SQL Execution Control
VeloDB BYOC separates administrative control-plane operations from production query execution. Warehouse compute, data access, and query processing run inside the customer-managed BYOC environment, while the VeloDB control plane provides deployment, lifecycle management, monitoring, support, and platform administration.
This page explains how SQL execution is handled in BYOC deployments, how SQL Studio access can be governed, and which deployment options are available for organizations with strict security, compliance, regulatory, or data residency requirements.
Control Plane and Query Execution
In a BYOC deployment, the VeloDB control plane manages operational workflows such as provisioning, scaling, upgrades, monitoring, alerting, and support coordination. Production query execution is performed by VeloDB services deployed in the customer's cloud account.
This separation means:
- Query processing occurs in the customer-managed BYOC environment.
- Data access and result generation occur in the customer data plane.
- Control-plane services manage administrative and operational workflows.
- SQL access can be governed separately from operational console access.
This model helps customers keep production data under their cloud-account controls while still using the VeloDB control plane for centralized operations.
SQL Studio Access
SQL Studio provides a browser-based interface for authorized users to submit SQL statements and view query results.
When SQL Studio is enabled, it acts as a client interface for accessing a target VeloDB deployment. Depending on the deployment architecture and access model selected by the customer, SQL requests may be routed through VeloDB-managed access services that help provide authenticated user access to the BYOC environment.
Because many organizations apply strict policies to production query access, VeloDB provides controls that can restrict, disable, or isolate SQL Studio access while preserving operational management through the VeloDB Console.
Organization-Level Disablement
VeloDB supports organization-level disablement of SQL Studio query execution. This control is administered through VeloDB Support and is not currently exposed as a self-service organization setting.
Upon customer request, VeloDB can disable SQL Studio query execution for an organization. When this control is enabled:
- Users cannot execute SQL statements through the VeloDB Console or SQL Studio interface.
- Query requests cannot be initiated through SQL Studio.
- Query results cannot be retrieved through SQL Studio.
- Administrative and operational management functionality remains available through the VeloDB Console.
This option is intended for organizations whose internal security policies prohibit production query access through vendor-operated user interfaces, while still allowing authorized teams to use operational management capabilities.
Access Control Mechanisms
VeloDB provides multiple access controls that can be used independently or together to govern SQL Studio access.
Role-Based Access Control
SQL Studio access is governed through role-based access control (RBAC). Organizations can limit query execution privileges to authorized users and align access with operational responsibilities, separation-of-duties requirements, and internal governance policies.
For the broader identity and permission model, see Identity and Access.
IP Access Restrictions
Organizations can restrict console access to approved source networks, such as corporate network ranges, VPN egress ranges, private connectivity environments, or other trusted IP addresses.
IP-based restrictions provide an additional layer of protection by limiting where SQL Studio access can originate while preserving centralized administrative access to the platform.
Private SQL Studio Deployment
For customers with enhanced security, compliance, sovereignty, or data residency requirements, VeloDB supports deployment of SQL Studio components within the customer-controlled environment.
Under this deployment model:
- SQL query execution remains within the customer environment.
- Query requests do not traverse the shared VeloDB SaaS control plane.
- Query results do not traverse the shared VeloDB SaaS control plane.
- Customers control network access, authentication controls, and operational governance for SQL Studio access.
- Production query traffic remains within customer-controlled infrastructure boundaries.
This model is commonly used by organizations that require strict separation between operational management services and production query traffic, or that have regulatory requirements governing where production data may be accessed or processed.
Recommended Production Configurations
For production environments with strict security, compliance, or governance requirements, VeloDB recommends one of the following approaches.
Disable SQL Studio Access
Organizations may request organization-level disablement of SQL Studio query execution while continuing to use the VeloDB Console for operational management.
RBAC and IP access restrictions can be used with this option to further limit administrative access to authorized personnel and approved networks.
Use Private SQL Studio Deployment
Organizations requiring complete separation between production query traffic and shared vendor-operated services may deploy SQL Studio within their own environment and manage access through customer-controlled networking, identity, authentication, and security controls.
This option provides the highest degree of customer control over SQL access and can help align query access with internal security and compliance requirements.
Control Summary
| Control | Availability |
|---|---|
| Organization-level SQL Studio disablement | Available upon request |
| Role-based access control | Supported |
| IP access restrictions | Supported |
| Private SQL Studio deployment | Supported |
| Separation of control-plane operations and query execution | Supported |
| Restriction of SQL access to approved users and networks | Supported |
These controls help customers align SQL access capabilities with internal security, compliance, and governance requirements while maintaining transparency about how production query traffic is handled in BYOC deployments.
Support and Evidence
Organization-level SQL Studio disablement is available through VeloDB Support.
Configuration examples, deployment guidance, and architecture details can be provided upon request as part of a security review, compliance assessment, or production readiness evaluation.