Prerequisites
Before you can deploy Ververica Cloud: Bring Your Own Cloud, you must meet the prerequisites and environment setup such as configuring S3 buckets. By doing so, you ensure proper OpenID Connect (OIDC) integration and create necessary IAM roles and policies. Verify the following prerequisites:
- Infrastructure and Compatibility
- Capacity (Sizing) Requirements
- Network Access Requirements
- Identity and Access Management (IAM) Requirements
These requirements apply to both the Ververica agent and the workspaces it manages.
Infrastructure and Compatibility Requirements
Ensure your setup meets the supported infrastructure requirements and verify IMDSv1 is available on your worker nodes.
| Requirement | Specification |
|---|---|
| Kubernetes Distribution | EKS |
| Kubernetes Version | ≥ 1.28 |
| EKS Deployment Type | EC2 |
| EC2 Operating System | Linux |
| EC2 Instance Families | m5, m6, m5.metal, etc. |
| Supported Storage Class | gp2, gp3 |
Amazon EKS
-
Control Plane to Worker Nodes
Required network configuration must support inbound traffic from the EKS cluster control plane on TCP port 443 toward all EKS worker nodes.
Without this rule, the control plane cannot reach the webhook service, causing resource creation to hang or timeout.
-
Intra-Node Communication (Security Group Self-Access)
Cluster internal traffic between pods on different worker nodes (e.g., JobManager ↔ TaskManager, TaskManager ↔ TaskManager) must be allowed by your node security group.
- AWS EKS: Inbound traffic from the same security group is not implicitly permitted. You must add an explicit rule that allows all traffic (or at least the required TCP ports) with the source set to the node group’s own security group. This ensures webhook pods, Flink components, and future workloads can communicate across nodes without sporadic connection failures.
Capacity (Sizing) Requirements
Ensure your capacity meets the minimum requirements.
| Requirement | Specification |
|---|---|
| Persistent Volume Claims (PVC) Per Workspace | 2 PVCs per workspace |
| PVC Capacity | 5 GB per volume |
| Network Security Policy | Allow outbound traffic to app.ververica.cloud |
| Pod CPU Requests (Per Workspace) | 3 vCPU per workspace |
| Pod Memory Requests (Per Workspace) | 18 GB per workspace |
| Agent Components CPU/Memory (Combined) | 2 vCPU, 4 GiB memory (limits) |
Network Requirements (Whitelisting)
If your cluster or network environment restricts outbound traffic by default (for example, through DNS filtering, firewall rules, or a proxy), you must explicitly allow HTTPS egress and DNS resolution for the following domains:
agent.ververica.cloud- communicates with the Ververica Control Planeapp.ververica.cloud- allows each workspace’s console agent to connectregistry.ververica.cloud- pulls container images for Agent componentscdn.ververica.cloud- downloads Flink engine artifacts
If access to these endpoints is blocked or is not resolvable via DNS, the Ververica agent will remain pending and fail to register.
Note: You do not need to allow all outbound traffic. Instead, you can add specific rules or allowlists to permit HTTPS connections only to these required domains. This approach maintains a more restricted security posture while still enabling the Ververica Agent and its components to function.
IAM Requirements
If you are not using the CloudFormation script, ensure you have set up the correct IAM roles, permissions, and S3 bucket configurations.
If you are using the CloudFormation script, proceed to creating AWS resources.