documentation
Get Started Free
  • Get Started Free
  • Courses
      What are the courses?

      Video courses covering Apache Kafka basics, advanced concepts, setup and use cases, and everything in between.

      Learning pathways (24)
      New Courses
      NewDesigning Event-Driven Microservices
      NewApache Flink® 101
      NewBuilding Flink® Apps in Java
      NewHybrid and Multicloud Architecture
      NewMastering Production Data Streaming Systems with Apache Kafka®
      Featured Courses
      Kafka® 101
      Kafka® Connect 101
      Kafka Streams 101
      Schema Registry 101
      ksqlDB 101
      Data Mesh 101
  • Learn
      Pick your learning path

      A wide range of resources to get you started

      Start Learning
      Articles

      Deep-dives into key concepts
      Patterns

      Architectures for event streaming
      FAQs

      Q & A about Kafka® and its ecosystem
      Blog

      The Confluent blog
      NewLearn More

      Our podcast, Streaming Audio
  • Build
      Design. Build. Run.

      Build a client app, explore use cases, and build on our demos and resources

      Start Building
      Language Guides

      Build apps in your favorite language
      Tutorials

      Hands-on stream processing examples
      Demos

      More resources to get you started
  • Community
      Join the Community

      Confluent proudly supports the global community of streaming platforms, real-time data streams, Apache Kafka®️, and its ecosystems

      Learn More
      Meetups & Events

      Kafka and data streaming community
      Ask the Community

      Community forums and Slack channels
      Community Catalysts

      Sharing expertise with the community
      DevX Newsletter

      Bi-weekly newsletter with Apache Kafka® resources, news from the community, and fun links.
      Data Streaming Awards

      Nominate amazing use cases and view previous winners
      NewCommunity Use Cases

      Real-world Examples of Apache Kafka® and Flink® in action
      NewKafka Summit 2024 - Bangalore

      Register now!
      NewKafka Summit 2024 - London
      NewCurrent 2024
      Current 2023

      View sessions and slides from Current 2023
      Kafka Summit 2023

      View sessions and slides from Kafka Summit 2023
Courses
What are the courses?

Video courses covering Apache Kafka basics, advanced concepts, setup and use cases, and everything in between.

Learning pathways (24)
New Courses
NewDesigning Event-Driven Microservices
NewApache Flink® 101
NewBuilding Flink® Apps in Java
NewHybrid and Multicloud Architecture
NewMastering Production Data Streaming Systems with Apache Kafka®
Featured Courses
Kafka® 101
Kafka® Connect 101
Kafka Streams 101
Schema Registry 101
ksqlDB 101
Data Mesh 101
Learn
Pick your learning path

A wide range of resources to get you started

Start Learning
Articles

Deep-dives into key concepts
Patterns

Architectures for event streaming
FAQs

Q & A about Kafka® and its ecosystem
Blog

The Confluent blog
NewLearn More

Our podcast, Streaming Audio
Build
Design. Build. Run.

Build a client app, explore use cases, and build on our demos and resources

Start Building
Language Guides

Build apps in your favorite language
Tutorials

Hands-on stream processing examples
Demos

More resources to get you started
Community
Join the Community

Confluent proudly supports the global community of streaming platforms, real-time data streams, Apache Kafka®️, and its ecosystems

Learn More
Meetups & Events

Kafka and data streaming community
Ask the Community

Community forums and Slack channels
Community Catalysts

Sharing expertise with the community
DevX Newsletter

Bi-weekly newsletter with Apache Kafka® resources, news from the community, and fun links.
Data Streaming Awards

Nominate amazing use cases and view previous winners
NewCommunity Use Cases

Real-world Examples of Apache Kafka® and Flink® in action
NewKafka Summit 2024 - Bangalore

Register now!
NewKafka Summit 2024 - London
NewCurrent 2024
Current 2023

View sessions and slides from Current 2023
Kafka Summit 2023

View sessions and slides from Kafka Summit 2023
Developer
Get Started Free
Confluent Documentation
  1. Home
  2. Cloud
  3. Manage Networking on Confluent Cloud
  4. Networking with AWS on Confluent Cloud
  5. Use AWS PrivateLinks on Confluent Cloud

