Networking in Confluent Cloud

Confluent Cloud supports the following public internet connectivity and private networking solutions:

  • You can access Confluent Cloud Dedicated clusters through secure internet endpoints, Private Link connections, VPC/VNet peering, or AWS Transit Gateway.

    If you use Private Link, your cluster will not have internet endpoints, and you can only access your cluster from Private Endpoints in accounts you have registered with Confluent Cloud.

  • All Basic and Standard clusters are accessible through secure public internet endpoints.

    All connections to Confluent Cloud are encrypted with TLS 1.2 and require authentication using API keys, regardless of network configuration.

    Refer to the Confluent Cloud Security Controls whitepaper for more details on securing Confluent Cloud.
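The two connection requirements above (TLS and API-key authentication) can be checked before a client is deployed. The following Python check is an added example, not Confluent's code: it parses a Kafka client properties snippet using the standard librdkafka/Java property names and flags settings that fall short of those requirements or that weaken server-certificate validation; the two sample configurations and their credentials are constructed placeholders.

```python
"""Check a Kafka client properties snippet against the requirements above:
every Confluent Cloud connection is TLS-encrypted and authenticated with an
API key. Added example (not Confluent's code); sample configs are constructed."""
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_client_config(props: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the config uses TLS + SASL,
    carries an API key/secret, and does not weaken certificate checks."""
    findings: List[str] = []
    if props.get("security.protocol", "PLAINTEXT").upper() != "SASL_SSL":
        findings.append("security.protocol must be SASL_SSL (TLS + SASL)")
    # librdkafka spells it sasl.mechanisms, the Java client sasl.mechanism
    if not (props.get("sasl.mechanisms") or props.get("sasl.mechanism")):
        findings.append("no SASL mechanism configured")
    if not props.get("sasl.username") or not props.get("sasl.password"):
        findings.append("API key/secret (sasl.username/sasl.password) missing")
    # Settings that silently turn off server certificate validation
    if props.get("ssl.endpoint.identification.algorithm", "https") == "":
        findings.append("hostname verification disabled")
    if props.get("enable.ssl.certificate.verification", "true").lower() == "false":
        findings.append("certificate verification disabled")
    return findings


# Constructed sample configurations; hostname and credentials are placeholders.
WEAK_CONFIG = """
bootstrap.servers=pkc-EXAMPLE.region.provider.confluent.cloud:9092
security.protocol=SASL_PLAINTEXT
sasl.mechanisms=PLAIN
"""
HARDENED_CONFIG = """
bootstrap.servers=pkc-EXAMPLE.region.provider.confluent.cloud:9092
security.protocol=SASL_SSL
sasl.mechanisms=PLAIN
sasl.username=<API_KEY>
sasl.password=<API_SECRET>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_client_config(parse_properties(cfg)) or ["ok"])
```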

After a cluster has been provisioned, you cannot change its networking solution type between public and private.

Considerations for public vs. private networking type

Choosing between private and public connectivity with Confluent Cloud involves the following trade-offs:

  • With private networking, your cluster cannot be accessed from the public internet, which eliminates exposure to attacks originating there.

  • Private networking requires you to manage the peered or linked networks to ensure all your client applications and developers have the needed access to Confluent Cloud.

  • If you use private networking (VPC peering, VNet peering, or Private Link), you cannot connect directly from an on-premises data center to Confluent Cloud.

    To do this, you must first route to a shared services VPC or VNet that you own and connect that to Confluent Cloud using VPC/VNet peering (along with a proxy) or Private Link.

    If you are interested in this configuration for Confluent Cloud, contact your Confluent sales representative.

  • IP addresses for secure internet endpoints are not static.

  • Native Kafka clients are not designed to work seamlessly in forward proxy environments. If you must produce records over HTTPS, consider using the Kafka REST API.

The following sections describe the networking options in Confluent Cloud.

Public networking solutions

Confluent Cloud offers data in motion services that can be shared across organizations over the public internet. Confluent Cloud services include public internet connectivity for the Basic, Standard, and Dedicated cluster types.

Confluent Cloud clusters with internet endpoints are protected by a proxy layer that defends against DoS and DDoS attacks, SYN flooding, and other network-level attacks.

For Confluent Cloud Dedicated clusters with public connectivity on AWS only, you can use static egress IP addresses to communicate with external resources (such as data sources and sinks for managed connectors) over the public internet. For details, see Use Static IP addresses on Confluent Cloud.

Private networking solutions

Confluent Cloud includes support for data in motion services that are shared privately with organizations on private networks and offer additional customization and controls for security and privacy. Private networking in Confluent Cloud is supported with Confluent Cloud networks for Dedicated clusters.

Confluent Cloud clusters using private networking solutions are not accessible from the public internet.

The following table summarizes the private networking solutions supported by Confluent Cloud. For details on each solution, click the link to go to the specific documentation.

Cloud service provider         Supported networking solution
-----------------------------  -------------------------------------
Amazon Web Services (AWS)      AWS VPC Peering
                               AWS PrivateLink
                               AWS Transit Gateway
Microsoft Azure                Azure VNet Peering
                               Azure Private Link
Google Cloud                   Google Cloud VPC Peering
                               Google Cloud Private Service Connect

Confluent Cloud networks

A Confluent Cloud network is an abstraction for a single-tenant network environment that hosts the following Confluent Cloud services:

  • One or more Dedicated clusters.

    After provisioning, a cluster cannot be moved to a different network.

  • Single-tenant services:

    • Managed connectors
    • Cluster Linking
    • ksqlDB clusters

A Confluent Cloud network is associated with one Confluent Cloud environment and can host clusters and applications within that environment. You cannot move a network to a different environment.

Each Confluent Cloud network gets its own VPC or VNet, and a VPC or VNet contains at most one Confluent Cloud network.

A Confluent Cloud network includes the following features:

  • Support for private network connectivity with AWS PrivateLink, Azure Private Link, VPC peering, VNet peering, or AWS Transit Gateway.

  • Each network is cloud-specific, regional, and spread across three availability zones.

    Zone selection for a Confluent Cloud network is supported in AWS and Google Cloud.

The following RBAC roles can provision Confluent Cloud networks:

  • NetworkAdmin

    Can grant access to provision Confluent Cloud networks in all environments belonging to the organization.

  • OrganizationAdmin

    Can grant access to provision Confluent Cloud networks in all environments belonging to the organization.

  • EnvironmentAdmin

    Can only provision the Confluent Cloud networks for the assigned environments.

You can create or delete a Confluent Cloud network on demand using: