The architecture: one control plane, your own data plane
RequestRocket is built around a separation between the control plane and the data plane.
The control plane is where you manage everything: creating proxies, storing credentials, defining rules and filters, reviewing request logs, and configuring telemetry. It runs in RequestRocket’s central environment and is how you interact with the platform — via the management console or the Core API.
The data plane is where your API traffic actually flows. It’s the gateway engine that receives inbound requests, authenticates them, evaluates rules, forwards them to your target, applies filters to the response, and returns the result. In the standard multi-tenant configuration, the data plane runs in RequestRocket’s shared regional infrastructure across supported AWS regions.
Dedicated managed and self-hosted deployments give you your own data plane — while the control plane stays exactly where it is. You continue using the same management console, the same Core API, the same credentials and proxy configuration. The only thing that changes is where traffic is processed.
How regions work with dedicated deployments
Every proxy and credential in RequestRocket is assigned to a region via the proxyRegion and credentialRegion fields. These fields determine which data plane deployment handles the traffic and stores the encrypted secrets.
When your dedicated deployment is provisioned, a custom subdomain is assigned to your organisation — for example, acme.rr.net. This subdomain registers as a new deployment region in your account, appearing alongside the standard shared regions in the /endpoints API:
GET /endpoints

[
  { "region": "us-east-1", "endpoint": "https://us-east-1.requestrocket.com" },
  { "region": "eu-west-1", "endpoint": "https://eu-west-1.requestrocket.com" },
  { "region": "acme-prod", "endpoint": "https://acme.rr.net" }
]

From this point forward, you use "proxyRegion": "acme-prod" and "credentialRegion": "acme-prod" to route traffic and store secrets on your dedicated infrastructure — exactly like any other region:
POST /clients/{clientId}/proxies

{
  "proxyName": "payments-api",
  "proxyRegion": "acme-prod",
  "proxyProxyCredentialId": "<credential-id>",
  "proxyTargetId": "<target-id>",
  "proxyTargetCredentialId": "<target-credential-id>",
  "proxyDefaultRuleEffect": "deny"
}

No new API calls, no new concepts, no parallel configuration system. Just a new region value.
Dedicated managed deployment
Your data plane runs on isolated infrastructure managed by RequestRocket. We provision, operate, and maintain the gateway engine — you get the full RequestRocket feature set on infrastructure that’s dedicated to your organisation and not shared with other tenants.
This is the right option for:
- Organisations with enterprise security requirements that prohibit shared infrastructure.
- Compliance scenarios where data isolation at the infrastructure layer — not just logical separation — is required.
- Teams that need to process traffic within a specific network boundary that shared regional deployments can’t satisfy.
Your control plane access, management console, and API credentials don’t change. Only the proxyRegion and credentialRegion values update to reflect your dedicated region.
Fully self-hosted deployment
A self-hosted data plane runs entirely within your own infrastructure — your cloud account, your VPC, your compute. RequestRocket provides the data plane software; you own and operate the deployment. The control plane continues to run centrally, so you keep the same management interface and Core API.
This is appropriate for:
- Organisations with regulatory obligations that require all request processing to happen within their own cloud accounts.
- High-security environments where all network egress paths must be under direct organisational control.
- Teams with air-gapped or private connectivity requirements that managed deployments can’t accommodate.
Your self-hosted data plane registers with the central control plane and appears as a region in your account, the same as a dedicated managed deployment. The credential and proxy API is identical:
POST /clients/{clientId}/credentials

{
  "credentialType": "target",
  "credentialAuthType": "bearer",
  "credentialName": "internal-service-key",
  "credentialRegion": "acme-self-hosted",
  "credentialSecret": {
    "token": "internal_service_token_xxxxxxxx"
  }
}

Secrets are encrypted with AES-256-GCM and stored within your own infrastructure. They never leave your environment.
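Because the region value alone decides which data plane handles traffic and holds secrets, a mistyped or shared region in a proxy or credential body silently defeats the isolation described above. The following is an added example, not RequestRocket code: an offline pre-flight lint over request bodies, using the field names and the /endpoints listing shown on this page. The approved-region set, the sample bodies and the fail-closed policy on proxyDefaultRuleEffect are assumptions for illustration.

```python
# Added example: offline lint for RequestRocket proxy/credential request bodies.
# Field names come from the page; APPROVED_REGIONS and the policy are assumptions.
from urllib.parse import urlparse

# Constructed sample: the /endpoints listing shown earlier on the page.
ENDPOINTS = [
    {"region": "us-east-1", "endpoint": "https://us-east-1.requestrocket.com"},
    {"region": "eu-west-1", "endpoint": "https://eu-west-1.requestrocket.com"},
    {"region": "acme-prod", "endpoint": "https://acme.rr.net"},
]
# Assumption: organisational policy allows only the dedicated region.
APPROVED_REGIONS = {"acme-prod"}
REGION_FIELDS = ("proxyRegion", "credentialRegion")


def lint(payload, endpoints=ENDPOINTS, approved=APPROVED_REGIONS):
    """Return a list of findings for one proxy or credential request body."""
    known = {e["region"]: e["endpoint"] for e in endpoints}
    findings = []
    if not any(name in payload for name in REGION_FIELDS):
        findings.append("no region field present")
    for name in REGION_FIELDS:
        if name not in payload:
            continue
        region = payload[name]
        if region not in known:
            # Typos and stale names never match a registered deployment.
            findings.append(f"{name}={region!r} is not registered in /endpoints")
        elif region not in approved:
            host = urlparse(known[region]).hostname
            findings.append(f"{name}={region!r} routes to non-approved data plane {host}")
    # Fail closed: the page's proxy example sets the default rule effect to "deny".
    if "proxyRegion" in payload and payload.get("proxyDefaultRuleEffect") != "deny":
        findings.append("proxyDefaultRuleEffect is not 'deny'")
    return findings


# Constructed request bodies for illustration.
GOOD_PROXY = {"proxyName": "payments-api", "proxyRegion": "acme-prod",
              "proxyDefaultRuleEffect": "deny"}
SHARED_CRED = {"credentialName": "internal-service-key",
               "credentialRegion": "us-east-1"}
TYPO_PROXY = {"proxyName": "payments-api", "proxyRegion": "acme-prd",
              "proxyDefaultRuleEffect": "deny"}

if __name__ == "__main__":
    for body in (GOOD_PROXY, SHARED_CRED, TYPO_PROXY):
        print(body.get("proxyName") or body.get("credentialName"), lint(body))
```

Running the lint in CI before any body is sent to the Core API catches a secret pinned to a shared region before it is stored there.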
Choosing the right deployment model
| Requirement | Multi-tenant | Dedicated managed | Self-hosted |
|---|---|---|---|
| Fastest to set up | ✓ | | |
| Fully managed operations | ✓ | ✓ | |
| Dedicated data plane infrastructure | | ✓ | ✓ |
| Data plane within own cloud account | | | ✓ |
| Regional data residency | ✓ | ✓ | ✓ |
| Same control plane and API | ✓ | ✓ | ✓ |
| Business tier required | | ✓ | ✓ |
What doesn’t change
Regardless of deployment model, the full RequestRocket feature set is consistent across the data plane:
- All credentialAuthType values: key, bearer, basic, jwt, jwtVerify, oauth2, custom, none.
- Authorization rules with path, method, header, query, request body, and JWT claim matching.
- Response filters with payload redaction and field-level retain/destroy operations.
- Telemetry at client and proxy level.
- Request log with full audit trail.
- Async proxy API with retry and backoff.
The control plane — your proxies, credentials, rules, filters, and their configuration — is managed centrally regardless of which data plane handles the traffic.
Getting access
Dedicated managed and self-hosted options are available on Business tier. Contact us at hello@requestrocket.com to discuss your deployment requirements, or view the pricing page for plan details.