AWS PrivateLink allows for one-way
secure connection access from your VPC to Confluent Cloud with an added protection
against data exfiltration. This networking option is popular for its unique
combination of security and simplicity.
The following diagram summarizes the AWS PrivateLink architecture with the
customer VPC/account and the Confluent Cloud VPC/account.
Create an AWS PrivateLink connection to Confluent Cloud
Follow this procedure to create an AWS PrivateLink connection to a Confluent Cloud
cluster on AWS using the Confluent Cloud Console or REST APIs.
To make an AWS PrivateLink connection to a cluster in Confluent Cloud, you must register the
AWS account ID you wish to use. This is a security measure so that Confluent can ensure
only your organization can initiate AWS PrivateLink connections to the cluster.
AWS PrivateLink connections from a VPC not contained in a registered AWS account
will not be accepted by Confluent Cloud.
You can register multiple AWS accounts to the same Confluent Cloud cluster, and
AWS PrivateLink connections can be made from multiple VPCs in each registered account.
Confluent Cloud Console:
In the Confluent Cloud Console, go to your network resource in the
Network Management tab and click + PrivateLink Access.
Enter the 12-digit AWS Account Number for the account containing
the VPCs you want to make the AWS PrivateLink connection from.
Note the VPC Endpoint service name; you need it to create the AWS PrivateLink
connection from your VPC to the Confluent Cloud cluster. This URL will also be
REST API (HTTP POST request):
In the request specification, include values for cloud, region, environment, connection
type, and, optionally, add the display name, CIDR, and zones for the Confluent Cloud network.
Update the attributes below with the correct values.
Your AWS PrivateLink connection status will transition from “Pending” to
“Active” in the Confluent Cloud Console. You still need to configure the Private
Endpoints in your VPC before you can connect to the cluster.
Set up the VPC Endpoint for AWS PrivateLink in your AWS account
After the connection status is “Active” in the Confluent Cloud Console, you must
configure Private Endpoints in your VPC from the AWS Management Console
to make the AWS PrivateLink connection to your Confluent Cloud cluster.
Confluent recommends using a
for setting up PrivateLink endpoints. This configuration automates the manual steps described below.
In the Confluent Cloud Console, find the following information for your Confluent Cloud
cluster under the Cluster Settings section and Confluent Cloud network under
Confluent Cloud Network overview.
Kafka Bootstrap (in the General tab)
Availability Zone IDs (in the Networking tab)
VPC Service Endpoint Name (in the Networking tab)
DNS Domain Name (in the Networking tab)
Zonal DNS Subdomain Names (in the Networking tab)
Verify subnet availability.
The Confluent Cloud VPC and cluster are created in specific zones that, for optimal
usage, should match the zones of the VPC you want to make the AWS PrivateLink
connections from. You must have subnets in your VPC for these zones so that
IP addresses can be allocated from them. You may also have subnets
in zones outside of these. Use AWS Zone IDs for this. You can find
the specific Availability Zones for your Confluent Cloud cluster in the Confluent Cloud Console.
Please note: Because Availability Zone names (for example, us-west-2a)
are inconsistent across AWS accounts, Availability Zone IDs (like usw2-az1) are used instead.
Verify that DNS hostnames and DNS resolution are enabled.
In the navigation menu under VIRTUAL PRIVATE CLOUD, click Endpoints.
The Endpoints page appears.
Click Create endpoint. The Create endpoint page appears.
Under Service category, select Other endpoint services.
Under Service settings, enter the Service name for your
Confluent Cloud VPC Service Endpoint Name. You can find this in
the Confluent Cloud Console.
Click Verify service. If you get an error, ensure that your account
is allowed to create PrivateLink connections.
Under VPC, select the VPC in which to create your endpoint.
Click Create endpoint.
Your VPC endpoint is created and displayed. Copy the VPC Endpoint ID for
Note the availability zones for your Confluent Cloud cluster from the
Networking tab in the Confluent Cloud Console. Select the service in these
zones. Ensure the desired subnet is selected for each zone. Failure to
add all zones as displayed in the Confluent Cloud Console can cause connectivity
issues to brokers in the omitted zones, which can result in an unusable cluster.
Confluent Cloud single availability zone clusters need service and subnet
selection in one zone whereas Confluent Cloud multi-availability zone clusters
need service and subnet selection in three zones.
Select or create a security group for the VPC Endpoints.
Add three inbound rules, one for each of ports 80, 443, and 9092,
from your desired source (your VPC CIDR). The Protocol should be
TCP for all three rules.
Port 80 is not required; it is available only as a redirect to
https/443, if desired.
Wait for acceptance by Confluent Cloud. This should happen almost immediately
(less than a minute). After it is accepted, the endpoint will transition
from “Pending” to “Active”.
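The endpoint creation and security group steps above, carried out with the AWS CLI instead of the AWS Management Console, as an added example that is not part of the Confluent documentation or Confluent's own tooling. It assumes the AWS CLI is configured for the account you registered; VPC_ID, VPC_CIDR, SERVICE_NAME, the zone IDs in REQUIRED_ZONE_IDS and the security group name confluent-privatelink are placeholders or arbitrary choices, to be replaced with the values from your account and the Confluent Cloud Console. It goes slightly beyond the console steps by checking the VPC DNS attributes first and refusing to create the endpoint if any required zone has no subnet, which is the failure mode the zone step warns about.

```shell
#!/usr/bin/env sh
# Added example (not Confluent's tooling): create the Interface VPC endpoint for the
# Confluent Cloud service name with the AWS CLI, after checking that the VPC has a
# subnet in every Availability Zone ID the Confluent Cloud Console lists.

# Zone IDs from the Networking tab of the cluster (placeholders): one ID for a
# single-zone cluster, three for a multi-zone cluster. Zone IDs, not zone names,
# because names such as us-west-2a differ between AWS accounts.
REQUIRED_ZONE_IDS="${REQUIRED_ZONE_IDS:-usw2-az1 usw2-az2 usw2-az3}"

# pick_subnets: stdin carries lines of "<zone-id> <subnet-id>" (the describe-subnets
# query output used in main). Prints one subnet ID per required zone, in the order of
# REQUIRED_ZONE_IDS, and fails if any required zone has no subnet, because brokers in
# a zone without an endpoint are unreachable and the cluster becomes unusable.
pick_subnets() {
  table=$(cat)
  missing=""
  chosen=""
  for zone in $REQUIRED_ZONE_IDS; do
    subnet=$(printf '%s\n' "$table" | awk -v z="$zone" '$1 == z { print $2; exit }')
    if [ -z "$subnet" ]; then
      missing="$missing $zone"
    else
      chosen="$chosen $subnet"
    fi
  done
  if [ -n "$missing" ]; then
    echo "no subnet in required zone(s):$missing" >&2
    return 1
  fi
  printf '%s\n' "${chosen# }"
}

# dns_attrs_ok: DNS hostnames and DNS resolution must both be enabled on the VPC.
# The CLI prints the booleans as True/False, so compare case-insensitively.
dns_attrs_ok() {
  h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  r=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "$h" = "true" ] && [ "$r" = "true" ]
}

main() {
  vpc_id="${VPC_ID:?set VPC_ID to the VPC that will hold the endpoint}"
  service_name="${SERVICE_NAME:?set SERVICE_NAME to the Confluent Cloud VPC Service Endpoint Name}"
  cidr="${VPC_CIDR:?set VPC_CIDR to the source range allowed to reach the endpoint}"

  hostnames=$(aws ec2 describe-vpc-attribute --vpc-id "$vpc_id" --attribute enableDnsHostnames \
    --query 'EnableDnsHostnames.Value' --output text)
  resolution=$(aws ec2 describe-vpc-attribute --vpc-id "$vpc_id" --attribute enableDnsSupport \
    --query 'EnableDnsSupport.Value' --output text)
  dns_attrs_ok "$hostnames" "$resolution" || {
    echo "enable DNS hostnames and DNS resolution on $vpc_id first" >&2; exit 1; }

  # Zone ID / subnet ID pairs for this VPC, filtered down to the required zones.
  subnets=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$vpc_id" \
    --query 'Subnets[].[AvailabilityZoneId,SubnetId]' --output text | pick_subnets) || exit 1

  # Security group: TCP 80, 443 and 9092 from the VPC CIDR only (80 is optional).
  sg_id=$(aws ec2 create-security-group --vpc-id "$vpc_id" --group-name confluent-privatelink \
    --description "Confluent Cloud PrivateLink endpoints" --query 'GroupId' --output text)
  for port in 80 443 9092; do
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" --protocol tcp --port "$port" --cidr "$cidr"
  done

  # Interface endpoint against the Confluent Cloud service name; the state printed
  # here should move from pendingAcceptance to available once Confluent Cloud accepts it.
  aws ec2 create-vpc-endpoint --vpc-id "$vpc_id" --vpc-endpoint-type Interface \
    --service-name "$service_name" --subnet-ids $subnets --security-group-ids "$sg_id" \
    --query 'VpcEndpoint.[VpcEndpointId,State]' --output text
}

# Only call AWS when explicitly asked, so the helpers can be sourced and checked offline.
if [ "${RUN_PRIVATELINK_SETUP:-0}" = "1" ]; then
  main
fi
```

Run it as RUN_PRIVATELINK_SETUP=1 VPC_ID=... VPC_CIDR=... SERVICE_NAME=... REQUIRED_ZONE_IDS="..." sh setup-endpoint.sh. Keeping the zone check in a function that reads a plain text table means the same check can be run against any subnet inventory before touching the account, and the three rules stay scoped to the VPC CIDR rather than 0.0.0.0/0.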
DNS changes must be made to ensure connectivity passes through AWS PrivateLink
in the supported pattern. Any DNS provider can be used; AWS Route 53 (used
in this example) is not required. Any DNS provider that can ensure DNS is routed
as follows is acceptable.
From an instance within the VPC (or anywhere the previous step’s DNS is
set up), run the following to validate Kafka connectivity through AWS
PrivateLink is working correctly.
Set an environment variable with the cluster bootstrap URL.
The Bootstrap URL displayed in the Confluent Cloud Console includes the port (9092).
The BOOTSTRAP value should include the full hostname but not the port,
so that you can run the openssl s_client -connect <host>:<port> command with the required values.
To run the openssl s_client -connect command, the -connect option requires
that you specify the host and the port number. For details, see the
If the returned output includes -----BEGIN CERTIFICATE----- and ends with
Verify return code: 0 (ok), connectivity to the bootstrap is confirmed.
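The connectivity check described above, as an added example that is not part of the Confluent documentation: it splits the bootstrap string the Console shows into host and port, runs openssl s_client against it, and decides success from the two markers the text names (a returned certificate and Verify return code: 0 (ok)). The bootstrap value pkc-XXXXX.us-west-2.aws.confluent.cloud:9092 is a placeholder, openssl is assumed to be installed on the instance inside the VPC, and the function names are my own.

```shell
#!/usr/bin/env sh
# Added example (not from the Confluent docs): validate the TLS handshake to the
# Confluent Cloud bootstrap endpoint through the PrivateLink endpoint, as the
# openssl s_client step above describes.

# bootstrap_host: drop the ":9092" suffix the Console shows; -connect takes host:port
# but the hostname is also needed on its own for the SNI value below.
bootstrap_host() {
  printf '%s\n' "${1%:*}"
}

# bootstrap_port: the port part of the bootstrap string, 9092 if none is present.
bootstrap_port() {
  case "$1" in
    *:*) printf '%s\n' "${1##*:}" ;;
    *)   printf '9092\n' ;;
  esac
}

# handshake_ok: read openssl s_client output on stdin and succeed only when the
# server returned a certificate AND chain verification reported code 0. Any other
# verify code (for example 20, unable to get local issuer certificate) or a bare
# connect error means the path is not usable, even if a TCP connection opened.
handshake_ok() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q -e '-----BEGIN CERTIFICATE-----' &&
  printf '%s\n' "$out" | grep -q -e 'Verify return code: 0 (ok)'
}

# check_bootstrap: run the handshake for a bootstrap string such as
# "pkc-XXXXX.us-west-2.aws.confluent.cloud:9092" (placeholder value).
check_bootstrap() {
  host=$(bootstrap_host "$1")
  port=$(bootstrap_port "$1")
  # -servername sets SNI so a server fronting several names can pick the right
  # certificate; </dev/null closes stdin so s_client exits after the handshake.
  if openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | handshake_ok; then
    echo "OK: TLS handshake to $host:$port succeeded through the endpoint"
  else
    echo "FAIL: TLS handshake to $host:$port failed; check DNS, the security group (443/9092) and the endpoint state" >&2
    return 1
  fi
}

# With BOOTSTRAP set (full hostname, with or without the port) the check runs directly.
if [ -n "${BOOTSTRAP:-}" ]; then
  check_bootstrap "$BOOTSTRAP"
fi
```

Run it from an instance in the VPC as BOOTSTRAP=pkc-XXXXX.us-west-2.aws.confluent.cloud sh check-bootstrap.sh. Testing on the verify return code rather than on the connection alone is the point: a reachable endpoint that presents an unverifiable certificate would still fail a Kafka client, so the script fails on it too.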
You might need to update the network security tools and firewalls to allow
connectivity. If you have issues connecting after following these
steps, confirm which network security systems your organization
uses and whether their configurations need to be changed. If you still have issues,
run the debug connectivity script
and provide the output to Confluent Support for assistance with your PrivateLink setup.
Japan (Osaka) region ap-northeast-3 and Jakarta region ap-southeast-3
are not supported for AWS PrivateLink clusters in Confluent Cloud. For these regions,
you can use VPC peering for clusters, or
use AWS PrivateLink with clusters in different regions.
All AWS availability zones, except use1-az3, are supported
in the us-east-1 region.
Each Confluent Cloud single zone cluster that uses AWS PrivateLink access
is provisioned with service endpoints in one availability zone. The
availability zone is selected based on Confluent Cloud placement policies.
To ensure connectivity over AWS PrivateLink connections, provision
subnets in your VPC that minimally include the single availability zone
in which the AWS PrivateLink access is provisioned.