External networks in DoubleCloud (BYOA)


External networks in DoubleCloud are used to transmit information between cloud resources, such as clusters, and connect them to the internet via peering connections in the same way as internal networks. The main difference is that the network will be created under your own AWS account and will belong to you.

Each network has its own CIDR blocks for both IPv4 and IPv6. You can find these addresses on the VPC overview page in the DoubleCloud console.

DoubleCloud creates external networks based on the CloudFormation stacks. When you start creating a network with your stack, CloudFormation creates a special IAM role with permission boundaries that will allow managing resources in your account, such as virtual machines, disks, VPCs, and others.

This technique is called BYOA that reads "Bring Your Own Account".


DoubleCloud does not have access to the data you store and process. We handle CloudFormation stacks as a sandbox where only the infrastructure is accessible, not data.

You can find the DoubleCloud stack template in our S3 bucket to see which resources will be created by default.

Why use BYOA

It's useful when you need to keep your data within your AWS network without providing any access to third parties, especially if you have strict compliance and security requirements or want to configure all the network elements by yourself.

When you use external networks, you manage computational resources, storage, and data on the AWS side. DoubleCloud handles backups, monitoring, logs, and everything else to make the resource management convenient.

When you decide to use BYOA, you're the only one responsible for your network management in AWS. This includes all the network elements - VPC, subnets, security groups, ALBs, and other elements. You will also have to manage the costs on the AWS side.


Clusters in external networks have two levels of protection:

  • AWS VPC security measures

    When you add an external network, DoubleCloud creates several entities under your AWS account. The entities list includes VPC, security groups, ACLs, route tables, and others, depending on your network configuration. The predefined parameters prevent unauthorized access to your network.

  • Allow lists in DoubleCloud

    The main manually configurable access management measure is using allow lists for each separate cluster. The allow list prohibits access to the cluster from each IP address except the ones explicitly specified as allow lists entries.


DoubleCloud has no access to your data. Read more about our security policies here: Security principles in DoubleCloud.


Unlike DoubleCloud standard pricing, the BYOA approach has custom pricing depending on the network parameters. In this case, you are responsible for all underlying costs for traffic, storage and AWS resources that make the most part of the price. DoubleCloud receives fees for managed infrastructure.

You can see the pricing when you create a cluster in an external network.

See also