Manage Networking on Confluent Cloud¶

Confluent Cloud supports the following networking solutions:

Dedicated clusters are accessible through secure public endpoints, Private Link connections, VPC/VNet peering, or AWS Transit Gateway.

If you use Private Link, your cluster will not have public endpoints, and you can only access your cluster from Private Endpoints in accounts you have registered with Confluent Cloud.
Enterprise clusters are accessible through secure AWS PrivateLink or Azure Private Link connections.
Basic and Standard clusters are accessible through secure public endpoints.

Regardless of network configuration, all connections to Confluent Cloud are encrypted with TLS 1.2 or later and require authentication using API keys, OAuth, or mTLS.

Refer to the Confluent Cloud Security Controls whitepaper for more details on securing Confluent Cloud.

After a cluster has been provisioned, you cannot change its networking solution type between public and private.

Confluent Cloud uses the following ports and protocols for Confluent Cloud services:

Service	Port	Protocol
Kafka Brokers	9092	TCP
Confluent Cloud Console	443	HTTPS
Schema Registry	443	HTTPS
Confluent REST API	443	HTTPS
Confluent CLI	443	HTTPS
Metrics API	443	HTTPS

Considerations for public vs. private networking type¶

Using a private or public connectivity with Confluent Cloud is a trade-off:

With private networking, your cluster cannot be accessed from the public endpoints, eliminating potential security threats.
Private networking requires you to manage the peered or linked networks to ensure all your client applications and developers have the needed access to Confluent Cloud.
If you use private networking (VPC peering, VNet peering, or Private Links), you cannot directly connect from an on-premises data center to Confluent Cloud.

To do this, you must first route to a shared services VPC or VNet that you own and connect that to Confluent Cloud using VPC/VNet peering (along with a proxy) or Private Link.

If you are interested in this configuration for Confluent Cloud, contact your Confluent sales representative.
IP Addresses for ingress public endpoints are not static. These ingress public endpoints include the endpoints for Kafka brokers, Confluent REST API (api.confluent.cloud), and Telemetry API (api.telemetry.confluent.cloud).

The endpoints can assume any public IP, without a specific range.
Native Kafka clients are not designed to work seamlessly in forward proxy environments. If you are producing HTTPS records, consider using the Kafka REST API.
You are prohibited from transmitting cardholder or sensitive authentication data (PCI data as defined in the Payment Card Industry Data Security Standard) unless you encrypt the PCI data at the message level, and you use only private networking for Confluent Cloud clusters.

To learn more about networking in Confluent Cloud, see:

Securing the Cloud with VPC Peering, a podcast that walks you through the details of cloud networking and VPC peering.
Confluent Cloud Networking: Introduction, a Confluent Developer course.
Apache Kafka Networking with Confluent Cloud, a Confluent Developer podcast.

Public networking solutions¶

Confluent Cloud offers data in motion services that can be shared across organizations over the secure public endpoints. Confluent Cloud services include the public connectivity for the Basic, Standard, and Dedicated cluster types.

Confluent Cloud clusters with secure public endpoints are protected by a proxy layer that prevents types of DoS, DDoS, syn flooding, and other network-level attacks.

For Confluent Cloud clusters with public connectivity, you can use public egress IP addresses to communicate with external resources (such as data sources and sinks for managed connectors) over the secure public endpoints. For details, see Use Public Egress IP Addresses on Confluent Cloud for Connectors and Cluster Linking.

Private networking solutions¶

Confluent Cloud includes support for data in motion services that are shared privately with organizations on private networks and offer additional customization and controls for security and privacy. Private networking in Confluent Cloud is supported:

With Confluent Cloud networks for Dedicated clusters
With Private Links for Enterprise clusters on AWS and Azure

Confluent Cloud clusters using private networking solutions are not accessible from the public endpoints.

Confluent Cloud services, Confluent Cloud Console, Kafka REST API, and Confluent REST API requests require additional configuration to function as they use cluster endpoints. To use all features of the Confluent Cloud Console and Confluent REST API with private networking, see Use Confluent Cloud with Private Networking.

