documentation
Get Started Free
  • Get Started Free
  • Courses
      What are the courses?

      Video courses covering Apache Kafka basics, advanced concepts, setup and use cases, and everything in between.

      Learning pathways (21)
      New Courses
      NewApache Flink® 101
      NewBuilding Flink® Apps in Java
      NewKafka® for .NET Developers
      NewPractical Event Modeling
      NewHybrid and Multicloud Architecture
      NewMastering Production Data Streaming Systems with Apache Kafka®
      Featured Courses
      Kafka® 101
      Kafka® Connect 101
      Kafka Streams 101
      Schema Registry 101
      ksqlDB 101
      Data Mesh 101
  • Learn
      Pick your learning path

      A wide range of resources to get you started

      Start Learning
      Articles

      Deep-dives into key concepts
      Patterns

      Architectures for event streaming
      FAQs

      Q & A about Kafka® and its ecosystem
      100 Days of Code

      A self-directed learning path
      Blog

      The Confluent blog
      Podcast

      Our podcast, Streaming Audio
      Coding in Motion

      Build a real-time streaming app
      NewApache Kafka® on the Go

      One-minute guides to Kafka's core concepts
  • Build
      Design. Build. Run.

      Build a client app, explore use cases, and build on our demos and resources

      Start Building
      Language Guides

      Build apps in your favorite language
      Tutorials

      Hands-on stream processing examples
      Demos

      More resources to get you started
  • Community
      Join the Community

      Confluent proudly supports the global community of streaming platforms, real-time data streams, Apache Kafka®️, and its ecosystems

      Learn More
      Meetups & Events

      Kafka and data streaming community
      Ask the Community

      Community forums and Slack channels
      Community Catalysts

      Sharing expertise with the community
      DevX Newsletter

      Bi-weekly newsletter with Apache Kafka® resources, news from the community, and fun links.
      Current 2023

      View sessions and slides from Current 2023
      Kafka Summit 2023

      View sessions and slides from Kafka Summit 2023
      Current 2022

      View sessions and slides from 2022
      Data Streaming Awards

      Nominate amazing use cases and view previous winners
Courses
What are the courses?

Video courses covering Apache Kafka basics, advanced concepts, setup and use cases, and everything in between.

Learning pathways (21)
New Courses
NewApache Flink® 101
NewBuilding Flink® Apps in Java
NewKafka® for .NET Developers
NewPractical Event Modeling
NewHybrid and Multicloud Architecture
NewMastering Production Data Streaming Systems with Apache Kafka®
Featured Courses
Kafka® 101
Kafka® Connect 101
Kafka Streams 101
Schema Registry 101
ksqlDB 101
Data Mesh 101
Learn
Pick your learning path

A wide range of resources to get you started

Start Learning
Articles

Deep-dives into key concepts
Patterns

Architectures for event streaming
FAQs

Q & A about Kafka® and its ecosystem
100 Days of Code

A self-directed learning path
Blog

The Confluent blog
Podcast

Our podcast, Streaming Audio
Coding in Motion

Build a real-time streaming app
NewApache Kafka® on the Go

One-minute guides to Kafka's core concepts
Build
Design. Build. Run.

Build a client app, explore use cases, and build on our demos and resources

Start Building
Language Guides

Build apps in your favorite language
Tutorials

Hands-on stream processing examples
Demos

More resources to get you started
Community
Join the Community

Confluent proudly supports the global community of streaming platforms, real-time data streams, Apache Kafka®️, and its ecosystems

Learn More
Meetups & Events

Kafka and data streaming community
Ask the Community

Community forums and Slack channels
Community Catalysts

Sharing expertise with the community
DevX Newsletter

Bi-weekly newsletter with Apache Kafka® resources, news from the community, and fun links.
Current 2023

View sessions and slides from Current 2023
Kafka Summit 2023

View sessions and slides from Kafka Summit 2023
Current 2022

View sessions and slides from 2022
Data Streaming Awards

Nominate amazing use cases and view previous winners
Get Started Free
Confluent Documentation
  1. Home
  2. Cloud
  3. Manage Networking on Confluent Cloud
  4. Networking with AWS
  5. Use AWS PrivateLinks

