Reuse Confluent Cloud Connections With External Services
Note
Early access to Connections
Connections in Confluent Cloud are available as an early access feature. An early access feature is a component of Confluent Cloud introduced to gain feedback. This feature should be used only for evaluation and non-production testing purposes or to provide feedback to Confluent, particularly as it becomes more widely available in follow-on preview editions.
Early Access Program features are intended for evaluation use in development and testing environments only, and not for production use. Early Access Program features are provided: (a) without support; (b) “AS IS”; and (c) without indemnification, warranty, or condition of any kind. No service level commitment will apply to Early Access Program features. Early Access Program features are considered to be a Proof of Concept as defined in the Confluent Cloud Terms of Service. Confluent may discontinue providing preview releases of the Early Access Program features at any time in Confluent’s sole discretion.
Connections in Confluent Cloud are resources that you configure to establish the parameters necessary for connecting to third-party services. Each Connection includes:
- Endpoint information (such as the URL or address of the external service)
- Authentication information (such as credentials or identity provider details)
Connections handle sensitive data securely (keeping passwords obfuscated and protected) and allow reuse across different applications, such as Flink AI and Flink UDFs, provided that proper permissions are granted.
When to use connections
Use connections when you need to:
- Integrate with AI/ML services: Connect to services like OpenAI, Amazon Bedrock, or Azure OpenAI for real-time data enrichment and AI processing.
- Store and retrieve data: Connect to databases like MongoDB, Couchbase, or search engines like Elastic for data storage and retrieval.
- Reuse configurations: Share connection settings across multiple Flink applications without duplicating sensitive credentials.
- Maintain security: Centrally manage authentication credentials and apply consistent security policies.
- Enable vector operations: Connect to vector databases like Pinecone for similarity search and retrieval-augmented generation (RAG) workflows.
Connections are particularly useful in streaming scenarios where you need to enrich real-time data with external services or store processed results in external services.
Connection details
A reusable connection in Confluent Cloud includes the following information:
Service
The service is the type of external service to connect to. These services include AI/ML services and databases. Each service has a unique service code (connection type). For a listing of supported external services and configuration parameters, see External Services for Confluent Cloud Connections.
REST endpoint
The specific REST endpoint or address for the external service. You can get the REST endpoint for a connection from the service provider’s documentation.
Examples of endpoints for supported services:
- OpenAI: https://api.openai.com/v1/chat/completions
- Amazon Bedrock: https://bedrock-runtime.us-east-1.amazonaws.com
- Azure OpenAI: https://your-resource.openai.azure.com/openai/deployments/your-model/chat/completions
- MongoDB: mongodb+srv://cluster0.example.mongodb.net
- Pinecone: https://your-index-name.svc.environment.pinecone.io
- Elastic: https://your-deployment.es.region.cloud.es.io
Authentication method
The authentication method defines how the connection is authenticated to the external service. Choose an authentication method based on your security requirements:
Security strength | Authentication methods |
---|---|
High | |
Moderate | |
Low | |
Connection resource scope
Connection resources are scoped to their parent Confluent Cloud environment. Only applications in the same Confluent Cloud environment can be granted access to a connection resource.
- Connection resources cannot be shared across Confluent Cloud environments.
- Connection resources are regional, meaning they are specific to a supported Confluent Cloud region. Applications in different regions cannot access the same connection resource.
- When using private networking, a connection can use networking resources (including networks and access points) in the same Confluent Cloud environment.
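A pre-flight check for the endpoint and scope rules described above, as an added example that is not Confluent's code. The `Connection` and `App` classes, their field names, the list of secret-looking parameter names, and all environment and region values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Hypothetical model for illustration; these are not Confluent API field names.
@dataclass
class Connection:
    name: str
    endpoint: str
    environment: str
    region: str
    network_environment: Optional[str] = None  # set only with private networking

@dataclass
class App:
    name: str
    environment: str
    region: str

ALLOWED_SCHEMES = {"https", "mongodb+srv"}  # schemes used by the page's endpoint examples
SECRET_PARAMS = {"api_key", "apikey", "key", "token", "password", "secret"}  # assumed names

def lint_connection(conn: Connection, app: App) -> List[str]:
    """Return a list of findings; an empty list means the pairing passes."""
    findings = []
    url = urlsplit(conn.endpoint)
    if url.scheme not in ALLOWED_SCHEMES:
        findings.append(f"endpoint scheme '{url.scheme}' is not allowed")
    # Credentials belong in the connection's authentication settings, not the URL.
    if url.username or url.password:
        findings.append("credentials embedded in endpoint URL")
    leaked = sorted(k for k, _ in parse_qsl(url.query) if k.lower() in SECRET_PARAMS)
    if leaked:
        findings.append(f"secret-looking query parameters: {leaked}")
    # Scope rules: same environment, same region, network in the same environment.
    if conn.environment != app.environment:
        findings.append("connection and application are in different environments")
    if conn.region != app.region:
        findings.append("connection and application are in different regions")
    if conn.network_environment and conn.network_environment != conn.environment:
        findings.append("private network is in a different environment")
    return findings

if __name__ == "__main__":
    # Constructed sample values.
    conn = Connection("mongo-sink", "mongodb+srv://svc:example-pw@cluster0.example.mongodb.net",
                      "env-aaa111", "us-east-1", network_environment="env-bbb222")
    for finding in lint_connection(conn, App("enrich-job", "env-aaa111", "eu-west-1")):
        print(finding)
```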
Prerequisites
Before creating a connection, ensure you have the following:
- Service provider account: An active account with the external service you want to connect to.
- Authentication credentials: Valid credentials for the service (API keys, access keys, or service account credentials).
- Endpoint information: The correct REST endpoint URL for your service instance.
- Network access: Appropriate network connectivity between Confluent Cloud and the external service.
- Required permissions: One of the Confluent Cloud roles listed in the Security section below.
Note
Some services may require additional setup, such as creating API keys, configuring IAM roles, or enabling specific service features. Refer to the service provider’s documentation for detailed setup instructions.
Security
To create a connection, you need to be granted one of the following Confluent Cloud RBAC roles:
When a user with one of these roles creates a connection, they can optionally assign a ResourceOwner role to another user.
Security best practices
- Use the highest security authentication method available for your service.
- Regularly rotate API keys and access credentials.
- Apply the principle of least privilege when configuring service permissions.
- Monitor connection usage through Confluent Cloud audit logs.
- Use private networking when available to reduce exposure over the public internet.
Note
All endpoints require authentication and appropriate permissions. Sensitive fields (such as API keys) are obfuscated in responses.
Next steps
- Plan your integration: Identify which external services you need to connect to and review their authentication requirements.
- Set up credentials: Obtain the necessary API keys, access keys, or configure managed identities for your chosen services.
- Create connections: Follow the instructions in Manage Connections with External Services in Confluent Cloud to create and configure your connections.
- Test your setup: Verify connectivity and authentication before using connections in production applications.
- Implement security: Apply best practices for credential management and access control.