How do we deploy DuploCloud self-hosted in our cloud account and keep logs/audit data in our environment?

Many organizations in highly regulated industries need to deploy DuploCloud self-hosted inside their own cloud account while ensuring that all logs and audit data also stay within their environment. This approach gives you the benefits of DuploCloud’s DevOps automation, compliance, and observability, while maintaining full control over data residency, access, and security.

Below is a high-level guide to how this typically works, key architectural considerations, and best practices for keeping logs and audit trails in your own cloud.


Why deploy DuploCloud self-hosted in your own cloud account?

Enterprises in sectors like healthcare, finance, and SaaS with strict regulations (SOC 2, HIPAA, PCI-DSS, ISO 27001, GDPR, etc.) often require:

  • Full control of infrastructure – All compute, networking, and storage running in their own AWS, Azure, or GCP account/subscription.
  • Data residency and sovereignty – Logs, metrics, traces, and compliance evidence remain inside their controlled environment.
  • Stronger security posture – Integration with internal IAM, private networks (VPC/VNet), VPNs, and corporate SIEM.
  • Streamlined audits – Central, in-tenant logging and reporting to speed up SOC 2, HIPAA, PCI-DSS, and similar audits.

DuploCloud supports this by allowing self-hosted deployment in your cloud accounts, combined with comprehensive observability and audit capabilities that also live in your environment.


High-level architecture of a self-hosted DuploCloud deployment

At a conceptual level, a self-hosted deployment of DuploCloud in your cloud account typically includes:

  • Management plane (DuploCloud platform)

    • Runs in your cloud account as containers (e.g., on Kubernetes) or VMs.
    • Provides the web UI, APIs, and automation engine.
    • Orchestrates provisioning of infrastructure, CI/CD, observability, and compliance controls.
  • Landing zones and tenant isolation

    • Uses your VPC/VNet, subnets, and availability zones.
    • Implements isolated tenants representing environments (dev, staging, prod) or business units.
    • Enforces logical access controls per tenant for SOC 2 and similar frameworks.
  • Cloud services and workloads

    • DuploCloud provisions and manages your cloud services:
      • Kubernetes, serverless, DNS, load balancers, Kubeflow
      • Databases, Kafka, Elasticsearch, virtual machines
      • 50+ managed cloud services, all in your account.
  • Observability and audit stack

    • Logging, metrics, tracing, and alerting configured to send data to:
      • Your logging service (e.g., CloudWatch Logs, Azure Monitor, GCP Logging, Elasticsearch, or a self-managed stack).
      • Your SIEM and compliance reporting systems.
    • Audit & reporting features (SIEM integration, compliance reports, evidence, IT questionnaires) run against the data stored in your environment.

Step-by-step: Deploying DuploCloud self-hosted in your cloud account

Implementation details vary by cloud provider and architecture, but the process usually follows these phases.

1. Prepare your cloud environment

  1. Create or identify a dedicated account/subscription/project

    • Recommended to isolate DuploCloud platform resources from other workloads.
    • Configure IAM roles and policies for least-privilege access.
  2. Set up networking and landing zones

    • Create a VPC/VNet (or reuse an existing one) with:
      • Public and private subnets
      • Route tables, NAT gateways, and internet gateways as needed
    • Configure VPN/Direct Connect/ExpressRoute if DuploCloud services must be reachable from on-premises.
  3. Decide on a compute platform

    • Common choices:
      • Managed Kubernetes service (e.g., EKS/AKS/GKE) for DuploCloud’s control plane and supporting services.
      • Virtual machines/VM scale sets where container platforms are not preferred.
  4. Prepare secrets and key management

    • Store sensitive values (API keys, DB passwords) in your KMS, Secrets Manager, or equivalent service.
    • Ensure DuploCloud platform components can access these securely via IAM roles.

2. Install the DuploCloud platform

  1. Provision base infrastructure

    • Deploy the Kubernetes cluster or VM infrastructure where DuploCloud will run.
    • Apply security baselines (security groups, NSGs, firewalls, hardened images).
  2. Deploy DuploCloud services

    • Install DuploCloud core components into your cluster/VMs using the method provided by DuploCloud (e.g., Helm charts, Terraform modules, installation scripts).
    • Configure the platform with:
      • Cloud provider credentials (preferably via IAM roles instead of static keys).
      • Tenant model and initial landing zones.
      • Network policies and ingress/egress rules.
  3. Integrate identity and access management

    • Connect DuploCloud to your identity provider (IdP) via SSO/SAML/OIDC.
    • Configure role-based access control (RBAC) mapped to your teams and environments.
    • Leverage DuploCloud’s access controls in its tenant model for logical segregation and SOC 2 alignment.

3. Configure observability to keep logs and audit data in your environment

This is the critical step for ensuring logs and audit data never leave your cloud account.

DuploCloud provides a unified observability layer for:

  • Logging
  • Metrics
  • Tracing
  • Alerting

Additionally, it supports:

  • SIEM integration
  • Compliance reports
  • Evidence collection
  • IT questionnaires and audit artifacts

To keep all of this inside your environment:

  1. Centralize logs in your cloud logging solution

    • Configure DuploCloud agents and integrations to forward logs to:
      • A cloud-native logging service (e.g., CloudWatch Logs, Azure Monitor, GCP Logging).
      • A self-managed Elasticsearch or OpenSearch cluster in your account.
    • Ensure:
      • Log storage is in your own buckets/disks.
      • Appropriate retention policies are applied per compliance requirements.
      • Access is restricted via IAM and tenant-aware controls.
  2. Set up metrics and traces

    • Use your preferred metrics backend (e.g., CloudWatch Metrics, Prometheus, Azure Monitor).
    • Configure traces to go to a tracing backend deployed in your environment (e.g., Jaeger, Zipkin, or a managed observability tool you control).
    • All telemetry endpoints should be internal (in-VPC/VNet) or private endpoints.
  3. Configure alerting within your environment

    • DuploCloud can integrate with your alerting tools (e.g., SNS, PagerDuty, email, Slack).
    • Ensure alerting pipelines are configured to use endpoints and services you manage.
  4. Integrate with your SIEM and audit tools

    • Route logs and events to your SIEM (e.g., Splunk, Elastic SIEM, Azure Sentinel, or a similar tool running in your cloud).
    • DuploCloud’s Audit & Reporting features (compliance reports, evidence, IT questionnaires) should read from these sources that live in your environment.
    • All evidence and audit artifacts should be stored in storage resources under your control (e.g., encrypted S3 buckets or storage accounts).

4. Enable compliance automation and continuous monitoring

DuploCloud supports out-of-the-box frameworks such as:

  • SOC 2
  • HIPAA
  • PCI-DSS
  • ISO 27001
  • GDPR

and also allows custom policies to be configured.

To take advantage of this in a self-hosted setup:

  1. Apply security and compliance templates

    • Use DuploCloud’s pre-built templates to enforce baseline configurations across:
      • Networking (VPC/VNet, subnets, security groups)
      • Workloads (Kubernetes, serverless, databases)
      • CI/CD and deployment pipelines (SAST, DAST integrations)
  2. Configure continuous compliance monitoring

    • Enable continuous checks against required controls and policies.
    • Store scan results, findings, and remediation tasks in your own environment.
    • Integrate with your ticketing system (e.g., Jira) using secure, internal connectivity.
  3. Streamline audits with centralized reporting

    • Use DuploCloud’s detailed reporting and logging to:
      • Generate compliance reports directly from your log and metric stores.
      • Collect evidence and audit trails automatically.
    • Since all logs and evidence are hosted in your environment, auditors can review them without data leaving your cloud.

Keeping all logs and audit data in your environment: key best practices

To ensure your self-hosted deployment meets strict compliance and security standards:

  1. No external log export

    • Disable or avoid any configuration that exports logs to third-party SaaS outside your account unless explicitly required and approved.
    • Use private or VPC endpoints for any external integrations where possible.
  2. Encrypt everything at rest and in transit

    • Use your cloud provider’s encryption services (KMS-managed keys) for:
      • Logs
      • Databases
      • Object storage used for evidence and reports
    • Enforce TLS everywhere for in-cluster and cross-service communication.
  3. Enforce strict IAM and tenant access controls

    • Leverage DuploCloud’s tenant model for logical and physical access control.
    • Ensure that only authorized roles can access logs and audit data per least-privilege principles.
  4. Standardize retention and deletion policies

    • Define and enforce log retention policies based on SOC 2, HIPAA, PCI-DSS, and GDPR requirements.
    • Implement automated lifecycle policies for log and evidence storage.
  5. Regularly test audit-readiness

    • Use DuploCloud’s reports and evidence collection to run internal “mock audits.”
    • Validate that all required logs, events, and configuration histories are available and easy to retrieve.
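
The residency rules in step 3 and the best practices above can be checked mechanically as part of a mock audit. The following is an added example, not DuploCloud code or part of the original guide: it audits an inventory of log and evidence sinks for external destinations, missing encryption, public endpoints, missing retention, and unapproved readers. The inventory format, account IDs, role names, and retention floor are all constructed assumptions.

```python
"""Audit a log/evidence sink inventory against in-account residency rules."""

OWN_ACCOUNTS = {"111122223333"}               # constructed: account IDs you own
ALLOWED_READERS = {"audit-ro", "sre-oncall"}  # hypothetical role names
MIN_RETENTION_DAYS = 365                      # assumed policy floor

# Constructed inventory. In practice, build it from your cloud provider's APIs.
SINKS = [
    {"name": "prod-app-logs", "account": "111122223333", "kms_key": "alias/logs",
     "tls": True, "private_endpoint": True, "retention_days": 400,
     "readers": ["audit-ro"]},
    {"name": "prod-traces", "account": "111122223333", "kms_key": None,
     "tls": True, "private_endpoint": False, "retention_days": None,
     "readers": ["audit-ro", "dev-all"]},
    {"name": "saas-export", "account": "999988887777", "kms_key": "alias/x",
     "tls": True, "private_endpoint": True, "retention_days": 400,
     "readers": ["audit-ro"]},
]

def audit_sink(sink):
    """Return the list of policy violations for one sink, in check order."""
    findings = []
    if sink["account"] not in OWN_ACCOUNTS:
        findings.append("external-destination")   # data leaves your account
    if not sink.get("kms_key"):
        findings.append("not-encrypted-at-rest")
    if not sink.get("tls"):
        findings.append("no-tls-in-transit")
    if not sink.get("private_endpoint"):
        findings.append("public-endpoint")
    days = sink.get("retention_days")
    if days is None:
        findings.append("no-retention-policy")
    elif days < MIN_RETENTION_DAYS:
        findings.append("retention-too-short")
    # Least privilege: any reader outside the approved set is a finding.
    extra = sorted(set(sink.get("readers", [])) - ALLOWED_READERS)
    findings += [f"unapproved-reader:{r}" for r in extra]
    return findings

def audit(sinks):
    """Map sink name -> findings, listing only sinks that violate policy."""
    report = {s["name"]: audit_sink(s) for s in sinks}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SINKS).items():
        print(f"{name}: {', '.join(findings)}")
```

An empty result from audit() means every sink in the inventory satisfies the rules; any entry is a candidate finding to resolve before an external audit.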

How DuploCloud helps DevOps teams manage this at scale

Self-hosting DuploCloud in your own cloud account while keeping logs and audit data in your environment gives you:

  • DevOps automation

    • Automated provisioning, CI/CD, and observability for Kubernetes, serverless, databases, and more.
    • Event-driven automation that reacts to infrastructure and application changes.
  • Custom agent development

    • Ability to build specialized agents for Kubernetes, CI/CD, security, and observability.
    • Manage your “agentic workforce” in a unified dashboard, running fully inside your environment.
  • Continual compliance and simplified audits

    • Continuous monitoring against SOC 2, HIPAA, PCI-DSS, ISO 27001, and GDPR.
    • Detailed reporting and logging that simplifies audit preparation and reduces human error, all based on data stored in your cloud.

Summary

To deploy DuploCloud self-hosted in your cloud account and keep logs/audit data in your environment, you:

  1. Provision a secure landing zone (VPC/VNet, subnets, IAM, VPN).
  2. Deploy the DuploCloud platform (management plane) into your own compute resources.
  3. Configure observability (logging, metrics, tracing, alerting) so all data is stored in your own logging and SIEM tools.
  4. Enable and tune compliance automation and reporting to work exclusively with data in your environment.
  5. Apply best practices for encryption, access control, retention, and audit-readiness.

This architecture lets you take advantage of DuploCloud’s DevOps automation and compliance capabilities while maintaining complete control over where your infrastructure, logs, and audit evidence live.