Use AWS PrivateLink with Confluent Cloud¶

AWS PrivateLink allows for one-way secure connection access from your VPC to Confluent Cloud with an added protection against data exfiltration. This networking option is popular for its unique combination of security and simplicity.

The following diagram summarizes the AWS PrivateLink architecture with the customer VPC/account and the Confluent Cloud VPC/account.

AWS PrivateLink architecture between customer VPC/account and Confluent Cloud cluster

Prerequisites¶

A Confluent Cloud network of type PRIVATELINK in AWS. If you do not have a Confluent Cloud network, see Confluent Cloud Network on AWS.
Your VPC must allow outbound internet connections for Confluent Cloud Schema Registry, ksqlDB, and Confluent CLI to work.
- Confluent Cloud Schema Registry is accessible over the internet.
- Provisioning new ksqlDB clusters requires Internet access. After ksqlDB clusters are up and running, they are fully accessible over AWS PrivateLink connections.
- Confluent CLI requires internet access to authenticate with the Confluent Cloud control plane.
Confluent Cloud Console components, like topic management, require additional configuration to function as they use cluster endpoints. To use all features of the Confluent Cloud Console with AWS PrivateLink, see Access Confluent Cloud Console with Private Networking.

Warning

For limitations of the AWS PrivateLink feature, see Limitations below.

Register your AWS account with Confluent Cloud¶

To make an AWS PrivateLink connection to a cluster in Confluent Cloud you must register the AWS Account ID you wish to use. This is a security measure so Confluent can ensure only your organization can initiate AWS PrivateLink connections to the cluster. AWS PrivateLink connections from a VPC not contained in a registered AWS account will not be accepted by Confluent Cloud.

You can register multiple AWS accounts to the same Confluent Cloud cluster, and AWS PrivateLink connections can be made from multiple VPCs in each registered AWS account.

If a VPC exists in a different AWS account, you need to create a separate PrivateLink Access on your Confluent Cloud network.

In the Confluent Cloud Console, go to your network resource in the Network Management tab and click + PrivateLink Access.
Enter the 12-digit AWS Account Number for the account containing the VPCs you want to make the AWS PrivateLink connection from.
Note the VPC Endpoint service name to create an AWS PrivateLink connection from your VPC to the Confluent Cloud cluster. This URL will also be provided later.
Click Save.

HTTP POST request

POST https://api.confluent.cloud/networking/v1/private-link-accesses

Authentication

See Authentication.

Request specification

In the request specification, include values for the Confluent Cloud network ID, account, environment, and, optionally, add the display name. Update the attributes below with the correct values.

{
   "spec":
   {
      "display_name": "AWS-PL-CCN-1",
      "cloud":
      {
         "kind": "AwsPrivateLinkAccess",
         "account": "000000000000"
      },
      "environment":
      {
         "id":"env-000000"
      },
      "network":
      {
         "id":"n-00000"
      }
   }
}

Your AWS PrivateLink connection status will transition from “Pending” to “Active” in the Confluent Cloud Console. You still need to configure the Private Endpoints in your VPC before you can connect to the cluster.

Create an AWS PrivateLink connection to Confluent Cloud¶

Follow this procedure to create an AWS PrivateLink connection to a Confluent Cloud cluster on AWS using the Confluent Cloud Console or REST APIs.

Set up the VPC endpoint for AWS PrivateLink in your AWS account¶

After the connection status is “Active” in the Confluent Cloud Console, configure your VPC private endpoints using the AWS VPC dashboard to make the AWS PrivateLink connection to your Confluent Cloud cluster.

Note

Confluent recommends using a Terraform configuration for setting up Private Link endpoints. This configuration automates the manual steps described below.

Prerequisites¶

In the Confluent Cloud Console, find the following information for your Confluent Cloud cluster under the Cluster Settings section and Confluent Cloud network under Confluent Cloud Network overview.

Kafka Bootstrap (in the General tab)
Availability Zone IDs (in the Networking tab)
VPC Service Endpoint Name (in the Networking tab)
DNS Domain Name (in the Networking tab)
Zonal DNS Subdomain Names (in the Networking tab)

Steps¶

Verify subnet availability.

The Confluent Cloud VPC and cluster is created in specific zones that, for optimal usage, should match the zones of the VPC you want to make the AWS PrivateLink connections from. You must have subnets in your VPC for these zones so that IP addresses can be allocated from them. It is allowed to also have subnets in zones outside of these. AWS Zone IDs should be used for this. You can find the specific Availability Zones for your Confluent Cloud cluster in the Confluent Cloud Console.

Note

Because Availability Zone names (for example, us-west-2a) are inconsistent across AWS accounts, Availability Zone IDs (like usw2-az1) are used.
Verify that DNS hostnames and DNS resolution are enabled.
1. Open the AWS Management Console and go the the VPC Dashboard at https://console.aws.amazon.com/vpc/home.
2. In the navigation menu under VIRTUAL PRIVATE CLOUD, click Your VPCs. The Your VPCs page appears.
3. Select your VPC and click Edit VPC settings. The Edit VPC settings page appears.
4. Under DNS settings, verify that Enable DNS resolution and Enable DNS hostnames are selected and then click Save.

