Deployment Models
Managed, BYOC, and On-Premise - choose how and where your deployments run
LaserData Cloud supports three deployment models. All three use the same Warden agent, the same Console, and the same APIs - the difference is where the infrastructure runs and who owns it.
How It Works
Every deployment - regardless of model - runs the same stack: an Iggy server managed by a Warden agent that communicates with the LaserData control plane. The only difference is where the infrastructure lives.
All communication between nodes and the control plane is outbound only - initiated by Warden over HTTPS. No inbound connections, no SSH, no cloud-specific agents.
Managed
LaserData provisions and operates everything in our cloud infrastructure.
- Fully managed - we handle provisioning, networking, TLS certificates, upgrades, and monitoring
- Quick setup - create a deployment from the Console and connect in minutes
- Custom subdomain - every deployment gets a unique subdomain (e.g.
your-cluster.laserdata.cloud) for use in connection strings, with automated TLS - VPC Peering available - connect your own AWS VPC for private network access
- PrivateLink available - expose the deployment as a VPC endpoint service
- NLB-based endpoints - public or private access with end-to-end TLS encryption
Suitable for teams that want fully managed infrastructure without cloud account setup.
BYOC (Bring Your Own Cloud)
LaserData manages the deployment, but the infrastructure runs in your AWS account.
- Data stays in your account - all nodes, storage, and network are in your AWS environment. Data never leaves your infrastructure
- You control the cloud bill - resources run under your AWS account
- Same management experience - Console, monitoring, upgrades, and task orchestration work identically to Managed
- IAM role-based access - LaserData assumes a scoped IAM role in your account for provisioning only
- No Kubernetes required - runs on plain EC2 instances
The IAM role has limited scope: EC2, networking, and EBS operations for provisioning. No access to S3, Secrets Manager, CloudWatch, or your application data.
See the BYOC Setup Guide for step-by-step instructions.
On-Premise
Run deployments on your own infrastructure - physical servers, private cloud, or any VMs - while the LaserData control plane handles orchestration.
- Full infrastructure control - run on any hardware or cloud provider
- Pull-based only - Warden connects outbound to the control plane. No inbound connections to your network
- Firewall-friendly - only outbound HTTPS (port 443) required
- Independent operation - Iggy continues running even if the control plane is unreachable. Tasks queue and execute when connectivity is restored
- Managed setup - On-Premise deployments are provisioned by the LaserData team. Contact us to get started
See the On-Premise Setup Guide for detailed instructions.
Comparison
| Managed | BYOC | On-Premise | |
|---|---|---|---|
| Infrastructure owner | LaserData | You (AWS) | You (any) |
| Data location | LaserData AWS | Your AWS account | Your infrastructure |
| Cloud bill | Included in plan | Your AWS account | Your infrastructure |
| Provisioning | Automatic | Automatic (via IAM role) | LaserData team (contact us) |
| Networking | VPC Peering, PrivateLink, NLB | Direct VPC access | Your network |
| Upgrades | Automatic | Automatic | Pull-based via Warden |
| Console & APIs | Full access | Full access | Full access |
| Kubernetes required | No | No | No |
What You Get with Every Deployment
Regardless of model, every deployment includes:
Custom Subdomain
Each deployment receives a unique subdomain (e.g. your-cluster.laserdata.cloud) that serves as the connection endpoint. TLS is always enabled - all client connections are encrypted. Subdomains are managed automatically and require a public IP.
Built-in Stream UI
Every deployment includes a built-in web interface for browsing and managing your data - streams, topics, partitions, messages, and consumer groups. Stream UI runs embedded in the Warden process directly on the node, meaning your data is accessed in full isolation and never leaves your infrastructure. Access is controlled through Access Rules.
Data Isolation
Your data never transits the LaserData control plane. The control plane orchestrates infrastructure (tasks, configs, certificates) - but Iggy data, messages, and client connections stay entirely within your deployment nodes. This holds for all three deployment models.
Encryption
Enable at-rest encryption during deployment creation. When enabled, all data stored on disk is encrypted with a per-deployment key. Combined with mandatory TLS for all connections, your data is encrypted both at rest and in transit.
Monitoring & Telemetry
The Warden agent on each node collects and pushes metrics, heartbeats, and logs to the control plane. Telemetry data is retained based on your plan (7 to 365 days). You can also redirect logs to your own OpenTelemetry-compatible endpoint if you prefer to keep log data in your own systems. See Monitoring for details.
