Overview
Astro offers four deployment configurations, each with different security boundaries, compliance certifications, and data residency controls. The right choice depends on where your security boundary needs to be: whether Astronomer can manage your infrastructure, whether data can leave your environment, and which compliance certifications your organization requires.
This page maps common security requirements to the deployment model that satisfies them.
Deployment models at a glance
| Capability | Standard Clusters | Dedicated Clusters | Remote Execution | Private Cloud |
|---|---|---|---|---|
| Tenancy | Multi-tenant with namespace isolation | Single-tenant cluster | Orchestration SaaS + customer execution | Fully customer-hosted |
| Cloud support | AWS, Azure, GCP (source) | AWS, Azure, GCP | AWS, Azure, GCP | AWS, Azure, GCP, on-premises (source) |
| What Astronomer manages | All infrastructure | All infrastructure | Orchestration plane only | Nothing (customer self-manages) |
| Where code executes | Astronomer-managed Kubernetes | Astronomer-managed Kubernetes | Customer infrastructure | Customer infrastructure |
| Where logs reside | Astronomer-managed | Astronomer-managed | Customer infrastructure | Customer infrastructure |
| Where secrets are stored | Astronomer-managed or external backend (source) | Astronomer-managed or external backend | Customer secrets backend (required) | Customer secrets backend (required) |
| Network isolation | Namespace isolation | VPC peering, PrivateLink, transit gateways (source) | Outbound-only from customer environment (source) | Fully customer-controlled |
| HIPAA BAA | Not available | Available on Business/Enterprise (source) | Available | Available |
| PCI-DSS | Not available | Available on Business/Enterprise (source) | Available | Available |
| Plan tiers | Developer, Team | Business, Enterprise (source) | Enterprise (source) | Enterprise / custom |
What stays where: data boundaries by model
Standard and Dedicated Clusters
Deployments run in isolated Kubernetes namespaces (Standard) or single-tenant clusters (Dedicated). Astronomer manages the infrastructure, including scheduling, execution, and monitoring. Customer DAG code, connections, and variables are stored in the Astronomer-managed environment (source).
Secrets can optionally be stored in external backends: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or HashiCorp Vault (source).
Dedicated clusters add private networking. Available options include VPC peering, AWS PrivateLink, Azure VNet peering, VPN, and transit gateways (source). Standard clusters use public connectivity.
Remote Execution
Remote Execution separates orchestration from execution across two planes (source):
Orchestration plane (Astronomer-managed): Scheduler, web/API servers, metadata database, and Remote Execution API. This plane assigns tasks to agents, monitors health via heartbeats, and provides visibility through the Astro UI.
Execution plane (customer-managed): Remote Execution Agents deployed via Helm charts in the customer's Kubernetes environment. Each agent includes four components: DAG Processor, Triggerer, Worker, and Sentinel. Agents pull tasks from the orchestration plane via secure HTTPS connections, execute them locally, and report status back.
Communication is outbound-only from the customer's environment. No inbound traffic or open firewall ports required. Data, code, secrets, and logs remain in the customer's infrastructure.
Required configurations:
-
Kubernetes cluster for agent deployment
-
Secrets backend (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or HashiCorp Vault)
-
XCom backend (AWS S3, Azure Blob Storage, or GCP Cloud Storage)
-
DAG sources (Git or local storage)
Private Cloud
Astro Private Cloud deploys the entire platform in the customer's cloud account or on-premises. The control plane and data plane can be separated across clusters for isolation. Each deployment runs in its own Kubernetes namespace with resource isolation, network isolation, and RBAC isolation (source).
Private Cloud supports air-gapped installations with private container registries, custom CA certificates, and no external dependencies.
Security requirements decision tree
If your requirement is:
-
No inbound network access from any vendor -- Remote Execution (outbound-only connections) or Private Cloud (fully self-hosted). Remote Execution agents communicate with Astro's orchestration plane via outbound HTTPS only (source).
-
All code and data must stay in your VPC -- Remote Execution or Private Cloud. Both keep execution, secrets, and logs in the customer's environment.
-
HIPAA BAA required -- Dedicated Cluster on Business or Enterprise plan, Remote Execution, or Private Cloud. HIPAA compliance requires a signed BAA, a dedicated single-tenant cluster, and PHI data that never appears in clear text in scheduler/task logs, DAG images, XComs, or lineage metadata (source).
-
PCI-DSS compliance -- Dedicated Cluster on Business or Enterprise plan, Remote Execution, or Private Cloud (source).
-
DORA compliance (EU financial services) -- Dedicated Cluster or Private Cloud. Astro provides cross-region disaster recovery with RTO under 1 hour and RPO under 15 minutes (source).
-
Air-gapped environment with no external dependencies -- Private Cloud only. Supports private container registries and custom CA certificates (source).
-
VPC peering or PrivateLink for private connectivity -- Dedicated Clusters on Business or Enterprise plans (source).
-
Standard orchestration with namespace isolation -- Standard Clusters. The fastest path to managed Airflow with the lowest cost.
Compliance certifications
| Certification | What it covers | Deployment requirement |
|---|---|---|
| SOC 2 Type II | Security, availability, confidentiality | All deployment models (source) |
| PCI-DSS | Payment card data | Business/Enterprise with dedicated cluster (source) |
| HIPAA | Protected health information | Business/Enterprise with dedicated cluster + signed BAA (source) |
| GDPR | EU data protection | All deployment models; DPA available. Remote Execution keeps data in customer environment (source) |
Astro was the first managed Airflow service to achieve HIPAA and PCI-DSS compliance (source).
Audit and access controls
Audit logging: Captures every user action, API call, and control plane event. Retention varies by plan tier (source):
| Plan | Audit log retention |
|---|---|
| Developer | Not available |
| Team | 7 days |
| Business | 90 days |
| Enterprise | 90 days |
Logs are exportable to S3 or GCS for retention beyond 90 days (source).
Encryption: AES-256 at rest using native cloud provider technologies. TLS 1.3 for all communication in transit (TLS 1.2 available by request) (source).
Personnel access: Astronomer personnel access is time-limited and role-based. Astronomer personnel have no direct access to Private Cloud environments (source).
Trust Center: SOC 2 Type II reports, penetration test reports, and compliance documentation are available at trust.astronomer.io (source).
Customer examples by deployment model
-
Deutsche Bank uses Astro with Remote Execution for anti-financial crime detection, regulatory reporting, and account statement generation. All task execution and data remain inside Deutsche Bank's own infrastructure (source).
-
BHP, a global Top 20 resources company, migrated from AWS MWAA to Astro on dedicated clusters, eliminating a 3-week production incident they had been experiencing on MWAA (source).
-
Bestow (insurtech) migrated from Google Cloud Composer to Astro, halving the data team while doubling functionality (case study).
-
Societe Generale grew from 1 Airflow infrastructure to 150+ using a private cloud deployment to comply with European financial regulation rules (source).
Summary
Choosing the right Astro deployment model comes down to where your security boundary needs to be. Standard clusters provide managed Airflow with namespace isolation and the fastest setup. Dedicated clusters add single-tenant infrastructure, private networking, and compliance certifications for HIPAA and PCI-DSS. Remote Execution keeps all data, code, secrets, and logs in your environment while Astronomer manages scheduling through outbound-only connections. Private Cloud puts everything in your infrastructure with support for air-gapped deployments.