# BYOC deployment

> **📝 Note**
>
> An LLM-optimized bundle of this entire section is available at [`section.md`](https://www.union.ai/docs/v2/union/deployment/byoc/section.md).
> This single file contains all pages in this section, optimized for AI coding agent context.

In a BYOC (Bring Your Own Cloud) deployment, Union.ai manages the data plane infrastructure in your cloud account.
You provide the cloud account and network configuration; Union.ai handles Kubernetes cluster operations, upgrades, and monitoring.

Your code, data, container images, and logs remain entirely in your data plane.
The Union.ai control plane orchestrates workflow execution but has no access to your proprietary data.

## Getting started

1. Review the [platform architecture](https://www.union.ai/docs/v2/union/deployment/byoc/platform-architecture/page.md) to understand the control plane and data plane split.
2. Set up your data plane on your cloud provider:
   - [AWS](https://www.union.ai/docs/v2/union/deployment/byoc/data-plane-setup-on-aws/page.md)
   - [Azure](https://www.union.ai/docs/v2/union/deployment/byoc/data-plane-setup-on-azure/page.md)
   - [GCP](https://www.union.ai/docs/v2/union/deployment/byoc/data-plane-setup-on-gcp/page.md)
3. [Configure your data plane](https://www.union.ai/docs/v2/union/deployment/byoc/configuring-your-data-plane/page.md) with your specific requirements (regions, node groups, networking).

## Cloud resource integration

Connect your data plane to cloud-native services:

- [AWS resources](https://www.union.ai/docs/v2/union/deployment/byoc/enabling-aws-resources/_index) (S3, ECR, Secrets Manager)
- [Azure resources](https://www.union.ai/docs/v2/union/deployment/byoc/enabling-azure-resources/_index) (Blob Storage, Container Registry, Key Vault)
- [GCP resources](https://www.union.ai/docs/v2/union/deployment/byoc/enabling-gcp-resources/_index) (Cloud Storage, Artifact Registry, BigQuery)

## Additional configuration

- [Single sign-on setup](https://www.union.ai/docs/v2/union/deployment/byoc/single-sign-on-setup/_index) for OAuth2/OIDC-based authentication
- [Multi-cluster and multi-cloud](https://www.union.ai/docs/v2/union/deployment/byoc/multi-cluster/page.md) for domain and project isolation
- [Data retention policy](https://www.union.ai/docs/v2/union/deployment/byoc/data-retention-policy/page.md) for controlling stored data lifecycle

## Subpages

- [Platform architecture](https://www.union.ai/docs/v2/union/deployment/byoc/platform-architecture/page.md)
  - Control plane
  - Data plane
  - Data plane nodes
  - Union.ai operator
  - Registry data
  - Execution data
  - Raw data
  - Literal data
  - Data privacy
- [Configuring your data plane](https://www.union.ai/docs/v2/union/deployment/byoc/configuring-your-data-plane/page.md)
  - Cloud provider
  - Multi-cluster
  - Account ID
  - Region
  - VPC
  - Data retention policy
  - Worker node groups
  - Node group name
  - Node type
  - Minimum
  - Maximum
  - Interruptible instances
  - Taints
  - Disk
  - Resources held back
  - Example specification
  - After deployment
  - Adjusting your configuration
- [Multi-cluster and multi-cloud](https://www.union.ai/docs/v2/union/deployment/byoc/multi-cluster/page.md)
  - Domain isolation
  - Project isolation
  - Data and metadata isolation
- [Data plane setup on AWS](https://www.union.ai/docs/v2/union/deployment/byoc/data-plane-setup-on-aws/page.md)
  - Setting permissions through CloudFormation
  - Click the Launch Stack button
  - Confirm the details
  - Share the role ARN
  - Updating permissions through CloudFormation
  - Update your CloudFormation template
  - Setting permissions manually
  - Prepare the policy documents
  - Create the role manually
  - Share the role ARN
  - Updating permissions manually
  - Setting up and managing your own VPC (optional)
  - Private EKS endpoint
  - Create additional roles for ECS
  - Attach a new IAM policy to the Union role
  - Configure VPC Endpoints
- [Data plane setup on GCP](https://www.union.ai/docs/v2/union/deployment/byoc/data-plane-setup-on-gcp/page.md)
  - Select or create a project
  - Ensure billing is linked
  - Create a workload identity pool and provider
  - In the GCP web console
  - On the command line using `gcloud`
  - Create a role for Union.ai admin
  - Create the Union.ai admin service account
  - In the GCP web console
  - On the command line using `gcloud`
  - Grant access for the Workflow Identity Pool to the Service Account
  - In the GCP web console
  - On the command line using `gcloud`
  - Enable services API
  - In the GCP web console
  - On the command line using `gcloud`
  - Setting up and managing your own VPC (optional)
  - Example VPC CIDR Block allocation
- [Data plane setup on Azure](https://www.union.ai/docs/v2/union/deployment/byoc/data-plane-setup-on-azure/page.md)
  - Selecting Azure tenant and subscription
  - Create a Microsoft Entra Application Registration
  - Create a Microsoft Entra ID Application for Union.ai Access
  - Create Microsoft Entra ID Applications for Union.ai cost allocation
  - (Recommended) Create a Microsoft Entra group for cluster administration
  - (Optional) Setting up and managing your own VNet
  - Required Union.ai VNet permissions
  - Required VNet properties
  - Example VPC CIDR Block allocation
  - Union.ai Maintenance Windows
- [Data retention policy](https://www.union.ai/docs/v2/union/deployment/byoc/data-retention-policy/page.md)
  - Data categories
  - How policies are specified
  - Deletion of current versions
  - Deletion of non-current versions
  - Defaults
  - Attempting to access deleted data
  - Separate sets of policies per cluster
  - Data retention and task caching
- [Enabling AWS resources](https://www.union.ai/docs/v2/union/deployment/byoc/enabling-aws-resources/page.md)
  - Types of access
  - Infrastructure-level access
  - Task code access
  - Background
  - Enabling access
  - Creating a custom policy
  - Setting up global access
  - Setting up project-domain-scoped access
  - Create the IAM role
  - Configure the cluster to use the new IAM role
- [Enabling GCP resources](https://www.union.ai/docs/v2/union/deployment/byoc/enabling-gcp-resources/page.md)
  - Types of access
  - Infrastructure-level access
  - Task code access
  - Domain-scoped access
  - Globally-scoped access
  - Find the actual name of `<UserFlyteGSA>`
- [Enabling Azure resources](https://www.union.ai/docs/v2/union/deployment/byoc/enabling-azure-resources/page.md)
  - Types of access
  - Infrastructure-level access
  - Task code access
  - Domain-scoped access
  - Globally-scoped access
- [Single sign-on setup](https://www.union.ai/docs/v2/union/deployment/byoc/single-sign-on-setup/page.md)
  - Google OpenID Connect
  - Microsoft Entra ID (formerly Azure AD)
  - Other identity providers

---
**Source**: https://github.com/unionai/unionai-docs/blob/main/content/deployment/byoc/_index.md
**HTML**: https://www.union.ai/docs/v2/union/deployment/byoc/
