Skip to main content
Nuon BYOC allows you to run a stand-alone, single-tenant instance of Nuon in your own AWS account. This gives you full control over your data, networking, and compliance requirements. To get started, contact sales

Prerequisites

AWS Account

You will need an AWS account. A VPC and other network infrastructure will be created during the installation. Ensure your user has admin permissions, and that the account has not reached it’s quota limits for VPCs, EIPs, and Internet Gateways. The following regions have been tested and confirmed to support Nuon BYOC.
  • us-east-1
  • eu-west-1
Nuon’s resource requirements are not compatible with AWS Free Tier. You will need a paid account.

DNS

Root DNS

You will need to expose the Nuon APIs and Dasboard to be able to able to use is, which requires settings up DNS. For example, if you wanted to host Nuon BYOC at nuon.my-domain.com, complete the following steps.
  1. Before installation, create the DNS zone my-domain.com if it does not already exist.
  2. Provide nuon.my-domain.com as the value for the Root Domain input.
  3. Once Nuon BYOC has fully provisioned, the domains of the DNS servers for the install will be available in the outputs.
  4. Create an NS record named nuon.my-domain.com, using the DNS server domains as the value.
  5. Once propagation is complete, the Nuon Dashboard should be reachable at app.nuon.my-domain.com.
Nuon will provision the following subdomains under the domain you configure. Only the runner API needs to be exposed to the Internet. The rest of the subdomains can all be private to your network.
SubdomainServicePublic
appThe vendor dashboard
apiThe control plane API, used by the Vendor Dashboard and the CLI
adminThe admin API. Exposes functionality for administration of the control plane
runnerThe API used by runners to communicate with the control plane.true
The Nuon Dashboard uses cookies for authentication, and they will be shared on all subdomains of the provided root domain. We strongly recommend creating a Nuon-specific subdomain to avoid leaking auth cookies.

Delegation DNS

If you do not want your users to have to have to set up DNS when installing your app, you can optionally configure your apps to use DNS delegation. A unique subdomain will be created for each install under a shared subdomain. In Nuon Cloud, for example, we use nuon.run. Installs created in Cloud will can given a subdomain based on their install ID, such as inl160z2xmng8w1jnq0xxhelln.nuon.run. You don’t need to use this feature, but the control plane does require you to configure a domain it can use in the event that you do.

GitHub App

Create a GitHub App so Nuon can clone code for components from private repos.
  1. Go to GitHub App Settings and click New GitHub App
  2. Configure the app with these settings:
SettingValue
GitHub App nameChoose any name (e.g., “Nuon BYOC”)
Homepage URLhttps://app.<your-root-domain>
Setup URLhttps://app.<your-root-domain>/connect
Redirect on UpdateChecked
WebhookUnchecked
  1. Set permissions:
PermissionAccess
ContentsRead-only
  1. Under “Where can this GitHub App be installed?”, select Only on this account (unless you need to access repos in other GitHub organizations)
  2. Click Create GitHub App
  3. After creation, scroll to the bottom and click Generate a private key. Save this PEM file - you’ll need it later.
  4. Note your App ID and Client ID from the app settings page.

Identity Provider

Nuon must be configured to use your IdP for authentication.
Nuon BYOC only supports Google as an IdP at this time. We will be adding support for more IdPs in the future.

Google

To use Google as your IdP, set up a client in Google Auth Platform. You will need a Google Cloud Platform account.
  1. Log into your Google Cloud Platform console.
  2. Navigate to Google Auth Platform, and open the “Clients” tab.
  3. Create a new client named “Nuon BYOC”.
  4. Save the client ID and secret.
  5. Add an authorized redirect URI with the value, https://auth.<your-root-domain>/auth.

Auth0 (DEPRECATED)

