Private Deployment - Bring Your Own Cloud (BYOC)
Early Access Release
Interested in BYOC? We'll make it self-serve in the future, but for now please reach out to our team to get access: [email protected]
BYOC at a glance
Bring-Your-Own-Cloud lets you run all Freeplay services inside your own AWS, GCP, or Azure account. You keep full control over data, IAM roles, and network boundaries while Freeplay still updates and supports the software.
Why choose BYOC?
- All prompts and responses remain inside your cloud; Freeplay never receives or stores them – meets strict data-residency or internal-only policies.
- Reduced vendor-risk reviews – Auditors see a familiar cloud footprint that you govern.
- Same product feature velocity – Freeplay’s automated control plane delivers signed updates to the Freeplay application.
- Minimal DevOps overhead – compared to alternative models for privately hosted software, such as installing and updating Docker images yourself and setting up and maintaining all of your own serving and database infrastructure.
Architecture Overview

BYOC Deep Dive
How BYOC works
- Prepare your environment – create an empty cloud project or sub-account and provision a cloud-managed Kubernetes cluster.
- Deploy the Freeplay agent – run a one-line script that installs a small Freeplay agent pod.
- Provision cluster – the agent uses Terraform + Helm to spin up a managed SQL database (PostgreSQL), Elasticsearch, object storage, NATS, and the Freeplay web application.
- Stay current – the agent polls Freeplay’s control plane for releases and applies rolling upgrades.
```shell
# Example quick-start (AWS)
./freeplay-up.sh --license ./freeplay.lic --deployment-name freeplay-prod
```
Prerequisites
| Item | Requirement |
|---|---|
| Cloud project | Empty AWS account / GCP project / Azure subscription |
| Kubernetes | 1.27+ (EKS, GKE, AKS) |
| Database | RDS / Cloud SQL: db.t3.medium (2 vCPU, 4 GB) or larger |
| Object storage | S3 / GCS / Blob Storage bucket (any class) |
| IAM | Temporary admin role for the installer → least-privilege roles generated afterward |
| Networking | Public or private subnets with NAT; optional VPC peering or Private Link |
| Outbound egress | updates.freeplay.ai, Datadog, Mixpanel (HTTPS only, see domains below) |
Security & compliance
- Data residency – all sensitive customer data including prompts, responses, and evaluations stay in your cloud account. Optional ability to share support bundles for troubleshooting scenarios.
- Secrets – stored in your cloud KMS‐backed secret manager; never transmitted to Freeplay.
- Updates – releases are signed and verified before install; only metadata (version, health ping) is sent to the control plane.
Costs
- Freeplay subscription – BYOC is available only for Enterprise-tier contracts. Please contact Sales for more info about access.
- Your cloud – you pay for all nodes, database, Elasticsearch, storage, and egress. Typical mid-sized install runs ≈$1.2k-$2k/mo in AWS us-east-1.
BYOC Outbound-Egress Matrix
| # | Destination (FQDN / IP range) | Port / Protocol | Purpose | Data Transmitted | Required?* | How to Disable / Restrict |
|---|---|---|---|---|---|---|
| 1 | updates.freeplay.ai (Google Artifact Registry) | 443 / HTTPS | Agent polls for signed application & infra releases | Agent ID, current version, signed artifacts | Yes | N/A |
| 2 | *.datadoghq.com (regional endpoints) | 443 / HTTPS | Metrics / traces for 24×7 ops SLA | Health metrics, cluster stats, scrubbed logs (no content) | Yes | N/A |
| 3 | *.mixpanel.com | 443 / HTTPS | Product-usage analytics (UX insights) | Anonymous instance ID, UI events (no PII or prompt data) | No | `analytics.enabled=false` in Helm values |
| 4 | LLM provider endpoints (e.g. api.openai.com, bedrock-runtime.*, *.anthropic.com, Azure OpenAI private URL) | 443 / HTTPS | Inference calls initiated by the Freeplay application | Prompts, context, parameters, model responses | Conditional (Yes if you use external models) | Use VPC endpoints / private links where the provider offers them |
Rows 1–2 are always required for a supported install. Row 4 is required only when your workloads invoke external hosted models; BYOC also supports running local/onsite models if you need zero data egress for LLM traffic.
Key Points
- You decide which LLM providers and regions to enable in the Freeplay UI or Helm values.
- All calls use HTTPS (TLS 1.2+).
- Freeplay's log policy prevents user content from landing in Datadog.
- If you need a completely offline install, talk to us. An artifact-mirror and on-prem observability stack are on the roadmap.
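To make the egress matrix and these key points operational, the following is an added example (not Freeplay's own tooling) that audits a set of constructed outbound flow records against the allowlist above: every destination must match a row of the matrix, every allowed destination must be reached over TCP/443, and Mixpanel traffic is flagged when analytics has been disabled in the Helm values. The flow-record format, the sample lines and the Azure OpenAI placeholder are assumptions; the hostname patterns come from the matrix.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

# Allowlist derived from the BYOC outbound-egress matrix. Patterns use
# shell-style wildcards, so "*.datadoghq.com" covers any regional endpoint
# and "bedrock-runtime.*" covers any Bedrock region.
REQUIRED_ALWAYS = ["updates.freeplay.ai", "*.datadoghq.com"]
ANALYTICS = ["*.mixpanel.com"]          # optional, governed by analytics.enabled
LLM_PROVIDERS = [
    "api.openai.com",
    "bedrock-runtime.*",
    "*.anthropic.com",
    # Assumption: the Azure OpenAI private URL is tenant-specific; replace this
    # placeholder with the hostname your Azure OpenAI private endpoint uses.
    "AZURE_OPENAI_PRIVATE_URL_PLACEHOLDER",
]

# Constructed flow records (not real telemetry):
# "<timestamp> <source-ip> -> <dst-host>:<dst-port> <proto>"
SAMPLE_FLOWS = [
    "2024-01-01T00:00:01Z 10.0.1.12 -> updates.freeplay.ai:443 tcp",
    "2024-01-01T00:00:02Z 10.0.1.12 -> api.us5.datadoghq.com:443 tcp",
    "2024-01-01T00:00:03Z 10.0.1.13 -> api.mixpanel.com:443 tcp",
    "2024-01-01T00:00:04Z 10.0.1.14 -> api.openai.com:443 tcp",
    "2024-01-01T00:00:05Z 10.0.1.14 -> bedrock-runtime.us-east-1.amazonaws.com:443 tcp",
    "2024-01-01T00:00:06Z 10.0.1.15 -> pypi.org:443 tcp",
    "2024-01-01T00:00:07Z 10.0.1.12 -> updates.freeplay.ai:80 tcp",
]


@dataclass
class Flow:
    dst_host: str
    dst_port: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow."""
    _ts, _src, _arrow, dst, proto = line.split()
    host, port = dst.rsplit(":", 1)
    return Flow(host.lower(), int(port), proto.lower())


def matches(host: str, patterns: List[str]) -> bool:
    return any(fnmatchcase(host, p) for p in patterns)


def audit_egress(lines: List[str],
                 analytics_enabled: bool = True,
                 external_models: bool = True) -> List[Tuple[str, int, str]]:
    """Return (host, port, reason) for every flow that violates the matrix.

    analytics_enabled mirrors the Helm value analytics.enabled; external_models
    mirrors whether row 4 (hosted LLM providers) applies to this install.
    """
    allowed = list(REQUIRED_ALWAYS)
    if external_models:
        allowed += LLM_PROVIDERS

    findings = []
    for line in lines:
        f = parse_flow(line)
        if matches(f.dst_host, ANALYTICS):
            if not analytics_enabled:
                findings.append((f.dst_host, f.dst_port,
                                 "analytics egress seen although analytics.enabled=false"))
                continue
        elif not matches(f.dst_host, allowed):
            findings.append((f.dst_host, f.dst_port, "destination not in egress matrix"))
            continue
        # Every row of the matrix is 443 / HTTPS: anything else on an allowed
        # host is a policy deviation worth investigating.
        if f.dst_port != 443 or f.proto != "tcp":
            findings.append((f.dst_host, f.dst_port,
                             "allowed destination on non-HTTPS port/protocol"))
    return findings


if __name__ == "__main__":
    for host, port, reason in audit_egress(SAMPLE_FLOWS, analytics_enabled=False):
        print(f"{host}:{port} - {reason}")
```

With the defaults, the sample flows produce two findings (an unlisted destination and an allowed host reached on port 80); disabling analytics adds the Mixpanel flow, and marking the install as using no external models turns the OpenAI and Bedrock flows into findings as well. The same function can be fed real flow records once a parser for your cloud's flow-log format replaces `parse_flow`.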
FAQ
| Question | Answer |
|---|---|
| Can we air-gap entirely? | Not yet. The agent needs periodic egress for updates and license checks. |
| Is bring-your-own-KMS supported? | Yes, point the Helm chart at your KMS. |
| Can I scale horizontally? | The Helm values file exposes replicas and resources; autoscaling works like any K8s app. |
| Private-only access? | Enable VPC peering or Private Link and restrict the load balancer to internal traffic. |
| Is the site reachable from the public Internet? | By default yes, behind an ALB/ELB with HTTPS. You can lock it to specific CIDRs or internal-only mode. |
| What persistent storage is part of this deployment? | • Managed Cloud SQL / RDS / Azure SQL Database (PostgreSQL) • S3 / GCS / Blob storage for multi-modal artifacts • Block storage (EBS / PD / Disk) for Elasticsearch indices and NATS |
| I’ve heard Kubernetes can be unreliable with persistent volumes. Does that put my data at risk? | No. BYOC keeps the source of truth in a managed database service such as Amazon RDS, Cloud SQL, or Azure PostgreSQL that runs outside Kubernetes. Everything stored on in-cluster volumes (search indices, NATS JetStream, temporary files) can be rebuilt from that database. If a node or the whole cluster is lost, you simply spin up new nodes, redeploy the chart, and point it at the same database. The application comes back with no data loss. |
| Can I connect BYOC to my existing Kubernetes cluster, Elasticsearch stack, or shared database? | Not today. BYOC runs in an isolated project or account so Freeplay can manage scaling, upgrades, and support without impacting your other workloads. This isolation also lets us guarantee performance, security boundaries, and fast root-cause analysis. |