External networks in DoubleCloud (BYOC)


External networks in DoubleCloud are used to transmit information between cloud resources, such as clusters, and connect them to the internet via peering connections in the same way as internal networks. The main difference is that the network will be created under your own AWS account and will belong to you.

Each network has its own CIDR blocks for both IPv4 and IPv6. You can find these addresses on the VPC overview page in the DoubleCloud console.

DoubleCloud creates external networks based on the CloudFormation stacks. When you start creating a network with your stack, CloudFormation creates a special IAM role with permission boundaries that will allow managing resources in your account, such as virtual machines, disks, VPCs, and others.

This technique is called BYOC that reads "Bring Your Own Cloud."

DoubleCloud stack template

You can find the DoubleCloud stack template in our S3 bucket to see which resources will be created by default.

DoubleCloud Transfer service supports BYOC to make your data migration more intuitive and straightforward.

Why use BYOC

This feature useful when you need to keep your data within your AWS network without providing any access to third parties, especially if you have strict compliance and security requirements or want to configure all the network elements by yourself.

The following diagram shows the allocation of your resources when using BYOC:


When you use external networks, you manage computational resources, storage, and data on the AWS side. DoubleCloud handles backups, monitoring, logs, and everything else to make the resource management convenient.

When you decide to use BYOC, you're the only one responsible for your network management in AWS. This includes all the network elements - VPC, subnets, security groups, ALBs, and other elements. You will also have to manage the costs on the AWS side.


Clusters in external networks have two levels of protection:

  • AWS VPC security measures

    When you add an external network, DoubleCloud creates several entities under your AWS account. The entities include VPC, security groups, ACLs, route tables, and others, depending on your network configuration. The predefined parameters prevent unauthorized access to your network.

  • Allowlists in DoubleCloud

    The main manually configurable access management measure is using allow lists for each separate cluster. The allow list prohibits access to the cluster from each IP address except the ones explicitly specified as allow lists entries.


DoubleCloud has no access to your data. For more information on our data privacy agreements, see Data privacy.


Unlike DoubleCloud standard pricing, the BYOC approach has custom pricing depending on the network parameters.

In this case, you are responsible for all underlying costs for traffic, storage and AWS resources that make the most part of the price. DoubleCloud receives fees for managed infrastructure.

You can see the pricing when creating a cluster in an external network.

See also