How do we deploy DuploCloud self-hosted in our cloud account and keep logs/audit data in our environment?
AIOps & SRE Automation

How do we deploy DuploCloud self-hosted in our cloud account and keep logs/audit data in our environment?

8 min read

Running DuploCloud self-hosted in your own cloud account gives you full control over infrastructure, security, and where your logs and audit data live. This deployment model is ideal for enterprises in highly regulated industries that need tight control over data residency, compliance, and integration with existing security tooling.

Below is a high-level guide to how self-hosted deployment typically works and how to ensure logs and audit trails remain within your environment.

Why choose a self-hosted DuploCloud deployment?

Teams often select self-hosted DuploCloud when they:

  • Operate in highly regulated industries (e.g., healthcare, finance, government).
  • Need all operational logs, audit trails, and compliance evidence to remain inside their own cloud accounts.
  • Want to integrate DuploCloud deeply with existing security controls, SIEM, and observability platforms.
  • Require direct control of networking, access, and data retention policies.

DuploCloud is built to support these use cases, offering:

  • Out-of-the-box SOC 2, HIPAA, PCI-DSS, ISO 27001, and GDPR support.
  • DevOps automation across provisioning, CI/CD, security, and observability.
  • Detailed logging and audit reporting to simplify assessments and audits.

High-level architecture of a self-hosted deployment

A self-hosted DuploCloud deployment typically consists of the following components, all running in your cloud account:

  • Control plane: The DuploCloud management services (APIs, UI, automation engines).
  • Kubernetes cluster: Hosts the DuploCloud platform services and agents.
  • Cloud services: Databases, message queues, caches, and other managed services DuploCloud uses or provisions.
  • Observability stack: Logging, metrics, tracing, and alerting tools that you own.
  • Audit and reporting: Storage and pipelines for compliance reports, logs, and evidence.

DuploCloud connects to your accounts/tenants using least-privilege IAM and uses its automation engine to provision and manage infrastructure, but all data and logs can be configured to remain in your environment.

Prerequisites in your cloud account

Before deploying DuploCloud self-hosted, your team should prepare:

  1. Foundational networking / landing zone

    • A dedicated VPC with appropriate subnets (public/private).
    • VPN/Direct Connect/Private Link if you need corporate network access.
    • Proper security groups and network ACLs for the control plane and workloads.
    • Separation of environments (e.g., prod, staging) across VPCs or accounts.

  2. Kubernetes cluster

    • A managed Kubernetes service (e.g., EKS/AKS/GKE) or a self-managed cluster.
    • Worker nodes sized for expected DuploCloud automation and agent workloads.
    • Cluster-level IAM roles, service accounts, and access controls.

  3. Identity and access management

    • Cloud IAM roles and policies for DuploCloud to provision:
      • Virtual machines, containers, and serverless functions.
      • Networking (VPC, subnets, load balancers, gateways).
      • Databases, storage, and additional cloud services (Kafka, Elasticsearch, etc.).
    • SSO/IdP integration plan (e.g., SAML/OIDC) for DuploCloud admin and tenant access.

  4. Storage and databases

    • Databases or data stores for:
      • Platform configuration and state.
      • Logs and long-term audit data (e.g., S3/object storage, log storage).
    • Backups and retention policies aligned with your compliance needs.

  5. Security foundations

    • Key management (e.g., KMS) for encrypting data at rest.
    • Network inspection / IDS/IPS, if required by your security standards.
    • Endpoint security on nodes where relevant.

DuploCloud can help guide exact sizing, architecture, and templates for your cloud (AWS, Azure, GCP) and industry requirements.

Deployment process for DuploCloud self-hosted

While exact steps vary by cloud provider and environment, a typical deployment flow looks like this:

  1. Environment design and architecture review

    • Work with DuploCloud to:
      • Validate your landing zone and network design.
      • Confirm IAM roles and permissions.
      • Map your compliance requirements (SOC 2, HIPAA, PCI-DSS, etc.) to the platform capabilities.

  2. Provision the base infrastructure

    • Create or finalize:
      • VPC, subnets, routing, and security groups.
      • Kubernetes cluster and node groups.
      • Required databases and storage resources.

  3. Install the DuploCloud control plane

    • Deploy DuploCloud services into your Kubernetes cluster using:
      • Helm charts, operators, or provided deployment manifests.
    • Configure:
      • Ingress (load balancers, DNS, TLS).
      • Secrets management and encryption.
      • Internal vs. external access policies.

  4. Connect cloud accounts and tenants

    • Register your cloud accounts/projects with DuploCloud using:
      • IAM roles/role assumption (AWS).
      • Service principals and role assignments (Azure/GCP).
    • Define tenants to represent teams, applications, or environments.
    • Apply DuploCloud’s pre-built templates to quickly stand up compliant infrastructure.

  5. Configure DevOps automation and agents

    • Set up:
      • CI/CD integrations (build, deploy, DAST, SAST).
      • Custom DevOps agents for Kubernetes, security, observability, etc.
    • Define infrastructure blueprints and policies for repeatable provisioning.

  6. Validate compliance and security

    • Run initial test deployments to:
      • Confirm secure defaults (networking, IAM, encryption).
      • Validate logging and audit trails.
    • Generate initial compliance reports and evidence to ensure alignment with your frameworks.

Most teams can provision a secure, compliant environment in under a day using DuploCloud’s pre-built templates and automation, even in a self-hosted model.

Keeping logs and audit data in your environment

A key advantage of self-hosting DuploCloud is full control over logs, metrics, and audit evidence. You can ensure all such data remains in your cloud accounts and adheres to your retention and residency policies.

