The Data Path Is the Customer's
Application traffic flows over networking the customer controls, and your control plane never sits in its path.
A BYOC system carries two kinds of traffic, and your architecture must keep them on separate rails. The control path carries reconciliation, health, and lifecycle operations between your control plane and the agent in the customer account, under the constraints of Commandment II. The data path carries end users and applications talking to the deployed product, and it belongs entirely to the customer. Route it through networking the customer controls, end to end. Your control plane must never sit on the data path, terminate it, or proxy it. Because no vendor component is in the path, your control plane is architecturally incapable of observing application data, and a security review can verify that incapability by reading the network topology.
Let the customer choose how the product is reached, across the full exposure spectrum. Fully private: internal load balancers reachable only inside the VPC. Cross-network private: VPC peering into a consumer's network, or a PrivateLink-style endpoint service that exposes the product itself, so a downstream consumer mounts the database or API as a private endpoint in their own VPC with zero internet exposure. Hybrid: a dedicated interconnect or VPN back to a corporate network. Public: an internet-facing endpoint with the customer's own WAF and edge controls in front. Your control plane provisions whichever shape the customer selects, records it as desired state, and reconciles drift. Give the fully private shapes the same first-class support as the shapes that are easy to demo.
Draw the control plane's boundary precisely. It holds the endpoint specification: exposure type, DNS names, certificate references, routing policy. It must never hold the private keys that terminate product TLS, and it must never operate a component that application bytes traverse. Terminate TLS for the product on infrastructure inside the customer account, with certificates and keys the customer owns. Everything an application byte touches, from listener to workload, lives in the customer account.
Separating the rails decouples the failure and trust domains. A control-plane outage leaves data traffic untouched: running workloads keep serving through customer-side load balancers while reconciliation waits. A data-path incident, such as a DDoS against a public endpoint or a peering misconfiguration, gives an attacker no hop toward the control plane, because the two paths share no component.
Apply one test at every design review: trace a byte of application data from the end user to the workload. If at any point it traverses infrastructure you operate, a shared gateway, a vendor-side proxy, a global router, the architecture has re-centralized the traffic BYOC exists to keep inside the customer account. When you need traffic telemetry, collect it from customer-side load balancers and export aggregates over OpenTelemetry on the control path. Inserting a proxy to gain that visibility puts you back on the data path and voids the guarantee.