The following table summarizes the private networking solutions supported by Confluent Cloud. For details on each solution, click the link to go to the specific documentation.

Cloud service provider	Supported networking solution
Amazon Web Services (AWS)	AWS VPC Peering for Dedicated clusters
	AWS Transit Gateway for Dedicated clusters
	AWS inbound PrivateLink for Dedicated clusters
	AWS inbound PrivateLink for Enterprise clusters and Flink
	AWS outbound PrivateLink for connectors in Dedicated clusters
	AWS outbound PrivateLink for connectors in Enterprise
Microsoft Azure	Azure VNet Peering for Dedicated clusters
	Azure inbound Private Link for Dedicated clusters
	Azure inbound Private Link for Enterprise clusters and Flink
	Azure outbound Private Link for connectors in Dedicated clusters
	Azure outbound Private Link for connectors in Enterprise clusters
Google Cloud	Google Cloud VPC Peering
	Google Cloud Private Service Connect for Dedicated clusters

Confluent Cloud networks¶

A Confluent Cloud network is an abstraction for a single tenant network environment that hosts the following Confluent Cloud services:

One or more Dedicated clusters.

After provisioning, a cluster cannot be moved to a different network.
Single tenant services
- Managed connectors
- ksqlDB clusters

A Confluent Cloud network is associated with one Confluent Cloud environment and can host clusters and applications within that environment. You cannot move a network to a different environment.

A Confluent Cloud network includes the following features:

Support for private network connectivity with AWS PrivateLink, Azure Private Link, VPC peering, VNet peering, or AWS Transit Gateway.
Cloud-specific, regional, and spread across three zones.

Zone selection for a Confluent Cloud network is supported in AWS and Google Cloud.

The following RBAC roles can provision Confluent Cloud networks:

NetworkAdmin

Can grant access to provision Confluent Cloud networks in all environments belonging to the organization.
OrganizationAdmin

Can grant access to provision Confluent Cloud networks in all environments belonging to the organization.
EnvironmentAdmin

Can only provision the Confluent Cloud networks for the assigned environments.

You can create or delete a Confluent Cloud network on demand using:

Confluent Cloud Console
Confluent Cloud Network REST API

Deletion of idle Confluent Cloud networks¶

An idle network is defined as a Confluent Cloud network that does not contain any physical resources, such as physical Kafka clusters.

Idle networks are deleted after 60 days. You will receive email communication and reminders prior to any deletion.

Check for an idle Confluent Cloud network¶

You can proactively check if or which of your Confluent Cloud networks are idle using the Confluent Cloud Console, Confluent REST API, or Confluent CLI.

In the Network management tab of your Confluent Cloud environment, click For dedicated clusters to get a table of Confluent Cloud networks. Check the following columns:
- State: Indicates Idle when the network is not being provisioned and in the idle state.
- Connections: Number of connections and clusters
  
  When no connection and no cluster exists in the network, you see the warning symbol.
  
  When you hover over the warning symbol for the network, you see how many days remain until this network is deleted.
Click a network name to open the network detail page.

If the network is idle, the network detail page shows how many days are remaining before the network gets deleted.

REST request

GET https://api.confluent.cloud/networking/v1/networks/<network-id>

REST authentication

See Authentication.

The status section of the response includes idle_since which is the timestamp of when the network became idle.

Use the confluent network describe Confluent CLI command to check the status of a Confluent Cloud network:

confluent network describe <network-id>

The output contains the idle_since field which is the timestamp of when the network became idle.

Delete a Confluent Cloud network¶

You can delete a Confluent Cloud network using the Confluent Cloud Console, Confluent REST API, or Confluent CLI.

In the Network management tab of your Confluent Cloud environment, click For dedicated clusters to get a table of Confluent Cloud networks.
Click a network name you want to delete.
Click … at the upper right side of the page, and select Delete network.
Specify the network ID, and click Continue.

REST request

DELETE https://api.confluent.cloud/networking/v1/networks/<network-id>

REST authentication

See Authentication.

Use the confluent network delete Confluent CLI command to delete a Confluent Cloud network:

confluent network delete <network-id>