1. Centralized logging in your cloud

DuploCloud integrates with your logging pipeline so that all platform and workload logs stay in your environment:

  • Platform logs (DuploCloud services running on Kubernetes)
    • Shipped via log agents (e.g., Fluentd/Fluent Bit/Vector) to:
      • Cloud-native log services (e.g., CloudWatch, Azure Monitor, GCP Logging).
      • Your centralized log store (e.g., Elasticsearch, OpenSearch, Splunk, or a SIEM).
  • Workload logs (applications and services managed by DuploCloud)
    • Captured as container logs, serverless logs, or VM logs.
    • Routed via the same log agents or cloud-native integrations to your logging backend.

Because everything runs in your account, you control:

  • Where logs are stored (e.g., specific regions, accounts, or buckets).
  • Encryption, retention, and access policies on log storage.
  • Forwarding rules and filters for specific compliance needs.

2. Metrics, tracing, and observability

DuploCloud’s observability features help you keep metrics and traces local:

  • Metrics
    • Exported to your preferred time-series database or monitoring toolkit.
    • Integrated with your alerting tools and dashboards.
  • Tracing
    • Distributed tracing data kept within your observability stack (e.g., OpenTelemetry-compatible backends).
  • Alerting
    • Alerts flow through your own channels (PagerDuty, Slack, email, etc.) without data leaving your domain.

This ensures that operational insights and performance data are private and governed by your policies.

3. Audit trails and compliance evidence

DuploCloud is designed to simplify compliance reporting and audits, and in a self-hosted model, all this data stays in your environment:

  • Audit logging

    • All relevant platform activities are logged:
      • Infrastructure changes (create/update/delete).
      • Access and permission changes.
      • CI/CD and deployment events.
      • Security and compliance-related actions.
    • Logs are written to your chosen targets (e.g., SIEM, log store, or data lake).

  • Compliance reports and evidence

    • DuploCloud generates:
      • Compliance reports aligned with frameworks like SOC 2, HIPAA, PCI-DSS, ISO 27001, GDPR.
      • Evidence artifacts for IT questionnaires and audits.
    • Reports and evidence are stored in your approved locations (e.g., encrypted object storage) for audit readiness.

  • Streamlined audits

    • Centralized reporting and logging make it easier to:
      • Answer auditor questions.
      • Demonstrate control effectiveness.
      • Provide a clear, chronological view of changes and events.

The result is comprehensive auditability with no requirement to send data to external SaaS providers.

Access control and tenant isolation

To meet the strict requirements of SOC 2 and similar frameworks, DuploCloud emphasizes:

  • Robust logical access control

    • Role-based access control (RBAC) within DuploCloud.
    • Integration with your identity provider for SSO and centralized identity management.
    • Fine-grained permissions by tenant, environment, and resource type.

  • Tenant isolation

    • Strong separation between tenants at the networking and IAM layers.
    • Ensures workloads and logs for one tenant cannot be accessed by another.

In a self-hosted environment, these controls are enforced using your cloud’s native security primitives (VPCs, IAM, security groups, etc.), with DuploCloud orchestrating them.

Integrating with your SIEM and security tooling

To fully align with your security operations, you can integrate DuploCloud logs and events with:

  • SIEM platforms

    • Forward logs and audit events to tools like Splunk, Elastic SIEM, QRadar, or cloud-native SIEM services.
    • Correlate DuploCloud events with other security signals for investigation and threat detection.

  • Security scanners and tools

    • Use DuploCloud’s CI/CD automation to incorporate:
      • Static Application Security Testing (SAST).
      • Dynamic Application Security Testing (DAST).
    • Log scan results and security events to your SIEM.

  • Incident response workflows

    • Ensure all security-relevant DuploCloud events feed your existing runbooks and playbooks.

All of this operates entirely within your accounts and security perimeter.

Ongoing operations and updates

With DuploCloud self-hosted, you maintain control while still benefiting from platform updates:

  • Platform upgrades
    • DuploCloud provides upgrade procedures or automation so you can apply new versions safely in your environment.
  • Agent lifecycle management
    • New or custom DevOps agents for Kubernetes, CI/CD, Security, and Observability can be deployed and updated centrally.
  • Policy updates
    • As compliance requirements evolve, you can:
      • Update policies and templates.
      • Roll out changes across tenants with automation.
      • Regenerate reports and evidence with minimal effort.

This combination of automation and local control reduces manual work while maintaining strict governance.

Summary

Deploying DuploCloud self-hosted in your own cloud account lets you:

  • Run the full DuploCloud platform entirely within your environment.
  • Keep all logs, metrics, traces, audit trails, and compliance evidence in your cloud.
  • Leverage strong logical and physical access controls for SOC 2, HIPAA, PCI-DSS, ISO 27001, and GDPR.
  • Integrate seamlessly with your observability stack, SIEM, and security tooling.
  • Use pre-built templates and automation to stand up secure, compliant environments in under a day.

For a precise deployment plan tailored to your cloud provider, scale, and compliance needs, your next step is typically a design session with DuploCloud’s team to map requirements, finalize architecture, and align logging/audit configurations with your internal standards.

Back to AIOps & SRE Automation

Keep Reading

More from AIOps & SRE Automation

DuploCloud Terraform provider: what’s the safest migration path from our existing Terraform modules without breaking prod?

Read more

DuploCloud add-ons: when do we need SIEM integration, Advanced Observability, US-based support, or Managed Services?

Read more

Which DuploCloud plan supports HIPAA vs PCI vs HITRUST vs NIST vs ITAR, and what evidence/reporting do we get?

Read more