# Platform deployment

The Union.ai platform uses a split-plane model with separate control and data planes.

In both BYOC and Self-managed deployments, your code, input and output data, container images and logs reside entirely on the **data plane**, which runs in your cloud account, while the **control plane** runs on Union.ai's cloud account, providing the workflow orchestration logic.

The **control plane** does not have access to the code, data, images, or logs in the **data plane**.

If you choose a **Self-managed deployment**, your data isolation is further enhanced by the fact that you manage your data plane entirely on your own, without providing any access to Union.ai customer support.

If you choose a **BYOC deployment**, Union.ai manages the Kubernetes cluster in your data plane for you. The data isolation between the control plane and the data plane is still enforced; for example, Union.ai has no access to your object storage or logs. However, Union.ai customer support will have some access to your cluster, strictly for upgrades, provisioning, and other actions related to maintaining cluster health.

> [!NOTE]
> These are the BYOC docs. You can switch to the Union.ai Self-managed docs with the product selector above.

## BYOC deployment

The BYOC deployment offers a fully "serverless in your cloud", turnkey solution where all infrastructure management is offloaded to Union.ai:

* The **data plane** resides in your cloud provider account but is managed by Union.ai, who will handle deployment, monitoring, Kubernetes upgrades, and all other operational aspects of the platform. BYOC deployment supports data planes on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

* The **control plane**, as with all Union.ai deployment options, resides in the Union.ai AWS account and is administered by Union.ai. However, as mentioned, data separation is maintained between the data plane and the control plane, with no control plane access to the code, input/output, images or logs in the data plane.

## Data plane

The data plane runs in your cloud account and VPC. It is composed of the services required to run and monitor workflows:

* Kubernetes cluster
* Object storage bucket
* Container image registry
* Secrets manager
* Logging solution
* IAM role with the required permissions

When you run your workflow:

1. Your code is sent to the object storage bucket
2. Container images are built on a builder node and pushed to the registry
3. Pods are created and assume the IAM role
4. Container images are pulled down from the registry for each pod as needed
5. Containers load their inputs from, and save their outputs to, the object store

All of this happens in the data plane; the control plane is aware only of the workflow execution state, not the code, data, logs, secrets, or any other proprietary information. The data plane communicates with the control plane over an outbound connection on a single outgoing port, routed through a zero-trust proxy. There is no open inbound port to the data plane.

## Control plane

Union.ai operates the control plane in its own cloud infrastructure in Amazon Web Services (AWS).
The control plane has access to:

* Workflow execution state information
* Names of tasks and other deployed entities
* Pointers to object storage locations in the data plane (but not any user data)
* Union.ai identity provider (IdP)

