Platform Overview
Key capabilities of the LaserData Cloud platform
LaserData Cloud is the enterprise platform for Apache Iggy — the high-performance message streaming engine built in Rust. Deploy, manage, scale, and secure your Iggy infrastructure with zero ops, built-in connectors, and full observability.
Why LaserData Cloud
Complete Isolation by Default
Every deployment is fully network-isolated from day one — no traffic is allowed in or out until you explicitly create access rules. This includes LaserData itself — our control plane orchestrates infrastructure but has zero network access to your deployment endpoints or data. Your messages, streams, and client connections never transit the control plane. You are in full control.
Enterprise-Grade Security
- Pull-based architecture — the Warden agent initiates all connections outbound. No inbound ports, no SSH, no remote access of any kind
- Cryptographic verification — all binaries signed and verified before execution, all operational tasks signed with Ed25519
- Automated TLS — certificate issuance and rotation handled automatically, all connections encrypted end-to-end
- Zero-downtime upgrades — atomic binary swaps with automatic rollback on failure
Organization & Access Control
A full multi-tenant hierarchy — Tenant > Division > Environment > Deployment — with hierarchical RBAC that lets you scope permissions down to individual environments. Built-in role templates (Owner, Admin, Developer, Viewer, Billing) plus fully custom roles with per-division and per-environment overrides. Manage teams, invitations, and API keys programmatically.
Full API Coverage
Everything you can do in the Console is available via API. Two API layers — the main API for resource management and the deployment API for operations — both authenticated with the same API keys and RBAC model. Build CI/CD pipelines, Terraform providers, and custom integrations with complete programmatic control.
Built-in Connectors
Connectors extend every deployment with extremely fast, natively compiled Rust source and sink plugins for integrating with external systems — PostgreSQL, Elasticsearch, Apache Iceberg, Quickwit, and more. Activate from the Console, configure stream mappings, run multiple instances — all fully managed.
Comprehensive Observability
Built-in monitoring with metrics, heartbeats, logs, immutable audit trails, and on-demand backups. Redirect logs and traces to your own OpenTelemetry-compatible endpoint for full integration with your existing stack.
Key Features
- Stream UI — built-in web interface on every node for browsing streams, topics, messages, and consumer groups — runs locally in full data isolation
- Versioned configuration — create, activate, and roll back Iggy and connector configs with full version history
- Billing & usage tracking — per-deployment billing reports, invoices, and spend limits
- Multi-cloud — deploy to AWS today, with GCP coming soon — or run on-premise on any infrastructure
- 9 deployment tiers — from Free (development) to Ultimate (32 vCPUs, 256 GB RAM, 1.9 TB NVMe)
- High availability — Replica clusters with synchronous replication and automatic failover on Large tier and above
Deployment Models
Three models, same management experience. Every deployment runs the Warden agent and Iggy server — the difference is where the infrastructure lives.
| Model | Infrastructure | Best For |
|---|---|---|
| Managed | LaserData's cloud | Zero-ops, fastest path to production |
| BYOC | Your AWS account | Data sovereignty, your cloud bill |
| On-Premise | Your servers (any) | Regulated industries, air-gapped environments |
Connectors
Connectors extend every deployment with built-in Apache Iggy connector plugins — extremely fast, natively compiled Rust source and sink plugins for integrating with external systems. No JVM, no garbage collection pauses, minimal memory footprint.
Sink connectors: PostgreSQL, Elasticsearch, Apache Iceberg, Quickwit, Stdout
Source connectors: PostgreSQL, Elasticsearch, Random
Activate any connector from the Console, configure stream mappings and plugin settings, run multiple instances per deployment, apply data transforms — all fully managed. The catalog is expanding through the Apache Iggy community, with premium LaserData-managed connectors coming in the future.
Deployment Tiers & Storage
Each deployment is provisioned at a tier that determines compute, memory, and available storage:
| Tier | vCPUs | Memory | Storage Options |
|---|---|---|---|
| Free | 2 | 1 GB | Network Balanced, Network Optimized |
| Small | 2 | 2 GB | Network Balanced, Network Optimized |
| Medium | 2 | 8 GB | Network Balanced, Network Optimized |
| Large | 4 | 32 GB | + Local SSD (150 GB NVMe) |
| XLarge | 8 | 64 GB | + Local SSD (475 GB NVMe) |
| Compute Optimized | 16 | 32 GB | + Network Extreme, Local SSD (950 GB) |
| Network Optimized | 16 | 128 GB | + Network Extreme, Local SSD (950 GB) |
| Storage Optimized | 16 | 128 GB | + Network Extreme, Local SSD (3.75 TB) |
| Ultimate | 32 | 256 GB | + Network Extreme, Local SSD (1.9 TB) |
Cluster types: Standalone (all tiers) or Replica with automatic failover (Large and above, Pro/Enterprise plans).
Networking & Connectivity
Every deployment gets a custom subdomain (e.g. your-cluster.laserdata.cloud) with automated TLS. All connections encrypted end-to-end.
| Feature | What It Does |
|---|---|
| Custom subdomain | Unique endpoint per deployment for connection strings, with automatic TLS |
| Access Rules | Allow specific IPs/CIDRs to reach deployment endpoints, per-protocol |
| VPC Peering | Private network path between your VPC and the deployment |
| PrivateLink | Expose the deployment as a VPC endpoint service |
| Public IP modes | Static (persistent), Dynamic (Free tier), or None (private only) |
Every deployment starts fully locked down — no traffic allowed until explicitly configured.
Network rate limits apply on certain tiers: Free (100 KB/s, always), Small (1 MB/s) and Medium (10 MB/s) on Basic plan only.
Security
- Complete network isolation — every deployment starts fully locked down. Nobody has access — including LaserData — until you explicitly create access rules
- Pull-based architecture — Warden initiates all connections outbound. No inbound ports, no SSH, no remote access
- Binary verification — all binaries cryptographically signed and verified before execution
- Task signing — every operational task signed with Ed25519
- TLS everywhere — automated certificate issuance and rotation
- Zero-downtime upgrades — atomic binary swaps with automatic rollback on failure
- Data isolation — your data never transits the control plane. Stream UI runs locally on the node
- GDPR compliance — PII encryption at rest, data export, right to erasure
See Security Architecture for the full model.
Observability
Built-in monitoring for every deployment:
- Metrics — CPU, memory, disk I/O, message counts, client connections — per node and runtime
- Heartbeats — periodic health checks for all managed runtimes
- Logs — centralized, searchable by node, runtime, level, and time range
- OpenTelemetry — redirect logs and traces to your own OTEL-compatible endpoint
- Audit logs — immutable record of every state-changing operation
- Backups — named on-demand backups (Pro and Enterprise)
Plans
| Feature | Basic | Pro | Enterprise |
|---|---|---|---|
| Deployments | 2 | 10 | 20 |
| Members | 3 | 10 | 20 |
| Divisions | 1 | 10 | 20 |
| Environments | 2 | 10 | 20 |
| Custom roles | 2 | 10 | 20 |
| Backups per deployment | — | 10 | 20 |
| Audit log retention | 7 days | 90 days | 365 days |
| BYOC | — | Available | Available |
| On-Premise | — | — | Available |
| Replica clusters | — | Available | Available |
| Multi-AZ | — | Available | Available |
| Private networking | — | Available | Available |
| Cross-region DR | — | — | Available |
See Billing & Plans for the full feature matrix and tier access details.
API Architecture
LaserData Cloud exposes two API layers, both accessible through the Console and programmatically via API keys:
| API | Scope | What It Handles |
|---|---|---|
| Main API (api.laserdata.cloud) | Global | Tenants, divisions, environments, members, roles, billing, deployment creation, connector activation |
| Deployment API ({supervisor_url}) | Per cloud and region | Access rules, VPC peering, PrivateLink, configs, connector instances, metrics, logs, heartbeats, backups |
When you create a deployment, the response includes a supervisor_url — the regional API endpoint for that deployment. All operational management goes through this URL.
```json
{
  "id": 12345,
  "name": "prod-cluster",
  "cloud": "aws",
  "region": "us-east-1",
  "supervisor_url": "https://us.aws.supervisor.laserdata.cloud",
  ...
}
```
The Console handles this routing transparently. Both APIs use the same ld-api-key authentication and permission model.
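When you script against the two API layers yourself, the supervisor_url is a value taken from a response and then trusted with your API key. The following is an added example, not LaserData code: a client-side check that validates supervisor_url before any credential is sent to it. The allowed host suffix is an assumption inferred from the single sample URL above, and the names `supervisor_base`, `ALLOWED_SUFFIX` and `SAMPLE_RESPONSE` are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Assumption: supervisor hosts live under this suffix (inferred from the one
# sample URL on the page). Confirm it against your own deployments.
ALLOWED_SUFFIX = ".supervisor.laserdata.cloud"

# Constructed sample: the page's example response without the elided fields.
SAMPLE_RESPONSE = """{
  "id": 12345, "name": "prod-cluster", "cloud": "aws", "region": "us-east-1",
  "supervisor_url": "https://us.aws.supervisor.laserdata.cloud"
}"""


def supervisor_base(deployment: dict) -> str:
    """Return a validated Deployment API origin, or raise ValueError."""
    raw = deployment.get("supervisor_url")
    if not isinstance(raw, str) or not raw:
        raise ValueError("response has no supervisor_url")
    parts = urlsplit(raw)
    # Plaintext HTTP would expose the API key on the wire.
    if parts.scheme != "https":
        raise ValueError("supervisor_url must use https")
    # "https://trusted-host@other-host" puts the real host after the '@'.
    if parts.username is not None or parts.password is not None:
        raise ValueError("supervisor_url must not carry userinfo")
    host = (parts.hostname or "").rstrip(".")
    # The leading dot in the suffix rejects lookalikes such as
    # "evilsupervisor.laserdata.cloud" and "...laserdata.cloud.example".
    if not host.endswith(ALLOWED_SUFFIX):
        raise ValueError(f"unexpected supervisor host: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port in supervisor_url")
    # Expect a bare origin; request paths are appended by the caller.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("supervisor_url must be a bare origin")
    return f"https://{host}"


if __name__ == "__main__":
    print(supervisor_base(json.loads(SAMPLE_RESPONSE)))
```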
Console
The Console is a web-based UI for managing every aspect of the platform — deployments, connectors, networking, monitoring, configuration, team members, roles, audit logs, and backups — all from a single interface.