CLOUD

  • Overview
  • Get Started
    • Overview
    • Quick Start
    • Kafka REST APIs
    • Manage Schemas
    • Deploy Free Clusters
    • Tutorials and Examples
      • Overview
      • Example: Use Replicator to Copy Kafka Data to Cloud
      • Example: Create Fully-Managed Services
      • Example: Build an ETL Pipeline
  • Manage Kafka Clusters
    • Overview
    • Cluster Types
    • Manage Configuration Settings
    • Cloud Providers and Regions
    • Resilience
    • Copy Data with Cluster Linking
      • Overview
      • Quick Start
      • Use Cases and Tutorials
        • Share Data Across Clusters, Regions, and Clouds
        • Disaster Recovery and Failover
        • Create Hybrid Cloud and Bridge-to-Cloud Deployments
        • Use Tiered Separation of Critical Workloads
        • Migrate Data
        • Manage Audit Logs
      • Configure, Manage, and Monitor
        • Configure and Manage Cluster Links
        • Manage Mirror Topics
        • Manage Private Networking
        • Manage Security
        • Monitor Metrics
      • FAQ
      • Troubleshooting
    • Copy Data with Replicator
      • Quick Start
      • Use Replicator to Migrate Topics
    • Resize a Dedicated Cluster
    • Multi-tenancy and Client Quotas for Dedicated Clusters
      • Overview
      • Quick Start
    • Create Cluster Using Terraform
    • Create Cluster Using Pulumi
    • Connect Confluent Platform and Cloud Environments
      • Overview
      • Connect Self-Managed Control Center to Cloud
      • Connect Self-Managed Clients to Cloud
      • Connect Self-Managed Connect to Cloud
      • Connect Self-Managed REST Proxy to Cloud
      • Connect Self-Managed ksqlDB to Cloud
      • Connect Self-Managed MQTT to Cloud
      • Connect Self-Managed Schema Registry to Cloud
      • Connect Self-Managed Streams to Cloud
      • Example: Autogenerate Self-Managed Component Configs for Cloud
  • Build Client Applications
    • Overview
    • Connect with Confluent (Partner Integration)
    • Client Quick Start
    • Configuration Settings
    • Kafka Consumer for Confluent Cloud
    • Kafka Producer for Confluent Cloud
    • Guides
      • Python Client
      • .NET Client
      • Node.js Client
      • Go Client
      • Java Client
      • C++ Client
      • JMS Client
    • Examples
      • Overview
      • C/C++ Example
      • .NET Example
      • Go Example
      • Spring Boot Example
      • Java Example
      • KafkaProducer Example
      • Python Example
      • REST Example
      • Node.js Example
      • Clojure Example
      • Groovy Example
      • Kafka Connect Datagen Example
      • kafkacat Example
      • Kotlin Example
      • Ruby Example
      • Rust Example
      • Scala Example
    • Architecture
    • Test
    • Monitor
    • Reset Offsets
    • Optimize and Tune
      • Overview
      • Configuration Settings
      • Throughput
      • Latency
      • Durability
      • Availability
    • VS Code
  • Manage Security
    • Overview
    • Manage Authentication
      • Overview
      • Manage User Identities
        • Overview
        • Manage User Accounts
          • Overview
          • Authentication Security Protections
          • Manage Local User Accounts
          • Manage SSO User Accounts
        • Manage User Identity Providers
          • Overview
          • Use Single Sign-On (SSO)
          • Manage SAML Single Sign-On (SSO)
          • Manage Azure Marketplace SSO
          • Just-in-time User Provisioning
          • Group Mapping
            • Overview
            • Enable Group Mapping
            • Manage Group Mappings
            • Troubleshooting
            • Best Practices
          • Manage SSO Access to Confluent Support Portal
          • Manage SSO provider
          • Troubleshoot SSO
      • Manage Workload Identities
        • Overview
        • Manage Service Accounts and API Keys
          • Overview
          • Manage Service Accounts
          • Manage API Keys
            • Overview
            • Manage API keys
            • Best Practices
            • Troubleshoot
        • Manage OAuth/OIDC Identity Providers
          • Overview
          • Add an OIDC identity provider
          • Use identity pools and filters
          • Manage identity provider configurations
          • Manage the JWKS URI
          • Configure OAuth clients
          • Access Kafka REST APIs
          • Use Confluent STS tokens with REST APIs
          • Best Practices
        • Manage mTLS Identity Providers
          • Overview
          • Configure mTLS
          • Manage Certificate Authorities
          • Manage Identity Pools
          • Create CEL Filters for mTLS
          • Create JSON payloads for mTLS
          • Manage Certificate Revocation
          • Troubleshoot mTLS Issues
    • Control Access
      • Overview
      • Resource Hierarchy
        • Overview
        • Organizations
          • Overview
          • Manage Multiple Organizations
        • Environments
        • Confluent Resource Names (CRNs)
      • Manage Role-Based Access Control
        • Overview
        • Predefined RBAC Roles
        • Manage Role Bindings
        • Use ACLs with RBAC
      • Manage IP Filtering
        • Overview
        • Manage IP Groups
        • Manage IP Filters
        • Best Practices
      • Manage Access Control Lists
      • Use the Confluent CLI with multiple credentials on Confluent Cloud
    • Encrypt and Protect Data
      • Overview
      • Encrypt Data at Rest Using Self-managed Encryption Keys
        • Overview
        • Use Self-managed Encryption Keys on AWS
        • Use Self-managed Encryption Keys on Azure
        • Use Self-managed Encryption Keys on Google Cloud
        • Use Confluent CLI for Self-managed Encryption Keys
        • Use BYOK API for Self-managed Encryption Keys
        • Revoke Access to Data at Rest
        • Best Practices
      • Protect Sensitive Data Using Client-side Field Level Encryption
        • Overview
        • Manage CSFLE using Confluent Cloud Console
        • Use Client-side Field Level Encryption
        • Configuration Settings
        • Manage Encryption Keys
        • Quick Start
        • Implement a Custom KMS Driver
        • Code examples
        • Troubleshoot
        • FAQ
    • Monitor Activity
      • Concepts
      • Understand Audit Log Records
      • Audit Log Event Schema
      • Auditable Event Methods
        • Connector
        • Custom connector plugin
        • Flink
        • Flink Authentication and Authorization
        • IP Filter Authorization
        • Kafka Cluster Authentication and Authorization
        • Kafka Cluster Management
        • ksqlDB Cluster Authentication and Authorization
        • Networking
        • Notifications Service
        • OAuth/OIDC Identity Provider and Identity Pool
        • Organization
        • Pipeline (Stream Designer)
        • Role-based Access Control (RBAC)