CLOUD

  • Overview
  • Get Started
    • Overview
    • Quick Start
    • Kafka API Quick Start
    • Manage Schemas Quick Start
    • Deploy Free Clusters
    • Tutorials and Examples
      • Overview of Confluent Cloud Examples
      • Example: Create Fully-Managed Services
      • Example: Build an ETL Pipeline
      • Confluent Replicator to Confluent Cloud Configurations
  • Manage Kafka Clusters
    • Overview
    • Cluster Types
    • Manage Configuration Settings
    • Cloud Providers and Regions
    • Resilience
    • Copy Data with Cluster Linking
      • Overview
      • Quick Start
      • Use Cases and Tutorials
        • Share Data Across Clusters, Regions, and Clouds
        • Disaster Recovery and Failover
        • Create Hybrid Cloud and Bridge-to-Cloud Deployments
        • Use Tiered Separation of Critical Workloads
        • Migrate Data
        • Manage Audit Logs
      • Configure, Manage, and Monitor
        • Configure and Manage Cluster Links
        • Manage Mirror Topics
        • Manage Private Networking
        • Manage Security
        • Monitor Metrics
      • FAQ
      • Troubleshooting
    • Copy Data with Replicator
      • Quick Start
      • Use Replicator to Migrate Topics
    • Resize a Dedicated Cluster
    • Multi-tenancy and Client Quotas for Dedicated Clusters
      • Overview
      • Quick Start
    • Use Self-managed Encryption Keys
      • Protect Data at Rest using Self-managed Encryption Keys
      • Use Self-managed Encryption Keys on AWS
      • Use Self-managed Encryption Keys on Azure
      • Use Self-managed Encryption Keys on Google Cloud
      • Use Confluent CLI for Self-managed Encryption Keys
      • Use BYOK API for Self-managed Encryption Keys
      • Revoke Access to Data at Rest
      • Best Practices
    • Create Cluster Using Terraform
    • Create Cluster Using Pulumi
    • Connect Confluent Platform and Cloud Environments
      • Overview
      • Connect Self-Managed Control Center to Cloud
      • Connect Self-Managed Clients to Cloud
      • Connect Self-Managed Connect to Cloud
      • Connect Self-Managed REST Proxy to Cloud
      • Connect Self-Managed ksqlDB to Cloud
      • Connect Self-Managed MQTT to Cloud
      • Connect Self-Managed Schema Registry to Cloud
      • Connect Self-Managed Streams to Cloud
      • Example: Autogenerate Self-Managed Component Configs for Cloud
  • Build Client Applications
    • Overview
    • Connect with Confluent (Partner Integration)
    • Client Quick Start
    • Configuration Settings
    • Kafka Consumer
    • Kafka Producer
    • Guides
      • Python Client
      • .NET Client
      • Go Client
      • Java Client
      • C++ Client
      • JMS Client
    • Examples
      • Overview
      • C/C++ Example
      • .NET Example
      • Go Example
      • Spring Boot Example
      • Java Example
      • KafkaProducer Example
      • Python Example
      • REST Example
      • Node.js Example
      • Clojure Example
      • Groovy Example
      • Kafka Connect Datagen Example
      • kafkacat Example
      • Kotlin Example
      • Ruby Example
      • Rust Example
      • Scala Example
    • Architecture
    • Test
    • Monitor
    • Optimize and Tune
      • Overview
      • Configuration Settings
      • Throughput
      • Latency
      • Durability
      • Availability
  • Manage Accounts and Access
    • Resource Hierarchy
      • Overview
      • Organizations
        • Overview
        • Manage Multiple Organizations
      • Environments
      • Confluent Resource Names (CRNs)
    • Manage Accounts
      • Service Accounts
      • User Accounts
    • Authenticate
      • Overview
      • Use API Keys
        • Overview
        • Best Practices
        • Troubleshoot
      • Use OAuth
        • Overview
        • Add an OAuth/OIDC identity provider
        • Use identity pools and filters
        • Manage the JWKS URI
        • Configure OAuth clients
        • Access Kafka REST APIs
        • Use Confluent STS tokens with REST APIs
        • Best Practices
      • Use Single Sign-on (SSO)
        • Single Sign-on (SSO)
        • Enable SAML SSO
        • Just-in-time User Provisioning
        • Enable Group Mapping
      • Authentication Security Protections
    • Control Access
      • Role-Based Access Control
        • Role-based Access Control (RBAC)
        • Predefined RBAC Roles
        • Manage Role Bindings
        • Use ACLs with RBAC
      • Access Control Lists
      • Use the Confluent CLI with multiple credentials
    • Access Management Tutorial
  • Manage Topics
    • Overview
    • Work With Topics
    • Use the Message Browser
    • Share Streams
      • Overview
      • Provide Stream Shares
      • Consume Stream Shares
  • Govern Data Streams
    • Overview
    • Stream Governance
      • Packages, Features, and Limits
      • Data Portal
      • Track Data with Stream Lineage
      • Manage Stream Catalog
        • Stream Catalog User Guide
        • REST API Catalog Usage Guide
        • GraphQL API Catalog Usage Guide
    • Manage Schemas
      • Overview
      • Manage Schemas