Create the VPC endpoint.
1. Open the AWS Management Console and go the the VPC Dashboard at https://console.aws.amazon.com/vpc/home.
2. In the navigation menu under VIRTUAL PRIVATE CLOUD, click Endpoints. The Endpoints page appears.
3. Click Create endpoint. The Create endpoint page appears.
4. Under Service category, select Other endpoint services.
5. Under Service settings, enter the Service name for your Confluent Cloud VPC Service Endpoint Name. You can find this in the Confluent Cloud Console.
6. Click Verify service. If you get an error, ensure that your account is allowed to create PrivateLink connections.
7. Under VPC, select the VPC in which to create your endpoint.
8. Click Create endpoint.
  
  Your VPC endpoint is created and displayed. Copy the VPC Endpoint ID for later use.
9. Note the availability zones for your Confluent Cloud cluster from the Networking tab in the Confluent Cloud Console. Select the service in these zones. Ensure the desired subnet is selected for each zone. Failure to add all zones as displayed in the Confluent Cloud Console can cause connectivity issues to brokers in the omitted zones, which can result in an unusable cluster.
  
  Note
  
  Confluent Cloud single availability zone clusters need service and subnet selection in one zone whereas Confluent Cloud multi-availability zone clusters need service and subnet selection in three zones.
10. Select or create a security group for the VPC Endpoints.
  - Add three inbound rules for each of ports 80, 443, and 9092 from your desired source (your VPC CIDR). The Protocol should be TCP for all three rules.
  - Port 80 is not required, but is available as a redirect only to https/443, if desired.
11. Wait for acceptance by Confluent Cloud. This should happen almost immediately (less than a minute). After it is accepted, the endpoint will transition from “Pending” to “Active”.

Set up DNS records to use AWS VPC endpoints¶

You must update your DNS records to ensure connectivity through AWS PrivateLink in the supported pattern. Any DNS web service that can ensure that DNS requests are routed as follows can be used, but for the example, AWS Route53 is used.

DNS resolution options¶

For AWS PrivateLink Confluent Cloud networks, you can use the default DNS resolution or enable private DNS resolution.

Default DNS resolution¶

The default DNS resolution, which is partially public, is used for the bootstrap server and broker hostnames of a Confluent Cloud cluster that is using AWS PrivateLink. The default DNS resolution performs the following two-step process:

The Confluent Cloud Global DNS Resolver removes the glb subdomain and returns a CNAME for your bootstrap and broker hostnames.

Example: $lkc-id-$nid.$region.$cloud.glb.confluent.cloud

CNAME returned: $lkc-id.$nid.$region.$cloud.confluent.cloud
The CNAME resolves to your VPC private endpoints based on the Private Hosted Zone configuration.

Private DNS resolution¶

If you enable the Private DNS resolution option, your private hosted zone provides internal DNS resolution for your private networks without requiring external resolution to the Confluent Global DNS Resolver (GLB).

Tip

To identity the CNAME DNS zone records to correctly map to zonal endpoints for Confluent Cloud, you can run the DNS helper shell script.

To use private DNS resolution, disable the Enable DNS name setting under Additional settings (only appearing after the VPC is selected) when you create the VPC endpoint in the AWS Management Console. By default, this setting is enabled.

Configure DNS zones¶

To update DNS resolution using AWS Route53 in the AWS Management Console:

Create the Private Hosted Zone.
1. Click Create Hosted Zone.
2. Paste Confluent Cloud DNS into Domain Name. This can be found in the Confluent Cloud Console.
3. Change Type to Private Hosted Zone for Amazon VPC.
4. Select the VPC ID where you added the VPC Endpoint.
5. Click Create.
Set up DNS records for Confluent Cloud single availability zone clusters as follows:
1. Create the following record with the Create Record button using the VPC Endpoint DNS Name map from the previous setup in the form.
```
*.$domain CNAME “The lone zonal VPC Endpoint” TTL 60
```
  For example:
```
*.l92v4.us-west-2.aws.confluent.cloud CNAME vpce-09f9f4e9a86682eed-9gxp2f7v-us-west-2c.vpce-svc-04689782e9d70ee9e.us-west-2.vpce.amazonaws.com TTL 60
```

Set up DNS records for Confluent Cloud multi-availability zone clusters as follows:

Create the following records with the Create Record button
using the VPC Endpoint DNS Name map from the previous setup in the form.
```
*.$domain CNAME “All Zones VPC Endpoint” TTL 60
```
For example:
```
*.l92v4.us-west-2.aws.confluent.cloud CNAME vpce-09f9f4e9a86682eed-9gxp2f7v.vpce-svc-04689782e9d70ee9e.us-west-2.vpce.amazonaws.com TTL 60
```
The CNAME is used to ensure AWS Route53 health checks are used in the case of AWS outages.

Create one record per zone (repeat for all zones) in the form.

