BYOC (Bring Your Own Cloud)
EZ-CDC uses a Bring Your Own Cloud deployment model where data processing happens entirely within your AWS account. This approach provides the security of self-hosting with the convenience of a managed service.
What is BYOC?
In the BYOC model:
- Workers run in your AWS account on EC2 instances you own
- Data never leaves your VPC - source and sink connections are direct
- You control the network - define security groups, subnets, and routing
- EZ-CDC manages orchestration - we handle job assignment, monitoring, and lifecycle
Security Benefits
1. Data Residency
Your data remains within your AWS account boundaries:
| Data Type | Location | Access |
|---|---|---|
| Source data (PostgreSQL) | Your VPC | Worker only |
| Replicated data (StarRocks) | Your VPC | Worker only |
| Connection credentials | EZ-CDC (encrypted) | Decrypted only in worker |
| Job metadata | EZ-CDC | Control plane |
| Metrics | Your VPC → Control Plane | Push only |
2. Network Isolation
Workers require zero inbound connections. All traffic is outbound only, connecting to the control plane, databases, and metrics endpoints.
3. IAM-Based Access Control
EZ-CDC uses IAM roles for AWS resource access:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::ez-cdc-releases/*"
},
{
"Effect": "Allow",
"Action": [
"ssm:UpdateInstanceInformation",
"ssm:DescribeInstanceInformation"
],
"Resource": "*"
}
]
}
4. Encryption
| Data | Encryption |
|---|---|
| Connection credentials | AES-256-GCM (at rest) |
| Control plane communication | TLS 1.3 (in transit) |
| Database connections | SSL/TLS (configurable) |
BYOC vs Traditional SaaS
| Aspect | Traditional SaaS | EZ-CDC BYOC |
|---|---|---|
| Data location | Vendor's cloud | Your cloud |
| Network exposure | Vendor IPs need access | No inbound access |
| Compliance | Depends on vendor | Your controls apply |
| Data sovereignty | May cross borders | Stays in your region |
| Audit trail | Vendor logs | Your CloudWatch |
Connectivity Options
Standard (Internet)
Workers connect to the control plane over the public internet using TLS-encrypted HTTPS/gRPC.
Pros: Simple setup, no additional AWS resources Cons: Traffic traverses internet (encrypted)
PrivateLink (Enterprise)
Workers connect via AWS PrivateLink—traffic never leaves AWS network.
Pros: No internet exposure, private IPs only Cons: Additional setup, PrivateLink costs
What EZ-CDC Can See
The control plane only sees:
✅ Visible to EZ-CDC:
- Job status (running, stopped, failed)
- Worker health metrics (CPU, memory)
- Replication metrics (events/sec, lag)
- Encrypted connection configs
- Table names (for UI display)
❌ NOT visible to EZ-CDC:
- Actual row data
- Query results
- Decrypted credentials
- Network traffic content
Compliance Considerations
BYOC helps with compliance requirements:
| Regulation | How BYOC Helps |
|---|---|
| GDPR | Data stays in your EU region |
| HIPAA | PHI never leaves your BAA-covered account |
| SOC 2 | Your existing controls apply |
| PCI DSS | Cardholder data stays in your CDE |
For regulated industries, combine BYOC with PrivateLink connectivity to eliminate any public internet exposure.
Next Steps
- Quickstart - Deploy your first BYOC worker
- PrivateLink Setup - Enable enterprise connectivity
- IAM Role Setup - Configure AWS permissions