Networking in Confluent Cloud

Confluent Cloud supports the following networking solutions:

  • You can access Confluent Cloud Dedicated clusters through secure public endpoints, Private Link connections, VPC/VNet peering, or AWS Transit Gateway.

    If you use Private Link, your cluster will not have public endpoints, and you can only access your cluster from Private Endpoints in accounts you have registered with Confluent Cloud.

  • Enterprise clusters (on AWS only) are accessible through secure AWS Private Link connections.

  • Basic and Standard clusters are accessible through secure public endpoints.

    All connections to Confluent Cloud are encrypted with TLS 1.2 and require authentication using API keys, regardless of network configuration.

    Refer to the Confluent Cloud Security Controls whitepaper for more details on securing Confluent Cloud.

After a cluster has been provisioned, you cannot change its networking solution type between public and private.

Confluent Cloud uses the following ports and protocols for Confluent Cloud services:

Service Port Protocol
Kafka Brokers 9092 TCP
Confluent Cloud Console 443 HTTPS
Schema Registry 443 HTTPS
Confluent REST API 443 HTTPS
Confluent CLI 443 HTTPS
Metrics API 443 HTTPS

Considerations for public vs. private networking type

Using a private or public connectivity with Confluent Cloud is a trade-off:

  • With private networking, your cluster cannot be accessed from the public endpoints, eliminating potential security threats.

  • Private networking requires you to manage the peered or linked networks to ensure all your client applications and developers have the needed access to Confluent Cloud.

  • If you use private networking (VPC peering, VNet peering, or Private Links), you cannot directly connect from an on-premises data center to Confluent Cloud.

    To do this, you must first route to a shared services VPC or VNet that you own and connect that to Confluent Cloud using VPC/VNet peering (along with a proxy) or Private Link.

    If you are interested in this configuration for Confluent Cloud, contact your Confluent sales representative.

  • IP Addresses for ingress public endpoints are not static. These ingress public endpoints include the endpoints for Kafka brokers, Confluent REST API (, and Telemetry API (

    The endpoints can assume any public IP, without a specific range.

  • Native Kafka clients are not designed to work seamlessly in forward proxy environments. If you are producing HTTPS records, consider using the Kafka REST API.

To learn more about networking in Confluent Cloud, see:

Public networking solutions

Confluent Cloud offers data in motion services that can be shared across organizations over the secure public endpoints. Confluent Cloud services include the public connectivity for the Basic, Standard, and Dedicated cluster types.

Confluent Cloud clusters with secure public endpoints are protected by a proxy layer that prevents types of DoS, DDoS, syn flooding, and other network-level attacks.

For Confluent Cloud clusters with public connectivity on AWS only, you can use public egress IP addresses to communicate with external resources (such as data sources and sinks for managed connectors) over the secure public endpoints. For details, see Use Public Egress IP Addresses on Confluent Cloud for Connectors and Cluster Linking.

Private networking solutions

Confluent Cloud includes support for data in motion services that are shared privately with organizations on private networks and offer additional customization and controls for security and privacy. Private networking in Confluent Cloud is supported:

Confluent Cloud clusters using private networking solutions are not accessible from the public endpoints.

Confluent Cloud services, Confluent Cloud Console, Kafka REST API, and Confluent REST API requests require additional configuration to function as they use cluster endpoints. To use all features of the Confluent Cloud Console and Confluent REST API with private networking, see Use Confluent Cloud with Private Networking.

The following table summarizes the private networking solutions supported by Confluent Cloud. For details on each solution, click the link to go to the specific documentation.

Cloud service provider Supported networking solution
Amazon Web Services (AWS) AWS VPC Peering
  AWS PrivateLink for Dedicated clusters
  AWS PrivateLink for Enterprise clusters
  AWS Transit Gateway
Microsoft Azure Azure VNet Peering
  Azure Private Link
Google Cloud Google Cloud VPC Peering
  Google Cloud Private Service Connect

Confluent Cloud networks

A Confluent Cloud network is an abstraction for a single tenant network environment that hosts the following Confluent Cloud services:

  • One or more Dedicated clusters.

    After provisioning, a cluster cannot be moved to a different network.

  • Single tenant services

    • Managed connectors
    • Cluster Linking
    • ksqlDB clusters

A Confluent Cloud network is associated with one Confluent Cloud environment and can host clusters and applications within that environment. You cannot move a network to a different environment.

Each Confluent Cloud network gets its own VPC or VNet, and no more than one Confluent Cloud network are in one VPC or VNet.

A Confluent Cloud network includes the following features:

  • Support for private network connectivity with AWS PrivateLink, Azure Private Link, VPC peering, VNet peering, or AWS Transit Gateway.

  • Cloud-specific, regional, and spread across three zones.

    Zone selection for a Confluent Cloud network is supported in AWS and Google Cloud.

The following RBAC roles can provision Confluent Cloud networks:

  • NetworkAdmin

    Can grant access to provision Confluent Cloud networks in all environments belonging to the organization.

  • OrganizationAdmin

    Can grant access to provision Confluent Cloud networks in all environments belonging to the organization.

  • EnvironmentAdmin

    Can only provision the Confluent Cloud networks for the assigned environments.

You can create or delete a Confluent Cloud network on demand using:

Deletion of idle Confluent Cloud networks

An idle network is defined as a Confluent Cloud network that does not contain any physical resources, such as physical Kafka clusters.

Idle networks are deleted after 60 days. You will receive email communication and reminders prior to any deletion.

Check for an idle Confluent Cloud network

You can proactively check if or which of your Confluent Cloud networks are idle using the Confluent Cloud Console, Confluent REST API, or Confluent CLI.

  1. In the Network management tab of your Confluent Cloud environment, click For dedicated clusters to get a table of Confluent Cloud networks. Check the following columns:

    • State: Indicates Idle when the network is not being provisioned and in the idle state.

    • Connections: Number of connections and clusters

      When no connection and no cluster exists in the network, you see the warning symbol.

      When you hover over the warning symbol for the network, you see how many days remain until this network is deleted.

  2. Click a network name to open the network detail page.

    If the network is idle, the network detail page shows how many days are remaining before the network gets deleted.

Delete a Confluent Cloud network

You can delete a Confluent Cloud network using the Confluent Cloud Console, Confluent REST API, or Confluent CLI.

  1. In the Network management tab of your Confluent Cloud environment, click For dedicated clusters to get a table of Confluent Cloud networks.
  2. Click a network name you want to delete.
  3. Click at the upper right side of the page, and select Delete network.
  4. Specify the network ID, and click Continue.