ClickHouse · Blargian · May 15, 2026
@@ -0,0 +1,57 @@
+---
+title: 'Billable AWS services'
+slug: /cloud/reference/byoc/billable-aws-services
+sidebar_label: 'Billable AWS services'
+keywords: ['BYOC', 'bring your own cloud', 'AWS', 'billing', 'cost', 'EKS', 'EC2', 'S3', 'NAT Gateway', 'PrivateLink']
+description: 'AWS services provisioned by ClickHouse BYOC, classified as mandatory or optional, with notes on which ones contribute to your AWS bill'
+doc_type: 'reference'
+---
+
+ClickHouse BYOC provisions a self-contained data plane in your AWS account. This page lists every AWS service the deployment uses, classifies each as mandatory or optional, and notes which ones contribute to your AWS bill.
+
+:::note
+AWS infrastructure costs are billed by AWS directly to your account and are independent of your ClickHouse Cloud subscription.
+:::
+
+## Mandatory services {#mandatory-services}
+
+These services are provisioned in every BYOC deployment.
+
+| Service | Purpose | Billable? |
+|---------|---------|-----------|
+| **Amazon EKS** | Managed Kubernetes control plane that runs the ClickHouse data plane. | Yes — per cluster-hour |
+| **Amazon EC2** (worker instances via EKS managed node groups) | Compute for ClickHouse server pods, ClickHouse Keeper, and platform add-ons. Memory-optimized instance families by default. | Yes — per instance-hour |
+| **Amazon EBS** (gp3 volumes) | Local storage for node OS, container images, and ClickHouse server logs. | Yes — per GB-month + IOPS/throughput |
+| **Amazon S3** | Primary ClickHouse table storage, backups, and platform telemetry. Bucket policies enforce `BucketOwnerEnforced`, public-access block, and SSE. | Yes — storage + request + data transfer |
+| **Amazon VPC** (VPC, subnets, route tables, security groups, internet gateway) | Network isolation for the data plane. Three private and three public subnets across AZs. | No — VPC resources themselves are free |
+| **NAT Gateway + Elastic IP** (one per AZ) | Outbound internet egress from private subnets (control plane connectivity, image pulls, telemetry). | Yes — per hour + data processing |
+| **VPC Endpoint for S3** (gateway endpoint) | Private S3 access without traversing NAT. | No — gateway endpoints are free |
+| **Elastic Load Balancing (NLB)** | Client traffic ingress to ClickHouse services. Created by the in-cluster AWS Load Balancer Controller. Default: internal-facing. | Yes — per LCU-hour + data processed |
+| **AWS IAM** (roles, policies, OIDC provider, Pod Identity associations) | Cross-account access for ClickHouse Cloud, IRSA for in-cluster controllers (cert-manager, external-dns, load-balancer-controller, cluster-autoscaler, EBS CSI driver, state-exporter). | No |
+| **Amazon CloudWatch Logs** | EKS control plane logs (api, audit, authenticator, controllerManager, scheduler). | Yes — ingestion + storage |
+
+## Optional services {#optional-services}
+
+These services are provisioned only when the corresponding feature is enabled.
+
+| Service | Enabled when | Billable? |
+|---------|--------------|-----------|
+| **AWS PrivateLink** (VPC Endpoint Service) | You enable PrivateLink connectivity for client traffic instead of, or in addition to, the NLB. | Yes — per VPC endpoint-hour + data processed |
+| **VPC Peering Connection** | You request peering between the BYOC VPC and another VPC in your account. | No for the connection itself. Cross-AZ and cross-Region data transfer is billable. |
+
+## Data transfer charges {#data-transfer-charges}
+
+Even when individual resources are free, AWS data transfer charges apply:
+
+- **Cross-AZ traffic** between EKS nodes and across replicas in multi-AZ deployments.
+- **Egress to the internet** through NAT Gateway, for control plane heartbeat, telemetry, and image pulls.
+- **Egress to the ClickHouse Cloud control plane** over the encrypted overlay (Tailscale).
+- **Egress to client networks** through the NLB or PrivateLink endpoint.
+
+See [AWS data transfer pricing](https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer) for current rates.
+
+## Related {#related}
+
+- [BYOC architecture](/cloud/reference/byoc/architecture) — components ClickHouse Cloud deploys in your account
+- [BYOC network security](/cloud/reference/byoc/reference/network_security) — how the data plane connects to ClickHouse Cloud
+- [BYOC privilege](/cloud/reference/byoc/reference/privilege) — IAM roles created during BYOC setup
@@ -0,0 +1,41 @@
+---
+title: 'BYOC cost model (AWS)'
+slug: /cloud/reference/byoc/cost-model-aws
+sidebar_label: 'Cost model (AWS)'
+keywords: ['BYOC', 'bring your own cloud', 'AWS', 'cost', 'billing', 'TCO', 'pricing', 'EC2', 'S3', 'EBS']
+description: 'How ClickHouse Cloud charges and AWS infrastructure charges combine into total cost of ownership for a BYOC deployment'
+doc_type: 'reference'
+---
+
+A ClickHouse BYOC deployment generates two independent bills:
+
+1. **ClickHouse Cloud charges** — billed by ClickHouse for your ClickHouse services, based on total memory allocation.
+2. **AWS infrastructure charges** — billed by AWS directly to your AWS account for every resource the BYOC deployment provisions there.
+
+This page describes how each is calculated and how they combine into total cost of ownership (TCO).
+
+## ClickHouse Cloud charges {#clickhouse-cloud-charges}
+
+ClickHouse Cloud charges are based on total memory allocation. [Contact the team](https://clickhouse.com/cloud/bring-your-own-cloud) to understand how this applies to your setup.
