Self-hosting your CI/CD infra


Aspect Workflows is the Software-as-a-Service product that runs Bazel developer workflows, such as continuous integration and delivery, with the speed and cost benefits promised by this advanced tool. But it’s not like most cloud-hosted SaaS that runs on an account the vendor provides. Instead we deploy into our customers’ cloud accounts, a model sometimes called “Bring Your Own Cloud” (BYOC). In this post I’ll explain why we do it this way, and how our customers benefit.
Enhanced Security
Customer cloud accounts have security protocols to isolate networks on Virtual Private Clouds (VPCs), enforce custom IAM roles, and firewall applications to prevent unintended access. CI/CD systems are core to the software supply-chain, so vulnerabilities matter! Self-hosted CI infrastructure is subject to the same policies.
Self-hosting requires less trust in the vendor. While Aspect is SOC2 certified of course, there are always other security and business risks in relying on a vendor to operate the infrastructure. The reduced risk in self-hosting has advantages in legal and procurement processes as well.
Self-hosted infrastructure-as-code (IaC) also allows your security scanning tools to operate over the vendor’s infrastructure definitions, including any co-maintenance policies granted to the vendor’s on-call engineers.
Data Control and Compliance
Data is retained in the customer’s cloud, and is subject to the access auditing, encryption, and retention policies enforced by their platform team. This is especially useful in industries where regulations like GDPR, HIPAA, and FINRA impose constraints on data management.
Cloud Pricing
Many companies have a cloud contract that reserves some capacity to get a better pricing agreement. Others, like startups, have credits given by the cloud sales team or by their investors. Sometimes there’s a requirement to utilize all the compute credits or reservations.
Hosting CI infrastructure in the customer’s cloud account lets them save on hosting costs, compared with a vendor-hosted model.
Honest Billing
Running tests can be resource-intensive, and you want to be able to run as many as you need. When a vendor meters their service based on usage, it’s difficult to budget for predicted SaaS costs.
In the case of Build & Test, the vendor should be expected to reduce the cloud compute costs by optimizing use of caching and right-sized, elastic-scaling instances. If the vendor is rewarded for consuming compute, they have a perverse incentive to use more resources rather than less.
Self-hosting infrastructure puts the resource billing under the customer’s control, and allows them to scrutinize the optimizations the vendor provides.
Low-latency, high-bandwidth integrations
Running infrastructure in the customer’s cloud makes it much more straightforward to introduce components developed in-house or by other vendors. For example, build system infrastructure should be network-adjacent to a remote development cluster or remote IDE backends.
Written by

Alex Eagle
Fixing Bazel!