      • Delete Schemas and Manage Storage
      • Use Broker-Side Schema Validation
      • Schema Linking
      • Schema Registry Tutorial
    • Fundamentals
      • Key Concepts
      • Schema Evolution and Compatibility
      • Schema Formats
        • Formats, Serializers, and Deserializers
        • Avro
        • Protobuf
        • JSON Schema
      • Data Contracts
      • Security
    • Reference
      • Schema Registry REST API Usage Examples
      • Clusters API Quick Start
      • Use AsyncAPI to Describe Topics and Schemas
      • Maven Plugin
    • FAQ
  • Connect to External Systems
    • Overview
    • Install Connectors
      • ActiveMQ Source
      • AlloyDB Sink
      • Amazon CloudWatch Logs Source
      • Amazon CloudWatch Metrics Sink
      • Amazon DynamoDB Sink
      • Amazon Kinesis Source
      • Amazon Redshift Sink
      • Amazon SQS Source
      • Amazon S3 Sink
      • Amazon S3 Source
      • AWS Lambda Sink
      • Azure Blob Storage Sink
      • Azure Blob Storage Source
      • Azure Cognitive Search Sink
      • Azure Cosmos DB Sink
      • Azure Cosmos DB Source
      • Azure Data Lake Storage Gen2 Sink
      • Azure Event Hubs Source
      • Azure Functions Sink
      • Azure Log Analytics Sink
      • Azure Service Bus Source
      • Azure Synapse Analytics Sink
      • Databricks Delta Lake Sink
        • Set up Databricks Delta Lake (AWS)
        • Configure and launch the connector
      • Datadog Metrics Sink
      • Datagen Source (development and testing)
      • Elasticsearch Service Sink
      • GitHub Source
      • Google BigQuery Sink (Legacy)
      • Google BigQuery Sink V2
      • Google Cloud BigTable Sink
      • Google Cloud Dataproc Sink
      • Google Cloud Functions Sink
      • Google Cloud Spanner Sink
      • Google Cloud Storage Sink
      • Google Cloud Storage Source
      • Google Cloud Pub/Sub Source
      • HTTP Sink
      • HTTP Source
      • IBM MQ Source
      • InfluxDB 2 Sink
      • InfluxDB 2 Source
      • Jira Source
      • Microsoft SQL Server CDC Source (Debezium)
      • Microsoft SQL Server Sink (JDBC)
      • Microsoft SQL Server Source (JDBC)
      • MongoDB Atlas Sink
      • MongoDB Atlas Source
      • MQTT Sink
      • MQTT Source
      • MySQL CDC Source (Debezium)
      • MySQL Sink (JDBC)
      • MySQL Source (JDBC)
      • New Relic Metrics Sink
      • Oracle CDC Source
        • Connector Features
        • Horizontal Scaling
        • Oracle Database Prerequisites
        • Configure and Launch the connector
        • SMT examples
        • DDL Changes
        • Troubleshooting
      • Oracle Database Sink (JDBC)
      • Oracle Database Source (JDBC)
      • PagerDuty Sink
      • Pinecone Sink
      • PostgreSQL CDC Source (Debezium)
      • PostgreSQL Sink (JDBC)
      • PostgreSQL Source (JDBC)
      • RabbitMQ Source
      • RabbitMQ Sink
      • Redis Sink
      • Salesforce Bulk API Source
      • Salesforce Bulk API 2.0 Sink
      • Salesforce Bulk API 2.0 Source
      • Salesforce CDC Source
      • Salesforce Platform Event Sink
      • Salesforce Platform Event Source
      • Salesforce PushTopic Source
      • Salesforce SObject Sink
      • ServiceNow Sink
      • ServiceNow Source
      • SFTP Sink
      • SFTP Source
      • Snowflake Sink
      • Solace Sink
      • Splunk Sink
      • Zendesk Source
    • Install Custom Plugins and Custom Connectors
      • About Custom Connectors
      • Quick Start
      • Manage Custom Connectors
      • Limitations and Support
      • API and CLI
    • Networking, DNS, and Service Endpoints
    • Confluent Cloud API for Managed and Custom Connectors
    • Manage Public Egress IP Addresses
    • Preview Connector Output
    • Configure Single Message Transforms
    • View Connector Events
    • Manage Service Accounts
    • Configure RBAC
    • View Errors in the Dead Letter Queue
    • Connector Limits
    • Transforms List
      • Single Message Transforms for Confluent Platform
      • Cast
      • Drop
      • DropHeaders
      • EventRouter (Debezium)
      • ExtractField
      • ExtractTopic
      • Filter (Apache Kafka)
      • Filter (Confluent)
      • Flatten
      • GzipDecompress
      • HeaderFrom
      • HoistField
      • InsertField
      • InsertHeader
      • MaskField
      • MessageTimestampRouter
      • RegexRouter
      • ReplaceField
      • SetSchemaMetadata
      • TimestampConverter
      • TimestampRouter
      • TombstoneHandler
      • TopicRegexRouter
      • ValueToKey
      • Custom transformations
  • Process Data Streams
    • Flink SQL Overview
    • Get Started with Flink SQL
      • Get Started
      • Quick Start with Cloud Console
      • Quick Start with SQL Shell
    • How-To Guides
      • How-to Guides
      • Aggregate a Stream in a Tumbling Window
      • Convert the Serialization Format of a Topic
    • Concepts
      • Stream Processing Concepts
      • Compute Pools
      • Statements
      • Determinism in Continuous Queries
      • Dynamic Tables
      • Timely Stream Processing
      • Time Attributes
