# Setup BYOC with Azure

{% hint style="info" %}
**Note**: groundcover BYOC is available only to users subscribed to one of our [paid plans](https://www.groundcover.com/pricing).
{% endhint %}

## Intro

### BYOC general overview

**groundcover BYOC** is a managed enterprise solution for installing groundcover’s observability infrastructure in a customer-owned cloud environment.

To set up **groundcover BYOC**, you need to create an isolated subscription within your Azure organization. groundcover's control plane will automatically manage the project resources, establishing, configuring, and maintaining the infrastructure and workloads within the subscription. These include Azure Managed Groups, VNet, AKS, and LB services.

### Security of groundcover Control-Plane

groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise BYOC infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.

The control plane securely accesses the service principal of the isolated subscription within the customer organization using a cross-tenant federation chain. The BYOC setup does not require access to customer production data or workloads, and is not granted such access.

## Setup Guide

### Chapter 0 - Create a workspace

{% hint style="success" %}
If you've previously set up a workspace with groundcover, skip this step.
{% endhint %}

Follow the steps in the link below to sign up and create a workspace in groundcover:

[login-and-create-a-workspace](https://docs.groundcover.com/getting-started/login-and-create-a-workspace "mention")

### Chapter 1 - BYOC Backend

#### Step 1: Create a new Azure subscription under your organization

Create a new Azure subscription called `groundcover-byoc` (suggested name) for groundcover deployment.

#### Step 2: Install the groundcover-managed application into the Azure tenant containing the subscription

1. Select "Tenant Properties" in Azure Portal\
   ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-79d13ff2c281e57946a6951b791dbd739af1a4af%2Fimage%20\(88\).png?alt=media)
2. Copy the tenant ID (this information will be used later in the guide)\
   ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-8b81a723684b6b6cca7a3ec31a1218afef518333%2Fimage.png?alt=media)
3. Paste the tenant ID into the following link, replacing `<TENANT_ID>` with the copied value.\
   \
   `https://login.microsoftonline.com/<TENANT_ID>/oauth2/authorize?client_id=81c2dd72-dd18-442e-a2bb-546c00fe63dd&response_type=code&redirect_uri=https%3A%2F%2Fgroundcover.com`
4. Follow the **oauth2** link from a privileged browser session.
5. You will be presented with a permission request screen. Select the "Accept for the organisation" checkbox and click "Accept".

#### Step 3: Grant the application access to the `groundcover-byoc` subscription

1. From <https://portal.azure.com/#home> search for "Subscription".
2. Pick the `groundcover-byoc` subscription and choose "Access Control (IAM)"\
   ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-230ebc7ac01c81fbe4d1ccd2fea797b031f1b966%2Fimage.png?alt=media)
3. Choose "Add > Role Assignment"

   <figure><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-ae0c5fc68f63ff15982d36ecb5b74bcb1a4a99e6%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
4. On the roles screen select "Privileged administrator roles", pick the **Owner** role and click "Next"\
   ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-8ddbeafc544eba5a89adc82b4a065bc483fb69f2%2Fimage.png?alt=media)
5. On the Members screen\
   ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-6a2fdc048c7d1748ebe50cad1dd9828615434d19%2Fimage.png?alt=media)
   1. Click "Select Members"
   2. A popup modal should appear, allowing you to add permissions for new members to the subscription.\
      ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-d020d6ef88f099491b7c4348314876bcef26f5d5%2Fimage.png?alt=media)
   3. Search for `groundcover-managed`\
      ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-7e08481c284fb7c6cbb7639b2b9d423702215f3e%2Fimage.png?alt=media)
   4. Select the service principal and click "Select"\
      ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-c4762d4f972746ecc8793e1167a4eb0f4605ae54%2Fimage.png?alt=media)
6. `groundcover-managed` now appears in the list of members that are able to gain permissions on the subscription object. Click Next\
   ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-1f503162f99a8cedf3f0cc74fc18d290c20a3e55%2Fimage.png?alt=media)
7. In Conditions select the second option, **Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended)**, then click Next.\
   ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2FVpsSOgdkOEe9M2XMtIrI%2FScreenshot%202025-12-02%20at%2011.20.45.png?alt=media\&token=f1774800-f037-4ed1-a55b-2b2e638c420b)
8. Click Review and Assign\
   ![](https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fgit-blob-801b3f9811b81ab2eccda9d9ee945b463d1bdd27%2Fimage.png?alt=media)
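
A check for the result of Step 3, added here as an example and not part of groundcover's documentation or tooling: it audits the role assignments held by the `groundcover-managed` service principal and flags any scope outside the BYOC subscription, or an Owner assignment missing the condition chosen in item 7. The input is assumed to be JSON in the shape that `az role assignment list -o json` prints; the function name, finding labels and GUIDs are constructed for illustration.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json` output
# for the groundcover-managed principal. All GUIDs are placeholders.
BYOC_SUB = "00000000-0000-0000-0000-0000000000aa"
SAMPLE = json.dumps([
    {"principalName": "groundcover-managed", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{BYOC_SUB}",
     "condition": "<condition text written by the portal>",
     "conditionVersion": "2.0"},
    {"principalName": "groundcover-managed", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-0000000000bb/resourceGroups/prod",
     "condition": None, "conditionVersion": None},
])


def audit_assignments(raw_json, byoc_subscription_id):
    """Return findings for one principal's role assignments (hypothetical helper)."""
    expected = f"/subscriptions/{byoc_subscription_id}".lower()
    findings, owner_seen = [], False
    for a in json.loads(raw_json):
        scope = (a.get("scope") or "").lower().rstrip("/")
        role = a.get("roleDefinitionName") or ""
        # Anything at the root, a management group or another subscription
        # is access the BYOC setup should not have.
        if scope != expected and not scope.startswith(expected + "/"):
            findings.append(f"OUT_OF_SCOPE: {role} at {a.get('scope')}")
            continue
        if role == "Owner" and scope == expected:
            owner_seen = True
            # Item 7 attaches a condition limiting which roles can be assigned.
            if not a.get("condition"):
                findings.append("UNCONDITIONED_OWNER: Owner has no condition")
    if not owner_seen:
        findings.append("MISSING_OWNER: no Owner assignment on the BYOC subscription")
    return findings


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE, BYOC_SUB):
        print(finding)
```

An empty result means the principal holds a conditioned Owner assignment on the BYOC subscription and nothing outside it, within the assignments that were exported.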

#### Step 4: Enable Quotas for Azure Database for PostgreSQL Flexible Server

{% hint style="info" %}
If your region is not in the list below, skip this step.
{% endhint %}

If the region you are setting up BYOC on is one of the following:

* Canada East
* East US
* Germany West Central
* Qatar Central

You need to enable PostgreSQL flexible server for the region by navigating to Help + Support -> Create a support request.

Enter the following description -> **Go**

<figure><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2F4PLRytfCHghjcDoDlS91%2FScreenshot%202025-11-23%20at%2017.18.32.png?alt=media&#x26;token=c35e1346-5922-4b5f-8c41-9a5a73f8dd1e" alt=""><figcaption></figcaption></figure>

Choose the first option then **Next** -> **Create a support request**

On the next page, choose **Azure service**, then the **groundcover-byoc** subscription created at the beginning, and the **Azure Database for PostgreSQL Flexible Server** quota type, then click **Next**.

<figure><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2Fvehda2odGZ3NpZ7PzXjU%2FScreenshot%202025-11-23%20at%2017.19.33.png?alt=media&#x26;token=32d6a968-ab1e-41ae-a88b-8d5fa3c3efba" alt=""><figcaption></figcaption></figure>

In **Request Details** click on **Enter Details**.\
Then enter the following details. The Location is based on the location where your BYOC deployment will run.

<figure><img src="https://2771001740-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUHgqKYgCiRKdOpWQdi52%2Fuploads%2FHUsoawthPspRQHuDmfJV%2FScreenshot%202025-11-23%20at%2017.20.23.png?alt=media&#x26;token=01f49226-1a5c-4eee-b760-efd764369dd7" alt=""><figcaption></figcaption></figure>

Click **Save and Continue**, enter your contact details, then **Next** -> **Create**.

It usually takes up to a day for the request to be approved. Once it's approved, we can continue to the next steps.

#### Step 5: Share the integration details with groundcover

After completing the previous steps, share the \<TENANT\_ID> and \<SUBSCRIPTION\_ID> (created in the previous steps) with your dedicated integration manager at groundcover.

### Chapter 2 - Backend Reconciliation

At this stage, our automation kicks in. Please allow **approximately 2 hours** for the initial reconciliation loop to stabilize.

### Chapter 3 - Sensor Deployment

Once stabilized, your integration manager will share with you (using a private channel) the `byoc-values.yaml` file to use when deploying the sensor on your production workloads, in the following manner:

```bash
groundcover deploy -f byoc-values.yaml
```

Please see [API Key Secret](https://docs.groundcover.com/customization/customize-deployment/api-key-secret) for additional information.

## Start using groundcover

You can now log in to [app.groundcover.com](https://app.groundcover.com) to use groundcover, with total data control and privacy.
