Nuon BYOC allows you to run a stand-alone, single-tenant instance of Nuon in your own AWS account. This gives you full
control over your data, networking, and compliance requirements.
To get started, contact sales
Prerequisites
AWS Account
You will need an AWS account. A VPC and other network infrastructure will be created during the installation. Ensure
your user has admin permissions, and that the account has not reached it’s quota limits for VPCs, EIPs, and Internet
Gateways.
Nuon’s resource requirements are not compatible with AWS Free Tier. You will need a paid account.
DNS (Optional)
We can automatically provision a root domain for you at <install-id>.nuon.run. But you can also use your domain as the root instead, via DNS delegation. For example, if you wanted to host Nuon BYOC at nuon.my-domain.com, complete the following steps.
- Before installation, create the DNS zone
my-domain.com if it does not already exist.
- Provide
nuon.my-domain.com as the value for the Root Domain input.
- Once Nuon BYOC has fully provisioned, the domains of DNS servers for the install will be available in the outputs.
- Create an NS record named
nuon.my-domain.com, using the DNS server domains as the value.
- Once propagation is complete, the Nuon Dashboard should be reachable at
app.nuon.my-domain.com.
The Nuon Dashboard uses cookies for authentication, and they will be shared on all subdomains of the provided root domain. We strongly recommend creating a Nuon-specific subdomain to avoid leaking auth cookies.
GitHub App
Create a GitHub App so Nuon can clone code for components from private repos.
-
Go to GitHub App Settings and click New GitHub App
-
Configure the app with these settings:
| Setting | Value |
|---|
| GitHub App name | Choose any name (e.g., “Nuon BYOC”) |
| Homepage URL | https://app.<your-root-domain> |
| Setup URL | https://app.<your-root-domain>/connect |
| Redirect on Update | Checked |
| Webhook | Unchecked |
- Set permissions:
| Permission | Access |
|---|
| Contents | Read-only |
-
Under “Where can this GitHub App be installed?”, select Only on this account (unless you need to access repos in
other GitHub organizations)
-
Click Create GitHub App
-
After creation, scroll to the bottom and click Generate a private key. Save this PEM file - you’ll need it later.
-
Note your App ID and Client ID from the app settings page.
Identity Provider
Nuon must be configured to use your IdP for authentication.
Nuon BYOC only supports Google as an IdP at this time. We will be adding support for more IdPs in the future.
Google
To use Google as your IdP, set up a client in Google Auth Platform. You will need a Google Cloud Platform account.
- Log into your Google Cloud Platform console.
- Navigate to Google Auth Platform, and open the “Clients” tab.
- Create a new client named “Nuon BYOC”.
- Save the client ID and secret.
- Add an authorized redirect URI with the value,
https://auth.<your-root-domain>/auth.
Auth0 (DEPRECATED)
Nuon BYOC previously required Auth0 for authentication, but this dependency has been removed. This documentation is retained for anyone still using Auth0, but new Nuon BYOC installs should use the new IdP integration documented above.
module "byoc_auth0" {
source = "github.com/nuonco/byoc-auth0"
# Your Auth0 tenant domain
auth0_domain = "your-tenant.auth0.com"
# The root domain for your BYOC install
public_domain = "<your-root-domain>"
# Your Nuon install ID
install_id = "<your-install-id>"
install_name = "<your-install-name>"
}
- Go to Actions > Library in your Auth0 dashboard
- Click Create Action > Build from scratch
- Name it
AddScope and select the latest runtime
- Replace the code with:
exports.onExecutePostLogin = async (event, api) => {
const email = event.user.email;
api.accessToken.setCustomClaim(`email`, email);
};
- Deploy the action
- Go to Actions > Triggers > Post Login
- Drag the
AddScope action into the flow and save
Create an API with the following settings.
