BYOC (Bring Your Own Cloud)
EZ-CDC uses a Bring Your Own Cloud deployment model where data processing happens entirely within your cloud account (AWS or GCP). This approach provides the security of self-hosting with the convenience of a managed service.
What is BYOC?
In the BYOC model:
- Workers run in your cloud account on compute instances you own (EC2 on AWS, GCE on GCP)
- Data never leaves your VPC - source and sink connections are direct
- You control the network - define security groups, subnets, and routing
- EZ-CDC manages orchestration - we handle job assignment, monitoring, and lifecycle
Security Benefits
1. Data Residency
Your data remains within your cloud account boundaries:
| Data Type | Location | Access |
|---|---|---|
| Source data (PostgreSQL) | Your VPC | Worker only |
| Replicated data (StarRocks) | Your VPC | Worker only |
| Connection credentials | EZ-CDC (encrypted) | Decrypted only in worker |
| Job metadata | EZ-CDC | Control plane |
| Metrics | Your VPC → Control Plane | Push only |
2. Network Isolation
Workers require zero inbound connections. All traffic is outbound only, connecting to the control plane, databases, and metrics endpoints.
3. Minimal Permissions
EZ-CDC workers use the minimum permissions needed:
- AWS: IAM Instance Profile with CloudWatch Logs, S3 (binary downloads), and SSM access
- GCP: Service Account with Logging and Monitoring write permissions
No permissions to read your database data, modify your network, or access other resources in your account.
4. Encryption
| Data | Encryption |
|---|---|
| Connection credentials | AES-256-GCM (at rest) |
| Control plane communication | TLS 1.3 (in transit) |
| Database connections | SSL/TLS (configurable) |
BYOC vs Traditional SaaS
| Aspect | Traditional SaaS | EZ-CDC BYOC |
|---|---|---|
| Data location | Vendor's cloud | Your cloud (AWS or GCP) |
| Network exposure | Vendor IPs need access | No inbound access |
| Compliance | Depends on vendor | Your controls apply |
| Data sovereignty | May cross borders | Stays in your region |
| Audit trail | Vendor logs | Your CloudWatch / Cloud Logging |
Connectivity Options
Standard (AWS & GCP)
Workers connect to the control plane over the public internet using TLS-encrypted HTTPS/gRPC.
Pros: Simple setup, no additional cloud resources Cons: Traffic traverses internet (encrypted)
PrivateLink (AWS)
Workers connect via AWS PrivateLink — traffic never leaves the AWS network.
Pros: No internet exposure, private IPs only Cons: Additional setup, PrivateLink costs
Cloud NAT (GCP)
Workers have no public IPs — all egress goes through Cloud NAT with mTLS.
Pros: No public IPs on workers, secure egress Cons: Cloud NAT costs (~$1/day + data transfer)
What EZ-CDC Can See
The control plane only sees:
✅ Visible to EZ-CDC:
- Job status (running, stopped, failed)
- Worker health metrics (CPU, memory)
- Replication metrics (events/sec, lag)
- Encrypted connection configs
- Table names (for UI display)
❌ NOT visible to EZ-CDC:
- Actual row data
- Query results
- Decrypted credentials
- Network traffic content
Compliance Considerations
BYOC helps with compliance requirements:
| Regulation | How BYOC Helps |
|---|---|
| GDPR | Data stays in your EU region |
| HIPAA | PHI never leaves your BAA-covered account |
| SOC 2 | Your existing controls apply |
| PCI DSS | Cardholder data stays in your CDE |
For regulated industries, combine BYOC with PrivateLink (AWS) or Cloud NAT (GCP) to eliminate any public internet exposure on workers.
Next Steps
- Quickstart - Deploy your first BYOC worker
- PrivateLink Setup - Enable enterprise connectivity
- IAM Role Setup - Configure AWS permissions