Prerequisites

Before you can deploy Ververica Cloud: Bring Your Own Cloud (BYOC), you must complete the prerequisites and environment setup: configuring the S3 buckets, integrating OpenID Connect (OIDC) with the cluster, and creating the necessary IAM roles and policies. Verify the following prerequisites:

  • Infrastructure and Compatibility
  • Capacity (Sizing) Requirements
  • Network Access Requirements
  • Identity and Access Management (IAM) Requirements

These requirements apply to both the Ververica agent and the workspaces it manages.

Infrastructure and Compatibility Requirements

Ensure your setup meets the supported infrastructure requirements and verify that IMDSv1 is available on your worker nodes. In practice this means the instance metadata options of the node group (launch template) must not be set to IMDSv2-only: with HttpTokens set to required, IMDSv1 requests are rejected.

Requirement                 Specification
Kubernetes distribution     EKS
Kubernetes version          ≥ 1.28
EKS deployment type         EC2
EC2 operating system        Linux
EC2 instance families       m5, m6, m5.metal, etc.
Supported storage class     gp2, gp3

Amazon EKS

  1. Control Plane to Worker Nodes

    The security group attached to your worker nodes must allow inbound traffic on TCP port 443 from the EKS cluster security group, so that the control plane can reach every worker node.

    Without this rule, the control plane cannot call the admission webhook service, so resource creation hangs or times out.

  2. Intra-Node Communication (Security Group Self-Access)

    Cluster-internal traffic between pods on different worker nodes (for example JobManager ↔ TaskManager and TaskManager ↔ TaskManager) must be allowed by your node security group.

    • AWS EKS: Inbound traffic from members of the same security group is not implicitly permitted. Add an explicit inbound rule that allows all traffic (or at least the required TCP ports) with the source set to the node group’s own security group. This lets webhook pods, Flink components, and future workloads communicate across nodes without intermittent connection failures.
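As a worked check for the two rules above, the following script (an added example, not Ververica's own tooling) audits the JSON printed by `aws ec2 describe-security-groups --group-ids <node-sg-id>` for the control-plane rule (TCP 443 from the cluster security group) and the self-access rule (all traffic from the node group's own security group), and prints the `aws ec2 authorize-security-group-ingress` command for whatever is missing. Field names are those of the EC2 API; the security group ids and the sample response are constructed for illustration.

```python
"""Audit an EKS node security group for the two inbound rules this page requires.

Added example, not Ververica's code. Pipe in the output of
`aws ec2 describe-security-groups --group-ids <node-sg-id>` and pass the
cluster security group id as the first argument. Ids below are made up.
"""
import json
import sys


def ip_permission(proto, from_port, to_port, source_sg):
    """Build one EC2 IpPermissions entry; protocol "-1" (all traffic) carries no ports."""
    perm = {"IpProtocol": proto, "UserIdGroupPairs": [{"GroupId": source_sg}]}
    if proto != "-1":
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    return perm


def required_rules(node_sg_id, cluster_sg_id):
    """The two inbound rules the page requires on the node security group."""
    return {
        "control plane -> nodes, tcp/443": ip_permission("tcp", 443, 443, cluster_sg_id),
        "node-to-node, all traffic (self)": ip_permission("-1", 0, 65535, node_sg_id),
    }


def covers(existing, wanted):
    """True if an existing entry satisfies the wanted rule: same source
    security group, and a protocol/port range at least as wide."""
    sources = {p.get("GroupId") for p in existing.get("UserIdGroupPairs", [])}
    if wanted["UserIdGroupPairs"][0]["GroupId"] not in sources:
        return False
    if existing.get("IpProtocol") == "-1":
        return True                        # all traffic covers any port/protocol
    if existing.get("IpProtocol") != wanted["IpProtocol"]:
        return False                       # also rejects a tcp entry for the "-1" rule
    return (existing.get("FromPort", 65536) <= wanted["FromPort"]
            and existing.get("ToPort", -1) >= wanted["ToPort"])


def missing_rules(node_sg, cluster_sg_id):
    """Names of required rules absent from one SecurityGroups entry."""
    wanted = required_rules(node_sg["GroupId"], cluster_sg_id)
    present = node_sg.get("IpPermissions", [])
    return [name for name, rule in wanted.items()
            if not any(covers(p, rule) for p in present)]


def authorize_command(node_sg_id, rule):
    """CLI command adding one rule; --ip-permissions avoids quoting protocol -1."""
    return ("aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (node_sg_id, json.dumps([rule])))


# Constructed sample: a hand-built node group whose SG allows SSH from a bastion
# and has the self-access rule, but lacks the control-plane rule.
CLUSTER_SG_ID = "sg-0cluster00000000000"
SAMPLE_NODE_SG = {
    "GroupId": "sg-0node00000000000000",
    "IpPermissions": [
        ip_permission("tcp", 22, 22, "sg-0bastion0000000000"),
        ip_permission("-1", 0, 65535, "sg-0node00000000000000"),
    ],
}


def main():
    data = json.load(sys.stdin)
    cluster_sg_id = sys.argv[1]
    for sg in data["SecurityGroups"]:
        wanted = required_rules(sg["GroupId"], cluster_sg_id)
        for name in missing_rules(sg, cluster_sg_id):
            print(f"{sg['GroupId']}: missing rule: {name}")
            print("  " + authorize_command(sg["GroupId"], wanted[name]))


if __name__ == "__main__":
    main()
```

The cluster security group id comes from `aws eks describe-cluster --name <cluster> --query cluster.resourcesVpcConfig.clusterSecurityGroupId --output text`. If you chose a per-port allowlist for node-to-node traffic instead of all traffic, replace the "-1" entry in `required_rules` with the TCP ranges you opened; the audit otherwise flags it as missing.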

Capacity (Sizing) Requirements

Ensure your capacity meets the minimum requirements.

Requirement                                   Specification
Persistent Volume Claims (PVCs) per workspace 2 PVCs per workspace
PVC capacity                                  5 GB per volume
Network security policy                       Allow outbound traffic to app.ververica.cloud
Pod CPU requests (per workspace)              3 vCPU per workspace
Pod memory requests (per workspace)           18 GB per workspace
Agent components CPU/memory (combined)        2 vCPU, 4 GiB memory (limits)

Network Requirements (Whitelisting)

If your cluster or network environment restricts outbound traffic by default (for example, through DNS filtering, firewall rules, or a proxy), you must explicitly allow HTTPS egress and DNS resolution for the following domains:

  • agent.ververica.cloud - communicates with the Ververica Control Plane
  • app.ververica.cloud - allows each workspace’s console agent to connect
  • registry.ververica.cloud - pulls container images for Agent components
  • cdn.ververica.cloud - downloads Flink engine artifacts

If access to these endpoints is blocked, or their names cannot be resolved via DNS, the Ververica agent remains in a pending state and fails to register.

Note: You do not need to allow all outbound traffic. Instead, you can add specific rules or allowlists to permit HTTPS connections only to these required domains. This approach maintains a more restricted security posture while still enabling the Ververica Agent and its components to function.
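The following preflight script is an added example (not Ververica's own tooling) that checks exactly what this section requires for the four endpoints: DNS resolution, then a TCP connection and a verified TLS handshake on port 443. Run it from a pod on a worker node, since that is the agent's vantage point; the cluster's resolver and egress rules are what matter, not a workstation's. The `resolve` and `connect` arguments are injectable so the logic can be exercised offline with stubs.

```python
"""Egress preflight for the Ververica endpoint allowlist.

Added example, not Ververica's code. Reports DNS and HTTPS failures separately
because they are fixed in different places (resolver allowlist vs. firewall
or proxy rule).
"""
import socket
import ssl
import sys

# The four endpoints listed on this page and what each is used for.
REQUIRED_ENDPOINTS = {
    "agent.ververica.cloud": "Ververica Control Plane (agent registration)",
    "app.ververica.cloud": "workspace console agents",
    "registry.ververica.cloud": "container images for agent components",
    "cdn.ververica.cloud": "Flink engine artifacts",
}


def resolve(host):
    """Resolve a hostname through the resolver configured where this runs."""
    return socket.gethostbyname(host)


def tls_connect(host, port=443, timeout=5.0):
    """TCP connect plus a TLS handshake that verifies the server certificate
    against the system trust store; returns the negotiated TLS version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def preflight(endpoints=REQUIRED_ENDPOINTS, resolve=resolve, connect=tls_connect):
    """Return {host: (ok, detail)} for every endpoint."""
    results = {}
    for host in endpoints:
        try:
            ip = resolve(host)
        except OSError as exc:            # socket.gaierror is an OSError
            results[host] = (False, f"DNS resolution failed: {exc}")
            continue
        try:
            version = connect(host)
        except OSError as exc:            # timeouts and ssl.SSLError are OSErrors too
            results[host] = (False, f"{ip}: HTTPS connection failed: {exc}")
            continue
        results[host] = (True, f"{ip}: {version}")
    return results


def blocked_hosts(results):
    """Hostnames that failed either check; an empty list means the agent can register."""
    return sorted(host for host, (ok, _) in results.items() if not ok)


def main():
    results = preflight()
    for host, (ok, detail) in results.items():
        status = "OK  " if ok else "FAIL"
        print(f"{status} {host:26s} {detail}  ({REQUIRED_ENDPOINTS[host]})")
    return 1 if blocked_hosts(results) else 0


if __name__ == "__main__":
    sys.exit(main())
```

If egress goes through an explicit forward proxy, this direct connection fails by design even when the allowlist is correct; in that case test through the proxy instead, for example `curl -x <proxy-url> https://agent.ververica.cloud` from the same pod. Note also that `registry.ververica.cloud` is pulled by the node's container runtime, so the runtime's proxy and CA settings must permit it as well.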

IAM Requirements

If you are not using the CloudFormation script, ensure you have set up the correct IAM roles, permissions, and S3 bucket configurations.

If you are using the CloudFormation script, proceed to creating AWS resources.