Managed vs. Self-Hosted CI/CD

Should your CI/CD system be self-hosted or a managed service? Before deciding which path to take, consider the tradeoffs and advantages of both approaches.

By Eric Goebelbecker, DZone Core · Mar. 30, 22 · Analysis

This is an article from DZone's 2022 DevOps Trend Report.


Continuous integration/continuous deployment (CI/CD) pipelines have matured from new forms of automation to mission-critical systems. DevOps teams rely on pipelines to deliver value to their customers by tightening developer feedback loops and standardizing processes. When a system becomes more valuable and important, it tends to increase in complexity. It must support more users, be more reliable, and perform, despite the increased load. Soon the CI/CD system built for one team has grown to support every business line in the firm. 

Should your CI/CD system be self-hosted or a managed service? You may be asking yourself this as you review an existing CI/CD system or prepare to build a new one. Which approach will work best for you? 

Managing Your Systems vs. Outsourcing to SaaS

When you outsource an internal system to a managed service provider, you’re giving up control over the systems the application runs on. Sometimes this is an advantage. Having fewer systems can mean reduced headaches, less capital outlay, and the potential for a smaller headcount. But it also means relying on someone else to do the work. Let’s compare four key systems support areas: 


| | Self-Hosted | Managed Services |
|---|---|---|
| Cross-team coordination | Supporting CI/CD systems requires cross-team coordination for applying updates, system upgrades, and repairs. | Coordination is limited to what’s required to share pipelines and artifacts between teams. |
| Scalability | You’re responsible for monitoring systems, planning upgrades, and capital investment. | Scaling up means adding users or moving to a higher service tier. This still requires more spending. |
| Software updates and maintenance | You’re responsible for tracking and applying software updates. | The managed provider is responsible for software updates. |
| Hardware break/fix support | You’re responsible for keeping systems running and fixing them when they break. | The managed provider is responsible for maintaining systems. |

Table 1: Self-Hosted vs. Managed Services: Advantages and Disadvantages

Security 

All of your IT infrastructure must be secure, but CI/CD holds your application code and configs as well as information about the users that can deploy them. It needs the highest level of security you have to offer.

Security Advantages and Risks of Managed Services 

When you outsource an application, you’re outsourcing the security with it. You’re not responsible for doing the work, but you’re still accountable for the outcome. Even if the cloud provider is authenticating users against your directory services, you’re trusting them with enforcing access to some of your most precious data. Should you? 

“Cloud” is another word for “someone else’s computer,” and “managed services” means “on the Internet.” Your staff will have convenient access from anywhere, regardless of whether your offices are open or accessible. This is a tremendous convenience that also has disaster recovery benefits. But it increases your attack surface and puts your fate in the hands of an external company. 

Security Advantages and Risks of Self-Hosted

If you keep your CI/CD system in-house, you’re responsible for its security. You know your system’s requirements and your user community, which may be an advantage. But maybe a managed provider has more security knowledge and experience on their staff than you do. One thing you can do is keep your CI/CD system off the Internet. You can lock it down so it’s only accessible from behind a firewall, or even go as far as isolating it to internal networks and your VDI infrastructure. But that’s no guarantee of safety, and you’ll be giving up the convenience that an Internet-accessible managed service offers.

Regardless of where you locate your CI/CD, you still need to worry about supply-chain attacks. Many managed CI/CD providers offer vulnerability scanning and penetration testing solutions. If you keep your pipelines in-house, you’re taking on responsibility for that, too.

Control

When someone else manages your CI/CD pipeline, you have less control. Is it a worthwhile tradeoff? How much are you willing to relinquish? Will ceding control to a managed service hamper how you use your pipelines? What benefits do you receive in return for ceding some control? 

Advantages To Controlling Your Resources

When you’re in control, you’re responsible for defining all policies regarding how your CI/CD systems are used, run, and administered. For example, if your development teams want custom plugins for your CI/CD platform, the decision is yours. A managed provider may only allow approved plugins or have an onerous approval process that holds up progress. You also control your destiny regarding where you put your CI/CD servers and source code. 

As we covered in the security section, managed services are accessible via the Internet: 

  • The managed CI/CD system needs to access your source control repositories. For some providers, your code needs to be in a managed repository like GitHub, GitLab, or Stash. Is this compatible with your intellectual property policies? Keeping your CI/CD in-house means you can keep your code there, too.  
  • You may be able to retain control over your code by opening access to your private repos instead of moving to a managed solution, but this opens up new risks.
  • Your users will need to manage a new set of credentials for the managed service, or you’ll need to expose your directory services to the provider.

Putting Your Destiny in Someone Else’s Hands

What happens when someone else controls your CI/CD systems? 

  • The managed providers control their pricing.
  • The vendor is responsible for protecting your data and maintaining redundant systems and up-to-date backups.
  • Connections between cloud CI/CD providers and cloud source control providers are secure and easy to manage.
  • Most cloud vendors integrate easily with public OAuth providers like Google and GitHub, so it’s easy to integrate cloud services. 
  • Your requirements will change, and so will the vendor. How much effort will it take to move your pipeline back in-house or to another vendor if it becomes necessary? 
  • Similarly, what happens when you outgrow the vendor? 
  • Does the vendor support all the integrations you need? Will they keep up with new products? 

Cost  

We’ve alluded to costs and potential cost savings several times so far. Let’s look at how you should evaluate managed vs. self-hosted CI/CD costs. Managed CI/CD systems are priced per user and per minute for CI/CD operations. You probably have a handle on how many users you’ll have, but how can you estimate minutes? What happens when a process spins out of control? Accurately estimating month-to-month costs is difficult at best. Large enterprises may have some leverage to keep costs under control by negotiating flat pricing based on a minimum spend. Smaller companies may not. 

Self-hosted CI/CD means you’re responsible for licensing the software required to run your systems. While the major CI/CD platforms are open source, the more popular and useful enterprise editions have licenses for which you will be required to pay. Then there’s also the cost of buying and maintaining hardware or cloud systems. Hardware requires a capital investment, colocation space (including power), and maintenance. Cloud systems have a monthly fee, and while there’s no hardware to maintain, they must be monitored, updated, and fixed from time to time. 

Conclusion

As cloud computing grows more prevalent, managed solutions for core functions like CI/CD become more attractive. In many cases, moving to managed services allows development teams to focus on their application domain, get more done, and perhaps even save some money. But choosing between managed or self-hosted CI/CD is difficult because there are many moving parts. Which option is best depends on your specific situation. 

The wrong call can waste a great deal of time, effort, and money. Before you decide which path to take, it’s critical that you consider all of the tradeoffs and advantages of both approaches.  
