Deployment Models
Managed, BYOC, and On-Premise — choose how and where your deployments run
LaserData Cloud supports three deployment models. All three use the same Warden agent, the same Console, and the same APIs — the difference is where the infrastructure runs and who owns it.
Managed
LaserData provisions and operates everything in our cloud infrastructure.
- Zero ops — we handle provisioning, networking, TLS certificates, upgrades, and monitoring
- Fastest path to production — create a deployment from the Console and connect in minutes
- Custom subdomain — every deployment gets a unique subdomain (e.g.
your-cluster.laserdata.cloud) for use in connection strings, with automated TLS - VPC Peering available — connect your own AWS VPC for private network access
- PrivateLink available — expose the deployment as a VPC endpoint service
- NLB-based endpoints — public or private access with end-to-end TLS encryption
Best for teams that want fully managed infrastructure without cloud account setup.
BYOC (Bring Your Own Cloud)
LaserData manages the deployment, but the infrastructure runs in your AWS account.
- Data stays in your account — all nodes, storage, and network are in your AWS environment. Data never leaves your infrastructure
- You control the cloud bill — resources run under your AWS account
- Same management experience — Console, monitoring, upgrades, and task orchestration work identically to Managed
- IAM role-based access — LaserData assumes a scoped IAM role in your account for provisioning only
- No Kubernetes required — runs on plain EC2 instances
The IAM role has limited scope: EC2, networking, and EBS operations for provisioning. No access to S3, Secrets Manager, CloudWatch, or your application data.
See the BYOC Setup Guide for step-by-step instructions.
On-Premise
Run deployments on your own infrastructure — physical servers, private cloud, or any VMs — while the LaserData control plane handles orchestration.
- Full infrastructure control — run on any hardware or cloud provider
- Pull-based only — Warden connects outbound to the control plane. No inbound connections to your network
- Firewall-friendly — only outbound HTTPS (port 443) required
- Independent operation — Iggy continues running even if the control plane is unreachable. Tasks queue and execute when connectivity is restored
- Managed setup — on-premise deployments are provisioned by the LaserData team. Contact us to get started
See the On-Premise Setup Guide for detailed instructions.
Comparison
| Managed | BYOC | On-Premise | |
|---|---|---|---|
| Infrastructure owner | LaserData | You (AWS) | You (any) |
| Data location | LaserData AWS | Your AWS account | Your infrastructure |
| Cloud bill | Included in plan | Your AWS account | Your infrastructure |
| Provisioning | Automatic | Automatic (via IAM role) | LaserData team (contact us) |
| Networking | VPC Peering, PrivateLink, NLB | Direct VPC access | Your network |
| Upgrades | Automatic | Automatic | Pull-based via Warden |
| Console & APIs | Full access | Full access | Full access |
| Kubernetes required | No | No | No |
What You Get with Every Deployment
Regardless of model, every deployment includes:
Custom Subdomain
Each deployment receives a unique subdomain (e.g. your-cluster.laserdata.cloud) that serves as the connection endpoint. TLS is always enabled — all client connections are encrypted. Subdomains are managed automatically; they require a public IP (Static or Dynamic).
Built-in Stream UI
Every deployment includes a built-in web interface for browsing and managing your data — streams, topics, partitions, messages, and consumer groups. Stream UI runs embedded in the Warden process directly on the node, meaning your data is accessed in full isolation and never leaves your infrastructure. Access is controlled through Access Rules.
Data Isolation
Your data never transits the LaserData control plane. The control plane orchestrates infrastructure (tasks, configs, certificates) — but Iggy data, messages, and client connections stay entirely within your deployment nodes. This holds for all three deployment models.
Encryption
Enable at-rest encryption during deployment creation. When enabled, all data stored on disk is encrypted with a per-deployment key. Combined with mandatory TLS for all connections, your data is encrypted both at rest and in transit.
Monitoring & Telemetry
The Warden agent on each node collects and pushes metrics, heartbeats, and logs to the control plane. Telemetry data is retained based on your plan (7 to 365 days). You can also redirect logs to your own OpenTelemetry-compatible endpoint if you prefer to keep log data in your own systems. See Monitoring for details.
