Sign inTry Free

Helios BYOC

On this page

Note

This is a Preview feature.

For customers that want a managed experience like SingleStore Helios, but have data sovereignty and tenancy restrictions due to compliance or contractual reasons, SingleStore offers Helios Bring Your Own Cloud (BYOC). Helios BYOC enables you to deploy SingleStore within your AWS VPC without the typical operational overhead and provides access to some SingleStore Helios features. With Helios BYOC, the customer's data never leaves their cloud tenancy.

Why Use Helios BYOC

Helios BYOC brings the fully managed cloud experience to the customer's own AWS VPC with the following benefits:

  • Operational management

    • Create, suspend, and resume workspaces through the SingleStore Cloud Portal

    • Out-of-the-box Grafana dashboards for workspace monitoring

  • Scalability and reliability

    • Scale workspaces using the Cloud Portal

    • Auto healing in the event of node failure

    • A variety of scaling mechanisms for dynamic workloads, such as auto-scaling, cache scaling, and fast scaling

  • Resource/data management and security

    • Isolate workloads with shared data using workspaces within the customer's VPC in their AWS account

    • Organization-, workspace group-, and database-level role-based access control (RBAC)

Helios BYOC Architecture

Helios BYOC is designed as a modular system consisting of three distinct components:

  • Control Plane

  • Data Plane

  • Nimbus Gateway

The following is a visual representation of the Helios BYOC architecture which illustrates the primary components and how they interact with each other.

BYOC architecture that contains the Control Plane and the Data Plane connected via the Nimbus Gateway.

Control Plane

The Control Plane is an online portal that provides tools to manage your SingleStore workspaces, database deployments, and services in the Data Plane. It is a collection of secure services that manage the cluster's resources and provide access to billing information, access control, and monitoring insights (such as performance metrics, resource usage, cluster health, etc.). These services interact with the Data Plane through secure tunnels via the Nimbus Gateway, which enables the operations triggered from the Control Plane to securely reach the Data Plane. The customer-facing portal is accessible via the Cloud Portal.

Note

From the Control Plane, the customer-hosted Data Planes are accessible only via these secure tunnels. The Data Plane in the customer's VPC has no open inbound ports or publicly-accessible IPs.

The Control Plane stores data on the organizations, cluster metadata, and billing information. It does not contain any customer data or customer-specific sensitive information.

Data Plane

The Data Plane represents a SingleStore cell that is bootstrapped in the customer’s VPC within their AWS account. A SingleStore cell consists of a Kubernetes cluster that provides compute resources in addition to identity and access management (IAM), networking, storage, and all the AWS primitives required to run the cell. SingleStore workspaces and databases are deployed within this cell. The DML and DDL endpoints of a workspace are accessible within the Data Plane to allow deployment and management of resources. During bootstrapping, a Nimbus client is deployed within the cell which creates a secure tunnel with the Nimbus gateway in the Control Plane. This secure tunnel enables the Control Plane to manage the Data Plane (via restricted IAM roles).

Nimbus Gateway

The Nimbus Gateway enables communication between the Control Plane and the Data Plane by establishing secure tunnels. The HTTPS API used between the Control Plane and the Data Plane is secured using signed JWT tokens with HTTP authentication. The Nimbus Gateway implements a client-server architecture, where the server runs on the Control Plane and the client runs on the Data Plane, subsequently creating a tunnel. Without the Nimbus Gateway, services from the Control Plane cannot access the Data Plane.

The following is a visual representation of the data flow via the Nimbus Gateway.

Nimbus Gateway data flow diagram.

How Helios BYOC Works

Helios BYOC establishes a fully-managed cloud environment within the customer's own AWS account through the Control Plane and the Data Plane. The Control Plane communicates with the Data Plane via the Nimbus gateway. The Control Plane sends cluster management commands to deploy (bootstrap) a custom SingleStore cluster on the customer's AWS VPC (the Data Plane). These resources in the Data Plane are managed by the Control Plane. After initial bootstrap, all communications to the Control Plane are initiated from the Data Plane.

In this section

Last modified: September 17, 2024

Was this article helpful?

On this page

Was this article helpful?