    • Operate and Deploy
      • Operate and Deploy
      • Manage statement life cycle with the Confluent CLI
      • Monitor Statements
      • Grant Role-Based Access
      • Generate a HAR file for Troubleshooting
    • Reference
      • Flink SQL Reference
      • SQL Syntax
      • Statements
        • Overview
        • ALTER TABLE
        • CREATE TABLE
        • DESCRIBE
        • RESET
        • SET
        • SHOW
        • USE CATALOG
        • USE DATABASE
      • Queries
        • DML Queries
        • Deduplication
        • Group Aggregation
        • INSERT INTO FROM SELECT
        • INSERT VALUES
        • Joins
        • LIMIT
        • Pattern Recognition
        • ORDER BY
        • OVER Aggregation
        • SELECT
        • Set Logic
        • Top-N
        • Window Aggregation
        • Window Deduplication
        • Window Join
        • Window Top-N
        • Window Table-Valued Function
        • WITH
      • Functions
        • Functions
        • Aggregate
        • Collections
        • Comparison
        • Conditional
        • Datetime
        • Hashing
        • JSON
        • Numeric
        • String
      • Data Types
      • Time Zone
      • Serialize and Deserialize Data
      • Reserved Keywords
      • Notable Limitations in Public Preview
    • Get Help
    • Build Data Pipelines with Stream Designer
      • Stream Designer for Confluent Cloud
      • Quick Start for Stream Designer
      • Create a Join Pipeline
      • Create an Aggregation Pipeline
      • Import a Recipe Into a Pipeline
      • Import and Export a Pipeline
      • Edit and Update a Pipeline
      • Role-Based Access Control for Pipelines
      • Troubleshoot a Pipeline in Stream Designer
      • Manage Pipelines With the CLI
      • Manage Pipelines With the REST API
      • Manage Pipeline Secrets
    • Create Stream Processing Apps with ksqlDB
      • Create Stream Processing Apps with ksqlDB
      • Enable ksqlDB Integration with Schema Registry
      • ksqlDB Cluster API Quick Start
      • Monitor ksqlDB
      • Manage ksqlDB by using the Confluent CLI
      • Manage Connectors With ksqlDB
      • Develop ksqlDB Applications
      • Pull Queries
      • Quick Start
      • Grant Role-Based Access
  • Manage Networking
    • Networking in Confluent Cloud
    • Networking on AWS
      • Public Networking on AWS
      • Confluent Cloud Network on AWS
      • AWS PrivateLink
        • AWS PrivateLink for Dedicated Clusters
        • AWS PrivateLink for Enterprise Clusters
      • VPC Peering on AWS
      • AWS Transit Gateway
    • Networking on Azure
      • Public Networking on Azure
      • Confluent Cloud Network on Azure
      • Azure Private Link
      • VNet Peering on Azure
    • Networking on Google Cloud
      • Public Networking on Google Cloud
      • Confluent Cloud Network on Google Cloud
      • Google Cloud Private Service Connect
      • VPC Peering on Google Cloud
    • Connectivity for Confluent Resources
      • Schema Registry in Private Networking
      • Public Egress IP Address for Connectors and Cluster Linking
      • Cluster Linking in AWS PrivateLink
      • Follower Fetching in AWS VPC Peering
    • Use Confluent Cloud with Private Networking
    • Test Connectivity
  • Log and Monitor
    • Audit Logs
      • Concepts
      • Understand Audit Log Records
      • Event Schema
      • Auditable Event Methods
        • Connector
        • Custom connector plugin
        • Flink
        • Kafka Cluster Authentication and Authorization
        • Kafka Cluster Management
        • ksqlDB Cluster Authentication and Authorization
        • Networking
        • Notifications Service
        • OAuth/OIDC Identity Provider and Identity Pool
        • Organization
        • Pipeline (Stream Designer)
        • Role-based Access Control (RBAC)
        • Schema Registry Authentication and Authorization
        • Schema Registry Management and Operations
      • Access and Consume Audit Log Records
      • Retain Audit Logs
      • Best Practices
      • Troubleshoot
    • Metrics
    • Manage Notifications
    • Monitor Consumer Lag
    • Monitor Dedicated Clusters
      • Monitor Cluster Load
      • Manage Performance and Expansion
      • Track Usage by Team
    • Observability for Kafka Clients to Confluent Cloud
  • Manage Billing
    • Overview
    • Marketplace Consumption Metrics
    • Use AWS Pay As You Go
    • Use AWS Commits
    • Use Azure Pay As You Go
    • Use Azure Commits
    • Use GCP Pay As You Go
    • Use GCP Commits
    • Marketplace Organization Suspension and Deactivation
  • Manage Service Quotas
    • Service Quotas
    • List Service Quotas using Confluent CLI
    • Service Quotas API
  • APIs
    • Confluent Cloud APIs
    • Kafka Admin and Produce APIs
    • Connect API
    • Metrics API
    • Stream Catalog REST API Usage
    • GraphQL API
    • Service Quotas API
    • Stream Designer Pipelines API
    • Public API Terms of Use
  • Confluent CLI
  • Release Notes & FAQ
    • Release Notes
    • FAQ
    • Upgrade Policy
    • Compliance
  • Support
  • Glossary

