Prerequisites Checklist

Use this checklist to confirm your environment is fully prepared before proceeding to validation and deployment.

Common (All Clouds)

  • Onehouse account created — see Account Setup
  • Onehouse request ID received from the Onehouse team
  • Cloud account access with administrator-level permissions
  • VPC / VNet created
  • Private subnets across at least two availability zones
  • NAT Gateway configured for outbound internet access from private subnets
  • Storage service endpoint configured (S3 / GCS / Azure Blob) to avoid routing data traffic through NAT
  • Terraform state bucket onehouse-customer-bucket-<RequestIdPrefix> created in the deployment region
  • Lakehouse storage bucket created in the same region as your deployment
  • Terraform 1.11.0 installed

AWS

  • VPC CIDR is /16
  • At least 2 private subnets (/20 per subnet) across 2 AZs
  • At least 2 public subnets (for NAT Gateway)
  • Internet Gateway attached to VPC
  • NAT Gateway deployed in public subnet(s)
  • S3 VPC Gateway Endpoint created
  • S3 Gateway Endpoint policy configured for container image registries and lakehouse buckets
  • AWSServiceRoleForAmazonEKS exists in your account
  • AWSServiceRoleForAmazonEKSNodegroup exists in your account
  • AWSServiceRoleForAutoScaling exists in your account
  • Security groups / NACLs allow inbound access to EKS cluster endpoint from Onehouse control plane NAT IPs (54.153.81.1/32, 184.169.135.156/32)
  • Domain allowlist configured (only if egress firewall is in use)
  • VPC peering set up for data sources in separate VPCs (if applicable)
  • AWS credentials with administrator permissions available for Terraform
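
A pre-flight check for the AWS network items above, as an added example that is not Onehouse code: it validates the /16 VPC, the /20 private subnets across two AZs, and the cluster endpoint ingress against the control plane NAT IPs listed on this page. The function name, the input shape, the sample CIDRs and the flagging of 0.0.0.0/0 as too broad are assumptions made for illustration.

```python
import ipaddress

# Control plane NAT IPs as listed in the AWS checklist on this page.
ONEHOUSE_NAT_IPS = {"54.153.81.1/32", "184.169.135.156/32"}


def check_aws_network(vpc_cidr, private_subnets, endpoint_ingress):
    """Return a list of findings; an empty list means the layout passes.

    private_subnets: list of (cidr, availability_zone) tuples.
    endpoint_ingress: source CIDRs allowed to reach the EKS cluster endpoint.
    """
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.prefixlen != 16:
        findings.append(f"VPC {vpc} is /{vpc.prefixlen}, expected /16")

    nets = [(ipaddress.ip_network(c), az) for c, az in private_subnets]
    for net, _ in nets:
        if net.prefixlen != 20:
            findings.append(f"subnet {net} is /{net.prefixlen}, expected /20")
        if not net.subnet_of(vpc):
            findings.append(f"subnet {net} is outside VPC {vpc}")
    for i, (a, _) in enumerate(nets):
        for b, _ in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"subnets {a} and {b} overlap")
    if len(nets) < 2 or len({az for _, az in nets}) < 2:
        findings.append("need at least 2 private subnets across 2 AZs")

    allowed = {str(ipaddress.ip_network(c)) for c in endpoint_ingress}
    for missing in sorted(ONEHOUSE_NAT_IPS - allowed):
        findings.append(f"endpoint ingress missing Onehouse NAT IP {missing}")
    # Assumption: an any-source rule is treated as a finding, since the
    # checklist only asks for the two /32 sources above.
    for cidr in sorted(allowed):
        if ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append(f"endpoint ingress {cidr} is open to any source")
    return findings


if __name__ == "__main__":
    # Constructed sample layout, not taken from a real account.
    for finding in check_aws_network(
        "10.0.0.0/16",
        [("10.0.0.0/20", "us-west-1a"), ("10.0.16.0/20", "us-west-1b")],
        ["54.153.81.1/32", "184.169.135.156/32"],
    ):
        print(finding)
```

Feed it the CIDRs and security group sources from your Terraform variables or cloud console; any returned finding maps back to one checklist item.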

Google Cloud

  • Dedicated GCP project created for Onehouse resources
  • VPC CIDR is /16
  • Private subnet is /20
  • Two secondary IP ranges reserved in subnet: /20 for pods, /24 for services
  • NAT Gateway configured for outbound internet access
  • Private Google Access enabled on subnet
  • Terraform executor service account (terraform@<project>.iam.gserviceaccount.com) with Owner/Editor permissions
  • Service account JSON key file downloaded
  • Cloud Resource Manager API enabled
  • Kubernetes Engine API enabled
  • VPC firewall rules allow inbound access to GKE cluster endpoint from Onehouse control plane NAT IP (54.153.81.1/32)
  • Domain allowlist configured (only if egress firewall is in use)
  • VPC peering set up for data sources in separate VPCs/projects (if applicable)
  • gcloud CLI, yq, jq, curl installed

Azure

  • Azure subscription with permissions to create managed identities and role assignments
  • VNet CIDR is /16
  • Node subnet is /20 with Microsoft.Storage service endpoint enabled
  • Pod CIDR is /16 and Service CIDR is /16
  • NAT Gateway configured for outbound internet access
  • NSG / VNet firewall rules allow inbound access to AKS cluster endpoint from Onehouse control plane NAT IP (54.153.81.1/32)
  • Domain allowlist configured (only if egress firewall is in use)
  • VNet peering set up for data sources in separate VNets (if applicable)
  • Onehouse storage account resource ID received from Onehouse team
  • Customer storage account resource ID(s) ready (if providing your own data storage)
  • Resource group available (existing or will be created)
  • Azure CLI authenticated to the correct subscription

Next Step

Once all applicable items are checked, proceed to Deploy Customer Stack.