Skip to main content
Insights

9 Myths About BYOC

Bring Your Own Cloud isn’t misguided — it’s just misunderstood

Mark Milligan portrait

Mark Milligan

VP of Revenue

7 min read

BYOC promises the flexibility of customer-hosted infrastructure with the ease of SaaS delivery. Yet, from cost to control to complexity, many myths persist. Vendors and customers often misunderstand what a modern BYOC platform like Nuon actually does. Let’s take a look at the nine biggest misconceptions — and unpack the truth behind them.

1. The app setup sounds complicated

Operators of BYOC platforms like Nuon sometimes have a misconception that they have to rewrite infrastructure as code (IaC) and configuration settings. Nuon's architecture is flexible to allow components to point to existing Terraform modules, Helm charts, and Kubernetes manifests. The goal isn't to burden operators of Nuon, but give them easier ways to onboard, upgrade, and manage customer installations.

A Helm component described through a Nuon .toml configuration file

2. This will be more expensive than SaaS or self-hosted

The cost structure shifts, rather than increases necessarily. Software vendors offering single-tenant can get out of the costly infrastructure business. Customers or recipients of the vendor's app can leverage existing cloud contracts and volume discounts.

Customers who self-host already can transfer the DevOps and platform engineering costs to the vendor, who procures and manages the Nuon software and technical human labor costs.

We wrote a blog contrasting the build versus buy costs of offering BYOC.

3. BYOC is not secure

This is perhaps the biggest myth, especially when it comes to Nuon and how much we differ from other BYOC options.

This misconception likely arises from the fact that BYOC deployments often give full permissions internally to the customer's infrastructure, which creates a wider attack surface to rogue actors or mistaken installation actions. Nuon doesn't work this way — which is not only more secure, but also unburdens customers from having to monitor access to their cloud accounts.

Nuon instead provides the customer or recipient with a cloud stack (such as CloudFormation) that defines four roles and permissions specific to the lifecycle of the vendor's app. The stack also creates or reuses a VPC, and creates a VM with the Nuon runner to egress-only “phone home” to the Nuon control plane for instructions to install and manage the customer's app.

The vendor never has direct access to the customer's cloud account. If the app falls down and requires that elevated permissions be given to the vendor, another cloud stack update is performed — by the customer — to elevate the vendor's permissions for a limited time.

Other alternatives that have security- and infrastructure-related drawbacks include tunneling, network-controlled Kubernetes, and Kubernetes operators.

We wrote a blog detailing Nuon’s secure runner architecture versus alternative, less-secure approaches.

4. The customer won’t have control or visibility into what changes in our cloud infrastructure

Modern cloud-native BYOC platforms like Nuon give control to customers — from running the cloud stack and creating the initial VPC, VM, and Nuon runner, to visibility into approvals and detailed logging for all changes made to the customer's cloud infrastructure. Customers can set up their own monitoring tools like Grafana, Datadog, and Honeycomb.io to track app performance.

This creates a verifiable, auditable trail of what’s running, eliminating the “black box” feeling of traditional SaaS.

Export install logs to csv and share with the customer.

5. Vendors will have full control of the customer’s app installation

With BYOC and Nuon, the opposite is true: vendors have limited and scoped access defined and accepted by the customer when they deploy the CloudFormation stack, VM, Nuon runner, and scoped roles and permissions The control boundary is intentional — customers keep the keys, even control over adding secrets in the cloud stack, while vendors ensure smooth software delivery.

If critical issues arise, customers can temporarily elevate vendor permissions to troubleshoot and resolve problems. Customers can also shutdown the VM with the runner to stop all vendor activity.

In the app configuration, specify the permissions boundary for the maintenance role, which is less permissive than the provision or de-provision roles.

6. The customer won’t be able to easily make changes to the app

To the contrary, the customer is free from the hassle of maintaining and updating the app. Unlike SaaS, customers can decide their own upgrade schedules, and can test new versions in staging environments before rolling out to production — all managed by the vendor through Nuon.

At the customer’s discretion, update the app’s Helm release version and the customer’s install.

7. The vendor will have less control over customer installations

The benefits of offloading infrastructure costs and management to customers outweigh the perceived loss of control. Vendors can still define apps, their components, Terraform, Helm charts, and Kubernetes manifests, and use Nuon to automate deployment and day-2 management with action scripts across multiple customer installations.

In emergency situations, vendors can request break-glass access from customers, which temporarily elevates their permissions in order to address critical issues.

The alternative with self-hosted customers is worse: the vendor has no visibility or control over the customer's infrastructure, relying on Zoom calls, emails, and tickets to manage installations — all with the tendency of finger pointing.

Workflow history of healthcheck action scripts executed on a customer install.

8. The vendor won’t be able to meet SLAs if they don’t host the infrastructure

SLAs depend on monitoring, alerting, and automation — not ownership of the servers. BYOC platforms like Nuon give vendors visibility into logs, metrics, traces, and health checks across all installations. Vendors can still guarantee uptime and response times, leveraging the customer’s own cloud redundancy and best-of-breed observability platforms like Grafana, Honeycomb and Datadog.

Install Datadog inside a customer install to monitor API and database health.

9. We’ll just stick with writing Terraform to keep things simple

Terraform is powerful, but not a full BYOC strategy. It’s a provisioning tool, not a delivery and management platform. Vendors need mechanisms for version control, upgrades, dependency management, and day-2 operations. While these are often handled with scripts and Terraform, Nuon abstracts those challenges, using Terraform as a tool — not the solution.

Rest assured, Nuon fully supports and reuses Terraform modules as part of its flexible architecture. Nuon also persists installation state, tracks versions, and automates upgrades across multiple customer installations, reducing the operational burden on vendors.

Viewing the entire install state including Terraform, Helm and the cloud stack, in the dashboard UI.
An app component re-using an existing git-backed Terraform module to provision an AWS certificate.

Ready to get started?

Book a demo Log in

Newsletter

Subscribe to our newsletter

Too much email? Subscribe via RSS feed