+
+## AWS infrastructure charges {#aws-infrastructure-charges}
+
+AWS bills your account directly for every resource provisioned by BYOC. ClickHouse doesn't mark up or resell AWS capacity. See [Billable AWS services](/cloud/reference/byoc/billable-aws-services) for the full mandatory and optional service inventory.
+
+The dominant cost drivers, in typical descending order of contribution to a BYOC bill, are:
+
+1. **Amazon EC2** — worker instances backing the EKS managed node groups. Standard Graviton families (for example, `m7g`) are used by default. Family and count scale with your service's allocated memory and node group autoscaling.
+2. **Amazon S3** — storage of ClickHouse table data and backups in your buckets. Charged per GB-month plus per-request and inter-region transfer fees.
+3. **Amazon EBS** — gp3 volumes attached to worker nodes for OS, container images, and ClickHouse logs.
+4. **NAT Gateway and cross-AZ data transfer** — egress from private subnets, plus traffic between availability zones (multi-AZ deployments replicate data across AZs).
+5. **Amazon EKS** — flat per cluster-hour control plane fee.
+6. **Elastic Load Balancing (NLB)** — per LCU-hour for client ingress traffic.
+7. **CloudWatch Logs, Route 53, KMS, VPC endpoints** — generally a small fraction of the total bill, but vary with workload.
+
+For current AWS list prices, see the per-service pricing pages on [aws.amazon.com](https://aws.amazon.com/pricing/).
+
+## Related {#related}
+
+- [Billable AWS services](/cloud/reference/byoc/billable-aws-services) — full inventory of AWS services BYOC provisions
+- [AWS service limits and quotas](/cloud/reference/byoc/aws-service-limits) — quotas to verify before deployment
+- [BYOC architecture](/cloud/reference/byoc/architecture) — components ClickHouse Cloud deploys in your account
@@ -0,0 +1,48 @@
+---
+title: 'Managing AWS service limits and quotas'
+slug: /cloud/reference/byoc/aws-service-limits
+sidebar_label: 'AWS service limits and quotas'
+keywords: ['BYOC', 'bring your own cloud', 'AWS', 'service quotas', 'service limits', 'EC2', 'EKS', 'VPC', 'EBS']
+description: 'AWS service quotas to verify before BYOC onboarding, how to request increases, and what to monitor as services scale'
+doc_type: 'reference'
+---
+
+A successful BYOC deployment depends on having sufficient AWS service quotas (formerly called *service limits*) in your AWS account. AWS applies default per-Region quotas to most services. Many of these defaults are below what a production BYOC deployment needs, especially in newly created or lightly used AWS accounts.
+
+This page provides a pre-deployment quota checklist, instructions for requesting increases, and ongoing monitoring guidance to prevent quota exhaustion as your services scale.
+
+## Pre-deployment quota checklist {#pre-deployment-quota-checklist}
+
+Before initiating BYOC onboarding, verify the following quotas in the AWS Region where you plan to deploy. Quotas are per Region and per account.
+
+### Required quotas {#required-quotas}
+
+| Service | Quota name | BYOC requirement | Default | Action |
+|---------|------------|------------------|---------|--------|
+| **EC2** | Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances | ≥ peak vCPU of your service tier × 1.5 (headroom for autoscaling and MBB upgrades) + 100 vCPU cores for system and Keeper workload | Often 32–256 vCPU on new accounts | **Request increase** to match the BYOC requirement |
+| **EC2 (VPC)** | VPCs per Region | ≥ 1 (BYOC creates 1 dedicated VPC) | 5 | Verify available |
+| **EC2 (VPC)** | Elastic IPs per Region | ≥ 3 (one per AZ for NAT Gateway) | 5 | Verify available. Request increase if running multiple BYOC deployments in the same Region. |
+| **EC2 (VPC)** | NAT Gateways per AZ | ≥ 1 | 5 | Verify available |
+| **EC2 (VPC)** | Internet Gateways per Region | ≥ 1 | 5 | Verify available |
+| **EC2 (VPC)** | Subnets per VPC | ≥ 6 (3 public + 3 private) | 200 | No action |
+| **EC2 (VPC)** | Security groups per VPC | ≥ 10 | 2,500 | No action |
+| **EKS** | Clusters per Region | ≥ 1 | 100 | No action |
+| **EKS** | Managed node groups per cluster | ≥ 4 | 30 | No action |
+| **EKS** | Nodes per managed node group | ≥ peak node count for your service tier | 450 | No action |
+| **S3** | Buckets per account | ≥ 4 (data, backup, billing, monitoring) | 100 (increases supported up to 1,000) | Verify headroom for other workloads |
+| **EBS** | Storage for General Purpose SSD (gp3) | ≥ peak ClickHouse log + OS volume × node count | 50 TiB | Verify available |
+| **Elastic Load Balancing** | Network Load Balancers per Region | ≥ 1 per ClickHouse service | 50 | Verify available |
+| **CloudWatch Logs** | Log groups per Region | ≥ 5 | 1,000,000 | No action |
+
+### Quotas to verify if optional features are enabled {#optional-feature-quotas}
+
+| Feature enabled | Service | Quota |
+|-----------------|---------|-------|
+| AWS PrivateLink | EC2 (VPC) | VPC endpoint services per Region (default 20) — request an increase per concurrent PrivateLink-enabled service. |
+| VPC Peering | EC2 (VPC) | Active VPC peering connections per VPC (default 50). |
+
+## Related {#related}
+
+- [Billable AWS services](/cloud/reference/byoc/billable-aws-services) — full inventory of AWS services BYOC provisions
+- [BYOC cost model (AWS)](/cloud/reference/byoc/cost-model-aws) — how ClickHouse Cloud and AWS charges combine
+- [BYOC architecture](/cloud/reference/byoc/architecture) — components ClickHouse Cloud deploys in your account