# Application Deployment

This page covers how the managed platform is deployed and how you deploy your applications. It also clarifies the boundary between HashSphere responsibilities and customer responsibilities.

### HashSphere platform deployment (managed)

Deployment and operation of HashSphere instances is performed by the HashSphere team. For the platform component breakdown, see [Architecture Overview](https://docs.hashsphere.com/managed-service/architecture-overview).

HashSphere endpoints are private. They are exposed into the customer VPC using:

* AWS VPC endpoints (PrivateLink patterns)
* GCP Private Service Connect

There is no public internet access to HashSphere endpoints.

This can be depicted as follows:

<figure><img src="https://2074645427-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1lwtTuSxq9S9wuqIw74y%2Fuploads%2FDkQL2HuEGDgwuLFknBon%2Fimage.png?alt=media&#x26;token=a43c6241-dd64-4008-b398-440731b6e77e" alt=""><figcaption></figcaption></figure>

HashSphere endpoints do not enforce application-level authorization by default. They assume any workload in the customer VPC can reach them.

If you need fine-grained control, place a customer-managed proxy or API gateway in front of the endpoints.

To maintain segregation of duties, customers do not have access to internal HashSphere platform operations. Customers use the [HashSphere Console](https://docs.hashsphere.com/operations/hashsphere-console) for platform health visibility.

During onboarding, the HashSphere team can bootstrap initial accounts. Control of customer-owned accounts is passed to the customer.

### Customer application deployment

Use a standard CI/CD pipeline for application deployment. Treat HashSphere like any other production dependency.

#### Off-ledger components

Deploy your off-ledger services in your own VPC. These services call HashSphere via the private endpoints.

Customer operations teams deploy and operate customer services. The HashSphere team does not deploy customer components.

#### On-ledger components

Customers deploy and manage on-ledger components, for example:

* Administration and user account set up and funding
* HTS Token definition and deployment
* HCS topic configuration
* Smart contract deployment and management
* HFS configuration

For account bootstrap guidance, see [Creating Initial Accounts](https://docs.hashsphere.com/development/creating-initial-accounts).