Creating a Deployment
From the Console
- Navigate to your Environment in the Console
- Click Create Deployment
- Choose the deployment model — Managed or BYOC (for On-Premise, contact the LaserData team)
- Configure the deployment:
| Setting | Description |
|---|---|
| Name | Human-readable name for your deployment |
| Cloud | Cloud provider — currently AWS, with more providers coming soon |
| Region | Provider-specific region (e.g. us-east-1, eu-west-1, europe-west1) |
| Tier | Compute tier — determines CPU, memory, and available features. See Tiers & Storage |
| Cluster | Standalone (single node) or Replica (two-node HA with automatic failover). Replica requires Large tier or above |
| Storage type | Network Balanced, Network Optimized, Network Extreme, or Local SSD. See Tiers & Storage |
| Storage size | Disk size in GB (network storage only — Local SSD size is fixed by instance type) |
| Availability mode | Single-AZ or Multi-AZ. Multi-AZ distributes Replica nodes across zones for zone-level fault tolerance |
| Encryption | Enable at-rest encryption for data stored on disk |
| Protected | Prevent accidental deletion — protected deployments must be unprotected before they can be deleted |
| Retention | Telemetry retention period for metrics, heartbeats, and logs |
| Spend limit | Optional monthly spend cap |
- Click Deploy — provisioning typically takes a few minutes
Free Tier
The Free tier is designed for development and testing:
- Rate limited — network throughput is always capped at 100 KB/s on Free tier, regardless of plan
- Dynamic public IP — assigned on launch (may change on restart, unlike Static IPs on paid tiers)
- Subdomain enabled — you still get a custom subdomain for connection strings
- Standalone only — Replica clusters are not available on Free tier
- Single-AZ only — Multi-AZ is not available
Free tier is a great way to try out the platform with zero commitment.
Network Rate Limits
| Tier | Rate Limit | Notes |
|---|---|---|
| Free | 100 KB/s | Always rate limited |
| Small | 1 MB/s | Basic plan only |
| Medium | 10 MB/s | Basic plan only |
| Large and above | No limit | — |
The Free tier is always rate limited. Small and Medium tiers are rate limited on the Basic plan — once your tenant is upgraded to Pro or Enterprise, their rate limits are removed and higher tiers become available.
Public IP Modes
| Mode | Behavior |
|---|---|
| Static | Fixed Elastic IP that persists across restarts. Default for paid tiers |
| Dynamic | Public IP assigned on launch, may change on restart. Default for Free tier |
| None | No public IP. Access only via VPC Peering or PrivateLink |
Subdomains require a public IP (Static or Dynamic). If you set the public IP mode to None, subdomains are disabled and the deployment is only reachable through private networking.
Regions
Available regions depend on the cloud provider. During deployment creation, select a region from the available list for your chosen cloud. Examples:
- AWS:
us-east-1,us-west-2,eu-west-1,eu-central-1,ap-southeast-1
Additional cloud providers are coming soon. Use the List Available Clouds endpoint to see what's currently available for your tenant.
Extending a Deployment
After creation, you can extend a deployment to upgrade its resources — tier, storage, or instance configuration — without recreating it.
Plan Limits
| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| Deployments | 2 | 10 | 20 |
| Free deployments | 1 | 1 | 1 |
| Configurations per deployment | 3 | 10 | 20 |
| BYOC | — | Available | Available |
| Replica clusters | — | Available | Available |
| Multi-AZ | — | Available | Available |
API Reference
Deployment creation goes through the main API (api.laserdata.cloud). Once created, all operational endpoints (extend, retention, spend limit) use the deployment API — the {supervisor_url} returned in the deployment response. See API Architecture for details.
List Available Clouds
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds \
-H "ld-api-key: YOUR_API_KEY"List Regions
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions \
-H "ld-api-key: YOUR_API_KEY"List Available Tiers
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions/{region}/tiers \
-H "ld-api-key: YOUR_API_KEY"List Available Storage Types
curl https://api.laserdata.cloud/tenants/{tenant_id}/clouds/{cloud}/regions/{region}/storages \
-H "ld-api-key: YOUR_API_KEY"Use these discovery endpoints to build deployment creation forms — they return only what's available for your plan and region.
