Create a BYOC Cluster on AWS

To create a Redpanda cluster in your virtual private cloud (VPC), follow the instructions in the Redpanda Cloud UI. The UI contains the parameters necessary to successfully run rpk cloud byoc apply. See also: BYOC architecture.

With standard BYOC clusters, Redpanda manages security policies and resources for your VPC, including subnetworks, service accounts, IAM roles, firewall rules, and storage buckets. For the highest level of security, you can manage these resources yourself with a BYOVPC cluster on AWS.

Prerequisites

Before you deploy a BYOC cluster on AWS, check that the user creating the cluster meets the following prerequisites:

  • A minimum version of Redpanda rpk v24.1. See Install or Update rpk.

  • The user authenticating to AWS has AWSAdministratorAccess, which is needed to create the IAM policies specified in AWS IAM policies.

  • The user has the AWS variables necessary to authenticate. Use either:

    • AWS_PROFILE or

    • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

    To verify access, you should be able to successfully run aws sts get-caller-identity for your region. For more information, see the AWS CLI reference.
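The following preflight script is an added example and is not part of the Redpanda docs. It checks the three prerequisites above from a shell: that rpk is at least v24.1 (comparing major.minor numerically, so a 24.10 release is not mistaken for an older one), that either AWS_PROFILE or the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY pair is present in the environment, and, only when RUN_AWS_CHECK=1 is set, that aws sts get-caller-identity succeeds. It assumes that rpk version prints the version somewhere in its output as v<major>.<minor>.<patch> and that the aws CLI is on PATH; both are assumptions, not facts from this page.

```shell
#!/bin/sh
# Added example, not part of the Redpanda docs: a preflight check for the
# BYOC-on-AWS prerequisites. Assumptions (not from the page): `rpk version`
# prints the version somewhere in its output as v<major>.<minor>.<patch>, and
# the aws CLI is on PATH.

MIN_RPK_VERSION="24.1"

# parse_rpk_version: reads `rpk version` output on stdin and prints the first
# v<major>.<minor>[.<patch>] it finds without the leading "v" (empty if none).
parse_rpk_version() {
  grep -o 'v[0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1 | sed 's/^v//'
}

# version_at_least VERSION MINIMUM: compares major.minor numerically
# (so 24.10 ranks above 24.9); the patch level is ignored.
# Returns 0 when VERSION >= MINIMUM.
version_at_least() {
  v_major=${1%%.*}; v_rest=${1#*.}; v_minor=${v_rest%%.*}
  m_major=${2%%.*}; m_rest=${2#*.}; m_minor=${m_rest%%.*}
  if [ "$v_major" -ne "$m_major" ]; then
    [ "$v_major" -gt "$m_major" ]
  else
    [ "$v_minor" -ge "$m_minor" ]
  fi
}

# aws_credentials_configured: returns 0 if AWS_PROFILE is set, or if both
# AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set; 1 otherwise.
aws_credentials_configured() {
  if [ -n "${AWS_PROFILE:-}" ]; then return 0; fi
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then return 0; fi
  return 1
}

# preflight: runs every check, reports each result, returns 1 on any failure.
preflight() {
  ok=0
  rpk_ver=$(rpk version 2>/dev/null | parse_rpk_version)
  if [ -z "$rpk_ver" ]; then
    echo "FAIL rpk not found or version not recognised (see Install or Update rpk)" >&2; ok=1
  elif version_at_least "$rpk_ver" "$MIN_RPK_VERSION"; then
    echo "OK   rpk $rpk_ver >= $MIN_RPK_VERSION"
  else
    echo "FAIL rpk $rpk_ver is older than $MIN_RPK_VERSION" >&2; ok=1
  fi
  if aws_credentials_configured; then
    echo "OK   AWS credentials present in the environment"
  else
    echo "FAIL set AWS_PROFILE, or AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY" >&2; ok=1
  fi
  # The live identity check needs network access and real credentials, so it is opt-in.
  if [ "${RUN_AWS_CHECK:-0}" = "1" ]; then
    if aws sts get-caller-identity >/dev/null 2>&1; then
      echo "OK   aws sts get-caller-identity succeeded"
    else
      echo "FAIL aws sts get-caller-identity failed; check credentials and region" >&2; ok=1
    fi
  fi
  return $ok
}

if preflight; then echo "preflight passed"; else echo "preflight failed" >&2; fi
```

Run it as `RUN_AWS_CHECK=1 sh preflight.sh` before starting the cluster wizard; a FAIL line names the prerequisite to fix.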

Create a BYOC cluster

  1. Log in to Redpanda Cloud.

  2. On the Clusters page, click Create cluster, then click Create BYOC cluster.

  3. Enter a cluster name, then select the resource group, provider (AWS), region, tier, availability, and Redpanda version.

    • If you plan to create a private network in your own VPC, select the region where your VPC is located.

    • Selecting three availability zones gives you two backup zones in case one availability zone goes down.

    Optionally, click Advanced settings to specify up to five key-value custom tags. After the cluster is created, the tags are applied to all AWS resources associated with this cluster. For more information, see the AWS documentation. After the cluster is created, you can specify more tags with the Cloud API.

  4. Click Next.

  5. On the Network page, enter the connection type: either Public or Private. For BYOC clusters, Private is the best practice.

    • Your network name is used to identify this network.

    • For a CIDR range, choose one that does not overlap with your existing VPCs or your Redpanda network.

  6. Click Next.

  7. On the Deploy page, follow the steps to log in to Redpanda Cloud and deploy the agent.

    As part of agent deployment:

    • Redpanda assigns the permissions required to run the agent. For details about these permissions, see AWS IAM policies.

    • Redpanda allocates one Elastic IP (EIP) address in AWS for each BYOC cluster.

Redpanda Cloud does not support customer access to the Kubernetes control plane with kubectl. This restriction allows Redpanda Data to manage all configuration changes internally to ensure a 99.99% service level agreement (SLA) for BYOC clusters.

Manage custom tags

Your organization might require custom tags for cost allocation, audit compliance, or governance policies. After cluster creation, you can manage tags with the Cloud Control Plane API. The Control Plane API allows up to 16 custom tags in AWS.

Make sure you have:

  • The cluster ID. You can find this in the Redpanda Cloud UI, in the Details section of the cluster overview.

  • A valid bearer token for the Cloud Control Plane API. For details, see Authenticate to the API.

To unlock this feature for your account, contact Redpanda Support.

  1. To refresh agent permissions so the Redpanda agent can update tags, run:

    export CLUSTER_ID="<cluster-id>"
    
    rpk cloud byoc aws apply --redpanda-id="$CLUSTER_ID"

    This step is required because tag management requires additional IAM permissions that may not have been granted during initial cluster creation:

    • ec2:DescribeTags

    • ec2:DescribeVolumes

    • ec2:DescribeNetworkInterfaces

    • ec2:CreateTags

    • ec2:DeleteTags

    • iam:TagPolicy

    • iam:UntagPolicy

    • iam:TagInstanceProfile

    • iam:UntagInstanceProfile

  2. To update tags, invoke the Cloud API.

    First, set your authentication token:

    export AUTH_TOKEN="<your-bearer-token>"

    The PATCH call sets the tags specified under "cloud_provider_tags". It replaces the existing tags with the specified tags. Include all desired tags in the request. To remove a single entry, omit it from the map you send.

    cluster_patch_body=$(cat <<'JSON'
    {
      "cloud_provider_tags": {
        "Environment": "production",
        "CostCenter": "engineering"
      }
    }
    JSON
    )
    
    curl -X PATCH "https://api.redpanda.com/v1/clusters/$CLUSTER_ID" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $AUTH_TOKEN" \
      -d "$cluster_patch_body"

    To remove all tags, send an empty cloud_provider_tags object:

    cluster_patch_body='{"cloud_provider_tags": {}}'
    
    curl -X PATCH "https://api.redpanda.com/v1/clusters/$CLUSTER_ID" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $AUTH_TOKEN" \
      -d "$cluster_patch_body"
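Because the PATCH call replaces the whole cloud_provider_tags map, sending only the tags you want to change silently drops every other tag on the cluster. The script below is an added example, not Redpanda's own tooling: it merges the tags the cluster already has with the changes you want, checks the result against the 16-tag Control Plane API limit stated above and against AWS's own tag rules (keys beginning with aws: are reserved; double quotes and backslashes are not valid tag characters), builds the request body, and sends the same PATCH as in step 2 only when APPLY=1 is set. It assumes tags are handled as key=value lines (split at the first =), and CURRENT_TAGS is a constructed sample of what the cluster already carries; in practice you would read that from the API with a JSON tool.

```shell
#!/bin/sh
# Added example, not Redpanda's own tooling: assemble the complete
# cloud_provider_tags map before calling PATCH, because the call replaces the
# whole map and would otherwise drop any tag you leave out.
# Assumptions (not from the docs page): tags are handled as "key=value" lines,
# one per line, split at the first "="; CURRENT_TAGS is a constructed sample;
# the 16-tag limit is the Control Plane API limit stated on the page, while the
# reserved "aws:" key prefix and the character rules are AWS's general tag rules.

MAX_TAGS=16

# Constructed sample: tags currently on the cluster (normally read from the API).
CURRENT_TAGS='Environment=production
CostCenter=engineering
Owner=platform-team'

# Constructed sample: what you want to change or add. Keys here override keys
# in CURRENT_TAGS; everything else in CURRENT_TAGS is kept.
DESIRED_CHANGES='CostCenter=data-platform
Compliance=soc2'

# merge_tags CURRENT DESIRED -> merged key=value lines, sorted by key.
merge_tags() {
  printf '%s\n%s\n' "$1" "$2" | awk -F= '
    NF >= 2 { key = $1; sub(/^[^=]*=/, ""); tags[key] = $0 }
    END { for (k in tags) print k "=" tags[k] }
  ' | sort
}

# validate_tags LINES -> 0 if the set is acceptable to send, 1 otherwise.
validate_tags() {
  count=$(printf '%s\n' "$1" | grep -c '=' || true)
  if [ "$count" -gt "$MAX_TAGS" ]; then
    echo "error: $count tags exceed the Control Plane API limit of $MAX_TAGS" >&2
    return 1
  fi
  if printf '%s\n' "$1" | grep -qi '^aws:'; then
    echo "error: keys beginning with aws: are reserved by AWS" >&2
    return 1
  fi
  if printf '%s\n' "$1" | grep -q '["\\]'; then
    echo "error: double quotes and backslashes are not valid in AWS tags" >&2
    return 1
  fi
  return 0
}

# build_tag_patch_body LINES -> the JSON request body for the PATCH call.
build_tag_patch_body() {
  printf '%s\n' "$1" | awk -F= '
    NF >= 2 { key = $1; sub(/^[^=]*=/, ""); n++; items[n] = "\"" key "\": \"" $0 "\"" }
    END {
      printf "{\"cloud_provider_tags\": {"
      for (i = 1; i <= n; i++) printf "%s%s", (i > 1 ? ", " : ""), items[i]
      printf "}}\n"
    }
  '
}

# patch_cluster_tags BODY -> sends the PATCH from the docs, or prints it when DRY_RUN=1.
patch_cluster_tags() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'dry run: PATCH https://api.redpanda.com/v1/clusters/%s\n%s\n' "${CLUSTER_ID:-<cluster-id>}" "$1"
    return 0
  fi
  : "${CLUSTER_ID:?export CLUSTER_ID first}" "${AUTH_TOKEN:?export AUTH_TOKEN first}"
  curl -fsS -X PATCH "https://api.redpanda.com/v1/clusters/$CLUSTER_ID" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $AUTH_TOKEN" \
    -d "$1"
}

merged=$(merge_tags "$CURRENT_TAGS" "$DESIRED_CHANGES")
validate_tags "$merged" || exit 1
body=$(build_tag_patch_body "$merged")
# Print the body for review; send it only when APPLY=1 is set.
echo "$body"
if [ "${APPLY:-0}" = "1" ]; then patch_cluster_tags "$body"; fi
```

Review the printed body first, then run with `APPLY=1` (and CLUSTER_ID and AUTH_TOKEN exported, as in the steps above) to send it; `DRY_RUN=1 APPLY=1` prints the exact request without calling the API.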