index.md
**HTML**: https://www.union.ai/docs/v1/union/deployment/byoc/