AWS PrivateLink for Enterprise Clusters¶

Confluent Cloud supports private connectivity for Enterprise Kafka clusters using PrivateLink Attachment. When you use PrivateLink Attachment, your Enterprise cluster is only accessible from tenant-specific private endpoints. Public access is blocked with PrivateLink Attachment.

Confluent Cloud uses the following private networking resources for Enterprise clusters. These resources are regional and do not have a mapping to specific availability zones.

PrivateLink Attachment

The PrivateLink Attachment (PrivateLinkAttachment) resource represents a reservation to establish a PrivateLink connection from your VPC to regional services in a Confluent Cloud environment.

A PrivateLink Attachment belongs to an Environment in the Confluent resource hierarchy.

PrivateLink Attachment Connection
A PrivateLink Attachment Connection (PrivateLinkAttachmentConnection) is a registration of VPC interface endpoints that are allowed to connect to Confluent Cloud. A PrivateLink Attachment Connection belongs to a specific PrivateLink Attachment.

You can use Confluent Cloud UI, Confluent REST API, or Terraform to establish a PrivateLink connectivity for an Enterprise cluster.

The high-level workflow is:

  1. In Confluent Cloud, create a PrivateLinkAttachment.

  2. In AWS, create a VPC Endpoint to the PrivateLinkAttachment service.

  3. In Confluent Cloud, create a PrivateLinkAttachmentConnection.

  4. Set up a DNS resolution.

  5. Create a Kafka client in your VPC using the bootstrap endpoint of your Enterprise Kafka cluster. This Kafka client can live in Virtual Machine or similar compute infrastructure.

  6. Validate produce/consume traffic is successful.

    Once you create a PrivateLinkAttachment resource and establish a PrivateLink, you can securely send and receive traffic through the PrivateLink between your VPC and Confluent Cloud.

Requirements and considerations¶

  • You can connect to only one environment from a single VPC or from an on-prem network.
  • The following regions are supported:
    • us-east-1
    • us-east-2
    • us-west-2
    • eu-west-1
    • eu-central-1
    • ap-south-1
    • ap-southeast-2
    • ap-southeast-1
    • af-south-1
  • Fully-managed Confluent Cloud connectors can connect to sources or sinks using public IP addresses. Sources or sinks in the customer network with private IP addresses are not supported. An exception to this is the Amazon S3 Sink connector which can connect to an Amazon S3 bucket from a private network.
  • Confluent Cloud Console components, like topic management, require additional configuration to function as they use cluster endpoints. To use all features of the Confluent Cloud Console with AWS PrivateLink, see Use Confluent Cloud with Private Networking.

