Deployment Models

Managed, BYOC, and On-Premise - choose how and where your deployments run

LaserData Cloud supports three deployment models. All three use the same Warden agent, the same Console, and the same APIs - the difference is where the infrastructure runs and who owns it.

How It Works

Every deployment - regardless of model - runs the same stack: an Iggy server managed by a Warden agent that communicates with the LaserData control plane. The only difference is where the infrastructure lives.

All communication between nodes and the control plane is outbound only - initiated by Warden over HTTPS. No inbound connections, no SSH, no cloud-specific agents.

Managed

LaserData provisions and operates everything in our cloud infrastructure.

  • Fully managed - we handle provisioning, networking, TLS certificates, upgrades, and monitoring
  • Quick setup - create a deployment from the Console and connect in minutes
  • Custom subdomain - every deployment gets a unique subdomain (e.g. your-cluster.laserdata.cloud) for use in connection strings, with automated TLS
  • VPC Peering available - connect your own VPC for private network access (AWS and GCP)
  • PrivateLink available - expose the deployment as a VPC endpoint service (AWS only)
  • NLB-based endpoints - public or private access with end-to-end TLS encryption

Suitable for teams that want fully managed infrastructure without cloud account setup.

BYOC (Bring Your Own Cloud)

LaserData manages the deployment, but the infrastructure runs in your AWS account. BYOC is currently available for AWS only.

  • Data stays in your account - all nodes, storage, and network are in your AWS environment. Data never leaves your infrastructure
  • You control the cloud bill - resources run under your AWS account
  • Same management experience - Console, monitoring, upgrades, and task orchestration work identically to Managed
  • IAM role-based access - LaserData assumes a scoped IAM role in your account for provisioning only
  • No Kubernetes required - runs on plain EC2 instances

The IAM role has limited scope: EC2, networking, and EBS operations for provisioning. No access to S3, Secrets Manager, CloudWatch, or your application data.

See the BYOC Setup Guide for step-by-step instructions.

On-Premise

Run deployments on your own infrastructure - physical servers, private cloud, or any VMs - while the LaserData control plane handles orchestration.

  • Full infrastructure control - run on any hardware or cloud provider
  • Pull-based only - Warden connects outbound to the control plane. No inbound connections to your network
  • Firewall-friendly - only outbound HTTPS (port 443) required
  • Independent operation - Iggy continues running even if the control plane is unreachable. Tasks queue and execute when connectivity is restored
  • Managed setup - On-Premise deployments are provisioned by the LaserData team. Contact us to get started

See the On-Premise Setup Guide for detailed instructions.

Comparison

| | Managed | BYOC | On-Premise |
|---|---|---|---|
| Infrastructure owner | LaserData | You (AWS) | You (any) |
| Data location | LaserData AWS/GCP | Your AWS account | Your infrastructure |
| Cloud bill | Included in plan | Your AWS account | Your infrastructure |
| Provisioning | Automatic | Automatic (via IAM role) | LaserData team (contact us) |
| Networking | VPC Peering (AWS/GCP), PrivateLink (AWS), NLB | Direct VPC access | Your network |
| Upgrades | Automatic | Automatic | Pull-based via Warden |
| Console & APIs | Full access | Full access | Full access |
| Kubernetes required | No | No | No |

What You Get with Every Deployment

Regardless of model, every deployment includes:

Custom Subdomain

Each deployment receives a unique subdomain (e.g. your-cluster.laserdata.cloud) that serves as the connection endpoint. TLS is always enabled - all client connections are encrypted. Subdomains are managed automatically and require a public IP.

Built-in Stream UI

Every deployment includes a built-in web interface for browsing and managing your data - streams, topics, partitions, messages, and consumer groups. Stream UI runs embedded in the Warden process directly on the node, meaning your data is accessed in full isolation and never leaves your infrastructure. Access is controlled through Access Rules.

Data Isolation

Your data never transits the LaserData control plane. The control plane orchestrates infrastructure (tasks, configs, certificates) - but Iggy data, messages, and client connections stay entirely within your deployment nodes. This holds for all three deployment models.

Encryption

All disk storage is encrypted at rest by default via the underlying cloud provider (AWS EBS encryption, GCP Persistent Disk encryption). On top of that, you can enable server-side message payload encryption during deployment creation. When enabled, all message data is encrypted with a per-deployment key before being written to disk — adding an additional layer of protection beyond the underlying disk encryption. Combined with mandatory TLS for all connections, your data is encrypted both at rest and in transit.

Monitoring & Telemetry

The Warden agent on each node collects and pushes metrics, heartbeats, and logs to the control plane. Telemetry data is retained based on your plan (7 to 365 days). You can also redirect logs to your own OpenTelemetry-compatible endpoint if you prefer to keep log data in your own systems. See Monitoring for details.

Creating a Deployment

From the Console

  1. Navigate to your Environment in the Console
  2. Click Create Deployment
  3. Choose the deployment model - Managed or BYOC (for On-Premise, contact the LaserData team)
  4. Configure the deployment:

| Setting | Description |
|---|---|
| Name | Human-readable name for your deployment |
| Cloud | Cloud provider — aws or gcp |
| Region | Cloud region (e.g. us-west-1, europe-west1) |
| Tier | Compute tier - determines CPU, memory, and available features. See Tiers & Storage |
| Cluster | Standalone (single node) or Replica (two-node HA with automatic failover). Replica requires Large tier or above |
| Storage type | Network Balanced or NVMe SSD. See Tiers & Storage |
| Storage size | Disk size in GB (network storage only - NVMe SSD size is fixed by instance type) |
| Availability mode | Single-AZ or Multi-AZ. Multi-AZ distributes Replica nodes across zones for zone-level fault tolerance |
| Encryption | Enable server-side message payload encryption with a per-deployment key (disk encryption is always on via the cloud provider) |
| Protected | Enable resource protection - deleting a protected deployment requires a one-time code sent to the organization email |
| Target network throughput | Optional target throughput in KB/s. Used for capacity planning and pricing estimates |
| Retention | Telemetry retention period for metrics, heartbeats, and logs |
| Spend limit | Optional monthly spend cap |

  5. Click Deploy - provisioning typically takes a few minutes

Free Tier

The Free tier is designed for development and testing:

  • Rate limited - network throughput is always capped at 100 KB/s on Free tier, regardless of plan
  • Default access rule - Managed Free tier deployments are created with a global access rule (0.0.0.0/0) so you can connect immediately. You can delete or replace this rule at any time
  • Public IP - Free tier IP may change on restart; paid tiers use a static Elastic IP
  • Subdomain enabled - you still get a custom subdomain for connection strings
  • Standalone only - Replica deployments are not available on Free tier
  • Single-AZ only - Multi-AZ is not available

The Free tier is available for development and testing at no cost.

Network Rate Limits

| Tier | Rate Limit | Notes |
|---|---|---|
| Free | 100 KB/s | Always rate limited |
| Small | 3 MB/s | Basic plan only |
| Medium | 10 MB/s | Basic plan only |
| Large and above | No limit | - |

The Free tier is always rate limited. Small and Medium tiers are rate limited on the Basic plan - once your tenant is upgraded to Pro or Enterprise, their rate limits are removed and higher tiers become available.

Public IP

| Mode | Behavior |
|---|---|
| Public | Fixed Elastic IP that persists across restarts. Includes a custom subdomain for connection strings with automated TLS |
| Private | No public IP. Access only via VPC Peering or PrivateLink |

Subdomains require a public IP. If you choose Private mode, subdomains are disabled and the deployment is only reachable through private networking.

The Free tier uses a dynamic public IP that may change on restart, unlike the static Elastic IP on paid tiers.

Regions

Available regions depend on the cloud provider. During deployment creation, select a region from the available list for your chosen cloud. Examples:

  • AWS: us-west-1, us-west-2, eu-west-1, eu-central-1, ap-southeast-1
  • GCP: us-central1, us-east1, europe-west1, asia-southeast1

Use the List Available Clouds and List Regions endpoints to see what's currently available for your tenant.

Upgrading a Deployment

After creation, you can upgrade a deployment's tier and storage configuration without recreating it. An upgrade changes the compute resources (tier) and/or, for network storage types, the storage type and size. NVMe SSD deployments cannot be upgraded until clustering support is available.


Plan Limits

Each plan determines which deployment tiers are available and how many deployments you can create per tier. The deployment_tiers field in the tenant features response lists each allowed tier with its maximum count.

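| Tier | Basic | Pro | Enterprise |
|---|---|---|---|
| Free | 1 | 1 | 1 |
| Small | 1 | 3 | 10 |
| Medium | 1 | 3 | 10 |
| Large | - | 2 | 10 |
| XLarge | - | 1 | 10 |
| 2XLarge | - | 1 | 10 |
| 4XLarge | - | - | 5 |
| 8XLarge | - | - | 3 |
| 16XLarge | - | - | 2 |

| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| Configurations per deployment | 3 | 5 | 10 |
| BYOC | - | Available | Available |
| Replica deployments | - | Available | Available |
| Multi-AZ | - | Available | Available |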

API Reference

Deployment creation goes through the main API (laserdata.cloud/api). Upgrade, retention, and spend limit updates also go through the main API, scoped to the deployment. Operational endpoints (access rules, configs, connectors, metrics, logs) use the deployment API ({supervisor_url}). See API Architecture for details.

List Available Clouds

curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds \
  -H "ld-api-key: YOUR_API_KEY"

List Regions

curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions \
  -H "ld-api-key: YOUR_API_KEY"

List Available Tiers

curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions/{region}/tiers \
  -H "ld-api-key: YOUR_API_KEY"

[
  {
    "key": "free",
    "name": "Free",
    "description": "Perfect for getting started. Great for development, testing, and learning the platform.",
    "instance": "t3.micro",
    "available": true,
    "limit": 1,
    "vcpus": 2,
    "memory_gib": 1,
    "clusters": ["standalone"],
    "storages": ["network_balanced"],
    "rate_limit": "100 KB/s"
  },
  {
    "key": "large",
    "name": "Large",
    "description": "Sized for ~10 MB/s workloads. Built for demanding production applications with dedicated isolated nodes.",
    "instance": "m7i.large",
    "available": true,
    "limit": 2,
    "vcpus": 2,
    "memory_gib": 8,
    "clusters": ["standalone", "replica"],
    "storages": ["local_ssd", "network_balanced"],
    "rate_limit": null
  }
]

instance is the baseline network-disk compute instance for the tier. Use this endpoint as the source of truth for tier availability, per-tier limits, compute specs, supported cluster/storage modes, and plan-aware rate limits.

List Available Storage Types

curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions/{region}/storages \
  -H "ld-api-key: YOUR_API_KEY"

Use these discovery endpoints to build deployment creation forms - they return only what's available for your plan and region.

Create a Managed Deployment

curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/managed \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "prod-cluster",
    "cloud": "aws",
    "tier": "large",
    "cluster": "standalone",
    "region": "us-west-1",
    "protected": true,
    "encrypted": true,
    "storage": {
      "type": "network_balanced",
      "size": 500
    },
    "retention": {
      "telemetry_days": 90
    },
    "target_network_tput": 10000,
    "availability_mode": "single_az",
    "subdomain_enabled": true,
    "spend_limit": 500.00
  }'

Allowed values:

| Field | Values |
|---|---|
| cloud | aws, gcp |
| tier | free, small, medium, large, xlarge, 2xlarge, 4xlarge, 8xlarge, 16xlarge |
| cluster | standalone, replica |
| storage.type | local_ssd, network_balanced |
| availability_mode | single_az, multi_az |
| target_network_tput | Target network throughput in KB/s (optional, integer). For example, 10000 = ~10 MB/s |

Returns 202 Accepted with the ld-environment and ld-deployment headers containing the created resource IDs.
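
A pre-flight check for the create payload, added here as an example (it is not LaserData code). It enforces the allowed values above together with the constraints stated elsewhere on this page: Replica requires Large or above, Free tier is Single-AZ only, and storage size applies to network storage only. The function name `validate_create_payload`, the `require_hardening` switch, and the mapping of `local_ssd` to NVMe SSD are assumptions of this example.

```python
# Added example: pre-flight check for a create-deployment payload.
# Allowed values and constraints are taken from this page; the function name
# and the require_hardening policy switch are assumptions of this example.

TIERS = ["free", "small", "medium", "large", "xlarge",
         "2xlarge", "4xlarge", "8xlarge", "16xlarge"]  # ascending order
ALLOWED = {
    "cloud": {"aws", "gcp"},
    "tier": set(TIERS),
    "cluster": {"standalone", "replica"},
    "availability_mode": {"single_az", "multi_az"},
}
STORAGE_TYPES = {"local_ssd", "network_balanced"}


def validate_create_payload(payload, require_hardening=True):
    """Return a list of problems; an empty list means the payload passes."""
    problems = []
    # Enumerated fields: check only those present, since the page does not
    # state which fields are mandatory.
    for field, allowed in ALLOWED.items():
        if field in payload and payload[field] not in allowed:
            problems.append(f"{field}: {payload[field]!r} not in {sorted(allowed)}")

    storage = payload.get("storage") or {}
    stype = storage.get("type")
    if stype is not None and stype not in STORAGE_TYPES:
        problems.append(f"storage.type: {stype!r} not in {sorted(STORAGE_TYPES)}")
    # Assumption: local_ssd is the API value for the NVMe SSD storage type,
    # whose size is fixed by the instance type.
    if stype == "local_ssd" and "size" in storage:
        problems.append("storage.size applies to network storage only")

    tier = payload.get("tier")
    if tier in TIERS:
        if payload.get("cluster") == "replica" and TIERS.index(tier) < TIERS.index("large"):
            problems.append("cluster: replica requires Large tier or above")
        if tier == "free" and payload.get("availability_mode") == "multi_az":
            problems.append("availability_mode: Free tier is Single-AZ only")

    tput = payload.get("target_network_tput")
    if tput is not None and (isinstance(tput, bool) or not isinstance(tput, int)):
        problems.append("target_network_tput: must be an integer (KB/s)")

    if require_hardening:  # organisation baseline, not an API requirement
        if payload.get("encrypted") is not True:
            problems.append("encrypted: payload encryption is not enabled")
        if payload.get("protected") is not True:
            problems.append("protected: resource protection is not enabled")
    return problems


# Constructed inputs: the first mirrors the request body shown above.
GOOD = {"name": "prod-cluster", "cloud": "aws", "tier": "large",
        "cluster": "standalone", "region": "us-west-1", "protected": True,
        "encrypted": True, "storage": {"type": "network_balanced", "size": 500},
        "target_network_tput": 10000, "availability_mode": "single_az"}
BAD = {"cloud": "azure", "tier": "small", "cluster": "replica",
       "storage": {"type": "local_ssd", "size": 100},
       "target_network_tput": "10000", "encrypted": False}

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        print(label, validate_create_payload(body))
```
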

Create a BYOC Deployment

BYOC deployments use the same payload as managed deployments, with an additional aws object containing your IAM role credentials. See the BYOC Setup Guide for the full walkthrough and API reference.

Create a Starter Deployment

A quick way to spin up a Free-tier Standalone deployment for testing:

curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/deployments/starter \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "cloud": "aws",
    "region": "us-west-1"
  }'

| Field | Required | Description |
|---|---|---|
| cloud | Yes | Cloud provider (e.g. aws) |
| region | Yes | Cloud region (e.g. us-west-1) |
| environment_id | No | Existing environment ID to deploy into |
| environment_name | No | Name for a new environment (defaults to sandbox if neither ID nor name is provided) |
| deployment_name | No | Deployment name (auto-generated if omitted) |

Returns 202 Accepted with ld-environment and ld-deployment headers containing the created resource IDs.

List Deployments

curl https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments \
  -H "ld-api-key: YOUR_API_KEY"

{
  "items": [
    {
      "id": 1,
      "name": "prod-cluster",
      "code": "abc123",
      "variant": "managed",
      "domain": "prod-cluster.laserdata.cloud",
      "cloud": "aws",
      "area": "us",
      "region": "us-west-1",
      "cluster": "standalone",
      "tier": "large",
      "runtimes": ["iggy"],
      "nodes_count": 1,
      "protected": true,
      "encrypted": true,
      "storage_type": "network_balanced",
      "availability_mode": "single_az",
      "supervisor_url": "https://us.aws.supervisor.laserdata.cloud",
      "rate_limit": null,
      "target_network_tput": 10000,
      "retention": {
        "telemetry": {
          "logs_days": 90,
          "metrics_days": 90,
          "heartbeats_days": 90
        }
      },
      "upgraded_at": null,
      "can_upgrade": true,
      "created_at": "2025-01-15T10:30:00Z",
      "updated_at": "2025-01-15T10:30:00Z"
    }
  ],
  "page": 1,
  "total_results": 1,
  "total_pages": 1
}

Get Deployment Details

curl {supervisor_url}/deployments/{deployment_id} \
  -H "ld-api-key: YOUR_API_KEY"

Returns the full deployment details including nodes, active configurations, and AWS networking info.

{
  "id": 1,
  "name": "prod-cluster",
  "code": "abc123",
  "variant": "managed",
  "status": "initialized",
  "domain": "prod-cluster.laserdata.cloud",
  "cloud": "aws",
  "area": "us",
  "region": "us-west-1",
  "cluster": "standalone",
  "tier": "large",
  "runtimes": ["iggy"],
  "nodes_count": 1,
  "protected": true,
  "encrypted": true,
  "storage_type": "network_balanced",
  "storage_size": 500,
  "network_mode": "public",
  "availability_mode": "single_az",
  "cidr": "10.0.0.0/16",
  "supervisor_url": "https://us.aws.supervisor.laserdata.cloud",
  "rate_limit": null,
  "target_network_tput": 10000,
  "retention": {
    "telemetry": {
      "logs_days": 90,
      "metrics_days": 90,
      "heartbeats_days": 90
    }
  },
  "description": null,
  "remarks": null,
  "upgraded_at": null,
  "can_upgrade": true,
  "created_at": "2025-01-15T10:30:00Z",
  "updated_at": "2025-01-15T10:30:00Z",
  "configs": [
    {
      "id": 1,
      "kind": "iggy",
      "name": "default",
      "primary": true,
      "initialized": true,
      "version": 1,
      "created_at": "2025-01-15T10:30:00Z",
      "updated_at": "2025-01-15T10:30:00Z"
    }
  ],
  "nodes": [
    {
      "id": 1,
      "name": "node-1",
      "public_ip_addresses": ["54.183.100.50"],
      "private_ip_addresses": ["10.0.1.10"],
      "initialized": true,
      "initialized_at": "2025-01-15T10:35:00Z",
      "runtimes": ["iggy"],
      "storage_type": "network_balanced",
      "created_at": "2025-01-15T10:30:00Z",
      "updated_at": "2025-01-15T10:35:00Z"
    }
  ],
  "aws": {
    "network": {
      "vpc_id": "vpc-0abc123def456789a",
      "vpc_cidr": "10.0.0.0/16",
      "public_ip_enabled": true,
      "subdomain_enabled": true
    }
  }
}

| Field | Description |
|---|---|
| status | Deployment lifecycle status: creating, initializing, initialized, extending, upgrading, rolling_back, failed, deleting (and intermediate provisioning states) |
| storage_size | Disk storage size in GB (network storage) |
| network_mode | public (Elastic IP + subdomain), private (private networking only), or hybrid |
| cidr | Deployment subnet CIDR block (used for VPC peering) |
| target_network_tput | Target network throughput in KB/s. null when not set (uses tier default) |
| rate_limit | Enforced network rate limit when applicable (Free tier always, Small/Medium on Basic plan) |
| configs | Active deployment configurations (Iggy, connectors) with version info |
| nodes | Individual node details including IPs, initialization state, and runtimes |
| aws | AWS-specific networking info (VPC ID, CIDR, public IP and subdomain status). Only present for AWS deployments |
| gcp | GCP-specific networking info. Only present for GCP deployments |
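
An exposure review built on the fields of this response, added here as an example (it is not LaserData code). It combines `network_mode` and the nodes' public IPs with the deployment's access-rule CIDRs to flag a publicly reachable deployment that still carries an any-source rule, such as the default 0.0.0.0/0 rule on Managed Free tier deployments. The `access_rule_cidrs` argument, the function name and the severity labels are assumptions; the Access Rules API is not shown on this page.

```python
# Added example: exposure review of a "Get Deployment Details" response.
# Severity labels and function names are this example's own.
import ipaddress


def review_exposure(deployment, access_rule_cidrs=()):
    """Return (severity, message) findings for one deployment-details dict.

    access_rule_cidrs is an assumption: the source CIDRs of the deployment's
    Access Rules, fetched separately (that API is not shown on this page).
    """
    findings = []
    name = deployment.get("name", "?")
    mode = deployment.get("network_mode")
    public_ips = [ip for node in deployment.get("nodes", [])
                  for ip in node.get("public_ip_addresses", [])]
    reachable = mode in ("public", "hybrid") or bool(public_ips)

    # A /0 prefix admits every source address (0.0.0.0/0 or ::/0), like the
    # default rule created on Managed Free tier deployments.
    open_rules = [c for c in access_rule_cidrs
                  if ipaddress.ip_network(c, strict=False).prefixlen == 0]
    if reachable and open_rules:
        findings.append(("high", f"{name}: public endpoint with any-source rule {open_rules}"))
    elif reachable and access_rule_cidrs:
        findings.append(("info", f"{name}: public endpoint limited to {list(access_rule_cidrs)}"))

    if mode == "private" and public_ips:
        findings.append(("medium", f"{name}: private mode but nodes list public IPs {public_ips}"))
    if not deployment.get("encrypted"):
        findings.append(("low", f"{name}: message payload encryption is off"))
    if not deployment.get("protected"):
        findings.append(("medium", f"{name}: unprotected, deletion needs no one-time code"))
    return findings


# Constructed input: a trimmed copy of the sample response shown above.
SAMPLE = {
    "name": "prod-cluster", "network_mode": "public",
    "protected": True, "encrypted": True,
    "nodes": [{"name": "node-1", "public_ip_addresses": ["54.183.100.50"],
               "private_ip_addresses": ["10.0.1.10"]}],
}

if __name__ == "__main__":
    for rules in (["0.0.0.0/0"], ["203.0.113.0/24"]):
        for severity, message in review_exposure(SAMPLE, rules):
            print(severity, message)
```
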

Get Deployment Credentials

curl {supervisor_url}/deployments/{deployment_id}/credentials \
  -H "ld-api-key: YOUR_API_KEY"

{
  "username": "iggy",
  "password": "your-deployment-password"
}

Use these in your Iggy client connection strings.

Upgrade a Deployment

Upgrade an existing deployment's tier and/or storage configuration. At least one of tier or storage must be provided. Deployments using NVMe SSD storage cannot be upgraded until clustering support is available.

curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/upgrade \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tier": "xlarge",
    "storage": {
      "type": "network_balanced",
      "size": 500
    }
  }'

| Field | Required | Description |
|---|---|---|
| tier | No* | Target tier (e.g. large, xlarge, 2xlarge). Cannot upgrade to free |
| storage.type | No* | Target storage type: network_balanced |
| storage.size | No | Storage size in GB. Cannot be smaller than current size |

* At least one of tier or storage must be provided.

Returns 202 Accepted. The upgrade is applied asynchronously by the Warden agent.

Extend a Deployment

Add nodes to an existing deployment:

curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/extend \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json"

Update Spend Limit

curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/spend_limit \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "spend_limit": 1000.00
  }'

Update Retention

curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/retention \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "retention": {
      "telemetry_days": 90
    }
  }'

Update a Deployment

curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id} \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "protected": true
  }'

Only the tenant owner can set protected back to false. See Resource Protection.

Returns 200 OK on success.

Delete a Deployment

For protected deployments, first request a resource code, then pass the code as a query parameter:

curl -X DELETE "https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}?code={protection_code}" \
  -H "ld-api-key: YOUR_API_KEY"

Returns 202 Accepted. The deletion is processed asynchronously.

Unprotected deployments can be deleted without the code parameter. This action is irreversible — all nodes are terminated and all data is permanently destroyed, including streams, topics, messages, partitions, consumer groups, configurations, backups, and telemetry history. None of this can be recovered.