Creating a Deployment
From the Console
- Navigate to your Environment in the Console
- Click Create Deployment
- Choose the deployment model - Managed or BYOC (for On-Premise, contact the LaserData team)
- Configure the deployment:
| Setting | Description |
|---|---|
| Name | Human-readable name for your deployment |
| Cloud | Cloud provider - currently AWS, with more providers coming soon |
| Region | AWS region (e.g. us-east-1, us-west-2, eu-west-1, eu-central-1) |
| Tier | Compute tier - determines CPU, memory, and available features. See Tiers & Storage |
| Cluster | Standalone (single node) or Replica (two-node HA with automatic failover). Replica requires Large tier or above |
| Storage type | Network Balanced, Network Optimized, Network Extreme, or Local SSD. See Tiers & Storage |
| Storage size | Disk size in GB (network storage only - Local SSD size is fixed by instance type) |
| Availability mode | Single-AZ or Multi-AZ. Multi-AZ distributes Replica nodes across zones for zone-level fault tolerance |
| Encryption | Enable at-rest encryption for data stored on disk |
| Protected | Prevent accidental deletion - protected deployments must be unprotected before they can be deleted |
| Retention | Telemetry retention period for metrics, heartbeats, and logs |
| Spend limit | Optional monthly spend cap |
- Click Deploy - provisioning typically takes a few minutes
Free Tier
The Free tier is designed for development and testing:
- Rate limited - network throughput is always capped at 100 KB/s on Free tier, regardless of plan
- Public IP - Free tier IP may change on restart; paid tiers use a static Elastic IP
- Subdomain enabled - you still get a custom subdomain for connection strings
- Standalone only - Replica deployments are not available on Free tier
- Single-AZ only - Multi-AZ is not available
The Free tier is available for development and testing at no cost.
Network Rate Limits
| Tier | Rate Limit | Notes |
|---|---|---|
| Free | 100 KB/s | Always rate limited |
| Small | 1 MB/s | Basic plan only |
| Medium | 10 MB/s | Basic plan only |
| Large and above | No limit | - |
The Free tier is always rate limited. Small and Medium tiers are rate limited on the Basic plan - once your tenant is upgraded to Pro or Enterprise, their rate limits are removed and higher tiers become available.
Public IP
| Mode | Behavior |
|---|---|
| Public | Fixed Elastic IP that persists across restarts. Includes a custom subdomain for connection strings with automated TLS |
| Private | No public IP. Access only via VPC Peering or PrivateLink |
Subdomains require a public IP. If you choose Private mode, subdomains are disabled and the deployment is only reachable through private networking.
The Free tier uses a dynamic public IP that may change on restart, unlike the static Elastic IP on paid tiers.
Regions
Available regions depend on the cloud provider. During deployment creation, select a region from the available list for your chosen cloud. Examples:
- AWS:
us-east-1,us-west-2,eu-west-1,eu-central-1,ap-southeast-1
Additional cloud providers are coming soon. Use the List Available Clouds endpoint to see what's currently available for your tenant.
Upgrading a Deployment
After creation, you can upgrade a deployment's tier and storage configuration without recreating it. Upgrade changes the compute resources (tier) and/or storage type and size for network storage types. Local SSD deployments cannot be upgraded until clustering support is available.
Plan Limits
| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| Deployments | 2 | 10 | 100 |
| Free deployments | 1 | 1 | 1 |
| Configurations per deployment | 3 | 10 | 100 |
| BYOC | - | Available | Available |
| Replica deployments | - | Available | Available |
| Multi-AZ | - | Available | Available |
API Reference
Deployment creation goes through the main API (laserdata.cloud/api). Upgrade, retention, and spend limit updates also go through the main API, scoped to the deployment. Operational endpoints (access rules, configs, connectors, metrics, logs) use the deployment API ({supervisor_url}). See API Architecture for details.
List Available Clouds
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds \
-H "ld-api-key: YOUR_API_KEY"List Regions
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions \
-H "ld-api-key: YOUR_API_KEY"List Available Tiers
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions/{region}/tiers \
-H "ld-api-key: YOUR_API_KEY"List Available Storage Types
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions/{region}/storages \
-H "ld-api-key: YOUR_API_KEY"Use these discovery endpoints to build deployment creation forms - they return only what's available for your plan and region.
