Skip to main content

Prerequisites

Before you deploy Ververica Cloud: Bring Your Own Cloud on Azure, you must meet specific prerequisites regarding your cloud infrastructure. This ensures that the Ververica Agent operates correctly, manages resources, and communicates with the Ververica Cloud Control Plane.

Verify the following prerequisites:

  • Infrastructure and Compatibility: Kubernetes distribution, version, and VM size.
  • Capacity (Sizing) Requirements: PVCs, CPU, and memory requirements.
  • Identity and Access: Managed Identity and permissions.
  • Networking: Outbound access to Ververica endpoints.

Infrastructure and Compatibility Requirements

To deploy Ververica Cloud: Bring Your Own Cloud on Azure, ensure your environment meets the following requirements:

  • Kubernetes distribution: Azure Kubernetes Service (AKS)
  • Kubernetes version: 1.32.6 or later
  • AKS deployment type: VMSS
  • Workload pool OS SKU: Linux or Azure Linux
  • VM size: D32s v5
  • Supported storage class: Premium SSD

Capacity (Sizing) Requirements

Ensure your capacity meets the minimum requirements:

  • Persistent volume claims (PVC) per workspace: 2 PVCs per workspace
  • PVC capacity: 5 GB per volume
  • Pod CPU requests (per workspace): 3 vCPU per workspace
  • Pod memory requests (per workspace): 18 GB per workspace
  • Agent components CPU/memory (combined): 6 vCPU, 16.25 GiB memory (limits)

Identity and Access Management Requirements

Ensure you have set up the correct Managed Identity, CORS rules, and Blob Storage configurations:

  • Managed Identity: Create a Managed Identity with permissions to orchestrate Kubernetes resources, connect to Ververica Cloud, and access storage.
  • CORS rules: Configure Cross-Origin Resource Sharing (CORS) rules on your storage account to allow the Ververica UI to access logs and artifacts.
  • Blob storage: Configure a storage account with a hierarchical namespace and a Blob container with read/write access for the Ververica Agent and Flink pods.

Network Requirements (Whitelisting)

If your cluster or network environment restricts outbound traffic by default (for example, through DNS filtering, firewall rules, or a proxy), you must explicitly allow HTTPS egress and DNS resolution for the following domains:

  • agent.ververica.cloud - communicates with the Ververica Control Plane
  • app.ververica.cloud - allows each workspace’s console agent to connect
  • registry.ververica.cloud - pulls container images for Agent components
  • cdn.ververica.cloud - downloads Flink engine artifacts

If access to these endpoints is blocked or cannot be resolved via DNS, the Ververica agent remains pending and fails to register.

note

You do not need to allow all outbound traffic. Instead, you can add specific rules or allowlists to permit HTTPS connections only to these required domains. This approach maintains a more restricted security posture while still enabling the Ververica Agent and its components to function.

On this page