Bring Your Own Cloud (BYOC) lets you deploy Pinecone Database in your own AWS account to ensure data sovereignty and compliance, with Pinecone handling provisioning, operations, and maintenance.

BYOC is in early access on AWS. To learn more about the offering, contact Pinecone.

Use cases

Pinecone BYOC is designed for organizations with high security and compliance requirements, for example:

  • Data sovereignty: If your organization has strict data governance policies, Pinecone BYOC can help ensure that all data is stored and processed locally and does not leave your security perimeter.
  • Data residency: The standard Pinecone managed service can be deployed in several AWS cloud regions. If your organization has specific data residency or latency constraints that require you to deploy in regions that Pinecone does not yet support, Pinecone BYOC gives you that flexibility.

Architecture

The BYOC architecture employs a split model:

  • Data plane: The data plane is responsible for storing and processing your records, executing queries, and interacting with object storage for index data. In a BYOC deployment, the data plane is hosted in your own AWS account within a dedicated VPC, ensuring that all data is stored and processed locally and does not leave your organizational boundaries. Private Endpoints for AWS PrivateLink can be established as an additional security measure to protect your data plane API calls.
  • Control plane: The control plane is responsible for managing the index lifecycle as well as region-agnostic services such as user management, authentication, and billing. The control plane does not hold or process any records. In a BYOC deployment, the control plane is managed by Pinecone and hosted globally. Communication between the data plane and control plane is encrypted using TLS and employs role-based access control (RBAC) with minimal IAM permissions.

Onboarding

The onboarding process for BYOC in AWS involves the following general stages:

  1. AWS account setup: If you don’t already have an AWS account where you want to deploy Pinecone, you create one for this purpose.
  2. Terraform template execution: You download and run a Terraform template provided by Pinecone. This template creates essential resources, including an IAM role with scoped-down permissions and a trust relationship with Pinecone’s AWS account.
  3. Environment creation: Pinecone deploys a data plane cluster in your VPC and works with you to configure PrivateLink for secure communication.
  4. Validation: Once the environment is operational, Pinecone performs validation tests to ensure proper functionality.

FAQs

Was this page helpful?