Nuon BYOC previously required Auth0 for authentication, but this dependency has been removed. This documentation is retained for anyone still using Auth0, but new Nuon BYOC installs should use the new IdP integration documented above.
To use Auth0 for authentication, you will need to configure an API, applications, and a custom action in your Auth0 tenant. Nuon provides a Terraform module to automate Auth0 configuration. We recommend this over manual configuration. Apply the following Terraform to use it. 
module "byoc_auth0" {
  source = "github.com/nuonco/byoc-auth0"
  # Your Auth0 tenant domain
  auth0_domain = "your-tenant.auth0.com"
  # The root domain for your BYOC install
  public_domain = "<your-root-domain>"
  # Your Nuon install ID
  install_id   = "<your-install-id>"
  install_name = "<your-install-name>"
}
After applying, the module outputs the values you will need for the install inputs. If you prefer to configure Auth0 manually, follow the steps below. Add an action to enrich the access token with the user’s email.
  1. Go to Actions > Library in your Auth0 dashboard
  2. Click Create Action > Build from scratch
  3. Name it AddScope and select the latest runtime
  4. Replace the code with:
exports.onExecutePostLogin = async (event, api) => {
  const email = event.user.email;
  api.accessToken.setCustomClaim(`email`, email);
};
  1. Deploy the action
  2. Go to Actions > Triggers > Post Login
  3. Drag the AddScope action into the flow and save
Create an API with the following settings.
SettingValue
NameAPI Gateway <your-install-id>
Identifierapi.<your-root-domain>
Maximum Access Token Lifetime2592000
Implicit/Hybrid Flow Access Token Lifetime86400
Allow Skipping User Consenttrue
The Identifier must match your API URL exactly. It cannot be changed after creation.
Create a Single Page Application for the Dashboard UI.
SettingValue
NameNuon App - <your-install-name>
Allowed Callback URLshttps://app.<your-root-domain>/api/auth/callback
Allowed Logout URLshttps://app.<your-root-domain>
Allowed Web Originshttps://app.<your-root-domain>
Allow Cross-Origin Authenticationtrue
Maximum Refresh Token Lifetime31557600
Allow Refresh Token Rotationtrue
Rotation Overlap Period0
Create a Native Application for CLI authentication.
SettingValue
NameNuon CTL API - <your-install-name>
DescriptionFor BYOC Nuon Install <your-install-id>
Allow Cross-Origin Authenticationtrue
Device Code (Advanced > Grant Types)Checked
Finally, you can optionally enable additional identity providers. Okta Create an OIDC Application in Okta.
  1. In Okta, create a new OIDC application
  2. Set the Sign In Redirect to <your-auth0-tenant>/login/callback
  3. Set Trusted Origins to <your-root-domain>
  4. Note the Client ID and Client Secret
Create an Enterprise Connection in Auth0.
  1. Go to Authentication > Enterprise > Okta Workforce > Create
  2. Configure:
    • Connection name: Choose a unique name
    • Okta domain: Your Okta tenant domain
    • Client ID/Secret: From Step 1
  3. Enable Sync user profiles at each login
  4. Set User Mapping:
{
  "attributes": {
    "email": "${context.tokenset.email}"
  },
  "mapping_mode": "use_map"
}

Inputs

After configuring all dependencies, update your install inputs in the customer dashboard.

Authentication Configuration

InputValue
Auth Provider Typegoogle
Auth Client ID[secret]
Auth Client Secret[secret]
Auth Redirect URLhttps://auth.<your-root-domain>/auth
If using the deprecated Auth0 integration, you will need to provide these inputs instead.
InputValue
Auth0 Issuer URLYour Auth0 tenant URL
Auth0 AudienceYour Auth0 API identifier
Auth0 Client ID - CTL APIYour Auth0 native app client ID
Auth0 Client ID - Dashboard UIYour Auth0 SPA client ID

GitHub Configuration

InputValue
Github App NameName of your GitHub app
Github App IDID of your GitHub app
Github App Client IDClient ID from your GitHub app

DNS Configuration

InputValue
Root DomainYour custom domain, or <your-install-id>.nuon.run for Nuon-provided domain

Database Configuration (Optional)

Adjust instance sizes for RDS, Temporal, and ClickHouse clusters if needed.

Secrets

When provisioning the CloudFormation stack, provide these secrets:
SecretValue
github_app_keyYour base64-encoded GitHub App PEM key
auth_client_secretThe client secret from your Auth0 SPA
The GitHub App PEM key must be base64 encoded because AWS CloudFormation doesn’t preserve newlines in text fields.To encode your PEM key:
base64 -i your-github-app-key.pem

Provision

Once all inputs and secrets are configured
  1. Return to your install in the Nuon dashboard
  2. Click Reprovision Install from the Manage menu
  3. Wait for the provision workflow to complete

Configure DNS (Optional)

To host your BYOC Nuon instance under a custom domain, configure DNS for your root domain to point to the Route53 Zone created in the sandbox. After the sandbox provisions, you’ll receive:
  • A Zone ID for your public domain
  • Nameserver records to add to your domain’s DNS
Create NS records in your domain’s DNS pointing to the Route53 nameservers provided.
See Creating a subdomain that uses Amazon Route 53 as the DNS service for detailed instructions.

Verify Installation

After successful provisioning, verify your installation is working by visiting these URLs.
ServiceURL
Dashboardhttps://app.<your-root-domain>
CTL APIhttps://api.<your-root-domain>
Runner APIhttps://runner.<your-root-domain>
You can also verify the API is responding by curling it directly. 
curl https://api.<your-root-domain>/health