Customer Virtual Private Cloud

When data cannot leave your environment


We recommend the Managed Solution for most of our customers when possible to limit customer environment access and release engineering resources from the customer

With customer VPC deployment, there are three paths to get Validio deployed with differing levels of assistance from the Validio team depending on customer preference.

1. White glove deployment

The customer grants escalated privileges on either a dedicated or shared AWS account/GCP project to the deployment team at Validio. With white glove deployment, Validio will take care of the entire installation including provisioning of all resources needed on the cloud provider, such as Kubernetes cluster, load balancers, DNS entries. Kubernetes cluster will then be connected to a GitOps repository managed by Validio enabling installations, upgrades and maintenance of the Validio platform.

This option is available to select early adopters.


The Customer needs to grant the Editor role to the following groups:

And grant the Kubernetes Engine Admin and Logging Admin role to the following group:


The customer needs to grant AWSAdministratorAccess to a list of users (Validio’s Deployment Team) which will be provided in advance as part of the Customer Deployment Information document.

2. Deployment by accessing customer Kubernetes cluster

The customer will need to create a Kubernetes cluster with 3 worker nodes or more of at least types m5.large on AWS or n2-standard-2 on GCP. The control plane of the cluster needs to be on a public network, while the worker nodes may be located in a private/public network. The customer should make sure the worker nodes are on a single availability zone. Validio should receive Administrator level access on the cluster to hook the cluster into the GitOps repository managed by Validio to take care of installation, upgrade and maintenance of the platform.

On GKE cluster (GCP)
  • The customer needs to create a standard regional or zonal VPC-native GKE cluster. If it is a regional cluster, make sure to specify a single zone for the nodes. The control plane must be reachable publicly, and by default the workloads must be able to reach to the Internet, either by being on a public subnet or via a NAT gateway.
  • The cluster needs to have at least 3 nodes of type n2-standard-2. The nodes needs to be in the same zone as discussed in the point above.
  • The cluster must have Compute Engine persistent disk CSI Driver enabled.
  • The cluster must have Workload Identity enabled.
  • A cloud DNS zone must be configured within the project. (It can be a delegated zone)
  • A Google Service Account must be created having a DNS administrator role.
  • The Service Account, must grant a workload identity user to[kube-system/external-dns] (Replace PROJECT_ID with the GCP project ID)
  • The customer needs to grant Kubernetes Engine Admin role to Validio’s deployment and platform groups ([email protected], [email protected])
On EKS cluster (AWS)
  • The customer needs to create an EKS cluster with a node group being deployed in a single availability zone.
  • The cluster must have at least 3 nodes of type m5.large.
  • The cluster must have the AWS ALB ingress controller enabled to be able to create application load balancers.
  • A Route53 zone must be configured for the AWS account so the cluster can add a record entry in it. (This can also be a delegated zone)
  • The cluster must have an IAM role for a Service Account to be able to add records to the Route53 zone.
  • The customer needs to grant Kubernetes Admin access to a list of users (Validio’s Deployment Team) which will be provided in advance as part of the Customer Deployment Information document.

3. Customer manual deployment

With this approach, Validio neither has access to the customer's AWS account or GCP project, nor the Kubernetes cluster. The customer will instead be granted access to a distribution channel, where customers can download Validio Helm charts and install it manually on their EKS or GKE clusters. While Validio will offer support under agreed upon service levels, the customer needs to have adequate in-house DevOps resources since Validio will be unable to manage the infrastructure or maintain the Kubernetes cluster. Customers will be responsible to handle maintenance and updates manually.