Create a PrivateLink Attachment¶

When you create a PrivateLink Attachment in an environment and in a region, the PrivateLink Attachment resource provides connectivity to all Enterprise Kafka clusters within the environment for the specific cloud region.

  1. In the Confluent Cloud Console, select an environment for the PrivateLink Attachment.
  2. In the Network management tab in the environment, click Add network configuration.
  3. Select For Enterprise Clusters and click Continue.
  4. Select AWS, select Region, and click Continue.
  5. Provide the PrivateLink Attachment name in the Network name field and click Add network configuration.

The PrivateLink Attachment will be provisioned and move to the Waiting for connection state.

A PrivateLink Attachment can be in one of the following states:

  • WAITING FOR CONNECTION: The PrivateLink Attachment is waiting for a connection to be created.
  • READY: AWS PrivateLink connectivity is ready to be used.
  • EXPIRED: A valid connection has not been provisioned within the allotted time. A new PrivateLink Attachment must be provisioned.

  1. Send a request to create a PrivateLink Attachment resource:

    REST request

    POST https://api.confluent.cloud/networking/v1/private-link-attachments

    REST request body

    {
  "spec":
  {
    "display_name": "<name of this resource>",
    "cloud": "<provider type>",
    "region": "<region>",
    "environment":
    {
      "id": "<environement id>"
    }
  }
}

    In the REST response, status.phase should be set to PROVISIONING because a VPC Endpoint Service has not yet been allocated.

  2. Check the status of the new PrivateLink Attachment:

    REST request

    GET https://api.confluent.cloud/networking/v1/private-link-attachments/<platt-id>

    REST response example

    {
  "status":
  {
    "phase": "WAITING_FOR_CONNECTIONS",
    "error_code": "",
    "error_message": "",
    "cloud":
    {
      "kind": "AwsPrivateLinkAttachmentStatus",
      "vpc_endpoint_service_id": "com.amazonaws.vpce.us-east-1.vpce-svc-123abcc1298abc123",
    }
  }
}

    status.phase is WAITING_FOR_CONNECTIONS because a VPC Endpoint has not been associated with this PrivateLink Attachment resource yet.

    The status.cloud object has information about the vpc_endpoint_service that you must connect your PrivateLink Attachment endpoint to.

Create a VPC Endpoint¶

In AWS, create an endpoint that is associated with the PrivateLink Service ID of the PrivateLink Attachment you created in Create a PrivateLink Attachment.

  1. In the AWS Management Console, go to the the VPC dashboard.
  2. Verify that DNS hostnames and DNS resolution are enabled.
    1. In the navigation menu under VIRTUAL PRIVATE CLOUD, click Your VPCs.
    2. Select your VPC and click Edit VPC settings.
    3. Under DNS settings, verify that Enable DNS resolution and Enable DNS hostnames are selected and then click Save.
  3. In the navigation menu under VIRTUAL PRIVATE CLOUD, click Endpoints, and click Create endpoint.
  4. In Name tag, specify the name of the endpoint.
  5. In Service category, select Other endpoint services.
  6. In the Service name field, specify the PrivateLink Service ID of the PrivateLink Attachment you created in Create a PrivateLink Attachment.
  7. In the VPC field, specify the ID of this VPC.
  8. Uncheck the Enable DNS name setting under Additional settings (only appearing after the VPC is selected).
  9. In Subnets, select the subnets in which to create an endpoint network interface.
  10. Select or create a security group for the VPC Endpoint.
    • Add three inbound rules for each of ports 80, 443, and 9092 from your desired source (your VPC CIDR). The Protocol should be TCP for all three rules.
    • Port 80 is not required, but is available as a redirect only to https/443, if desired.
  11. Click Create endpoint.
  12. Note that the VPC endpoint ID created.
aws ec2 create-vpc-endpoint --vpc-id <id of this VPC> \
  --service-name <privatelink attachment service id> \
  --subnet-ids <subnet IDs for the endpoint> \
  --region <region to use> \
  --private-dns-enabled false \
  --vpc-endpoint-type Interface

Note that the VPC endpoint ID is created.

For example, using the information in status.cloud.vpc_endpoint_service_i in the PrivateLink Attachment status:

aws ec2 create-vpc-endpoint --vpc-id vpc-097799943f9fc059d \
  --service-name com.amazonaws.vpce.us-east-1.vpce-svc-123abcc1298abc123 \
  --subnet-ids subnet-7b16de0c \
  --region us-east-1 \
  --private-dns-enabled false \
  --vpc-endpoint-type Interface

Create a PrivateLink Attachment Connection¶

Create a PrivateLink Attachment Connection (PrivateLinkAttachmentConnection) resource in Confluent Cloud. A PrivateLink Attachment Connection represents a VPC Interface Endpoint in your VPC.