*.$zoneid.$domain CNAME “Zonal VPC Endpoint” TTL 60

For example:

*.usw2-az3.l92v4.us-west-2.aws.confluent.cloud. CNAME vpce-09f9f4e9a86682eed-9gxp2f7v-us-west-2a.vpce-svc-04689782e9d70ee9e.us-west-2.vpce.amazonaws.com TTL 60
*.usw2-az2.l92v4.us-west-2.aws.confluent.cloud. CNAME vpce-09f9f4e9a86682eed-9gxp2f7v-us-west-2c.vpce-svc-04689782e9d70ee9e.us-west-2.vpce.amazonaws.com TTL 60
*.usw2-az1.l92v4.us-west-2.aws.confluent.cloud. CNAME vpce-09f9f4e9a86682eed-9gxp2f7v-us-west-2b.vpce-svc-04689782e9d70ee9e.us-west-2.vpce.amazonaws.com TTL 60

Validate connectivity to Confluent Cloud¶

From an instance within the VPC (or anywhere the previous step’s DNS is set up), run the following to validate Kafka connectivity through AWS PrivateLink is working correctly.
1. Set an environment variable with the cluster bootstrap URL.
```
export BOOTSTRAP=$<bootstrap-server-url>
```
  The Bootstrap URL displayed in Confluent Cloud Console includes the port (9092). The BOOTSTRAP value should include the full hostname, but do not include the port. This is so that you can run the openssl s_client -connect <host>:<port> command with the required values.
  
  For example:
```
# Default DNS resolution
export BOOTSTRAP=lkc-2v531-lg1y3.us-west-1.aws.glb.confluent.cloud

# Private DNS resolution

export BOOTSTRAP=lkc-2v531.domz6wj0p.us-west-1.aws.confluent.cloud
```
2. Test connectivity to your cluster by running the openssl s_client -connect <host>:<port> command, specifying the $BOOTSTRAP environment variable for the <host> value and 9092 for the <port> value.
```
openssl s_client -connect $BOOTSTRAP:9092 -servername $BOOTSTRAP -verify_hostname $BOOTSTRAP </dev/null 2>/dev/null | grep -E 'Verify return code|BEGIN CERTIFICATE' | xargs
```
  To run the openssl s_client -connect command, the -connect option requires that you specify the host and the port number. For details, see the openssl s_client documentation.
3. If the return output is -----BEGIN CERTIFICATE----- Verify return code: 0 (ok), connectivity to the bootstrap is confirmed.
  
  Note
  
  You might need to update the network security tools and firewalls to allow connectivity. If you have issues connecting after following these steps, confirm which network security systems your organization uses and whether their configurations need to be changed. If you still have issues, run the debug connectivity script and provide the output to Confluent Support for assistance with your PrivateLink setup.
Next, verify connectivity using the Confluent CLI.
1. Sign in to Confluent CLI with your Confluent Cloud credentials.
```
confluent login
```
2. List the clusters in your organization.
```
confluent kafka cluster list
```
3. Select the cluster with AWS PrivateLink you wish to test.
```
confluent kafka cluster use ...
```
  For example:
```
confluent kafka cluster use lkc-a1b2c
```
4. Create a cluster API key to authenticate with the cluster.
```
confluent api-key create --resource ... --description ...
```
  For example:
```
confluent api-key create --resource lkc-a1b2c --description "connectivity test"
```
5. Select the API key you just created.
```
confluent api-key use ... --resource ...
```
  For example:
```
confluent api-key use WQDMCIQWLJDGYR5Q --resource lkc-a1b2c
```
6. Create a test topic.
```
confluent kafka topic create test
```
7. Start consuming events from the test topic.
```
confluent kafka topic consume test
```
8. Open another terminal tab or window.
9. Start a producer.
```
confluent kafka topic produce test
```
10. Type anything into the produce tab and hit Enter; press Ctrl+D or Ctrl+C to stop the producer.
11. The tab running consume will print what was typed in the tab running produce.

You’re done! The cluster is ready for use.

Limitations¶

AWS PrivateLink is only available for use with Dedicated clusters.
Existing Confluent Cloud networks cannot be converted to use AWS PrivateLink.
After provisioning of a Confluent Cloud network, you cannot change the DNS resolution option for the default or private DNS resolution.
Cross-region AWS PrivateLink connections are not supported.
See also: Prerequisites.

Connectors¶

Fully-managed Confluent Cloud connectors can connect to sources or sinks using public IP addresses. Sources or sinks in the customer network with private IP addresses are not supported. An exception to this is the Amazon S3 Sink connector which can connect to an Amazon S3 bucket from a private network.

Availability zones¶

Japan (Osaka) region ap-northeast-3 and Jakarta region ap-southeast-3 are not supported for AWS PrivateLink clusters in Confluent Cloud. For these regions, you can use VPC peering for clusters, or use AWS PrivateLink with clusters in different regions.

All AWS availability zones, except use1-az3, are supported in the us-east-1 region.

Single availability-zone clusters¶

Each Confluent Cloud single zone cluster that uses AWS PrivateLink access is provisioned with service endpoints in one availability zone. The availability zone is selected based on Confluent Cloud placement policies.

To ensure connectivity over AWS PrivateLink connections, provision subnets in your VPC that minimally include the single availability zone in which the AWS PrivateLink access is provisioned.