Create a Managed Deployment
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/managed \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "prod-cluster",
"cloud": "aws",
"tier": "large",
"cluster": "standalone",
"region": "us-east-1",
"protected": true,
"encrypted": true,
"storage": {
"type": "network_balanced",
"size": 500
},
"retention": {
"telemetry_days": 90
},
"availability_mode": "single_az",
"subdomain_enabled": true,
"spend_limit": 500.00
}'Allowed values:
| Field | Values |
|---|---|
cloud | aws (more providers coming soon) |
tier | free, small, medium, large, xlarge, compute_optimized, network_optimized, storage_optimized, ultimate |
cluster | standalone, replica |
storage.type | local_ssd, network_balanced, network_optimized, network_extreme |
availability_mode | single_az, multi_az |
Returns 202 Accepted with the ld-environment and ld-deployment headers containing the created resource IDs.
Create a BYOC Deployment
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/byoc \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "byoc-prod",
"cloud": "aws",
"tier": "large",
"cluster": "replica",
"region": "us-west-2",
"protected": true,
"encrypted": true,
"storage": {
"type": "network_optimized",
"size": 500
},
"availability_mode": "multi_az",
"subdomain_enabled": true,
"aws": {
"account_id": "123456789012",
"identity_arn": "arn:aws:iam::123456789012:role/LaserDataBYOC",
"external_id": "your-external-id",
"vpc_id": "vpc-0abc123def456",
"vpc_cidr": "10.0.0.0/16"
}
}'Create a Starter Deployment
A quick way to spin up a Free-tier deployment for testing:
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/deployments/starter \
-H "ld-api-key: YOUR_API_KEY"List Deployments
curl https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments \
-H "ld-api-key: YOUR_API_KEY"{
"data": [
{
"id": 1,
"name": "prod-cluster",
"code": "abc123",
"variant": "managed",
"domain": "prod-cluster.laserdata.cloud",
"cloud": "aws",
"region": "us-east-1",
"cluster": "standalone",
"tier": "large",
"nodes_count": 1,
"protected": true,
"encrypted": true,
"storage_type": "network_balanced",
"availability_mode": "single_az",
"supervisor_url": "https://supervisor.laserdata.cloud",
"retention": {
"telemetry_days": 90
},
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z"
}
],
"page": 1,
"results": 10,
"total": 1
}Get Deployment Details
curl {supervisor_url}/deployments/{deployment_id} \
-H "ld-api-key: YOUR_API_KEY"{
"id": 1,
"name": "prod-cluster",
"code": "abc123",
"variant": "managed",
"domain": "prod-cluster.laserdata.cloud",
"cloud": "aws",
"region": "us-east-1",
"cluster": "standalone",
"tier": "large",
"nodes_count": 1,
"protected": true,
"encrypted": true,
"storage_type": "network_balanced",
"availability_mode": "single_az",
"supervisor_url": "https://supervisor.laserdata.cloud",
"retention": {
"telemetry_days": 90
},
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z"
}Get Deployment Credentials
curl {supervisor_url}/deployments/{deployment_id}/credentials \
-H "ld-api-key: YOUR_API_KEY"{
"username": "iggy",
"password": "your-deployment-password"
}Use these in your Iggy client connection strings.
Extend a Deployment
Upgrade an existing deployment's tier, storage, or add nodes:
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/extend \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json"Update Spend Limit
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/spend_limit \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"spend_limit": 1000.00
}'Update Retention
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}/retention \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"retention": {
"telemetry_days": 90
}
}'Delete a Deployment
Protected deployments require the deployment code (shown in the Console and in the deployment details response). Pass it as a query parameter:
curl -X DELETE "https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}/deployments/{deployment_id}?code={deployment_code}" \
-H "ld-api-key: YOUR_API_KEY"Unprotected deployments can be deleted without the code parameter.