The name of the VPC Endpoint Service is not required. Confluent will check which VPC Endpoint Service is associated with the PrivateLink Attachment that has a pending VPC Endpoint with the given ID.

  1. In Confluent Cloud Console, in the Network management tab in the environment, click the PrivateLink Attachment you want to add a connection to.

    Make sure the PrivateLink Attachment is in the correct region of the VPC Private Endpoint.

  2. Click + Add connection.

  3. Specify the connection name and the Private Endpoint ID.

    The Private Endpoint ID is the id of the VPC Endpoint that was created in Create a VPC Endpoint.

  4. Click Finish.

The PrivateLink Attachment and PrivateLink Attachment Connection should now move to the READY state once the VPC Endpoint connection is accepted.

  1. Send a request to create a PrivateLink Attachment Connection resource:

    REST request

    POST https://api.confluent.cloud/networking/v1/private-link-attachment-connections

    REST request body

    {
  "spec":
  {
    "display_name": "<PrivateLinkAttachmentEndpoint name>",
    "cloud":
    {
      "kind": "AwsPrivateLinkAttachmentConnection",
      "vpc_endpoint_id": "<VPC Private Endpoint ID>",
    },
    "environment":
    {
      "id": "<Environment ID>",
    },
    "private_link_attachment":
    {
      "id": "<PrivateLinkAttachment>",
    }
  }
}

    REST response example

    {
  "api_version": "networking/v1",
  "kind": "PrivateLinkAttachmentConnection",
  "id": "plattc-xyzuvw",
  "status": {
    "phase": "PROVISIONING",
    "error_code": "",
    "error_message": "",
  }
}

    status.phase is PROVISIONING because a VPC Endpoint connection has not yet been accepted.

  2. Check the status of the new PrivateLink Attachment Connection:

    REST request

    GET https://api.confluent.cloud/networking/v1/private-link-attachment-connections/<platt-id>

    REST response example

    {
  "api_version": "networking/v1",
  "kind": "PrivateLinkAttachmentConnection",
  "id": "plattc-xyzuvw",
  "status": {
    "phase": "READY",
    "error_code": "",
    "error_message": "",
    "cloud": {
      "kind": "AwsPrivateLinkAttachmentConnectionStatus",
      "phase": "READY",
      "vpc_endpoint_service": "com.amazonaws.vpce.us-east-1.vpce-svc-123abcc1298abc123",
      "vpc_endpoint_id": "vpce-bbbbbb2222222333"
    }
  }
}
    • status.phase is READY because a VPC Endpoint connection has been accepted.
    • status.cloud has an object of kind AwsPrivateLinkConnectionStatus.
    • vpc_endpoint_id reflects the value vpce-bbbbbb2222222333 that the customer registered.

Set up DNS resolution¶

Set up a Route53 Private Hosted Zone in your AWS VPC for DNS resolution.

  1. In Confluent Cloud, verify that the status of the PrivateLink Attachment Connection is READY.

  2. In Confluent Cloud, browse to Cluster Overview > Networking of the Enterprise cluster, and click the PrivateLink Attachment to get the DNS domain value of Confluent Cloud.

    The value is in the <region>.aws.private.confluent.cloud pattern.

  3. In the AWS Route 53 console, create a Route53 Private Hosted Zone:

    1. Specify the following values:
      • Domain name: Confluent Cloud DNS domain value from the previous step
      • Type: Private hosted zone
      • VPC ID: VPC ID where you added the VPC Endpoint
    2. Click Create hosted zone to associate the Private Hosted Zone with your VPC.

  4. Create a DNS record for the Hosted Zone you created above.

    1. Click Create Record from within the previously created Hosted Zone.
    2. Specify the following values:
      • Record name: *
      • Record type: CNAME
      • Value: DNS Name of your VPC Interface Endpoint
    3. Click Create Record.

Connectivity scenarios¶

Below are a few connectivity scenarios that are supported for Enterprise clusters in Confluent Cloud.

