BYOC shared responsibility model

This page details the shared responsibility model for Bring Your Own Cloud (BYOC) with Decodable: which parts of the deployment Decodable operates and which parts the customer operates and secures. For more details about the architecture of Decodable and its components, see the architecture diagrams.

Control Plane

The Control Plane is the portion of Decodable’s BYOC offering that operates within Decodable’s own account. It is fully managed by Decodable and holds metadata about Decodable resources, including connections, streams, pipelines, and account access controls.

Decodable
    Operate the control plane.
    Configure integration with the customer’s Single Sign-On (SSO) provider.

Customer
    Create and configure accounts, connections, pipelines, streams, and secrets.
    Manage groups, roles, and permissions using the Decodable UI or API.

Data Plane

The Data Plane is the portion of Decodable’s BYOC offering that operates within the customer’s account. It launches Flink jobs, manages secrets, and serves logs and data previews.

Decodable
    Provide regular versioned releases of the data plane software via a customer-accessible shared container repository.
    Provide example configurations for deploying the product, demonstrating the required variables and resources.

Customer
    Operate and secure the required cloud infrastructure (EKS, MSK, S3, Secrets Manager).
    Install and upgrade the software.
    Monitor logs and metrics for the data plane components and deployed Flink jobs.
    Configure, secure, and operate AWS account networking infrastructure and settings.

Kubernetes

The BYOC data plane runs on Kubernetes. This may be a single-tenant cluster (running only Decodable) or a multi-tenant cluster (running many workloads). The customer is responsible for monitoring and securing the underlying Kubernetes cluster.

Decodable
    Provide reference implementations and guidance on compatible versions of Kubernetes and controllers.
    Provide documentation and guidance on Kubernetes configuration directly relevant to the data plane services.

Customer
    Monitor the health and availability of cluster components, including controllers.
    Implement appropriate access controls.
    Install required security software on Kubernetes nodes.

Apache Kafka

The BYOC data plane stores stream records, internal state, and metrics in Kafka. This may be a single-tenant Kafka deployment (used only by Decodable) or a multi-tenant cluster. The customer is responsible for monitoring and securing the Kafka cluster.

Decodable
    Provide reference implementations and guidance on compatible versions.
    Support configurable authentication methods for secure communication with Kafka.

Customer
    Monitor the health and availability of the Kafka cluster.
    Implement appropriate access controls for data stored in the Kafka cluster.

Object storage

The BYOC data plane stores job state and job logs in object storage (such as Amazon S3).

Decodable
    Provide reference implementations and guidance on how to configure S3 buckets.

Customer
    Implement appropriate access controls for the S3 buckets to prevent data loss.

Secrets management

The BYOC data plane stores secrets (such as credentials for sources and sinks) in AWS Secrets Manager.

Decodable
    Provide reference implementations and guidance on configuring Secrets Manager.

Customer
    Implement appropriate access controls for Secrets Manager.
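The Object storage and Secrets management sections above both leave "appropriate access controls" to the customer. The following is an added example, not Decodable's code or reference implementation, of a static least-privilege check a customer can run over the IAM policy attached to the data plane's role before deploying it. The bucket name, AWS account ID, region, and secret name prefix are assumptions chosen for the example; the two policies are constructed inline, one over-broad and one scoped to the resources the data plane actually touches.

```python
"""Least-privilege check for the IAM policy of a BYOC data-plane role.

Added example (not Decodable's code). The ARNs below are assumptions:
a state/log bucket and a Secrets Manager name prefix that the data plane
is expected to use. The audit flags the patterns that most often defeat
access control on S3 and Secrets Manager: wildcard actions, wildcard
resources, inverted (NotAction/NotResource) scoping, bucket- or
secret-management actions the data plane does not need, and resources
outside the data plane's scope.
"""
from __future__ import annotations

import fnmatch
import json

# Hypothetical resources; replace with the real ones from your deployment.
STATE_BUCKET_ARN = "arn:aws:s3:::example-byoc-flink-state"
SECRET_PREFIX_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:decodable/*"

# Everything the data plane is allowed to touch. Patterns use glob syntax.
ALLOWED_RESOURCE_PATTERNS = [STATE_BUCKET_ARN, STATE_BUCKET_ARN + "/*", SECRET_PREFIX_ARN]

# Management actions a job runner never needs; granting them lets a compromised
# job delete the bucket, loosen its policy, or rewrite secret access policies.
DANGEROUS_ACTIONS = {
    "s3:DeleteBucket", "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutBucketVersioning",
    "secretsmanager:DeleteSecret", "secretsmanager:PutResourcePolicy", "secretsmanager:CreateSecret",
}


def _as_list(value) -> list:
    """IAM accepts a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per over-broad grant. An empty list means the policy passed."""
    findings: list[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        # NotAction/NotResource grant everything *except* the listed items.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: uses NotAction/NotResource (inverted scoping)")
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action in DANGEROUS_ACTIONS:
                findings.append(f"{sid}: management action {action!r} is not needed by the data plane")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource '*'")
            elif not any(fnmatch.fnmatchcase(resource, p) for p in ALLOWED_RESOURCE_PATTERNS):
                findings.append(f"{sid}: resource {resource!r} is outside the data-plane scope")
    return findings


# Constructed over-broad policy: full S3 on everything, and every secret in the account.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:*"},
    ],
}

# Constructed scoped policy: only the state bucket and the decodable/ secret prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FlinkStateBucketList", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": STATE_BUCKET_ARN},
        {"Sid": "FlinkStateObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": STATE_BUCKET_ARN + "/*"},
        {"Sid": "ConnectorSecrets", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": SECRET_PREFIX_ARN},
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"== {name} ==")
        print(json.dumps(policy, indent=2))
        for finding in audit_policy(policy) or ["no findings"]:
            print("  -", finding)
```

The check is static and deliberately strict: it rejects anything not matching the allow-list rather than trying to interpret IAM's full evaluation logic, so run it against the role's policy documents as a pre-deployment gate and confirm the result with IAM Access Analyzer or a real test of the role. Object deletion is left in the scoped policy because Flink cleans up old checkpoints; the "prevent data loss" requirement in the Object storage section is then met at the bucket level by versioning and by keeping bucket-management actions out of the data plane's reach, as the audit enforces.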