## Subpages

- [Platform architecture](https://www.union.ai/docs/v2/byoc/deployment/platform-architecture/page.md)
  - Control plane
  - Data plane
  - Data plane nodes
  - Union.ai operator
  - Registry data
  - Execution data
  - Raw data
  - Literal data
  - Data privacy
- [Configuring your data plane](https://www.union.ai/docs/v2/byoc/deployment/configuring-your-data-plane/page.md)
  - Cloud provider
  - Multi-cluster
  - Account ID
  - Region
  - VPC
  - Data retention policy
  - Worker node groups
  - Node group name
  - Node type
  - Minimum
  - Maximum
  - Interruptible instances
  - Taints
  - Disk
  - Resources held back
  - Example specification
  - After deployment
  - Adjusting your configuration
- [Multi-cluster and multi-cloud](https://www.union.ai/docs/v2/byoc/deployment/multi-cluster/page.md)
  - Domain isolation
  - Project isolation
  - Data and metadata isolation
- [Data plane setup on AWS](https://www.union.ai/docs/v2/byoc/deployment/data-plane-setup-on-aws/page.md)
  - Setting permissions through CloudFormation
  - Click the Launch Stack button
  - Confirm the details
  - Share the role ARN
  - Updating permissions through CloudFormation
  - Update your CloudFormation template
  - Setting permissions manually
  - Prepare the policy documents
  - Create the role manually
  - Share the role ARN
  - Updating permissions manually
  - Setting up and managing your own VPC (optional)
  - Private EKS endpoint
  - Create additional roles for ECS
  - Attach a new IAM policy to the Union role
  - Configure VPC Endpoints
- [Data plane setup on GCP](https://www.union.ai/docs/v2/byoc/deployment/data-plane-setup-on-gcp/page.md)
  - Select or create a project
  - Ensure billing is linked
  - Create a workload identity pool and provider
  - In the GCP web console
  - On the command line using `gcloud`
  - Create a role for Union.ai admin
  - Create the Union.ai admin service account
  - In the GCP web console
  - On the command line using `gcloud`
  - Grant access for the Workflow Identity Pool to the Service Account
  - In the GCP web console
  - On the command line using `gcloud`
  - Enable services API
  - In the GCP web console
  - On the command line using `gcloud`
  - Setting up and managing your own VPC (optional)
  - Example VPC CIDR Block allocation
- [Data plane setup on Azure](https://www.union.ai/docs/v2/byoc/deployment/data-plane-setup-on-azure/page.md)
  - Selecting Azure tenant and subscription
  - Create a Microsoft Entra Application Registration
  - Create a Microsoft Entra ID Application for Union.ai Access
  - Create Microsoft Entra ID Applications for Union.ai cost allocation
  - (Recommended) Create a Microsoft Entra group for cluster administration
  - (Optional) Setting up and managing your own VNet
  - Required Union.ai VNet permissions
  - Required VNet properties
  - Example VPC CIDR Block allocation
  - Union.ai Maintenance Windows
- [Data retention policy](https://www.union.ai/docs/v2/byoc/deployment/data-retention-policy/page.md)
  - Data categories
  - How policies are specified
  - Deletion of current versions
  - Deletion of non-current versions
  - Defaults
  - Attempting to access deleted data
  - Separate sets of policies per cluster
  - Data retention and task caching
- [Manage Union through Terraform](https://www.union.ai/docs/v2/byoc/deployment/terraform/page.md)
  - Overview
  - Why use Terraform?
  - Getting Started
  - [Installation](https://www.union.ai/docs/v2/byoc/deployment/installation/page.md)
  - [Resource Management](https://www.union.ai/docs/v2/byoc/deployment/management/page.md)
  - [Security Best Practices](https://www.union.ai/docs/v2/byoc/deployment/security/page.md)
  - Requirements
- [Enabling AWS resources](https://www.union.ai/docs/v2/byoc/deployment/enabling-aws-resources/page.md)
  - Types of access
  - Infrastructure-level access
  - Task code access
  - Background
  - Enabling access
  - Creating a custom policy
  - Setting up global access
  - Setting up project-domain-scoped access
  - Create the IAM role
  - Configure the cluster to use the new IAM role
- [Enabling GCP resources](https://www.union.ai/docs/v2/byoc/deployment/enabling-gcp-resources/page.md)
  - Types of access
  - Infrastructure-level access
  - Task code access
  - Domain-scoped access
  - Globally-scoped access
  - Find the actual name of `<UserFlyteGSA>`
- [Enabling Azure resources](https://www.union.ai/docs/v2/byoc/deployment/enabling-azure-resources/page.md)
  - Types of access
  - Infrastructure-level access
  - Task code access
  - Domain-scoped access
  - Globally-scoped access
- [Single sign on setup](https://www.union.ai/docs/v2/byoc/deployment/single-sign-on-setup/page.md)
  - Google OpenID Connect
  - Microsoft Entra ID (formerly Azure AD)
  - Other identity providers

---
**Source**: https://github.com/unionai/unionai-docs/blob/main/content/deployment/_index.md
**HTML**: https://www.union.ai/docs/v2/byoc/deployment/