| Setting | Value |
|---|
| Name | API Gateway <your-install-id> |
| Identifier | api.<your-root-domain> |
| Maximum Access Token Lifetime | 2592000 |
| Implicit/Hybrid Flow Access Token Lifetime | 86400 |
| Allow Skipping User Consent | true |
The Identifier must match your API URL exactly. It cannot be changed after creation.
| Setting | Value |
|---|
| Name | Nuon App - <your-install-name> |
| Allowed Callback URLs | https://app.<your-root-domain>/api/auth/callback |
| Allowed Logout URLs | https://app.<your-root-domain> |
| Allowed Web Origins | https://app.<your-root-domain> |
| Allow Cross-Origin Authentication | true |
| Maximum Refresh Token Lifetime | 31557600 |
| Allow Refresh Token Rotation | true |
| Rotation Overlap Period | 0 |
| Setting | Value |
|---|
| Name | Nuon CTL API - <your-install-name> |
| Description | For BYOC Nuon Install <your-install-id> |
| Allow Cross-Origin Authentication | true |
| Device Code (Advanced > Grant Types) | Checked |
- In Okta, create a new OIDC application
- Set the Sign In Redirect to
<your-auth0-tenant>/login/callback
- Set Trusted Origins to
<your-root-domain>
- Note the Client ID and Client Secret
Create an Enterprise Connection in Auth0.
- Go to Authentication > Enterprise > Okta Workforce > Create
- Configure:
- Connection name: Choose a unique name
- Okta domain: Your Okta tenant domain
- Client ID/Secret: From Step 1
- Enable Sync user profiles at each login
- Set User Mapping:
{
"attributes": {
"email": "${context.tokenset.email}"
},
"mapping_mode": "use_map"
}
Authentication Configuration
| Input | Value |
|---|
| Auth Provider Type | google |
| Auth Client ID | [secret] |
| Auth Client Secret | [secret] |
| Auth Redirect URL | https://auth.<your-root-domain>/auth |
If using the deprecated Auth0 integration, you will need to provide these inputs instead.| Input | Value |
|---|
| Auth0 Issuer URL | Your Auth0 tenant URL |
| Auth0 Audience | Your Auth0 API identifier |
| Auth0 Client ID - CTL API | Your Auth0 native app client ID |
| Auth0 Client ID - Dashboard UI | Your Auth0 SPA client ID |
GitHub Configuration
| Input | Value |
|---|
| Github App Name | Name of your GitHub app |
| Github App ID | ID of your GitHub app |
| Github App Client ID | Client ID from your GitHub app |
DNS Configuration
| Input | Value |
|---|
| Root Domain | Your custom domain, or <your-install-id>.nuon.run for Nuon-provided domain |
Database Configuration (Optional)
Adjust instance sizes for RDS, Temporal, and ClickHouse clusters if needed.
Secrets
When provisioning the CloudFormation stack, provide these secrets:
| Secret | Value |
|---|
github_app_key | Your base64-encoded GitHub App PEM key |
auth_client_secret | The client secret from your Auth0 SPA |
The GitHub App PEM key must be base64 encoded because AWS CloudFormation doesn’t preserve newlines in text fields.To encode your PEM key:base64 -i your-github-app-key.pem
Provision
Once all inputs and secrets are configured
- Return to your install in the Nuon dashboard
- Click Reprovision Install from the Manage menu
- Wait for the provision workflow to complete
To host your BYOC Nuon instance under a custom domain, configure DNS for your root domain to point to the Route53 Zone
created in the sandbox.
After the sandbox provisions, you’ll receive:
- A Zone ID for your public domain
- Nameserver records to add to your domain’s DNS
Create NS records in your domain’s DNS pointing to the Route53 nameservers provided.
Verify Installation
After successful provisioning, verify your installation is working by visiting these URLs.
| Service | URL |
|---|
| Dashboard | https://app.<your-root-domain> |
| CTL API | https://api.<your-root-domain> |
| Runner API | https://runner.<your-root-domain> |
curl https://api.<your-root-domain>/health
