Deployment Models
Managed, BYOC, and On-Premise - choose how and where your deployments run
LaserData Cloud supports three deployment models. All three use the same Warden agent, the same Console, and the same APIs - the difference is where the infrastructure runs and who owns it.
How It Works
Every deployment - regardless of model - runs the same stack: an Iggy server managed by a Warden agent that communicates with the LaserData control plane. The only difference is where the infrastructure lives.
All communication between nodes and the control plane is outbound only - initiated by Warden over HTTPS. No inbound connections, no SSH, no cloud-specific agents.
Managed
LaserData provisions and operates everything in our cloud infrastructure.
- Fully managed - we handle provisioning, networking, TLS certificates, upgrades, and monitoring
- Quick setup - create a deployment from the Console and connect in minutes
- Custom subdomain - every deployment gets a unique subdomain (e.g. your-cluster.laserdata.cloud) for use in connection strings, with automated TLS
- VPC Peering available - connect your own VPC for private network access (AWS and GCP)
- PrivateLink available - expose the deployment as a VPC endpoint service (AWS)
- Private Service Connect available - expose the deployment as a PSC service attachment (GCP)
- Load-balanced endpoints - public or private access with end-to-end TLS encryption
Suitable for teams that want fully managed infrastructure without cloud account setup.
BYOC (Bring Your Own Cloud)
LaserData manages the deployment, but the infrastructure runs in your cloud account. BYOC is available for AWS and GCP.
- Data stays in your account - all nodes, storage, and network are in your cloud environment. Data never leaves your infrastructure
- You control the cloud bill - resources run under your cloud account
- Same management experience - Console, monitoring, upgrades, and task orchestration work identically to Managed
- Scoped access only - LaserData assumes a scoped IAM role (AWS) or impersonates a service account (GCP) for provisioning only
- No Kubernetes required - runs on plain compute instances
Provisioning access is limited to compute, networking, and storage operations. No access to object storage, secret managers, or your application data.
See the BYOC Setup Guide for step-by-step instructions.
On-Premise
Run deployments on your own infrastructure - physical servers, private cloud, or any VMs - while the LaserData control plane handles orchestration.
- Full infrastructure control - run on any hardware or cloud provider
- Pull-based only - Warden connects outbound to the control plane. No inbound connections to your network
- Firewall-friendly - only outbound HTTPS (port 443) required
- Independent operation - Iggy continues running even if the control plane is unreachable. Tasks queue and execute when connectivity is restored
- Managed setup - On-Premise deployments are provisioned by the LaserData team. Contact us to get started
See the On-Premise Setup Guide for detailed instructions.
Comparison
| | Managed | BYOC | On-Premise |
|---|---|---|---|
| Infrastructure owner | LaserData | You (AWS/GCP) | You (any) |
| Data location | LaserData AWS/GCP | Your cloud account | Your infrastructure |
| Cloud bill | Included in plan | Your cloud account | Your infrastructure |
| Provisioning | Automatic | Automatic (IAM role on AWS, service account on GCP) | LaserData team (contact us) |
| Networking | VPC Peering, PrivateLink (AWS), PSC (GCP) | Direct VPC access | Your network |
| Upgrades | Automatic | Automatic | Pull-based via Warden |
| Console & APIs | Full access | Full access | Full access |
| Kubernetes required | No | No | No |
What You Get with Every Deployment
Regardless of model, every deployment includes:
Custom Subdomain
Each deployment receives a unique subdomain (e.g. your-cluster.laserdata.cloud) that serves as the connection endpoint. TLS is always enabled - all client connections are encrypted. Subdomains are managed automatically and require a public IP.
Built-in Stream UI
Every deployment includes a built-in web interface for browsing and managing your data - streams, topics, partitions, messages, and consumer groups. Stream UI runs embedded in the Warden process directly on the node, meaning your data is accessed in full isolation and never leaves your infrastructure. Access is controlled through Access Rules.
Data Isolation
Your data never leaves your infrastructure. The control plane handles orchestration only (tasks, configs, certificates). Iggy data, messages, and client connections stay entirely on your deployment nodes across all three deployment models.
Encryption
All connections use TLS (encrypted in transit). All storage is encrypted at rest - NVMe SSDs are encrypted by the cloud provider at the hardware level, and network disks (EBS, Persistent Disk) always have encryption enabled. On top of this, you can enable custom key encryption during deployment creation - message data is then encrypted with a per-deployment key before being written to disk, adding a second layer on top of the cloud provider's disk encryption.
Monitoring & Telemetry
The Warden agent on each node collects and pushes metrics, heartbeats, and logs to the control plane. Telemetry data is retained based on your plan (7 to 365 days). You can also redirect logs to your own OpenTelemetry-compatible endpoint if you prefer to keep log data in your own systems. See Monitoring for details.
Creating a Deployment
From the Console
- Navigate to your Environment in the Console
- Click Create Deployment
- Choose the deployment model - Managed or BYOC (for On-Premise, contact the LaserData team)
- Configure the deployment:
| Setting | Description |
|---|---|
| Name | Human-readable name for your deployment |
| Cloud | Cloud provider - aws or gcp |
| Region | Cloud region (e.g. us-west-1, europe-west1) |
| Tier | Compute tier - determines CPU, memory, and available features. See Tiers & Storage |
| Cluster | standalone (single node) or cluster (multi-node with VSR-based replication - coming soon, not yet available). Cluster available on every paid tier (Small and above) |
| Storage type | Network Balanced or NVMe SSD. See Tiers & Storage |
| Storage size | Disk size in GB (network storage only - NVMe SSD size is fixed by instance type) |
| Availability mode | Single-AZ or Multi-AZ. Multi-AZ distributes Cluster nodes across zones for zone-level fault tolerance |
| Encryption | Enable custom key encryption on top of transparent cloud provider encryption (all deployments are always encrypted at rest and in transit) |
| Protected | Enable resource protection - deleting a protected deployment requires a one-time code sent to the organization email |
| Target network throughput | Optional target throughput in KB/s. Used for capacity planning and pricing estimates |
| Retention | Telemetry retention period for metrics, heartbeats, and logs |
| Spend limit | Optional monthly spend cap |
- Click Deploy - provisioning typically takes a few minutes
Free Tier
The Free tier is designed for development and testing:
- Rate limited - network throughput is always capped at 100 KB/s on Free tier, regardless of plan
- Default access rule - Managed Free tier deployments are created with a global access rule (0.0.0.0/0) so you can connect immediately. You can delete or replace this rule at any time
- Public IP - Free tier IP may change on restart; paid tiers use a static Elastic IP
- Subdomain enabled - you still get a custom subdomain for connection strings
- Standalone only - Cluster deployments are not available on Free tier
- Single-AZ only - Multi-AZ is not available
The Free tier is available for development and testing at no cost.
Inactivity: Free-tier deployments that see no traffic for 14 days are flagged as inactive and deleted to free the slot. Warning emails go out at day 10 (4 days before) and day 12 (2 days before) so you have a chance to keep the deployment alive.
Network Rate Limits
| Tier | Rate Limit | Notes |
|---|---|---|
| Free | 100 KB/s | Always rate limited |
| Small and above | No limit | Available on Pro and Enterprise |
The Free tier is always rate limited at 100 KB/s. Basic plan tenants only get the Free tier; upgrade to Pro or Enterprise to unlock paid tiers and unrestricted throughput.
Public IP
| Mode | Behavior |
|---|---|
| Public | Fixed Elastic IP that persists across restarts. Includes a custom subdomain for connection strings with automated TLS |
| Private | No public IP. Access only via VPC Peering or PrivateLink |
Subdomains require a public IP. If you choose Private mode, subdomains are disabled and the deployment is only reachable through private networking.
The Free tier uses a dynamic public IP that may change on restart, unlike the static Elastic IP on paid tiers.
Regions
Regions are grouped into three geographic areas - US, EU, and AP. Each area has a dedicated Supervisor API per cloud provider that manages all deployments in its regions.
US
| Cloud | Region | Location |
|---|---|---|
| AWS | us-east-1 | N. Virginia |
| AWS | us-east-2 | Ohio |
| AWS | us-west-1 | N. California |
| AWS | us-west-2 | Oregon |
| GCP | us-central1 | Iowa |
| GCP | us-east1 | South Carolina |
| GCP | us-east4 | N. Virginia |
| GCP | us-west1 | Oregon |
EU
| Cloud | Region | Location |
|---|---|---|
| AWS | eu-central-1 | Frankfurt |
| AWS | eu-west-1 | Ireland |
| AWS | eu-west-2 | London |
| GCP | europe-west1 | Belgium |
| GCP | europe-west2 | London |
| GCP | europe-west3 | Frankfurt |
AP
| Cloud | Region | Location |
|---|---|---|
| AWS | ap-south-1 | Mumbai |
| AWS | ap-southeast-1 | Singapore |
| AWS | ap-southeast-2 | Sydney |
| AWS | ap-northeast-1 | Tokyo |
| GCP | asia-south1 | Mumbai |
| GCP | asia-southeast1 | Singapore |
| GCP | asia-northeast1 | Tokyo |
Use the List Available Clouds and List Regions endpoints for the current list available to your tenant.
Upgrading a Deployment
After creation, you can upgrade a deployment's tier and storage configuration without recreating it. Upgrade changes the compute resources (tier) and/or storage type and size for network storage types. NVMe SSD deployments cannot be upgraded until clustering support is available.
Plan Limits
Each plan determines which deployment tiers are available and how many deployments you can create per tier. The deployment_tiers field in the tenant features response lists each allowed tier with its maximum count.
| Tier | Basic | Pro | Enterprise |
|---|---|---|---|
| Free | 1 | 1 | 1 |
| Small | - | 3 | 3 |
| Medium | - | 3 | 3 |
| Large | - | 2 | 3 |
| XLarge | - | 1 | 3 |
| 2XLarge | - | 1 | 3 |
| 4XLarge | - | - | 2 |
| 8XLarge | - | - | 2 |
| 16XLarge | - | - | 2 |
| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| Configurations per deployment | 3 | 5 | 10 |
| BYOC | - | Available | Available |
| Cluster (multi-node) | - | Available | Available |
| Multi-AZ | - | Available | Available |
API Reference
Deployment creation goes through the main API (laserdata.cloud/api). Upgrade, retention, and spend limit updates also go through the main API, scoped to the deployment. Operational endpoints (access rules, configs, connectors, metrics, logs) use the deployment API ({supervisor_url}). See API Architecture for details.
List Available Clouds
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds \
-H "ld-api-key: YOUR_API_KEY"
List Regions
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions \
-H "ld-api-key: YOUR_API_KEY"
List Available Tiers
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions/{region}/tiers \
-H "ld-api-key: YOUR_API_KEY"
[
{
"key": "free",
"name": "Free",
"description": "Perfect for getting started. Great for development, testing, and learning the platform.",
"instance": "t3.micro",
"available": true,
"limit": 1,
"vcpus": 2,
"memory_gib": 1,
"clusters": ["standalone"],
"storages": ["network_balanced"],
"rate_limit": "100 KB/s"
},
{
"key": "large",
"name": "Large",
"description": "Sized for ~10 MB/s workloads. Built for demanding production applications with dedicated isolated nodes.",
"instance": "m7i.large",
"available": true,
"limit": 2,
"vcpus": 2,
"memory_gib": 8,
"clusters": ["standalone", "cluster"],
"storages": ["local_ssd", "network_balanced"],
"rate_limit": null
}
]
instance is the baseline network-disk compute instance for the tier. Use this endpoint as the source of truth for tier availability, per-tier limits, compute specs, supported cluster/storage modes, and plan-aware rate limits.
List Available Storage Types
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions/{region}/storages \
-H "ld-api-key: YOUR_API_KEY"
Use these discovery endpoints to build deployment creation forms - they return only what's available for your plan and region.
Create a Managed Deployment
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/managed \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "prod-cluster",
"cloud": "aws",
"tier": "large",
"cluster": "standalone",
"region": "us-west-1",
"protected": true,
"encrypted": true,
"storage": {
"type": "network_balanced",
"size": 500
},
"retention": {
"telemetry_days": 90
},
"target_network_tput": 10000,
"availability_mode": "single_az",
"dedicated": false,
"public_ip_enabled": true,
"subdomain_enabled": true,
"spend_limit": 500.00
}'
| Field | Required | Values / Description |
|---|---|---|
| name | Yes | Deployment name |
| cloud | Yes | aws, gcp |
| tier | Yes | free, small, medium, large, xlarge, 2xlarge, 4xlarge, 8xlarge, 16xlarge |
| cluster | Yes | standalone, cluster (cluster not yet available) |
| region | Yes | Cloud region (e.g. us-west-1, europe-west1) |
| protected | No | Enable resource protection (default false) |
| encrypted | No | Enable custom key encryption on top of transparent encryption (default false) |
| storage.type | No | local_ssd, network_balanced |
| storage.size | No | Storage size in GB (network storage only) |
| retention.telemetry_days | No | Telemetry retention in days |
| target_network_tput | No | Target network throughput in KB/s (e.g. 10000 = ~10 MB/s) |
| availability_mode | No | single_az, multi_az |
| dedicated | No | Dedicated infrastructure isolation (Enterprise only, default false) |
| public_ip_enabled | No | Assign a public IP (default true) |
| subdomain_enabled | No | Assign a custom subdomain (requires public IP) |
| spend_limit | No | Monthly spend cap in USD |
Returns 202 Accepted with the ld-environment and ld-deployment headers containing the created resource IDs.
Create a BYOC Deployment
BYOC deployments use the same payload as managed deployments, with an additional aws object containing your IAM role credentials. See the BYOC Setup Guide for the full walkthrough and API reference.
Create a Starter Deployment
A quick way to spin up a Free-tier Standalone deployment for testing:
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/deployments/starter \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"cloud": "aws",
"region": "us-west-1"
}'
| Field | Required | Description |
|---|---|---|
| cloud | Yes | Cloud provider (e.g. aws) |
| region | Yes | Cloud region (e.g. us-west-1) |
| environment_id | No | Existing environment ID to deploy into |
| environment_name | No | Name for a new environment (defaults to sandbox if neither ID nor name is provided) |
| deployment_name | No | Deployment name (auto-generated if omitted) |
Returns 202 Accepted with ld-environment and ld-deployment headers containing the created resource IDs.
List Deployments
curl https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments \
-H "ld-api-key: YOUR_API_KEY"
{
"items": [
{
"id": 1,
"name": "prod-cluster",
"code": "abc123",
"variant": "managed",
"domain": "prod-cluster-abc123.laserdata.cloud",
"cloud": "aws",
"area": "us",
"region": "us-west-1",
"cluster": "standalone",
"tier": "large",
"runtimes": ["iggy"],
"nodes_count": 1,
"protected": true,
"encrypted": true,
"dedicated": false,
"storage_type": "network_balanced",
"storage_size": 500,
"availability_mode": "single_az",
"supervisor_url": "https://supervisor-aws-us.laserdata.cloud",
"rate_limit": null,
"target_network_tput": 10000,
"retention": {
"telemetry": {
"logs_days": 90,
"metrics_days": 90,
"heartbeats_days": 90
}
},
"upgraded_at": null,
"can_upgrade": true,
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z"
}
],
"page": 1,
"total_results": 1,
"total_pages": 1
}
Get Deployment
A full deployment details screen requires two parallel API calls - one to the main API for business metadata, one to the supervisor API for runtime/operational data. Each owns different fields.
Main API - Metadata, Description, Upgrades
Returns business metadata managed by the core platform: resource protection, description, and upgrade history.
curl https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id} \
-H "ld-api-key: YOUR_API_KEY"
{
"id": 1,
"name": "prod-cluster",
"code": "abc123",
"variant": "managed",
"domain": "prod-cluster-abc123.laserdata.cloud",
"cloud": "aws",
"area": "us",
"region": "us-west-1",
"cluster": "standalone",
"tier": "large",
"runtimes": ["iggy"],
"nodes_count": 1,
"protected": true,
"encrypted": true,
"dedicated": false,
"storage_type": "network_balanced",
"storage_size": 500,
"availability_mode": "single_az",
"supervisor_url": "https://supervisor-aws-us.laserdata.cloud",
"rate_limit": null,
"target_network_tput": 10000,
"retention": {
"telemetry": {
"logs_days": 90,
"metrics_days": 90,
"heartbeats_days": 90
}
},
"upgraded_at": null,
"can_upgrade": true,
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z",
"description": "Production streaming cluster",
"upgrades": [
{
"tier": "large",
"storage_type": "network_balanced",
"storage_size": 500,
"upgraded_at": "2025-01-20T14:00:00Z"
}
]
}
Fields only available from the main API (not present in the supervisor response):
| Field | Description |
|---|---|
| code | Encoded deployment identifier, used in domain naming (e.g. my-cluster-{code}.laserdata.cloud) |
| protected | Whether resource protection is enabled |
| description | Optional human-readable description, set via Update Deployment |
| upgrades | History of tier/storage changes with timestamps |
Supervisor API - Status, Nodes, Configs, Networking
Returns runtime and operational data that the supervisor manages: live deployment status, node IPs, active configurations, and cloud-specific networking info. Use this to connect to the deployment, check node health, or inspect VPC/networking details.
curl {supervisor_url}/deployments/{deployment_id} \
-H "ld-api-key: YOUR_API_KEY"
{
"id": 1,
"name": "prod-cluster",
"variant": "managed",
"status": "initialized",
"domain": "prod-cluster-abc123.laserdata.cloud",
"cloud": "aws",
"area": "us",
"region": "us-west-1",
"cluster": "standalone",
"tier": "large",
"runtimes": ["iggy"],
"nodes_count": 1,
"encrypted": true,
"dedicated": false,
"storage_type": "network_balanced",
"storage_size": 500,
"network_mode": "public",
"availability_mode": "single_az",
"cidr": "10.0.0.0/16",
"supervisor_url": "https://supervisor-aws-us.laserdata.cloud",
"rate_limit": null,
"target_network_tput": 10000,
"retention": {
"telemetry": {
"logs_days": 90,
"metrics_days": 90,
"heartbeats_days": 90
}
},
"upgraded_at": null,
"can_upgrade": true,
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z",
"configs": [
{
"id": 1,
"kind": "iggy",
"name": "default",
"primary": true,
"initialized": true,
"version": 1,
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z"
}
],
"nodes": [
{
"id": 1,
"name": "node-1",
"public_ip_addresses": ["54.183.100.50"],
"private_ip_addresses": ["10.0.1.10"],
"initialized": true,
"initialized_at": "2025-01-15T10:35:00Z",
"runtimes": ["iggy"],
"storage_type": "network_balanced",
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:35:00Z"
}
],
"aws": {
"network": {
"vpc_id": "vpc-0abc123def456789a",
"vpc_cidr": "10.0.0.0/16",
"public_ip_enabled": true,
"subdomain_enabled": true
}
}
}
Fields only available from the supervisor API (not present in the main API response):
| Field | Description |
|---|---|
| status | Deployment lifecycle status (see values below) |
| network_mode | public (Elastic IP + subdomain), private (private networking only), or hybrid |
| cidr | Deployment subnet CIDR block (used for VPC peering) |
| configs | Active deployment configurations (Iggy, connectors) with version info |
| nodes | Individual node details including IPs, initialization state, and runtimes |
| aws | AWS-specific networking info (VPC ID, CIDR, public IP and subdomain status). Only present for AWS deployments |
| gcp | GCP-specific networking info. Only present for GCP deployments |
Status values: creating, creating_subnet, securing_network, creating_load_balancer, configuring_load_balancer, configuring_dns, configuring_certificates, deploying_nodes, waiting_for_nodes, assigning_public_ip, bootstrapping_warden, initializing, initialized, extending, upgrading, rolling_back, failed, deleting.
Common fields like id, name, cloud, tier, cluster, encrypted, dedicated, storage_type, storage_size, availability_mode, retention, upgraded_at, can_upgrade, created_at, updated_at are returned by both endpoints.
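The two Get Deployment responses split the security-relevant fields between them: protected comes only from the main API, while network_mode and node IPs come only from the supervisor API. As an added example (not LaserData's code), this Python script merges both views of a deployment and flags settings this page describes; the sample responses are constructed, and min_log_days and the severity labels are assumptions.

```python
"""Posture check over the two Get Deployment responses (added example)."""

# Field ownership, taken from the page's two "only available from" tables.
MAIN_ONLY = ("code", "protected", "description", "upgrades")
SUPERVISOR_ONLY = ("status", "network_mode", "cidr", "configs", "nodes", "aws", "gcp")
# Fields the page says both endpoints return (timestamps omitted here).
COMMON = ("id", "name", "cloud", "tier", "cluster", "encrypted", "dedicated",
          "storage_type", "storage_size", "availability_mode", "retention")


def merge_views(main, supervisor):
    """Join both responses into one record; list common fields that disagree."""
    drift = [f for f in COMMON if main.get(f) != supervisor.get(f)]
    merged = {f: main.get(f) for f in COMMON + MAIN_ONLY + ("variant",)}
    merged.update({f: supervisor.get(f) for f in SUPERVISOR_ONLY})
    return merged, drift


def audit(dep, min_log_days=30):
    """Return (severity, message) findings; min_log_days is an assumed local policy."""
    findings = []
    if not dep.get("protected"):
        findings.append(("medium", "resource protection off: delete needs no one-time code"))
    if not dep.get("encrypted"):
        findings.append(("medium", "custom key encryption off: provider disk encryption only"))
    mode = dep.get("network_mode")
    ips = [ip for node in dep.get("nodes") or []
           for ip in node.get("public_ip_addresses") or []]
    if mode in ("public", "hybrid") or ips:
        findings.append(("info", f"public endpoint {ips} (mode={mode}): review access rules"))
    if dep.get("tier") == "free" and dep.get("variant") == "managed":
        findings.append(("high", "Managed Free tier is created with rule 0.0.0.0/0: confirm it was replaced"))
    logs = ((dep.get("retention") or {}).get("telemetry") or {}).get("logs_days")
    if logs is not None and logs < min_log_days:
        findings.append(("low", f"log retention {logs}d is below policy {min_log_days}d"))
    return findings


# Constructed sample responses, trimmed to the fields used above. "prod-cluster"
# reuses values from the page's examples; "sandbox" is made up.
SAMPLES = [
    ({"id": 1, "name": "prod-cluster", "variant": "managed", "tier": "large",
      "protected": True, "encrypted": True,
      "retention": {"telemetry": {"logs_days": 90}}},
     {"id": 1, "name": "prod-cluster", "tier": "large", "encrypted": True,
      "network_mode": "public", "status": "initialized",
      "retention": {"telemetry": {"logs_days": 90}},
      "nodes": [{"name": "node-1", "public_ip_addresses": ["54.183.100.50"]}]}),
    ({"id": 2, "name": "sandbox", "variant": "managed", "tier": "free",
      "protected": False, "encrypted": False,
      "retention": {"telemetry": {"logs_days": 7}}},
     {"id": 2, "name": "sandbox", "tier": "free", "encrypted": False,
      "network_mode": "public", "status": "initialized",
      "retention": {"telemetry": {"logs_days": 7}},
      "nodes": [{"name": "node-1", "public_ip_addresses": ["203.0.113.10"]}]}),
]


def run(samples=SAMPLES):
    """Audit every (main, supervisor) pair; returns {name: (drift, findings)}."""
    report = {}
    for main, supervisor in samples:
        dep, drift = merge_views(main, supervisor)
        report[dep["name"]] = (drift, audit(dep))
    return report


if __name__ == "__main__":
    for name, (drift, findings) in run().items():
        print(name, "drift:", drift)
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

A non-empty drift list means the two APIs disagree on a field both are documented to return, which is worth resolving before trusting either value.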
Get Deployment Credentials
curl {supervisor_url}/deployments/{deployment_id}/credentials \
-H "ld-api-key: YOUR_API_KEY"
{
"username": "iggy",
"password": "your-deployment-password"
}
Use these in your Iggy client connection strings.
Upgrade a Deployment
Upgrade an existing deployment's tier and/or storage configuration. At least one of tier or storage must be provided. Deployments using NVMe SSD storage cannot be upgraded until clustering support is available.
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/upgrade \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"tier": "xlarge",
"storage": {
"type": "network_balanced",
"size": 500
}
}'
| Field | Required | Description |
|---|---|---|
| tier | No* | Target tier (e.g. large, xlarge, 2xlarge). Cannot upgrade to free |
| storage.type | No* | Target storage type: network_balanced |
| storage.size | No | Storage size in GB. Cannot be smaller than current size |
* At least one of tier or storage must be provided.
Returns 202 Accepted. The upgrade is applied asynchronously by the Warden agent.
Extend a Deployment
Add nodes to an existing deployment:
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/extend \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json"
Update Spend Limit
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/spend_limit \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"spend_limit": 1000.00
}'
Update Retention
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/retention \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"retention": {
"telemetry_days": 90
}
}'
Update a Deployment
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id} \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"protected": true,
"description": "Production streaming cluster for analytics pipeline"
}'
| Field | Required | Description |
|---|---|---|
| protected | No | Enable/disable resource protection. Only the tenant owner can set this back to false |
| description | No | Human-readable description. Send an empty string "" to clear it |
Returns 200 OK on success.
Delete a Deployment
For protected deployments, first request a resource code, then pass the code as a query parameter:
curl -X DELETE "https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}?code={protection_code}" \
-H "ld-api-key: YOUR_API_KEY"
Returns 202 Accepted. The deletion is processed asynchronously.
Unprotected deployments can be deleted without the code parameter. This action is irreversible - all nodes are terminated and all data is permanently destroyed, including streams, topics, messages, partitions, consumer groups, configurations, backups, and telemetry history. None of this can be recovered.