Confluent Cloud Networking FAQ

This topic provides answers to frequently asked questions about networking on Confluent Cloud.

General networking questions

What networking options are available on Confluent Cloud?

Confluent Cloud supports both public and private networking solutions:

  • Public connectivity: Internet-based connections with TLS encryption
  • Private connectivity: Includes the following options for each cloud provider:
    • AWS: PrivateLink, VPC Peering, Transit Gateway, Private Network Interface (PNI)
    • Azure: Private Link, VNet Peering
    • Google Cloud: Private Service Connect, VPC Peering

All connections to Confluent Cloud are encrypted with TLS 1.2 or later and require authentication using API keys, OAuth, or mTLS.

For more information, see Manage Networking on Confluent Cloud.

Can I change a cluster’s networking type after provisioning?

Enterprise clusters on AWS can switch between PNI and PrivateLink Attachment.

For all other cluster types and networking types, you cannot change the networking type after the cluster has been provisioned. Plan your networking configuration before you create a cluster.

What ports and protocols does Confluent Cloud use?

Confluent Cloud uses the following ports and protocols:

  • Kafka Brokers: Port 9092, Kafka protocol over TCP + TLS
  • Confluent Cloud Console: Port 443, HTTPS over TCP + TLS
  • Schema Registry: Port 443, HTTPS over TCP + TLS
  • Kafka REST API: Port 443, HTTPS over TCP + TLS
  • Confluent CLI: Port 443, HTTPS over TCP + TLS
  • Metrics API: Port 443, HTTPS over TCP + TLS

Can I connect from on-premises to Confluent Cloud with private networking?

Yes, but not directly. If you use private networking (VPC peering, VNet peering, Private Link, or PNI), you cannot directly connect from an on-premises data center to Confluent Cloud.

To enable on-premises connectivity:

  1. Route traffic to a shared services VPC or VNet that you own.
  2. Connect that VPC/VNet to Confluent Cloud using:
    • VPC/VNet peering (with a proxy)
    • Private Link
    • Private network interface (AWS only)
    • Transit Gateway (AWS only)

Contact your Confluent Cloud sales representative for assistance with this configuration.

Confluent Cloud network questions

What is a Confluent Cloud network?

A Confluent Cloud network is a logical network construct in Confluent Cloud that defines the networking configuration for your Dedicated clusters. When you create a Dedicated cluster, you must specify a network type:

  • Public networking: Accessible over the internet
  • Private link access: For private link connections
  • VPC/VNet peering: For peering connections
  • Transit Gateway: For AWS Transit Gateway connections (AWS only)

For more information, see Confluent Cloud networks.

Can I use the same network for multiple clusters?

Yes. You can colocate multiple Confluent Cloud Dedicated clusters in the same Confluent Cloud network, subject to the following:

  • Network capacity and CIDR block size limitations
  • Expected number and size of clusters
  • Resource limits specified in Networks

VPC/VNet peering questions

What is VPC/VNet peering?

VPC (Virtual Private Cloud) peering or VNet (Virtual Network) peering enables you to route traffic using private IP addresses between your cloud network and Confluent Cloud. Your network can communicate with Confluent Cloud as if both were in the same network.

Peering is available on:

  • AWS VPC Peering
  • Azure VNet Peering
  • Google Cloud VPC Peering

For more information, see the cloud-specific peering documentation.

Can I have multiple peering connections?

Yes. You can have multiple VPC/VNet peering connections. For information about limits, see Network quotas in Confluent Cloud.

What CIDR block should I use for my Confluent Cloud network?

When creating a Confluent Cloud network, carefully plan your CIDR block:

  • Ensure the CIDR block does not overlap with your existing VPC/VNet ranges
  • Use appropriate CIDR block sizes for your expected workload
  • Consider future expansion needs

For specific requirements, see Confluent Cloud network CIDR blocks and block size for peering and Transit Gateway.
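The overlap check from the list above can be run before a network is created. The following is an added example, not part of the Confluent documentation; the address ranges are constructed, and the /16 prefix length is an assumption to replace with the size from the linked requirements.

```python
import ipaddress

def overlapping_ranges(candidate, existing):
    """Return the existing ranges that overlap the candidate CIDR block."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return [r for r in existing
            if cand.overlaps(ipaddress.ip_network(r, strict=True))]

def first_free_block(pool, prefix_len, existing):
    """Return the first block of `prefix_len` inside `pool` that overlaps
    none of the existing ranges, or None if the pool is exhausted."""
    taken = [ipaddress.ip_network(r, strict=True) for r in existing]
    for block in ipaddress.ip_network(pool).subnets(new_prefix=prefix_len):
        if not any(block.overlaps(t) for t in taken):
            return str(block)
    return None

# Constructed sample: ranges already used by your VPCs/VNets and on-premises.
EXISTING = ["10.0.0.0/16", "10.1.0.0/16", "172.16.0.0/20"]

if __name__ == "__main__":
    # A candidate that collides with an existing VPC range.
    print(overlapping_ranges("10.1.128.0/17", EXISTING))
    # A candidate that is safe to use.
    print(overlapping_ranges("10.2.0.0/16", EXISTING))
    # Pick the first unused block of the assumed size from a planning pool.
    print(first_free_block("10.0.0.0/8", 16, EXISTING))
```

Include every range that will ever route to the Confluent Cloud network in `EXISTING`, such as on-premises ranges and peered VPCs, not only the VPC being peered.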

Egress IP addresses questions

Are public egress IP addresses static?

No. Public egress IP addresses are not guaranteed to be static, although Confluent will make a reasonable effort to minimize changes.

When IP addresses do change:

  • Confluent will provide advance notice through email and in-product notifications
  • You should monitor for updates and update your allowlists accordingly
  • Changes are typically announced at least 30 days in advance

For more information, see Use Public Egress IP Addresses on Confluent Cloud for Connectors and Cluster Linking.

What are public egress IP addresses used for?

Public egress IP addresses are used by Confluent Cloud to establish outbound connections for:

  • Managed connectors: Connecting to external data sources and sinks over the internet
  • Cluster Linking (AWS only): Connecting to external Kafka clusters

Benefits include:

  • IP allowlisting: Add egress IPs to allowlists of external resources
  • Regulatory compliance: Meet requirements for outbound traffic identification
  • Logging and monitoring: Track traffic sources in logs and metrics

Public egress IP addresses are only supported by publicly networked Kafka clusters.

Are egress IP addresses exclusive to my account?

No. Public egress IP addresses are not exclusive to specific Confluent Cloud accounts. All Confluent Cloud managed connectors that use the same cloud service provider and region share the same available public egress IP addresses.
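For the allowlist updates described under "Are public egress IP addresses static?", the following added example (not part of the Confluent documentation) compares a firewall allowlist with the current and the announced egress addresses. The `announced` input is an assumption, copied by hand from the change notification, and all addresses are constructed.

```python
import ipaddress

def reconcile_allowlist(allowlist, current, announced):
    """Compare allowlist entries with current and announced egress IPs.

    allowlist: CIDR strings configured on the external resource.
    current:   egress IPs in use today.
    announced: egress IPs that apply after the announced change (assumed input).
    """
    entries = [ipaddress.ip_network(e) for e in allowlist]
    cur = {ipaddress.ip_address(a) for a in current}
    new = {ipaddress.ip_address(a) for a in announced}
    wanted = cur | new      # allow both sets during the notice window
    retiring = cur - new    # addresses that go away after the change

    def hits(net, addrs):
        return [a for a in addrs if a in net]

    report = {"add_now": [], "remove_after_change": [], "stale": [], "too_broad": []}
    for addr in sorted(wanted, key=lambda a: (a.version, int(a))):
        if not any(addr in net for net in entries):
            report["add_now"].append(str(addr))
    for net in entries:
        used = hits(net, wanted)
        if not used:
            report["stale"].append(str(net))       # admits no egress IP at all
            continue
        if hits(net, retiring) and not hits(net, new):
            report["remove_after_change"].append(str(net))
        if net.num_addresses > len(used):
            report["too_broad"].append(str(net))   # admits more than needed
    return report

# Constructed sample data (documentation address ranges).
ALLOWLIST = ["203.0.113.10/32", "203.0.113.11/32", "198.51.100.0/24"]
CURRENT = ["203.0.113.10", "198.51.100.7"]
ANNOUNCED = ["203.0.113.12", "198.51.100.7"]

if __name__ == "__main__":
    for key, values in reconcile_allowlist(ALLOWLIST, CURRENT, ANNOUNCED).items():
        print(key, values)
```

Because the egress addresses are shared by all managed connectors in the same cloud provider and region, an allowlist entry narrows the source network but does not identify your account; keep authentication enabled on the allowlisted resource.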

DNS and connectivity questions

Why do I need DNS configuration for private networking?

DNS configuration is essential for private networking to:

  • Resolve Confluent Cloud cluster endpoints to private IP addresses
  • Enable clients to discover and connect to the correct private endpoints
  • Support zonal DNS for high availability configurations

Each cloud provider has different DNS configuration requirements. See the cloud-specific documentation for detailed setup instructions.
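One way to verify the first point, that cluster endpoints resolve only to private addresses from a given client network, is the check below. It is an added example, not part of the Confluent documentation; the hostnames are hypothetical placeholders, the expected ranges are an assumption, and the sample resolver returns constructed answers so the block runs offline.

```python
import ipaddress
import socket

# Assumption: RFC 1918 and IPv6 unique-local ranges; replace with the CIDR
# blocks your private endpoints are expected to use.
EXPECTED_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")

def system_resolver(host, port):
    """Resolve through the OS resolver and return unique address strings."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_private_resolution(host, port=9092, expected=EXPECTED_RANGES,
                             resolver=system_resolver):
    """Classify a hostname as 'private', 'not-private' or 'unresolved'."""
    nets = [ipaddress.ip_network(n) for n in expected]
    try:
        addrs = resolver(host, port)
    except socket.gaierror as exc:
        return {"host": host, "status": "unresolved", "outside": [], "error": str(exc)}
    outside = [a for a in addrs
               if not any(ipaddress.ip_address(a) in n for n in nets)]
    if not addrs:
        status = "unresolved"
    elif outside:
        status = "not-private"   # at least one answer leaves the private ranges
    else:
        status = "private"
    return {"host": host, "status": status, "outside": outside, "error": ""}

# Constructed answers standing in for a real resolver; hostnames are
# hypothetical placeholders, not real Confluent Cloud endpoints.
SAMPLE_DNS = {
    "bootstrap.private.example": ["10.2.0.15", "10.2.1.15", "10.2.2.15"],
    "bootstrap.split.example": ["10.2.0.15", "203.0.113.5"],
}

def sample_resolver(host, port):
    if host not in SAMPLE_DNS:
        raise socket.gaierror("no such host (constructed)")
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    for name in (*SAMPLE_DNS, "bootstrap.missing.example"):
        print(check_private_resolution(name, resolver=sample_resolver))
```

Run it with the default `system_resolver` from a host inside the client VPC/VNet; a `not-private` or `unresolved` result means clients there would either leave the private path or fail to connect.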