Self-Hosting
Self-hosting is available for Enterprise and Partner tier customers who require complete isolation from the LightPane managed infrastructure. You run the entire LightPane stack in your own AWS account. LightPane has zero access to your environment.
When to self-host
Self-hosting is the right choice when:
- Regulatory requirements mandate that no third party has access to your infrastructure metadata
- Data residency rules require all processing to happen in your own account or region
- Security policy prohibits shared infrastructure or third-party-managed environments
- Air-gapped environments have no outbound connectivity to LightPane services
For most customers, the dedicated infrastructure model (Business tier and above) provides sufficient isolation without the operational overhead of self-hosting.
What you receive
LightPane provides a complete deployment package:
| Component | Format |
|---|---|
| Lambda function code | ZIP packages |
| Lambda layers (GCP SDK, dependencies) | ZIP packages |
| Service definitions | JSON definition files |
| CloudFormation template | YAML — provisions the full infrastructure stack |
| DynamoDB table definitions | Included in CloudFormation template |
| API Gateway configuration | Included in CloudFormation template |
| IAM role definitions | Included in CloudFormation template |
| Deployment and update scripts | Shell scripts |
| Configuration guide | Documentation |
What you provide
| Component | Your responsibility |
|---|---|
| AWS account | Not in the LightPane Organisation — fully yours |
| DNS | Your own domain and hosted zone |
| TLS certificates | ACM certificates for your domain |
| Secrets | JWT signing keys, password peppers (generated during setup) |
| Initial admin user | Created during first deployment |
Architecture
The self-hosted stack is identical to the managed dedicated stack:
Your AWS Account
├── API Gateway (HTTP API)
├── CloudFront distribution + WAF
├── Lambda functions
│   ├── Service discovery
│   ├── Key management
│   └── User authentication
├── Lambda layers
│   ├── GCP SDK
│   ├── Service definitions
│   └── Dependencies
├── DynamoDB tables
│   ├── Users
│   ├── Sessions
│   ├── Access grants
│   └── Account groups
├── S3 cache bucket
├── Secrets Manager
│   ├── JWT signing key
│   └── Password pepper
└── CloudWatch Logs and Alarms
Updates
LightPane provides updated deployment packages for:
- New Lambda code (bug fixes, features, performance improvements)
- New service definitions (additional cloud services and attributes)
- Updated Lambda layers (dependency updates)
You pull updates from a secure artifact repository and deploy at your own pace. There is no automatic update mechanism — you control when and how updates are applied.
Version pinning
Self-hosted deployments can pin to a specific version while evaluating updates in a staging environment before applying them to production.
Support model
Self-hosted deployments include:
- Documentation-based setup and operational guidance
- Release notes and migration guides for each update
- Advisory support for deployment and configuration questions
LightPane support does not have access to your environment. Troubleshooting is collaborative — you provide logs and configuration details, and LightPane provides guidance.
Next steps
- Deployment Guide — step-by-step deployment instructions