Self-Hosted (BYOC)
Introduction
Hasura DDN is also available to self-host if you need to have complete control over the infrastructure.
There are two models of deployment with Self-Hosted DDN.
-
Hasura manages the data plane on the customer's cloud account.
The data plane will run on a Kubernetes cluster of your choice and Hasura manages the uptime, upgrades, etc. The Hasura Control Plane will need to be given sufficient privileges to install, configure and manage the workloads and associated infrastructure components. The experience is exactly like using Hasura Hosted DDN, but running on your infrastructure. All API traffic stays within your network and does not leave the boundaries of your system.
-
Customer manages the data plane on their cloud account themselves.
The data plane can be installed on a Kubernetes cluster of your choice and you control the uptime, upgrades, etc. All API traffic stays within your network and does not leave the boundaries of your system.
Installation docs related to deployment of a self hosted, customer managed data plane are located here
In both cases, the control plane is always hosted by Hasura.
Data Flow and security
All critical data operations occur exclusively within the customer infrastructure. When an API user sends a GraphQL query, it's received by Hasura in the Data Plane. Hasura then directly accesses the necessary data sources within the customer infrastructure to fulfill the request. This direct access ensures that sensitive data never leaves the customer's controlled environment, maintaining data residency and security.
While the Control Plane, situated in the Hasura infrastructure, does communicate with the Data Plane, this communication is strictly limited to configuration and management purposes. Importantly, this communication does not involve customer data or API responses, further enhancing data security.
The distinction between the Control and Planes creates well-defined security boundaries. By keeping the Data Plane and all data sources within the customer's security perimeter, the architecture ensures that sensitive information remains under the customer's control at all times.
Interactions with the control plane
In Self-Hosted Hasura DDN, the Data Plane running on your infrastructure communicates with the control plane only in very specific scenarios:
- The Data Plane accesses a metadata storage bucket to retrieve build artifacts; these artifacts are required to process API requests.
- The data plane accesses the control plane APIs to retrieve information about (applied) builds for the purposes of routing.
- (Optional) The data plane sends observability data to the Control Plane so you can visualize it on the console; it does not contain any API response data or variables.
- The Control Plane interacts with the Kubernetes cluster to manage Data Plane workloads (only in a Hasura-Managed Data Plane).
Get started
To get started with Hasura DDN in your own cloud, contact sales.