Create a Managed Deployment
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/managed \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "prod-cluster",
"cloud": "aws",
"tier": "large",
"cluster": "standalone",
"region": "us-east-1",
"protected": true,
"encrypted": true,
"storage": {
"type": "network_balanced",
"size": 500
},
"retention": {
"telemetry_days": 90
},
"availability_mode": "single_az",
"subdomain_enabled": true,
"spend_limit": 500.00
}'Allowed values:
| Field | Values |
|---|---|
cloud | aws (more providers coming soon) |
tier | free, small, medium, large, xlarge, compute_optimized, network_optimized, storage_optimized, ultimate |
cluster | standalone, replica |
storage.type | local_ssd, network_balanced, network_optimized, network_extreme |
availability_mode | single_az, multi_az |
Returns 202 Accepted with the ld-environment and ld-deployment headers containing the created resource IDs.
Create a BYOC Deployment
BYOC deployments use the same payload as managed deployments, with an additional aws object containing your IAM role credentials. See the BYOC Setup Guide for the full walkthrough and API reference.
Create a Starter Deployment
A quick way to spin up a Free-tier Standalone deployment for testing:
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/deployments/starter \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"cloud": "aws",
"region": "us-east-1"
}'| Field | Required | Description |
|---|---|---|
cloud | Yes | Cloud provider (e.g. aws) |
region | Yes | Cloud region (e.g. us-east-1) |
environment_id | No | Existing environment ID to deploy into |
environment_name | No | Name for a new environment (defaults to sandbox if neither ID nor name is provided) |
deployment_name | No | Deployment name (auto-generated if omitted) |
Returns 202 Accepted with ld-environment and ld-deployment headers containing the created resource IDs.
List Deployments
curl https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments \
-H "ld-api-key: YOUR_API_KEY"{
"data": [
{
"id": 1,
"name": "prod-cluster",
"code": "abc123",
"variant": "managed",
"domain": "prod-cluster.laserdata.cloud",
"cloud": "aws",
"region": "us-east-1",
"cluster": "standalone",
"tier": "large",
"nodes_count": 1,
"protected": true,
"encrypted": true,
"storage_type": "network_balanced",
"availability_mode": "single_az",
"supervisor_url": "https://us.aws.supervisor.laserdata.cloud",
"retention": {
"telemetry_days": 90
},
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z"
}
],
"page": 1,
"results": 10,
"total": 1
}Get Deployment Details
curl {supervisor_url}/deployments/{deployment_id} \
-H "ld-api-key: YOUR_API_KEY"{
"id": 1,
"name": "prod-cluster",
"code": "abc123",
"variant": "managed",
"domain": "prod-cluster.laserdata.cloud",
"cloud": "aws",
"region": "us-east-1",
"cluster": "standalone",
"tier": "large",
"nodes_count": 1,
"protected": true,
"encrypted": true,
"storage_type": "network_balanced",
"availability_mode": "single_az",
"supervisor_url": "https://us.aws.supervisor.laserdata.cloud",
"retention": {
"telemetry_days": 90
},
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z"
}Get Deployment Credentials
curl {supervisor_url}/deployments/{deployment_id}/credentials \
-H "ld-api-key: YOUR_API_KEY"{
"username": "iggy",
"password": "your-deployment-password"
}Use these in your Iggy client connection strings.
Upgrade a Deployment
Upgrade an existing deployment's tier and/or storage configuration. At least one of tier or storage must be provided. Deployments using Local SSD storage cannot be upgraded until clustering support is available.
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/upgrade \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"tier": "xlarge",
"storage": {
"type": "network_optimized",
"size": 500
}
}'| Field | Required | Description |
|---|---|---|
tier | No* | Target tier (e.g. large, xlarge, compute_optimized). Cannot upgrade to free |
storage.type | No* | Target storage type: network_balanced, network_optimized, network_extreme |
storage.size | No | Storage size in GB. Cannot be smaller than current size |
* At least one of tier or storage must be provided.
Returns 202 Accepted. The upgrade is applied asynchronously by the Warden agent.
Extend a Deployment
Add nodes to an existing deployment:
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/extend \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json"Update Spend Limit
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/spend_limit \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"spend_limit": 1000.00
}'Update Retention
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/retention \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"retention": {
"telemetry_days": 90
}
}'Delete a Deployment
Protected deployments require the deployment code (shown in the Console and in the deployment details response). Pass it as a query parameter:
curl -X DELETE "https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}?code={deployment_code}" \
-H "ld-api-key: YOUR_API_KEY"Unprotected deployments can be deleted without the code parameter.