Create Azure Resources

To prepare your Azure environment for deploying the Ververica Agent on an Azure AKS cluster, complete the following steps.

  • Create and configure your cluster.
  • Create and configure your object storage to store runtime artifacts and Flink checkpoints.
  • Enable Kubernetes OIDC (OpenID Connect).
  • Set up the user-assigned managed identity, its federated credential, and the storage role assignment through which the Ververica Agent accesses Azure resources without stored secrets.

After these steps are complete, your environment is configured for a deployment of the Ververica Agent.

Create Kubernetes Cluster

Create an Azure Kubernetes Service (AKS) cluster.

warning

Ensure your cluster has outbound access to the Ververica services listed in the Network Requirements (Whitelisting) section of the previous chapter.

Create Storage Account and Storage Container

Create a storage account and a storage container for runtime artifacts and Flink checkpoints with the following configuration.

  • Hierarchical namespace: Enabled
  • Public network access: Enabled
  • Public network access scope: Enabled from all networks
  • Resource sharing (CORS): In Storage Account > Settings > Resource sharing (CORS) > Blob service, add a rule with the allowed origins, methods, and headers below. List the Ververica origins explicitly rather than using a wildcard origin; CORS only controls which browser origins may call the account, and every request remains subject to Azure authorization.

Allowed methods: GET, POST, PUT, DELETE

Allowed origins:

  • https://agent.ververica.cloud
  • https://app.ververica.cloud
  • https://registry.ververica.cloud
  • https://cdn.ververica.cloud

Allowed headers: *

Enabling public network access makes the storage endpoint reachable from the internet, which the Ververica services require; it does not make the data readable without authorization. Leave anonymous (public) blob access disabled on the account so that every read and write is authenticated, in this setup through the managed identity and role assignment created below.

Create a storage container in your storage account.

Enable Kubernetes OIDC

Your AKS cluster exposes an OpenID Connect (OIDC) issuer URL. Azure AD uses it to validate the service account tokens that Kubernetes projects into the Ververica Agent pods, so those pods can exchange a Kubernetes token for an Azure AD token of a Managed Identity (workload identity federation) without any stored credentials.

Enable the OIDC issuer and workload identity on your AKS cluster and record the issuer URL; it is required when creating the federated credential in the next section.

Example:

export RESOURCE_GROUP=<Your resource group>
export CLUSTER_NAME=<Your AKS cluster name>

# Enable the OIDC issuer and the workload identity webhook on the cluster
az aks update -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --enable-oidc-issuer --enable-workload-identity

# Retrieve the OIDC issuer URL; it becomes the "issuer" of the federated credential created in the next section
export CLUSTER_OIDC_PROVIDER=$(az aks show -n ${CLUSTER_NAME} -g ${RESOURCE_GROUP} --query "oidcIssuerProfile.issuerUrl" -otsv)

# The value must be a non-empty https:// URL before you continue
echo ${CLUSTER_OIDC_PROVIDER}

Create a Managed Identity and Role Assignment

You must create a user-assigned managed identity for your AKS cluster, configure workload identity federation using your cluster’s OIDC issuer, grant access to your Azure Storage Account, and save the identity’s Client ID for later configuration in Ververica Cloud.

Ensure you have retrieved the OIDC issuer URL from the previous step, as it is required when creating the federated credential.

  1. Create a Kubernetes namespace named vv-agent. This namespace hosts the Ververica Agent components inside your AKS cluster and is referenced in the workload identity federation configuration.
  2. Create a user-assigned managed identity named vv-tenant-<Your AKS Cluster Name> in your Azure resource group and tag it with pyxis.io.managed=true. This identity is assumed by the Ververica Agent to securely access Azure resources without storing credentials.
  3. Create a federated identity credential named vvc-tenant on the managed identity. Use your cluster’s OIDC issuer URL and the Kubernetes subject system:serviceaccount:vv-agent:pyxis-admin. This configuration links the managed identity to your AKS cluster’s OIDC provider and allows the service account in the vv-agent namespace to authenticate to Azure using workload identity federation without requiring secrets.
  4. Assign the Azure role "Storage Blob Data Contributor" to the managed identity using its Principal ID, scoped to your designated Azure Storage Account. The assignment must be scoped to that single storage account within your subscription and resource group, not to the resource group or subscription, so that Ververica can read and write job artifacts, checkpoints, and state data while following the principle of least privilege.
  5. Retrieve and save the managed identity’s Client ID. The Client ID is required later when configuring your BYOC deployment in Ververica Cloud.

Example:

# Environment Variables
export SUBSCRIPTION_ID=<The subscription ID of your resource group>
export STORAGE_ACCOUNT_NAME=<Your storage account name>
export RESOURCE_GROUP=<Your resource group>
export CLUSTER_NAME=<Your AKS cluster name>
# CLUSTER_OIDC_PROVIDER should be set from the previous step
: "${CLUSTER_OIDC_PROVIDER:?CLUSTER_OIDC_PROVIDER is not set; complete the Enable Kubernetes OIDC step first}"

export VV_AGENT_NAMESPACE="vv-agent"
export VV_TENANT_MANAGED_IDENTITY="vv-tenant-${CLUSTER_NAME}"

# Create the namespace that hosts the Ververica Agent (requires kubectl configured for this cluster)
kubectl create namespace ${VV_AGENT_NAMESPACE}

# Create the user-assigned managed identity
az identity create -g ${RESOURCE_GROUP} -n ${VV_TENANT_MANAGED_IDENTITY} --tags pyxis.io.managed=true

# Create the federated credential: Azure AD exchanges only tokens whose
# issuer, subject and audience match these three values exactly
az identity federated-credential create \
--identity-name ${VV_TENANT_MANAGED_IDENTITY} \
--resource-group ${RESOURCE_GROUP} \
--name vvc-tenant \
--issuer ${CLUSTER_OIDC_PROVIDER} \
--subject system:serviceaccount:${VV_AGENT_NAMESPACE}:pyxis-admin \
--audiences api://AzureADTokenExchange

# Role assignment, scoped to the single storage account
export VV_TENANT_IDENTITY_PRINCIPAL_ID=$(az identity show -g ${RESOURCE_GROUP} -n ${VV_TENANT_MANAGED_IDENTITY} --query "principalId" -otsv)

SCOPE="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.Storage/storageAccounts/${STORAGE_ACCOUNT_NAME}"

# Passing the object ID together with its principal type avoids a directory
# lookup that can fail while the newly created identity is still replicating
az role assignment create --assignee-object-id ${VV_TENANT_IDENTITY_PRINCIPAL_ID} --assignee-principal-type ServicePrincipal --role "Storage Blob Data Contributor" --scope ${SCOPE}

# Verify the assignment exists at exactly this scope
az role assignment list --assignee ${VV_TENANT_IDENTITY_PRINCIPAL_ID} --scope ${SCOPE} --query "[].roleDefinitionName" -otsv

# Extract the managed identity client ID
export VVC_TENANT_MANAGED_IDENTITY_CLIENT_ID=$(az identity show -g ${RESOURCE_GROUP} -n ${VV_TENANT_MANAGED_IDENTITY} --query "clientId" -otsv)

# Save this ID for later
echo ${VVC_TENANT_MANAGED_IDENTITY_CLIENT_ID}
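The federated credential created in step 3 is the trust anchor of this setup: Azure AD exchanges a Kubernetes service account token for a token of the managed identity only when the token's issuer (iss), subject (sub) and audience (aud) claims match the credential's issuer, subject and audiences, and the token has not expired. The Python script below is an added illustration of that matching rule; it is not Azure's implementation and not code from Ververica. It builds a few constructed, unsigned sample tokens (the placeholder issuer URL is an assumption shaped like an AKS issuer URL, and the namespace and service account name mirror the commands above) and shows which ones would be accepted. The signature check Azure AD performs against the keys published by the cluster's OIDC issuer is omitted.

```python
"""Model of the claim checks behind Azure AD workload identity federation.

Added illustration for this page: not Azure's implementation and not Ververica
code. Tokens are constructed, unsigned samples; only the payload is inspected.
Azure AD additionally verifies the token signature against the keys published
by the cluster's OIDC issuer, which is omitted here.
"""
import base64
import json
import time
from typing import Dict, List, Optional

# Placeholder issuer URL (assumption: shaped like an AKS issuer URL). In a real
# setup this is CLUSTER_OIDC_PROVIDER from `az aks show ... oidcIssuerProfile.issuerUrl`.
ISSUER_URL = ("https://eastus.oic.prod-aks.azure.com/"
              "00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111/")

# The three values given to `az identity federated-credential create`.
FEDERATED_CREDENTIAL = {
    "issuer": ISSUER_URL,
    "subject": "system:serviceaccount:vv-agent:pyxis-admin",
    "audiences": ["api://AzureADTokenExchange"],
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature (sample data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_exchange(token: str, credential: dict, now: Optional[float] = None) -> List[str]:
    """Return the reasons the exchange would be refused; an empty list means accepted."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems: List[str] = []
    if claims.get("iss") != credential["issuer"]:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    if claims.get("sub") != credential["subject"]:
        problems.append(f"subject mismatch: {claims.get('sub')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in credential["audiences"] for a in aud_list):
        problems.append(f"audience mismatch: {aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or missing exp")
    return problems


def sample_tokens(now: float) -> Dict[str, str]:
    """Constructed tokens: one that matches the credential and three that do not."""
    good = {
        "iss": ISSUER_URL,
        "sub": "system:serviceaccount:vv-agent:pyxis-admin",
        "aud": ["api://AzureADTokenExchange"],
        "exp": int(now) + 3600,
    }
    return {
        "projected_token": make_unsigned_token(good),
        # Same service account name in another namespace: the subject string differs.
        "wrong_namespace": make_unsigned_token({**good, "sub": "system:serviceaccount:default:pyxis-admin"}),
        # The default service account token carries the API server audience, not the exchange audience.
        "default_sa_token": make_unsigned_token({**good, "aud": ["https://kubernetes.default.svc"]}),
        "expired": make_unsigned_token({**good, "exp": int(now) - 1}),
    }


if __name__ == "__main__":
    now = time.time()
    for name, token in sample_tokens(now).items():
        problems = evaluate_exchange(token, FEDERATED_CREDENTIAL, now)
        verdict = "ACCEPT" if not problems else "REJECT (" + "; ".join(problems) + ")"
        print(f"{name:18s} {verdict}")
```

Run it with python3. The rejected samples correspond to the mistakes seen most often in practice: deploying the agent into a namespace other than vv-agent (subject mismatch), or a pod presenting the default service account token, whose audience is the API server, instead of the token the workload identity webhook projects with audience api://AzureADTokenExchange.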

Next Steps