Skip to main content

Azure Event Hubs

This document describes how to securely connect a Ververica Cloud (VVC) workspace to an Azure Event Hubs namespace using a private connection.

This process uses a User-Assigned Managed Identity (UAMI) and a Federated Credential to implement Azure AD Workload Identity. This pattern allows the Ververica Cloud to authenticate to Azure without using client secrets or other stored credentials.

Prerequisites

Before you begin, ensure you have the following:

  • An active Azure subscription where you can create resources. The Microsoft.Storage and Microsoft.Network resource providers must be registered.
  • An existing resource group to deploy the resources into.
  • Permissions in Azure to create Storage Accounts, User-Assigned Managed Identities, and create and assign custom RBAC roles at the subscription scope (e.g., Owner or User Access Administrator).
  • Access to your Ververica Cloud workspace to retrieve identity provider values and create the final connection.
  • Azure resources in the same region as your Ververica Cloud workspace’s data‑plane. Private Link is regional; it cannot span Azure regions.

Phase 1: Provision Core Azure Resources

First, create the Event Hubs namespace and the managed identity that will represent your Ververica workload.

Step 1: Create an Event Hubs Namespace

  1. In the Azure Portal, navigate to Event Hubs and click + Create.

  2. On the Basics tab, provide the following details:

    • Subscription: Select your subscription.
    • Resource group: Choose an existing group or create a new one.
    • Namespace name: Enter a globally unique name (e.g., vvc-prod-telemetry-ns).
    • Region: Select the Azure region for your namespace.
    • Pricing tier: You must select Standard or Premium. Private Link is not available on the Basic tier.
      • Standard: Use for enabling private endpoint access.
      • Premium: Use if you require network isolation via VNet injection in addition to private endpoints.

  3. Click Review + Create, then Create.

Step 2: Create a User-Assigned Managed Identity (UAMI)

info

To configure multiple private connections (for Event Hubs, Blob, etc.), you must reuse the same UAMI for every Azure resource.

  1. In the Azure Portal, search for and select Managed Identities.

  2. Click + Create.

  3. On the Basics tab, provide the following details:

    • Subscription: Select the same subscription used for your Event Hub.
    • Resource group: Select the same resource group.
    • Region: Select the same region.
    • Name: Provide a descriptive name (e.g., vvc-eventhub-connector-uami).

  4. Click Review + Create, then Create.

Phase 2: Establish the Trust Relationship

Next, grant the UAMI permission to access the Event Hub and configure the federated credential to establish trust with Ververica Cloud.

Step 3: Grant the UAMI Permissions to the Event Hub

  1. Navigate to your newly created Event Hubs Namespace.
  2. From the left menu, select Access control (IAM).
  3. Click + Add and select Add role assignment.
  4. In the Role tab, search for and select Azure Event Hubs Data Owner. This role provides comprehensive permissions needed for the connection.
  5. Go to the Members tab. For Assign access to, select Managed identity.
  6. Click + Select members and search for the UAMI you created in Step 2 (e.g., vvc-eventhub-connector-uami). Select it and click Select.
  7. Click Review + assign to grant the permission.

Step 4: Create the Federated Credential

This step links the UAMI to a specific service account in your Ververica Kubernetes environment, allowing it to request Azure tokens.

  1. In your Ververica Cloud workspace, navigate to ConfigurationsPrivate Connections.

  2. Under the Azure Identity Provider section, copy the following values:

  • Cluster Issuer URL
  • Namespace
  • Service Account

  1. In the Azure Portal, navigate back to your User-Assigned Managed Identity.

  2. From the left menu, select Federated credentials and click + Add Credential.

  3. For the Federated credential scenario, select Kubernetes accessing Azure resources.

  4. Paste the values you copied from Ververica Cloud into the corresponding fields:

    • Cluster issuer URL: Paste the Cluster Issuer URL value.
    • Namespace: Paste the Namespace value.
    • Service account name: Paste the Service Account value.

  5. Provide a Name for the credential (e.g., vvc-federation-link).

  6. Click Add to save the credential.

Phase 3: Finalize the Connection in Ververica Cloud

Finally, register the identity provider in Ververica Cloud and create the connection.

Step 5: Register the Azure Identity in Ververica

  1. In the Azure Portal, navigate to your UAMI's Properties page.
  2. Copy the Client ID and Tenant ID.
  3. In your Ververica Cloud workspace (ConfigurationsPrivate Connections), paste the values into the Azure Identity Provider Client ID and Current Azure Identity Provider Tenant ID fields, respectively.
  4. Click Save. The status should change to Ready.

Step 6: Create the Private Connection

  1. In the same Private Connections tab in Ververica, click + New Private Connection.

  2. Configure the connection details:

    • Connector Type: Select Azure Event Hub.
    • Connection Name: Enter a descriptive name (e.g., user-eventhub-connection).
    • Service Name: Paste the Resource ID of your Event Hubs Namespace.
      • To find the Resource ID: In the Azure Portal, go to your Event Hubs Namespace, select JSON View from the top-right of the Overview page, and copy the id value.

  3. Click Save. The connection status will transition and should eventually show as Created. This may require a page refresh.

Step 7: Verify the Connection in Azure

  1. Navigate back to your Event Hubs Namespace in the Azure Portal.
  2. From the left menu, under Settings, select Networking.
  3. Click the Private endpoint connections tab.
  4. You should see a new private endpoint listed with its Connection state as Approved. This confirms that the secure tunnel between Ververica Cloud and your Event Hub is established.
On this page