        • Schema Registry Authentication and Authorization
        • Schema Registry Management and Operations
      • Access and Consume Audit Log Records
      • Retain Audit Logs
      • Best Practices
      • Troubleshoot
    • Access Management Tutorial
    • Complete Environment Tutorial
  • Manage Topics
    • Overview
    • Configuration Reference
    • Message Browser
    • Share Streams
      • Overview
      • Provide Stream Shares
      • Consume Stream Shares
  • Govern Data Streams
    • Overview
    • Stream Governance
      • Packages, Features, and Limits
      • Data Portal
      • Track Data with Stream Lineage
      • Manage Stream Catalog
        • Stream Catalog User Guide
        • REST API Catalog Usage and Examples Guide
        • GraphQL API Catalog Usage and Examples Guide
    • Manage Schemas
      • Overview
      • Manage Schemas
      • Delete Schemas and Manage Storage
      • Use Broker-Side Schema ID Validation
      • Schema Linking
      • Schema Registry Tutorial
    • Fundamentals
      • Key Concepts
      • Schema Evolution and Compatibility
      • Schema Formats
        • Serializers and Deserializers Overview
        • Avro
        • Protobuf
        • JSON Schema
      • Data Contracts
      • Security Considerations
      • Enable Private Networking
        • Enable Private Networking with Schema Registry PrivateLink
        • Enable Private Networking for Schema Registry with a Public Endpoint
    • Reference
      • Configure Clients to Schema Registry
      • Schema Registry REST API Usage Examples
      • Use AsyncAPI to Describe Topics and Schemas
      • Maven Plugin
    • FAQ
  • Connect to External Systems
    • Overview
    • Install Connectors
      • ActiveMQ Source
      • AlloyDB Sink
      • Amazon CloudWatch Logs Source
      • Amazon CloudWatch Metrics Sink
      • Amazon DynamoDB Sink
      • Amazon DynamoDB CDC Source
      • Amazon Kinesis Source
      • Amazon Redshift Sink
      • Amazon S3 Sink
        • Configure and Launch
        • Configure with AWS Egress PrivateLink Endpoints
      • Amazon S3 Source
      • Amazon SQS Source
      • AWS Lambda Sink
      • Azure Blob Storage Sink
        • Configure and Launch
        • Configure with Azure Egress Private Link Endpoints
      • Azure Blob Storage Source
      • Azure Cognitive Search Sink
      • Azure Cosmos DB Sink
      • Azure Cosmos DB Source
      • Azure Data Lake Storage Gen2 Sink
      • Azure Event Hubs Source
      • Azure Functions Sink
      • Azure Log Analytics Sink
      • Azure Service Bus Source
      • Azure Synapse Analytics Sink
      • Databricks Delta Lake Sink
        • Set up Databricks Delta Lake (AWS) Sink Connector for Confluent Cloud
        • Configure and launch the connector
      • Datadog Metrics Sink
      • Datagen Source (development and testing)
      • Elasticsearch Service Sink
      • GitHub Source
      • Google BigQuery Sink (Legacy)
      • Google BigQuery Sink V2
      • Google Cloud BigTable Sink
      • Google Cloud Dataproc Sink
      • Google Cloud Functions Gen 2 Sink
      • Google Cloud Functions Sink (Legacy)
      • Google Cloud Pub/Sub Source
      • Google Cloud Spanner Sink
      • Google Cloud Storage Sink
      • Google Cloud Storage Source
      • HTTP Sink
      • HTTP Sink V2
      • HTTP Source
      • HTTP Source V2
      • IBM MQ Source
      • InfluxDB 2 Sink
      • InfluxDB 2 Source
      • Jira Source
      • Microsoft SQL Server CDC Source (Debezium) [Legacy]
      • Microsoft SQL Server CDC Source V2 (Debezium)
        • Configure and launch the connector
        • Backward incompatibility considerations
      • Microsoft SQL Server Sink (JDBC)
      • Microsoft SQL Server Source (JDBC)
      • MongoDB Atlas Sink
        • Configure and Launch
        • Configure with AWS Egress PrivateLink Endpoints
        • Configure with Azure Egress Private Link Endpoints
      • MongoDB Atlas Source
      • MQTT Sink
      • MQTT Source
      • MySQL CDC Source (Debezium) [Legacy]
      • MySQL CDC Source V2 (Debezium)
        • Configure and Launch the connector
        • Backward Incompatible Changes
      • MySQL Sink (JDBC)
      • MySQL Source (JDBC)
      • New Relic Metrics Sink
      • OpenSearch Sink
      • Oracle CDC Source
        • Overview
        • Configure and Launch the connector
        • Horizontal Scaling for Oracle CDC Source Connector for Confluent Cloud
        • Oracle Database Prerequisites for Oracle CDC Source Connector for Confluent Cloud
        • SMT Examples
        • DDL Changes
        • Troubleshooting
      • Oracle Database Sink (JDBC)
      • Oracle Database Source (JDBC)
      • PagerDuty Sink
      • Pinecone Sink
      • PostgreSQL CDC Source (Debezium) [Legacy]
      • PostgreSQL CDC Source V2 (Debezium)
        • Configure and Launch the connector
        • Backward Incompatible Changes
      • PostgreSQL Sink (JDBC)
      • PostgreSQL Source (JDBC)
      • RabbitMQ Sink
      • RabbitMQ Source
      • Redis Sink
      • Salesforce Bulk API 2.0 Sink
      • Salesforce Bulk API 2.0 Source
      • Salesforce Bulk API Source
      • Salesforce CDC Source
      • Salesforce Platform Event Sink
      • Salesforce Platform Event Source
      • Salesforce PushTopic Source
      • Salesforce SObject Sink
      • ServiceNow Sink
      • ServiceNow Source
      • SFTP Sink
      • SFTP Source
      • Snowflake Sink
        • Configure and Launch
        • Configure with AWS Egress PrivateLink Endpoints
        • Configure with Azure Egress Private Link Endpoints
      • Solace Sink
      • Splunk Sink
      • Zendesk Source
    • Confluent Hub
      • Overview
      • Component Archive Specification
      • Contribute
    • Install Custom Plugins and Custom Connectors
      • Overview
      • Quick Start
      • Manage Custom Connectors
      • Limitations and Support
      • API and CLI
    • Manage Provider Integration
      • Quick Start
      • Provider Integration APIs
    • Manage CSFLE
    • Networking and DNS
      • Overview
      • AWS Egress PrivateLink Endpoints for First-Party Services
      • AWS Egress PrivateLink Endpoints for RDS & Self-Managed Services
      • Azure Egress Private Link Endpoints for First-Party Services
      • Azure Egress Private Link Endpoints for Self-Managed Services
    • Confluent Cloud API for Managed and Custom Connectors
    • Manage Public Egress IP Addresses
    • Preview Connector Output
    • Configure Single Message Transforms
    • View Connector Events
    • Manage Service Accounts
    • Configure RBAC
    • View Errors in the Dead Letter Queue
    • Connector Limits
    • Manage Offsets
    • Transforms List
      • Overview
      • Cast
      • Drop
      • DropHeaders
      • EventRouter
      • ExtractField
      • ExtractTopic
      • Filter (Kafka)
      • Filter (Confluent)
      • Flatten
      • GzipDecompress
      • HeaderFrom
      • HoistField
      • InsertField
      • InsertHeader
      • MaskField
      • MessageTimestampRouter
      • RegexRouter
      • ReplaceField (Kafka)
      • ReplaceField (Confluent)
      • SetSchemaMetadata
      • TimestampConverter
      • TimestampRouter
      • TombstoneHandler
      • TopicRegexRouter
      • ValueToKey
  • Process Data with Flink
    • Overview
    • Get Started
      • Overview
      • Quick Start with Cloud Console
      • Quick Start with SQL Shell in Confluent CLI
      • Quick Start with Java Table API
      • Quick Start with Python Table API
    • Concepts
      • Overview
      • Compute Pools
      • Autopilot
      • Statements
      • Determinism
      • Tables and Topics
      • Time and Watermarks
      • User-defined Functions
      • Delivery Guarantees and Latency
      • Schema and Statement Evolution
      • Comparison with OSS Flink
    • How-To Guides
      • Overview
      • Aggregate a Stream in a Tumbling Window
      • Convert the Serialization Format of a Topic
      • Compare Current and Previous Values in a Stream
      • Mask Fields in a Table
      • Deduplicate Rows in a Table
      • Scan and Summarize Tables
      • Handle Multiple Event Types
      • Create a UDF
      • Process Schemaless Events
      • Combine Streams and Track Most Recent Records
    • Operate and Deploy
      • Overview
      • CLI Commands
      • Create a Compute Pool
      • Monitor and Manage Statements
      • Grant Role-Based Access
      • Billing
      • Deploy a Statement with CI/CD
      • Generate a Flink API Key
      • REST API
      • Move SQL Statements to Production
      • Enable Private Networking
    • Flink SQL Reference
      • Overview
      • SQL Syntax
      • DDL Statements
        • Statements Overview
        • ALTER MODEL
        • ALTER TABLE
        • ALTER VIEW
        • CREATE FUNCTION
        • CREATE MODEL
        • CREATE TABLE
        • CREATE VIEW
        • DESCRIBE
        • DROP MODEL
        • DROP TABLE
        • DROP VIEW
        • HINTS
        • EXPLAIN
        • RESET
        • SET
        • SHOW
        • USE CATALOG
        • USE database_name
      • DML Statements
        • Queries Overview
        • Deduplication
        • Group Aggregation
        • INSERT INTO FROM SELECT
        • INSERT VALUES
        • Joins
        • LIMIT
        • Pattern Recognition
        • ORDER BY
        • OVER Aggregation
        • SELECT
        • Set Logic
        • Statement Set
        • Top-N
        • Window Aggregation
        • Window Deduplication
        • Window Join
        • Window Top-N
        • Window Table-Valued Function
        • WITH
      • Functions
        • Flink SQL Functions
        • Aggregate
        • Collections
        • Comparison
        • Conditional
        • Datetime
        • Hashing
        • JSON
        • AI Model Inference
        • Numeric
        • String
        • Table API
      • Data Types
      • Data Type Mappings
      • Time Zone
      • Keywords
      • Information Schema
      • Example Streams
      • Supported Cloud Regions
      • SQL Examples
      • Table API
    • Get Help
  • Build AI with Flink
    • Overview
    • Run an AI Model
  • Process Data with ksqlDB
    • Create Stream Processing Apps with ksqlDB
    • Quick Start
    • Enable ksqlDB Integration with Schema Registry
    • ksqlDB Cluster API Quick Start
    • Monitor ksqlDB
    • Manage ksqlDB by using the CLI
    • Manage Connectors With ksqlDB
    • Develop ksqlDB Applications
    • Pull Queries
    • Grant Role-Based Access
    • Migrate ksqlDB Applications on Confluent Cloud
    • Build Data Pipelines with Stream Designer
      • Stream Designer for Confluent Cloud
      • Quick Start for Stream Designer
      • Create a Join Pipeline
      • Create an Aggregation Pipeline
      • Import a Recipe Into a Pipeline
      • Import and Export a Pipeline
      • Edit and Update a Pipeline
      • Role-Based Access Control for Pipelines
      • Troubleshoot a Pipeline in Stream Designer
      • Manage Pipelines With the CLI
      • Manage Pipelines With the REST API
      • Manage Pipeline Secrets
  • Manage Networking
    • Overview
    • Networking on AWS
      • Overview
      • Public Networking on AWS
      • Confluent Cloud Network on AWS
      • PrivateLink on AWS
        • Overview
        • Inbound PrivateLink for Dedicated Clusters
        • Inbound PrivateLink for Serverless Products
        • Outbound PrivateLink for Dedicated Clusters
        • Outbound PrivateLink for Serverless Products
      • VPC Peering on AWS
      • Transit Gateway on AWS
    • Networking on Azure
      • Overview
      • Public Networking on Azure
      • Confluent Cloud Network on Azure
      • Private Link on Azure
        • Overview
        • Inbound Private Link for Dedicated Clusters
        • Inbound Private Link for Serverless Products
        • Outbound Private Link for Dedicated Clusters
        • Outbound Private Link for Serverless Products
      • VNet Peering on Azure
    • Networking on Google Cloud
      • Overview
      • Public Networking on Google Cloud
      • Confluent Cloud Network on Google Cloud
      • Inbound Private Service Connect on Google Cloud
      • VPC Peering on Google Cloud
    • Connectivity for Confluent Resources
      • Overview
      • Public Egress IP Address for Connectors and Cluster Linking
      • Cluster Linking using AWS PrivateLink
      • Follower Fetching using AWS VPC Peering
    • Use Confluent Cloud with Private Networking
    • Test Connectivity
  • Log and Monitor
    • Metrics
    • Manage Notifications
    • Monitor Consumer Lag
    • Monitor Dedicated Clusters
      • Monitor Cluster Load
      • Manage Performance and Expansion
      • Track Usage by Team
    • Observability for Kafka Clients to Confluent Cloud
  • Manage Billing
    • Overview
    • Marketplace Consumption Metrics
    • Use AWS Pay As You Go
    • Use AWS Commits
    • Use Azure Pay As You Go
    • Use Azure Commits
    • Use Google Cloud Pay As You Go
    • Use Google Cloud Commits
    • Marketplace Organization Suspension and Deactivation
  • Manage Service Quotas
    • Overview
    • Service Quotas
    • View Service Quotas using Confluent CLI
    • Service Quotas API
  • APIs
    • Confluent Cloud APIs
    • Kafka Admin and Produce REST APIs
    • Connect API
    • Client APIs
      • C++ Client API
      • Python Client API
      • Go Client API
      • .NET Client API
    • Provider Integration API
    • Flink REST API
    • Metrics API
    • Stream Catalog REST API Usage
    • GraphQL API
    • Service Quotas API
    • Stream Designer Pipelines API
  • Confluent CLI
  • Release Notes & FAQ
    • Release Notes
    • FAQ
    • Upgrade Policy
    • Compliance
    • Generate a HAR file for Troubleshooting
    • Confluent AI Assistant
  • Support
  • Glossary

Use AWS PrivateLink for Serverless Products on Confluent Cloud¶

Confluent Cloud, available through AWS Marketplace or directly from Confluent, supports private connectivity for serverless Confluent Cloud products, such as Enterprise Kafka clusters and Confluent Cloud for Apache Flink®, using PrivateLink Attachment. When you use PrivateLink Attachment, your Enterprise cluster or Flink resources are only accessible from customer-specific private endpoints. Public access is blocked with PrivateLink Attachment.

Note

The PrivateLink Attachment enables you to access the Flink API with private networking, allowing you to issue Flink SQL queries and retrieve results through the associated PrivateLink connection. All data movement between Flink queries and Kafka clusters configured with private networking occurs over a secure private path within Confluent Cloud.

Confluent Cloud uses the following private networking resources for serverless Confluent Cloud products. These resources are regional and do not have a mapping to specific availability zones.

PrivateLink Attachment

The PrivateLink Attachment (PrivateLinkAttachment) resource represents a reservation to establish a PrivateLink connection from your virtual private cloud (VPC) to regional services in a Confluent Cloud environment.

A PrivateLink Attachment belongs to an Environment in the Confluent resource hierarchy.

This resource is referred to as gateways in the Confluent Cloud Console.

PrivateLink Attachment Connection

A PrivateLink Attachment Connection (PrivateLinkAttachmentConnection) is a registration of VPC interface endpoints that are allowed to connect to Confluent Cloud. A PrivateLink Attachment Connection belongs to a specific PrivateLink Attachment.

This resource is referred to as access points in the Confluent Cloud Console.

You can use Confluent Cloud UI, Confluent REST API, Confluent CLI, or Terraform to establish a PrivateLink connectivity for serverless products, such as Enterprise Kafka clusters or Confluent Cloud for Apache Flink®.

The high-level workflow is:

  1. In Confluent Cloud, create a PrivateLinkAttachment.
  2. In AWS, create a VPC Interface Endpoint to the PrivateLinkAttachment service.
  3. In Confluent Cloud, create a PrivateLinkAttachmentConnection.
  4. Set up a DNS resolution.

Requirements and considerations¶

  • You can connect to only one environment in a region from a VPC or from an on-premises network. A single VPC cannot have private link connections to multiple Confluent Cloud environments.

    For the workaround you can configure in Flink for cross-environment queries, see Cross-environment queries.

  • For the regions supported for PrivateLink Attachment on AWS, see Cloud Providers and Regions for Confluent Cloud.

  • Cross-region AWS PrivateLink Attachment Connections are not supported.

  • Confluent Cloud connectors connecting to sources or sinks with private IP addresses is unsupported at this time.

  • Confluent Cloud Console components, such as topic management and Flink workspaces, require additional configuration to function as they use cluster endpoints.

    For information about using Flink with AWS Private Link, see Enable Private Networking with Confluent Cloud for Apache Flink.

    To use all features of the Confluent Cloud Console with AWS PrivateLink, see Use Confluent Cloud with Private Networking.

Create a PrivateLink Attachment¶

When you create a PrivateLink Attachment in an environment and in a region, the PrivateLink Attachment resource provides connectivity to all Enterprise Kafka clusters within the environment for the specific cloud region.

In the Confluent Cloud Console, the PrivateLink Attachment resources are labeled and referred to as gateways.

  1. In the Confluent Cloud Console, select an environment for the PrivateLink Attachment.

  2. In the Network management tab in the environment, click For serverless products.

  3. Click Add network configuration.

  4. On the From your VPC or VNet to Confluent Cloud pane, click + Create configuration.

  5. On the Create ingress network configure gateway sliding panel, enter the following information.

    • Gateway name
    • Cloud provider
    • Region

  6. Click Submit.

  7. You can continue to create an access point for an Ingress Private Link Endpoint.

    Alternatively, you can create an access point at a later time by navigating to this gateway in the Network management tab.

The gateway (PrivateLink Attachment) will be provisioned and move to the Waiting for connection state.

A PrivateLink Attachment can be in one of the following states:

  • WAITING FOR CONNECTION: The PrivateLink Attachment is waiting for a connection to be created.
  • READY: The connectivity is ready to be used.
  • EXPIRED: A valid connection has not been provisioned within the allotted time. A new PrivateLink Attachment must be provisioned.

  1. Send a request to create a PrivateLink Attachment resource:

    REST request

    POST https://api.confluent.cloud/networking/v1/private-link-attachments

    REST request body

    {
  "spec":
  {
    "display_name": "<name of this resource>",
    "cloud": "<provider type>",
    "region": "<region>",
    "environment":
    {
      "id": "<environement id>"
    }
  }
}

    In the REST response, status.phase should be set to PROVISIONING because a VPC Endpoint Service has not yet been allocated.

  2. Check the status of the new PrivateLink Attachment:

    REST request

    GET https://api.confluent.cloud/networking/v1/private-link-attachments/<platt-id>

    REST response example

    {
  "status":
  {
    "phase": "WAITING_FOR_CONNECTIONS",
    "error_code": "",
    "error_message": "",
    "cloud":
    {
      "kind": "AwsPrivateLinkAttachmentStatus",
      "vpc_endpoint_service_id": "com.amazonaws.vpce.us-east-1.vpce-svc-123abcc1298abc123",
    }
  }
}

    status.phase is WAITING_FOR_CONNECTIONS because no PrivateLink Attachment Connection has been associated with this PrivateLink Attachment resource yet.

    The status.cloud object has information about the vpc_endpoint_service that you must connect your PrivateLink Attachment endpoint to.

Use the confluent network private-link attachment create Confluent CLI command to create an AWS private link attachment:

confluent network private-link attachment create <attachment-name> <flags>

The following command-specific flags are supported:

  • --network: Required. Confluent Cloud network ID.
  • --region: Required. AWS region where the resources to be accessed using the private link attachment.

You can specify additional optional CLI flags described in the Confluent CLI command reference, such as --environment.

The following is an example Confluent CLI command to create a private link attachment:

confluent network private-link attachment create my-private-link-attachment \
  --cloud aws \
  --region us-west-2

Create a VPC Endpoint¶

Note

Confluent recommends using a Terraform configuration for setting up VPC endpoints. This configuration automates the manual steps described below.

In AWS, create an endpoint that is associated with the PrivateLink Service ID of the PrivateLink Attachment you created in Create a PrivateLink Attachment.

  1. In the AWS Management Console, go to the VPC dashboard.

  2. Verify that DNS hostnames and DNS resolution are enabled.

    1. In the navigation menu under VIRTUAL PRIVATE CLOUD, click Your VPCs.
    2. Select your VPC and click Edit VPC settings.
    3. Under DNS settings, verify that Enable DNS resolution and Enable DNS hostnames are selected and then click Save.

  3. In the navigation menu under VIRTUAL PRIVATE CLOUD, click Endpoints, and click Create endpoint.

  4. In Name tag, specify the name of the endpoint.

  5. In Service category, select Other endpoint services.

  6. In the Service name field, specify the PrivateLink Service ID of the gateway (PrivateLink Attachment) you created in Create a PrivateLink Attachment, and click Verify service.

    If you get an error, ensure that your account is allowed to create PrivateLink connections, and try again.

  7. In the VPC field, specify the ID of this VPC.

  8. Uncheck the Enable DNS name setting under Additional settings (only appearing after the VPC is selected).

  9. In Subnets, select the subnets in which to create an endpoint network interface.

  10. Select or create a security group for the VPC Endpoint.

    • Add three inbound rules for each of ports 80, 443, and 9092 from your desired source (your VPC CIDR). The Protocol should be TCP for all three rules.
    • Port 80 is not required, but is available as a redirect only to https/443, if desired.

  11. Click Create endpoint.

  12. Note that the VPC endpoint ID created.

aws ec2 create-vpc-endpoint --vpc-id <id of this VPC> \
  --service-name <privatelink attachment service id> \
  --subnet-ids <subnet IDs for the endpoint> \
  --region <region to use> \
  --private-dns-enabled false \
  --vpc-endpoint-type Interface

Note that the VPC endpoint ID is created.

For example, using the information in status.cloud.vpc_endpoint_service_id in the PrivateLink Attachment status:

aws ec2 create-vpc-endpoint --vpc-id vpc-097799943f9fc059d \
  --service-name com.amazonaws.vpce.us-east-1.vpce-svc-123abcc1298abc123 \
  --subnet-ids subnet-7b16de0c \
  --region us-east-1 \
  --private-dns-enabled false \
  --vpc-endpoint-type Interface

Create a PrivateLink Attachment Connection¶

Create a PrivateLink Attachment Connection (PrivateLinkAttachmentConnection) resource in Confluent Cloud. A PrivateLink Attachment Connection represents a VPC Interface Endpoint in your VPC.

In the Confluent Cloud Console, the PrivateLink Attachment Connection resources are labeled and referred to as access points.

The name of the VPC Endpoint Service is not required. Confluent will check which VPC Endpoint Service is associated with the PrivateLink Attachment that has a pending VPC Endpoint with the given ID.

  1. In the Network Management tab of the desired Confluent Cloud environment, click the For serverless products tab.

  2. Click Create access point for the gateway to which you want to add the PrivateLink Endpoint.

    Make sure the gateway is in the correct region of the VPC Private Endpoint.

  3. Create a VPC Interface Endpoint in AWS.

  4. Specify the Private Endpoint ID. The Private Endpoint ID is the ID of the VPC Interface Endpoint you created in the previous step.

  5. Specify the access point name.

  6. Click Create access point to create the PrivateLink Endpoint.

    The PrivateLink Attachment and PrivateLink Attachment Connection should now move to the READY state once the VPC Endpoint connection is accepted.

  1. Send a request to create a PrivateLink Attachment Connection resource:

    REST request

    POST https://api.confluent.cloud/networking/v1/private-link-attachment-connections

    REST request body

    {
  "spec":
  {
    "display_name": "<PrivateLinkAttachmentEndpoint name>",
    "cloud":
    {
      "kind": "AwsPrivateLinkAttachmentConnection",
      "vpc_endpoint_id": "<VPC Private Endpoint ID>",
    },
    "environment":
    {
      "id": "<Environment ID>",
    },
    "private_link_attachment":
    {
      "id": "<PrivateLinkAttachment>",
    }
  }
}

    REST response example

    {
  "api_version": "networking/v1",
  "kind": "PrivateLinkAttachmentConnection",
  "id": "plattc-xyzuvw",
  "status": {
    "phase": "PROVISIONING",
    "error_code": "",
    "error_message": "",
  }
}

    status.phase is PROVISIONING because a VPC Endpoint connection has not yet been accepted.

  2. Check the status of the new PrivateLink Attachment Connection:

    REST request

    GET https://api.confluent.cloud/networking/v1/private-link-attachment-connections/<platt-id>

    REST response example

    {
  "api_version": "networking/v1",
  "kind": "PrivateLinkAttachmentConnection",
  "id": "plattc-xyzuvw",
  "status": {
    "phase": "READY",
    "error_code": "",
    "error_message": "",
    "cloud": {
      "kind": "AwsPrivateLinkAttachmentConnectionStatus",
      "phase": "READY",
      "vpc_endpoint_service": "com.amazonaws.vpce.us-east-1.vpce-svc-123abcc1298abc123",
      "vpc_endpoint_id": "vpce-bbbbbb2222222333"
    }
  }
}
    • status.phase is READY because a VPC Endpoint connection has been accepted.
    • status.cloud has an object of kind AwsPrivateLinkConnectionStatus.
    • vpc_endpoint_id reflects the value vpce-bbbbbb2222222333 that you registered.

Use the confluent network private-link attachment connection create Confluent CLI command to create an AWS private link attachment connection:

confluent network private-link attachment connection create <connection-name> <flags>

The following command-specific flags are supported:

  • --cloud: Required. The cloud provider. Set to aws.
  • --endpoint: Required. ID of an AWS VPC endpoint that is connected to the AWS VPC endpoint service.
  • --attachment: Required. Private link attachment ID.

You can specify additional optional CLI flags described in the Confluent CLI command reference, such as --environment.

The following is an example Confluent CLI command to create a private link attachment connection:

confluent network private-link attachment connection create aws-private-link-attachment-connection \
  --cloud aws \
  --endpoint vpce-1234567890abcdef0 \
  --attachment platt-123456

Set up DNS resolution¶

Set up a Route53 Private Hosted Zone in your AWS VPC for DNS resolution.

  1. In Confluent Cloud, verify that the status of the PrivateLink Attachment Connection is READY.

  2. In Confluent Cloud, open the newly created PrivateLink Attachment to get the DNS domain value of Confluent Cloud.

    The value is in the <region>.aws.private.confluent.cloud pattern.

  3. In the AWS Route 53 console, create a Route53 Private Hosted Zone:

    1. Specify the following values:

      • Domain name: Confluent Cloud DNS domain value from the previous step
      • Type: Private hosted zone
      • VPC ID: VPC ID where you added the VPC Endpoint

      For example:

      ../_images/aws-hosted-zone.png

    2. Click Create hosted zone to associate the Private Hosted Zone with your VPC.

  4. Create a DNS record for the Hosted Zone you created above.

    This record is regional DNS and is used for all the target Confluent Cloud resources in the region.

    1. Click Create Record from within the previously created Hosted Zone.

    2. Specify the following values:

      • Record name: *

        Enter * as the subdomain name.

        The Record name consists of the subdomain and the DNS domain name. The DNS domain name is filled in with the Confluent Cloud DNS domain value you specified when you created the Route53 Private Hosted Zone in the previous step.

        ../_images/aws-dns-subdomain.png

        If you are creating DNS resolution for Schema Registry for a single VPC connecting to multiple Schema Registry clusters in the same region across different environments, enter the id of the Schema Registry, lsrc-xxxxx in the Record name field to connect to a specific Schema Registry.

      • Record type: CNAME

      • Value: DNS Name of your VPC Interface Endpoint, such as vpce-<>.vpce-svc-<>.us-east-2.vpce.amazonaws.com.

    3. Click Create Record.

      You will see the summary of the new record. For example:

      ../_images/aws-create-dns-record.png

Connectivity scenarios¶

Below are a few connectivity scenarios that are supported for Enterprise clusters in Confluent Cloud.

Scenario: Access one environment from one VPC¶

../_images/EnterpriseSKU-access-1env-from-1VPC.png

The following resources are configured:

  • PLATT-prod as a PrivateLink Attachment for accessing Kafka clusters in the env-prod environment
  • PLATTC-123 as a PrivateLink Attachment Connection for the vpce-1 VPC endpoint in VPC-1
  • ProdApp as a Kafka client bootstrapped with lkc-123.us-west-2.aws.private.confluent.cloud
  • phz-1 as a Route53 Private Hosted Zone with the regional wildcard *.us-west-2.aws.private.confluent.cloud

The following steps are performed:

  1. ProdApp attempts to access lkc-123 in the env-prod environment. A DNS query for lkc-123.us-west-2.aws.private.confluent.cloud resolves against phz-1 and returns vpce-1.
  2. Application sends traffic to vpce-1.
  3. vpce-1 forwards traffic to PLATT-prod, and lkc-123 can be accessed since PLATTC-123 is associated with vpce-1.

Scenario: Access one environment from many VPC’s¶

../_images/EnterpriseSKU-access-1env-from-manyVPCs.png

The following resources are configured:

  • PLATT-abc as a PrivateLink Attachment for accessing Kafka clusters in the env-prod environment
  • PLATTC-123 as a PrivateLink Attachment Connection for the vpce-1 VPC endpoint in VPC-1
  • PLATTC-456 for the vpce-2 VPC endpoint in VPC-2
  • ProdApp-1 as a Kafka client bootstrapped with lkc-123.us-west-2.aws.private.confluent.cloud
  • ProdApp-2 as a Kafka client bootstrapped with lkc-456.us-west-2.aws.private.confluent.cloud
  • phz-1 as a Route53 Private Hosted Zone with the regional wildcard *.us-west-2.aws.private.confluent.cloud
  • phz-2 as a Route53 Private Hosted Zone with the regional wildcard *.us-west-2.aws.private.confluent.cloud

The following steps are performed:

  1. ProdApp-1 attempts to access lkc-123 in the env-prod environment. A DNS query for lkc-123.us-west-2.aws.private.confluent.cloud resolves against phz-1 and returns vpce-1.
  2. ProdApp-1 sends traffic to vpce-1.
  3. vpce-1 forwards traffic to PLATT-abc, and lkc-123 can be accessed since PLATTC-123 is associated with vpce-1.
  4. ProdApp-2 attempts to access lkc-456 in the env-prod environment. A DNS query for lkc-456.us-west-2.aws.private.confluent.cloud resolves against phz-2 and returns vpce-2.
  5. ProdApp-2 sends traffic to vpce-2.
  6. vpce-2 forwards traffic to PLATT-abc, and lkc-456 can be accessed since PLATTC-456 is associated with vpce-2.

Scenario: Access one environment from an on-premises network¶

../_images/EnterpriseSKU-access-1env-from-onprem.png

The following resources are configured:

  • PLATT-abc as a PrivateLink Attachment for accessing Kafka clusters in the env-abc environment
  • PLATTC-123 as a PrivateLink Attachment Connection for the vpce-1 endpoint in VPC-1
  • On-Prem-1 as a Kafka client bootstrapped with lkc-123.us-west-2.aws.private.confluent.cloud
  • ProdApp-1 as a Kafka client bootstrapped with lkc-123.us-west-2.aws.private.confluent.cloud
  • phz-fwd as a DNS forwarding rule with the regional wildcard *.us-west-2.aws.private.confluent.cloud
  • phz-1 as a Route53 Private Hosted Zone with the regional wildcard *.us-west-2.aws.private.confluent.cloud

The following steps are performed:

  1. On-Prem-1 attempts to access lkc-123 in the env-abc environment. A DNS query for lkc-123.us-west-2.aws.private.confluent.cloud forwards to phz-1 and returns vpce-1.
  2. On-Prem-1 sends traffic to vpce-1 over AWS DirectConnect.
  3. vpce-1 forwards traffic to PLATT-abc and lkc-123 can be accessed since PLATTC-123 is associated with vpce-1.

Next steps¶

Try Confluent Cloud on AWS Marketplace with $1000 of free usage for 30 days, and pay as you go. No credit card is required.

Was this doc page helpful?

Give us feedback

Do you still need help?

Confluent support portal Ask the community
Thank you. We'll be in touch!
Be the first to get updates and new content

By clicking "SIGN UP" you agree that your personal data will be processed in accordance with our Privacy Policy.

  • Confluent
  • About
  • Careers
  • Contact
  • Professional Services
  • Product
  • Confluent Cloud
  • Confluent Platform
  • Connectors
  • Flink
  • Stream Governance
  • Developer
  • Free Courses
  • Tutorials
  • Event Streaming Patterns
  • Documentation
  • Blog
  • Podcast
  • Community
  • Forum
  • Meetups
  • Kafka Summit
  • Catalysts
Terms & Conditions Privacy Policy Do Not Sell My Information Modern Slavery Policy Cookie Settings Feedback

Copyright © Confluent, Inc. 2014- Apache, Apache Kafka, Kafka, the Kafka logo, Apache Flink, Flink, the Flink logo, Apache Iceberg, Iceberg, and the Iceberg logo are trademarks of the Apache Software Foundation

On this page: