Skip to main content

About Ververica Cloud: Bring Your Own Cloud

The Ververica Cloud: Bring Your Own Cloud (BYOC) deployment option enables organizations to leverage their existing cloud agreements, resources, or preferred regions while utilizing a fully-managed service. This is ideal for organizations with a zero-trust security strategy or companies optimizing spend across multiple cloud vendors.

Is BYOC the Right Option for You?

Ververica’s BYOC deployment is ideal for enterprises that:

  • Want to retain full control over their cloud infrastructure.
  • Prefer or require full observability of their data.
  • Have specific security, governance, or compliance needs.
  • Are adopting a zero-trust security strategy.
  • Use multi-cloud or hybrid cloud architectures.
  • Have preferential pricing or spend commitments with cloud providers.
  • Need a flexible, scalable solution for real-time stream processing.
  • Want to leverage (VERA), the engine revolutionizing Apache Flink for their streaming and batch processing projects, and will benefit from a managed Flink offering within their own cloud environment.

What is the BYOC Framework?

The image below illustrates the security and operational framework of Veverica's BYOC deployment model. The VERA engine serves as the runtime for deployment or session cluster jobs.

BYOC Architecture

Core Components

The BYOC deployment option includes four key components:

  • Control Plane
  • Data Plane
  • Agent Services
  • Platform Services

Control Plane

The control plane provides centralized management for tenant workspaces through a clear separation from the data plane. Residing in Ververica's managed cloud account, the control plane securely interfaces with users through a public-facing load balancer that routes requests to available microservices.

  • You can manage all tenant workspaces through a unified interface, providing a centralized view of data, systems, and processes (a single pane of glass).
  • The control plane stores only metadata, which is securely exchanged between the control and data planes.

Data Plane

The distributed data plane consists of Ververica’s cloud-native microservices deployed directly into your (customer) cloud account using your own cloud resources.

  • Your data is stored in your cloud (controlled by you).
  • A separate agent, platform, and engine services handle each BYOC tenant workspace you create.
  • Data plane artifacts are deployed as containers orchestrated by Kubernetes.
  • Each tenant workspace is attached to dedicated object storage for the data you provided. Ververica manages data in this object storage instance, based on object storage API level (least-privilege) access policies.

Agent Services

An agent serves as a framework or container that organizes and manages a collection of cloud-native microservices. These microservices, including components like the API Gateway, Controller, Webhook, and Manager, are designed to handle specific tasks independently. The decoupled nature of these services allows them to operate autonomously, making the system more modular, scalable, and resilient. Each microservice focuses on a distinct function, such as routing requests (API Gateway), orchestrating operations (Controller), handling event triggers (Webhook), or managing configurations (Manager). The

The agent establishes a client connection from your cloud to Ververica Cloud: Bring Your Own Cloud, manages Ververica services within it, and allows you full control and observability.

  • An agent handles one or more BYOC tenant workspaces.
  • Agent services are managed by customers via helm/kubectl tooling.

Platform Services

The platform services enable centralized management of tenant workspaces using the control plane, accessible through the platform console.

Core Capabilities

The Ververica Cloud: Bring Your Own Cloud deployment option empowers organizations to maintain operational flexibility, optimize costs, and ensure compliance while aligning with modern security and infrastructure needs, including:

  • Leverage cost savings through existing cloud partnerships.
  • Ensure data sovereignty by keeping data within your cloud environment.
  • Retain logical tenancy at the workspace level to enable cost-optimized separation of business concerns.
  • Adopt a zero-trust security model with fine-grained access controls.
  • Avoid vendor or regional lock-in with flexible, multi-cloud options.
  • Pay only for what is used with a pay-as-you-go, capacity-based pricing structure.
  • Access the platform securely over the public internet.
  • Benefit from marketplace integration with a single, consolidated billing approach.

Data Processing

All data processing and data movement happens within the customer cloud (inside the customer cloud account), keeping processing and data movement local and entirely under your control.

Security Model

The BYOC deployment option uses zero-trust, first-design principles to ensure you control security policies and have full observability. The key security features include:

  • Least-Privilege Access Model: Grants only the minimum necessary permissions to each component or user. This reduces the risk of unauthorized access or misuse. For example, only specific processes can read or write to certain data locations.
  • Identity-Based Authentication: Access to resources and services is controlled based on verified identities, ensuring that only authenticated users or systems can interact with the platform.
  • Isolation: Isolates different components of the system (user infrastructure and Ververica's services) from one another, reducing the impact of potential issues or security breaches.
  • Fine-Grained Authorization Policies: Users can define detailed rules specifying who or what has access to specific resources or actions. For example, one service might only have access to read a database, while another can modify it.
  • Short-Lived Credentials: Credentials are temporary and expire after a short duration, limiting the window for potential misuse if they are compromised.
  • User-Controlled Security Policies: Users can define and enforce their own security policies, such as encryption standards, access controls, and compliance measures.
  • Full Observability: Users have complete visibility into the system's performance, activities, and security status, enabling them to monitor and troubleshoot effectively.

How Can BYOC Help You Comply with Zero Trust?

The Zero Trust model is reshaping how organizations approach security, emphasizing the idea that breaches should always be considered possible, trust should never be implicit, and verification is always required. Ververica's BYOC deployment option is designed to meet these Zero Trust specifications, ensuring security at every level of your cloud infrastructure.

Before deploying BYOC, Ververica recommends reviewing the following principles and considerations to guide your Zero Trust design.

Policy Control, Observability, and Sovereignty Principles

In a zero-trust architecture, you retain full control over policy administration, observability, and security policies. The vendor is treated as a third party to ensure compliance with NIST 800-207.

Key Questions to Consider:

  • Who controls the vendor-customer connectivity policies?
  • Who owns and controls data access policies?
  • How can all parties gain full observability at all levels?

Ververica provides an agent that operates within your cloud, establishing a one-way connection to the control plane. This setup ensures you maintain full control over connectivity with Ververica’s control plane. The agent integrates seamlessly with your existing security and observability tools, such as AWS VPC Flow Logs. All data processing and movement occur locally within your cloud, fully decoupled from third-party control planes, ensuring complete data sovereignty.

Least-Privilege Access

The principles of least privilege (PoLP) dictates that users, applications, systems, or processes should only have the minimum access needed to perform their specific tasks or functions. This reduces the potential damage from accidental errors, security breaches, or malicious activity.

Key Questions to Consider:

  • How much control does the vendor need to have in your technology stack?
  • How does vendor insure a least-privilege access design?
  • Who owns observability and other auxiliary systems?

When considering which services vendors like Ververica should have access to, the answer should always be the bare minimum required for the vendor's services to function. You must scrutinize designs closely by repeatedly asking: "Does the vendor truly need this access to deliver its core business function?

When considering the access rights of external vendors like Ververica, ensure they have the bare minimum permissions required to deliver core services. Avoid granting overly broad permissions to prevent expanding the trust surface unnecessarily. For instance, avoid giving vendors control over networking, compute, or storage services unless absolutely necessary, as this expands the potential attack surface.

In shared IaaS or CaaS environments, granular access control is more challenging, but it’s critical to limit vendor access to the minimum necessary.

Kubernetes Workloads

Kubernetes is the industry standard for orchestrating containerized workloads. Ververica’s data plane software is designed to integrate with existing Kubernetes infrastructure without requiring elevated privileges. By creating non-privileged Kubernetes namespaces for each tenant, Ververica ensures that integration with your monitoring tools is seamless and portable.

You can collect logs and metrics from the containers within these Kubernetes clusters while maintaining tenant-specific isolation. Communication with the control plane occurs through agents for each tenant, ensuring a secure, isolated environment for each workload.

Breach Isolation

Planning for a breach is essential to meeting zero-trust requirements. Breach isolation involves detecting and containing unauthorized access or data exfiltration without affecting other components of the system.

Key Questions to Consider:

  • How can you ensure breach isolation, identity-based authentication, and dynamic authorization?
  • Who owns authentication and authorization services?
  • How can you enforce granular access control?

Ververica ensures breach isolation by maintaining complete separation of service chains between tenants. Each Ververica tenant (workspace) is assigned its own dedicated access, managed through Role-Based Access Control (RBAC). This includes a dedicated agent, a specific set of services, and exclusive data storage. A single service chain is designed to serve only one tenant, ensuring complete isolation. This design guarantees that a breach in one tenant does not impact others.

Key measures for breach isolation include:

  • Authentication and authorization services are fully owned and managed by you, not Ververica, giving you full security control.
  • Dynamic authorization with ephemeral or rotating access tokens mitigates the risks associated with credential breaches.
  • Granular access control policies are under your control, allowing you to define specific third-party access URLs and API calls for tenant storage.

Ververica integrates with cloud-native services for authentication and authorization, such as OpenID Connect (OIDC) and security token services. This approach avoids managing these services while ensuring that you retain full control over your data and security policies.

Ververica’s BYOC deployment option provides the flexibility and security needed to meet Zero Trust principles. By maintaining full control over policies, observability, access rights, and breach isolation, Ververica enables you to ensure that your cloud infrastructure meets the highest security standards, while keeping your data and services isolated from third-party vendors.

Operational Responsibilities

The BYOC deployment option uses a shared responsibility model. You manage and are in full control of infrastructure cloud resources, services and integrations, while Ververica manages its own cloud-native services.

BYOC Shared Responsibility

This image depicts the separation of responsibilities. Ververica manages the control plane. Customers manage the data plane.

Customer Responsibilities

Customers maintain a high degree of operational responsibility for the underlying infrastructure and service integrations within their own cloud environments. While Ververica manages essential cloud-native services and operational tasks, customers are fully accountable for managing their own resources, configuring their environment, and ensuring compliance with their organizational security and operational standards. The responsibilities include:

  • Managing cloud infrastructure (e.g., EKS, EC2, VPC, etc.).
  • Setting up and maintaining compute instances, storage, networking, metrics, and logging systems.
  • Managing services and integrations, including custom requirements.
  • Implementing zero-trust security policies, including agent configuration.

Ververica Responsibilities

Ververica is responsible for maintaining and managing key components of the deployment framework to ensure seamless operations and integration with customer infrastructure. Ververica oversees cloud-native services and supports customers by reducing operational complexity and maintaining high availability. The responsibilities include:

  • Managing and distributing agent, platform, and engine containers via helm charts.
  • Maintaining metadata in the control plane and overseeing lifecycle updates to Ververica services.
  • Ensuring smooth integration and lifecycle management of cloud-native services.

Strategic Benefits

With this deployment option, organizations can realize strategic benefits:

  • Optimize spend by using existing cloud spend agreements or credits without incurring additional costs for vendor lock-in.
  • Implement a zero-trust security architecture so teams can fully define encryption, access policies, and data handling tailored to their security posture.
  • Switch or scale vendors across cloud regions as business priorities shift without rebuilding entire environments.

Related Topics

  • Go to Getting Started to learn how to get up and running with Ververica Cloud: Bring Your Own Cloud.
  • Learn about the Ververica Unified Streaming Data Platform interface and how to get the most value from it.
On this page