Scenario: Access one environment from one VPC¶

../_images/EnterpriseSKU-access-1env-from-1VPC.png

The following resources are configured:

  • PLATT-prod as a PrivateLink Attachment for accessing Kafka clusters in the env-prod environment.
  • PLATTC-123 as a PrivateLink Attachment Connection for the vpce-1 VPC endpoint in VPC-1
  • ProdApp as a Kafka client bootstrapped with lkc-123.us-west-2.aws.private.confluent.cloud
  • phz-1 as a Route53 Private Hosted Zone with the regional wildcard *.us-west-2.aws.private.confluent.cloud

The following steps are performed:

  1. ProdApp attempts to access lkc-123 in the env-prod environment. A DNS query for lkc-123.us-west-2.aws.private.confluent.cloud resolves against phz-1 and returns vpce-1.
  2. Application sends traffic to vpce-1.
  3. vpce-1 forwards traffic to PLATT-prod, and lkc-123 can be accessed since PLATTC-123 is associated with vpce-1.

Scenario: Access one environment from many VPC’s¶

../_images/EnterpriseSKU-access-1env-from-manyVPCs.png

The following resources are configured:

  • PLATT-abc as a PrivateLink Attachment for accessing Kafka clusters in the env-prod environment
  • PLATTC-123 as a PrivateLink Attachment Connection for the vpce-1 VPC endpoint in VPC-1
  • PLATTC-456 for the vpce-2 VPC endpoint in VPC-2
  • ProdApp-1 as a Kafka client bootstrapped with lkc-123.us-west-2.aws.private.confluent.cloud
  • ProdApp-2 as a Kafka client bootstrapped with lkc-456.us-west-2.aws.private.confluent.cloud
  • phz-1 as a Route53 Private Hosted Zone with the regional wildcard *.us-west-2.aws.private.confluent.cloud
  • phz-2 as a Route53 Private Hosted Zone with the regional wildcard *.us-west-2.aws.private.confluent.cloud

The following steps are performed:

  1. ProdApp-1 attempts to access lkc-123 in the env-prod environment. A DNS query for lkc-123.us-west-2.aws.private.confluent.cloud resolves against phz-1 and returns vpce-1.
  2. ProdApp-1 sends traffic to vpce-1.
  3. vpce-1 forwards traffic to PLATT-abc, and lkc-123 can be accessed since PLATTC-123 is associated with vpce-1.
  4. ProdApp-2 attempts to access lkc-456 in the env-prod environment. A DNS query for lkc-456.us-west-2.aws.private.confluent.cloud resolves against phz-2 and returns vpce-2.
  5. ProdApp-2 sends traffic to vpce-2.
  6. vpce-2 forwards traffic to PLATT-abc, and lkc-456 can be accessed since PLATTC-456 is associated with vpce-2.

Scenario: Access one environment from an on-premise network¶

../_images/EnterpriseSKU-access-1env-from-onprem.png

The following resources are configured:

  • PLATT-abc as a PrivateLink Attachment for accessing Kafka clusters in the env-abc environment
  • PLATTC-123 as a PrivateLink Attachment Connection for the vpce-1 endpoint in VPC-1
  • On-Prem-1 as a Kafka client bootstrapped with lkc-123.us-west-2.aws.private.confluent.cloud
  • ProdApp-1 as a Kafka client bootstrapped with lkc-123.us-west-2.aws.private.confluent.cloud
  • phz-fwd as a DNS forwarding rule with the regional wildcard *.us-west-2.aws.private.confluent.cloud
  • phz-1 as a Route53 Private Hosted Zone with the regional wildcard *.us-west-2.aws.private.confluent.cloud

The following steps are performed:

  1. On-Prem-1 attempts to access lkc-123 in the env-abc environment. A DNS query for lkc-123.us-west-2.aws.private.confluent.cloud forwards to phz-1 and returns vpce-1.
  2. On-Prem-1 sends traffic to vpce-1 over AWS DirectConnect.
  3. vpce-1 forwards traffic to PLATT-abc and lkc-123 can be accessed since PLATTC-123 is associated with vpce-1.

Was this doc page helpful?

Give us feedback

Do you still need help?

Confluent support portal Ask the community
Thank you. We'll be in touch!
Be the first to get updates and new content

By clicking "SIGN UP" you agree that your personal data will be processed in accordance with our Privacy Policy.

  • Confluent
  • About
  • Careers
  • Contact
  • Professional Services
  • Product
  • Confluent Cloud
  • ksqlDB
  • Developer
  • Free Courses
  • Tutorials
  • Event Streaming Patterns
  • Documentation
  • Blog
  • Podcast
  • Community
  • Forum
  • Meetups
  • Kafka Summit
  • Catalysts
Terms & Conditions Privacy Policy Do Not Sell My Information Modern Slavery Policy Cookie Settings Feedback

Copyright © Confluent, Inc. 2014- Apache, Apache Kafka, Kafka, the Kafka logo, Apache Flink, Flink, and the Flink logo are trademarks of the Apache Software Foundation

On this page: