Use Azure Egress Access Points for Dedicated Clusters on Confluent Cloud

Azure Private Link is a networking service that allows one-way connectivity from one VNet to a service provider and is popular for its unique combination of security and simplicity.

Confluent Cloud supports outbound Azure Private Link connections using Egress Access Points. Egress Access Points are Azure Private Endpoints, and they enable Confluent Cloud clusters to access supported Azure services and other endpoint services powered by Azure Private Link, such as Azure Blob Storage, a SaaS service, or a Private Link service that you create yourself.

The following diagram summarizes the Egress Access Point architecture between Confluent Cloud and various potential destinations.

Azure Egress Access Point architecture

To set up an Egress Access Point from Confluent Cloud to an external system, such as for managed connectors:

  1. Obtain the Azure Private Link service resource ID.
  2. Create an Egress Access Point in Confluent Cloud.
  3. [Optional] Create private DNS records for use with Azure private endpoints.

Requirements and considerations

Review the following requirements and considerations before you set up an Egress Access Point using Azure Private Link:

Note

It is strongly recommended that you do not implement any automated policies for endpoint acceptance. Confluent Cloud uses a shared subscription when provisioning endpoints. You should manually accept each endpoint connection after validating that the private endpoint ID you see in the Azure portal matches what you see in the Confluent Cloud Console.

Create an Egress Access Point in Confluent Cloud

Confluent Cloud Egress Access Points are Azure Private Endpoints used to connect to Azure Private Link Services.

  1. In the Confluent Cloud Console, in the Network Management tab, click the Confluent Cloud network you want to add the Access Point.

  2. Click Create access point in the Egress access points tab.

  3. Specify the following field values:

  4. Click Save.


Your Egress Access Point status will transition from “Provisioning” to “Ready” in the Confluent Cloud Console when the endpoint has been created and can be used. Some endpoints may need to be manually accepted before transitioning to “Ready”.

Once an access point is created, connectors provisioned against Kafka clusters in the same network can leverage the Egress Access Point to access the external data systems.

Confluent Cloud exposes various pieces of information for each of the above Egress Access Points so that you can use it in various network-related policies.

Create a private DNS record in Confluent Cloud

Create private DNS records for use with Azure private endpoints.

Not all service providers set up public DNS records to be used when connecting to them with Azure Private Link. For situations where a system provider requires setting up private DNS records in conjunction with Azure Private Link, you need to create DNS records in Confluent Cloud.

Before you create a DNS Record, you need to first create an Egress Access Point and use the Egress Access Point ID for the DNS record.

When creating DNS records, Confluent Cloud creates a single * record that maps the domain name you specify to the IP address of the private endpoint.

For example, in setting up DNS records for Snowflake, the DNS zone configuration will look like:

*.eastus2.privatelink.snowflakecomputing.com A 10.2.0.1 TTL 60
  1. Open the Confluent Cloud Console, in the Network Management tab, click the Confluent Cloud network you want to add the DNS record to.
  2. Navigate to the DNS tab.
  3. Click Create DNS record.
  4. Specify the following field values:
    • Egress Access Point: The Egress Access Point ID you created in create an Egress Access Point
    • Domain: The domain of the private link service you wish to access. Get the domain value from the private link service provider, Azure or a third-party provider.
  5. Click Save.