Prerequisites
This document outlines the prerequisites and environment setup — such as configuring S3 buckets, ensures proper OpenID Connect (OIDC) integration, and creates necessary IAM roles and policies. You’ll then learn how to install the Ververica Agent, verify its successful registration with the Ververica Control Plane, and create a new BYOC workspace.
Agent and Instance Metadata Service (IMDS)
If you are deploying on Amazon EKS, ensure that IMDSv1 is enabled on your EC2 worker nodes. Currently, the Ververica Agent requires IMDSv1 access; if IMDSv2 is set to Required (disabling IMDSv1 entirely), the Agent will fail to initialize and produce 401 errors when running in EKS.
You can correct this by modifying each instance’s metadata options to set IMDSv2 to Optional:
- Open Actions → Instance Settings → Modify instance metadata options in the Amazon EC2 console.
- Under IMDSv2, choose Optional.
- Save the changes.
If your EKS cluster creates additional worker nodes automatically, be sure to update the nodegroup launch configuration or template to enable IMDSv1 for new nodes.
The requirement are split into two parts:
- Supported Infrastructure and Compatibility
- Minimum Capacity (Sizing) Requirements
These requirements apply to both the Ververica Agent and the workspaces it manages.
Supported Infrastructure and Compatibility
| Requirement | Specification |
|---|---|
| Kubernetes Distribution | EKS |
| Kubernetes Version | ≥ 1.28 |
| EKS Deployment Type | EC2 |
| EC2 Operating System | Linux |
| EC2 Instance Families | m5, m6, m5.metal, etc. |
| Supported Storage Class | gp2, gp3 |
Minimum Capacity (Sizing) Requirements
| Requirement | Specification |
|---|---|
| Persistent Volume Claims (PVC) Per Workspace | 2 PVCs per workspace |
| PVC Capacity | 5 GB per volume |
| Network Security Policy | Allow outbound traffic to app.ververica.cloud |
| Pod CPU Requests (Per Workspace) | 3 vCPU per workspace |
| Pod Memory Requests (Per Workspace) | 18 GB per workspace |
| Agent Components CPU/Memory (Combined) | 2 vCPU, 4 GiB memory (limits) |
Network Access Requirements
If your cluster or network environment restricts outbound traffic by default (for example, through DNS filtering, firewall rules, or a proxy), you must explicitly allow HTTPS egress and DNS resolution for the following domains:
agent.ververica.cloudapp.ververica.cloudregistry.ververica.cloudcdn.ververica.cloud
These domains are essential for:
- Communicating with the Ververica Control Plane (
agent.ververica.cloud). - Allowing each workspace’s console agent to connect (
app.ververica.cloud). - Pulling container images for Agent components (
registry.ververica.cloud). - Downloading Flink engine artifacts (
cdn.ververica.cloud).
If access to these endpoints is blocked or not resolvable via DNS, the Ververica Agent will remain pending and fail to register.
Note: You do not need to allow all outbound traffic. Instead, you can add specific rules or allowlists to permit HTTPS connections only to these required domains. This approach maintains a more restricted security posture while still enabling the Ververica Agent and its components to function.