Confluent Cloud supports public internet connectivity and private networking solutions. You can access Confluent Cloud Dedicated clusters through secure internet endpoints, Private Link connections, VPC/VNet peering, or AWS Transit Gateway. All Basic and Standard clusters are accessible through secure internet endpoints. All connections to Confluent Cloud are encrypted with TLS and require authentication using API keys, regardless of network configuration.
Using VPC/VNet peering, Private Link, or AWS Transit Gateway is a trade-off. Your cluster cannot be accessed from the public internet, which eliminates some potential security threats, but it also requires you to manage the peered or linked networks to ensure all your client applications and developers have the access they need to Confluent Cloud.
- If you use VPC/VNet peering, your cluster will not have internet endpoints and you can only access it from a peered VPC/VNet.
- If you use private networking (VPC peering, VNet peering, or private links), then you cannot directly connect from an on-premises data center to Confluent Cloud. To do this, you must first route to a shared services VPC or VNet that you own and connect that to Confluent Cloud using VPC/VNet peering (along with a proxy) or Private Link. If you are interested in this configuration for Confluent Cloud, contact your Confluent sales representative.
- If you use Private Link, your cluster will not have internet endpoints and you can only access it from Private Endpoints in accounts you have registered with Confluent Cloud.
- If you use AWS Transit Gateway, your cluster will not have internet endpoints and you can only access it from the linked AWS Transit Gateway network.
- After a cluster has been provisioned with VPC peering, AWS PrivateLink, or AWS Transit Gateway, you cannot update it to use internet endpoints.
- After a cluster has been provisioned with secure internet endpoints, you cannot change it to use VPC/VNet peering, Private Link, or AWS Transit Gateway.
- IP addresses for secure internet endpoints are not static.
Confluent Cloud clusters with internet endpoints are protected by a proxy layer that prevents some types of DoS, DDoS, SYN flooding, and other network-level attacks. Confluent Cloud clusters using VPC peering, AWS PrivateLink, or AWS Transit Gateway are not accessible from the public internet.
Confluent Cloud ensures all connections to all cluster configurations use TLS 1.2 so traffic is encrypted in transit. Access to any Confluent Cloud Kafka cluster or other services is limited to clients with valid API keys and secrets. Non-TLS or unauthenticated connections are not allowed. Refer to the Confluent Cloud Security Controls whitepaper for more details on securing Confluent Cloud.
To learn more about networking in Confluent Cloud, see:
- Securing the Cloud with VPC Peering, a podcast that walks you through the details of cloud networking and VPC peering.
- Confluent Cloud Networking: Introduction, a Confluent Developer course.
- Apache Kafka Networking with Confluent Cloud, a Confluent Developer podcast.
Supported public networking solutions
Confluent Cloud offers data in motion services that can be shared across organizations over the public internet. Confluent Cloud services include public internet connectivity for all cluster types, including Basic, Standard, and Dedicated clusters.
For Confluent Cloud Dedicated clusters with public connectivity on AWS only, you can use static egress IP addresses to communicate with external resources (such as data sources and sinks for managed connectors) over the public internet. For details, see Use Static Egress IP addresses.
Supported private networking solutions
Confluent Cloud includes support for data in motion services that are shared privately with organizations on private networks and offer additional customization and controls for security and privacy. Private networking in Confluent Cloud is supported with Confluent Cloud networks, but only for Dedicated clusters.
Confluent Cloud network overview
A Confluent Cloud network is an abstraction for a single-tenant network environment that hosts Confluent Cloud Dedicated clusters along with the single-tenant services that belong to them, such as ksqlDB clusters and managed connectors.
A Confluent Cloud network includes the following features:
- One or more Dedicated clusters. However, clusters cannot be moved to a different Confluent Cloud network after creation.
- Support for private network connectivity. You can provision a Confluent Cloud network with AWS PrivateLink, Azure Private Link, VPC peering, VNet peering, or AWS Transit Gateway.
- Can be created or deleted on demand using the Confluent Cloud Console or the Confluent Cloud Network REST API.
- Are cloud-specific, regional, and spread across three zones.
- Zone selection for a Confluent Cloud network is supported in AWS and Google Cloud.
- Are in a VPC or VNet of their own. That is, every Confluent Cloud network gets its own VPC or VNet, and no more than one Confluent Cloud network is in the same VPC or VNet.
- Belong to exactly one Confluent Cloud environment and can host clusters and applications only within that environment. Networks cannot be moved between environments.
- Require one of the following RBAC roles to provision a Confluent Cloud network: NetworkAdmin, EnvironmentAdmin, or OrganizationAdmin.
  - The NetworkAdmin and OrganizationAdmin roles grant access to provision Confluent Cloud networks in all environments belonging to the organization, but the EnvironmentAdmin role can only provision these networks for its assigned environments.
Private link Confluent Cloud network:
- Supports registration of multiple AWS accounts or Azure subscriptions and auto-approval of Private Link connection requests from the registered accounts or subscriptions.
VPC-peered or VNet-peered Confluent Cloud network:
- Allows multiple peering connections to be provisioned.
- Requires a unique /16 CIDR IP address range from the private IP address space. The clusters and services created in this Confluent Cloud network will use the IP addresses from this range.
AWS Transit Gateway Confluent Cloud network:
- Requires a unique /16 CIDR IP address range from the RFC 1918 private address space. The clusters and services created in this network will use the IP addresses from this range.
- Allows manual provisioning of a single Transit Gateway attachment.
- Contact Confluent Support for provisioning of the Transit Gateway attachment.
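As an added example (not Confluent's own code), the following pre-provisioning check covers the /16 RFC 1918 requirement stated for both the peered and the Transit Gateway network types above; treating "unique" as "does not overlap any range already routed in your own peered VPCs/VNets or existing Confluent Cloud networks" is an assumption of this example.

```python
import ipaddress

# RFC 1918 private address blocks: the space a Confluent Cloud peering or
# Transit Gateway network CIDR must be taken from.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_confluent_network_cidr(candidate, existing_cidrs):
    """Return a list of problems with a proposed Confluent Cloud network CIDR.

    Checks that the range is exactly a /16, lies wholly inside one RFC 1918
    block, and does not overlap any IPv4 CIDR already in use (peered VPCs or
    VNets, Transit Gateway route tables, other Confluent Cloud networks).
    An empty list means the candidate passes every check.
    """
    problems = []
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.1.2.0/16
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {candidate!r}: {exc}"]

    if net.version != 4:
        return [f"{net} is not an IPv4 range"]
    if net.prefixlen != 16:
        problems.append(f"{net} is a /{net.prefixlen}, Confluent Cloud requires a /16")
    if not any(net.subnet_of(block) for block in RFC1918_BLOCKS):
        problems.append(f"{net} is not inside an RFC 1918 private block")
    for used in existing_cidrs:
        used_net = ipaddress.ip_network(used, strict=False)
        if used_net.version != 4:
            continue  # IPv6 ranges cannot collide with an IPv4 /16
        if net.overlaps(used_net):
            problems.append(f"{net} overlaps existing range {used_net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: ranges already routed in a peered VPC and an
    # existing Confluent Cloud network (assumed values, not real deployments).
    in_use = ["10.0.0.0/16", "192.168.0.0/16"]
    for cidr in ["10.1.0.0/16", "10.0.0.0/16", "172.32.0.0/16", "10.1.2.0/16"]:
        print(cidr, check_confluent_network_cidr(cidr, in_use) or "OK")
```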
All clusters and services within a Confluent Cloud network can be accessed after connectivity is provisioned for the network.
The following table summarizes the private networking solutions supported by Confluent Cloud for each cloud service provider. For details on each solution, follow the link to its documentation.
|Cloud service provider|Supported networking solution|
|---|---|
|Amazon Web Services (AWS)|AWS VPC Peering|
|Amazon Web Services (AWS)|AWS Transit Gateway|
|Microsoft Azure|Azure VNet Peering|
|Microsoft Azure|Azure Private Link|
|Google Cloud|Google Cloud VPC Peering|
|Google Cloud|Google Cloud Private Service Connect|