Bring Your Own Cloud (BYOC) lets you deploy Pinecone Database in your own AWS account to ensure data sovereignty and compliance, with Pinecone handling provisioning, operations, and maintenance.

BYOC is in early access on AWS. To learn more about the offering, contact Pinecone.

Use cases

Pinecone BYOC is designed for organizations with high security and compliance requirements, for example:

  • Data sovereignty: If your organization has strict data governance policies, Pinecone BYOC can help ensure that all data is stored and processed locally and does not leave your security perimeter.
  • Data residency: The standard Pinecone managed service can be deployed in several AWS cloud regions. If your organization has specific data residency or latency constraints that require you to deploy in regions that Pinecone does not yet support, Pinecone BYOC gives you that flexibility.

Architecture

The BYOC architecture employs a split model:

  • Data plane: The data plane is responsible for storing and processing your records, executing queries, and interacting with object storage for index data. In a BYOC deployment, the data plane is hosted in your own AWS account within a dedicated VPC, ensuring that all data is stored and processed locally and does not leave your organizational boundaries. Private Endpoints for AWS PrivateLink are used as an additional security measure to protect your data plane API calls.

  • Control plane: The control plane is responsible for managing the index lifecycle as well as region-agnostic services such as user management, authentication, and billing. The control plane does not hold or process any records. In a BYOC deployment, the control plane is managed by Pinecone and hosted globally. Communication between the data plane and control plane is encrypted using TLS and employs role-based access control (RBAC) with minimal IAM permissions.

Onboarding

The onboarding process for BYOC in AWS involves the following general stages:

  1. AWS account setup: If you don’t already have an AWS account where you want to deploy Pinecone, you create one for this purpose.
  2. Terraform template execution: You download and run a Terraform template provided by Pinecone. This template creates essential resources, including an IAM role with scoped-down permissions and a trust relationship with Pinecone’s AWS account.
  3. Environment creation: Pinecone deploys a data plane cluster in your VPC and works with you to configure PrivateLink for secure communication.
  4. Validation: Once the environment is operational, Pinecone performs validation tests to ensure proper functionality.

Create an index

Once your BYOC environment is ready, you can create a BYOC index in the Pinecone console or via the Pinecone API. Pinecone SDKs do not yet support BYOC index creation.

To create a BYOC index via the API, set the X-Pinecone-API-Version header to 2025-04 and the spec.byoc.environment parameter to the environment name provided to you during onboarding, for example:

curl -s "https://api.pinecone.io/indexes" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Api-Key: $PINECONE_API_KEY" \
  -H "X-Pinecone-API-Version: 2025-04" \
  -d '{
        "name": "example-byoc-index",
        "vector_type": "dense",
        "dimension": 1536,
        "metric": "cosine",
        "spec": {
            "byoc": {
                "environment": "aws-us-east-1-b921"
            }
        },
        "tags": {
            "example": "tag"
        },
        "deletion_protection": "disabled"
      }'

Read and write data

Once your Private Endpoint is configured, you can run data operations against a BYOC index as usual, but you must target the index using its Private Endpoint URL.

BYOC does not support reading and writing data from the index browser in the Pinecone console.
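As an added example (not Pinecone's own code or SDK), the following Python helper builds the control-plane create-index request described above, with the 2025-04 API version header and the spec.byoc.environment parameter, and builds data-plane requests that it only allows to target a Private Endpoint hostname you have allowlisted, so a misconfigured client cannot send records to a public host. The data-plane paths (/vectors/upsert, /query), the placeholder endpoint hostname, the allowlist mechanism and the send() helper are assumptions for this example and are not taken from this page.

```python
"""Added example, not Pinecone's own code: build and check BYOC index requests.

Assumptions (not from the page): the data-plane paths /vectors/upsert and /query,
the constructed private endpoint hostname below, and the allowlist approach.
"""
import json
import os
import urllib.request

API_VERSION = "2025-04"                      # header value required for BYOC index creation
CONTROL_PLANE = "https://api.pinecone.io"    # control plane, managed by Pinecone

# Constructed placeholder: the Private Endpoint hostnames created during onboarding.
# Every data-plane call must target one of these so traffic stays inside the VPC.
PRIVATE_ENDPOINT_HOSTS = {"example-byoc-index-abc123.private.example.invalid"}


def _headers():
    """Headers shared by control-plane and data-plane calls."""
    return {
        "Accept": "application/json",
        "Content-Type": "application/json",
        # The API key is read from the environment; the placeholder is never valid.
        "Api-Key": os.environ.get("PINECONE_API_KEY", "<PINECONE_API_KEY>"),
        "X-Pinecone-API-Version": API_VERSION,
    }


def build_create_index_request(name, dimension, environment, metric="cosine", tags=None):
    """Return (url, headers, body) for creating a BYOC index via the control plane."""
    if not environment:
        raise ValueError("spec.byoc.environment is required for a BYOC index")
    body = {
        "name": name,
        "vector_type": "dense",
        "dimension": dimension,
        "metric": metric,
        "spec": {"byoc": {"environment": environment}},
        "tags": tags or {},
        "deletion_protection": "disabled",
    }
    return f"{CONTROL_PLANE}/indexes", _headers(), body


def build_data_plane_request(host, path, payload):
    """Return (url, headers, body) for a data-plane call, refusing non-private hosts."""
    if host not in PRIVATE_ENDPOINT_HOSTS:
        raise ValueError(f"refusing to send data-plane traffic to non-private host {host!r}")
    if not path.startswith("/"):
        raise ValueError("path must be absolute, e.g. /vectors/upsert")
    return f"https://{host}{path}", _headers(), payload


def send(url, headers, body, timeout=10):
    """POST the request; only call this when you actually want to hit the API."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    url, headers, body = build_create_index_request(
        "example-byoc-index", 1536, "aws-us-east-1-b921", tags={"example": "tag"}
    )
    print(url)
    print(json.dumps(body, indent=2))

    # Constructed sample upsert aimed at the allowlisted Private Endpoint.
    host = next(iter(PRIVATE_ENDPOINT_HOSTS))
    url, headers, upsert = build_data_plane_request(
        host, "/vectors/upsert",
        {"vectors": [{"id": "vec-1", "values": [0.1] * 1536}], "namespace": "example"},
    )
    print(url)
```

The build functions return the request without sending it, so the index-creation payload and the endpoint check can be reviewed (or unit-tested) before any traffic leaves your environment; call send() with the returned triple when you want to perform the request.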

Monitoring

Pinecone engineers monitor the state of your BYOC deployment and manage incidents if they arise. In addition, you can monitor performance metrics for your BYOC indexes in the Pinecone console or with Prometheus or Datadog.

To use Prometheus, your monitoring tool must have access to your VPC.

FAQs
