Use Public Egress IP Addresses on Confluent Cloud for Connectors and Cluster Linking

Confluent Cloud provides public egress IP addresses for managed connectors and Cluster Linking. The IP addresses are used to securely establish outbound connections to endpoints of external data sources and sinks over the secure public endpoints. Egress IP addresses are beneficial for:

  • IP allowlisting. Adding egress IP addresses to the allowlist of an external resource ensures that only traffic originating from a known and consistent IP address is allowed to connect to the external resource.
  • Regulatory compliance. Some organizations require that all outbound traffic is initiated from an IP address.
  • Logging and monitoring. Egress IP addresses can be used to identify the source of traffic in logs and metrics.

Public egress IP addresses in Confluent Cloud can be used to:

  • Establish outbound connections to external data sources and sinks over the internet using Confluent Cloud managed connectors on AWS, Azure, and Google Cloud.
  • Configure the allowlist of an external resource to allow connections from Confluent Cloud services for Cluster Linking on AWS.

Public egress IP addresses are not exclusive to specific Confluent Cloud accounts. All Confluent Cloud managed connectors that use the same cloud service provider and region share the same available public egress IP addresses.

Requirements and considerations

When using public egress IP addresses, review the following requirements and considerations:

  • Public egress IP addresses are not guaranteed to be static, although Confluent will make the best effort to minimize changes.

    For details, see the FAQ.

  • The IP addresses are associated with specific cloud service providers and regions. If you change the region of a Confluent Cloud cluster, you need to update your allowlists to use the IP addresses available for the region.

  • Public egress IP addresses are not available for privately networked clusters (PrivateLink, VPC/VNet Peering, or TGW) through the Confluent Cloud Console, Confluent REST API, or Confluent CLI.

    For private networking connectivity IP address details, refer to Egress IP address ranges.

  • Azure does not support IP-based allowlisting if the managed connectors on Confluent Cloud and the Azure service reside in the same Azure region.

    For more information, see Grant access from a public IP range.

  • If your access logs show requests coming from IP addresses that are not in the Static Egress IP list provided for your clusters (for example, 35.160.220.191, 52.38.2.235, 35.160.220.191), you can safely ignore those IP addresses; they do not need to be added to the allowlist.

    These IP addresses are used only to make an initial communication attempt for validation, and no data is sent from them.
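
Because the egress IP addresses can change and differ by region, an allowlist built from them needs periodic review. The following is an added example, not Confluent code: a Python check that compares a firewall allowlist with the egress IP list copied from the Console. The function name `reconcile` is hypothetical, and the sample addresses are constructed from documentation ranges, apart from the validation-only address quoted above.

```python
import ipaddress

# Constructed sample: egress IPs as copied from the Cluster networking page.
SAMPLE_EGRESS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]
# Constructed sample firewall allowlist. 35.160.220.191 is one of the
# validation-only addresses that the page says does not need allowlisting.
SAMPLE_ALLOWLIST = ["203.0.113.10", "203.0.113.0/24", "35.160.220.191", "192.0.2.44/32"]


def reconcile(allowlist_entries, egress_ips):
    """Compare allowlist entries (IPs or CIDRs) with the current egress IPs.

    Returns a dict with three lists:
      missing: egress IPs not covered by any entry (connections would be blocked)
      stale:   entries that cover no current egress IP (candidates for removal)
      broad:   entries that admit more addresses than the egress IPs they cover
    """
    egress = {ipaddress.ip_address(ip.strip()) for ip in egress_ips}
    covered, stale, broad = set(), [], []
    for entry in allowlist_entries:
        # strict=False accepts entries with host bits set, such as 203.0.113.10/24.
        net = ipaddress.ip_network(entry.strip(), strict=False)
        hits = {ip for ip in egress if ip.version == net.version and ip in net}
        covered |= hits
        if not hits:
            stale.append(str(net))
        elif net.num_addresses > len(hits):
            broad.append(str(net))
    uncovered = sorted(egress - covered, key=lambda ip: (ip.version, int(ip)))
    return {"missing": [str(ip) for ip in uncovered], "stale": stale, "broad": broad}


if __name__ == "__main__":
    for finding, entries in reconcile(SAMPLE_ALLOWLIST, SAMPLE_EGRESS).items():
        print(f"{finding}: {', '.join(entries) or 'none'}")
```

Run it after a region change or whenever the Console list changes. Entries reported as stale or broad widen the allowlist without serving any current egress IP address.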

List the available public egress IP addresses

The public egress IP addresses appear only for publicly networked Kafka clusters.

You can view the list of available public egress IP addresses in the Confluent Cloud Console under the Cluster networking page for your Kafka cluster or when you add a new managed connector to a Kafka cluster.

On the Cluster networking page:

  1. In the Confluent Cloud Console, select your Kafka cluster.
  2. Click Networking.
  3. On the Cluster networking page, the list of available public egress IP addresses appears under Egress IPs and can be copied for later use with managed connectors.

When adding a managed connector:

  1. In the Confluent Cloud Console, select your Kafka cluster.
  2. Click Cluster settings, and then click Connector.
  3. On the Connectors page, select the managed connector that you want to add. The Add connector page appears.
  4. On the Authentication page, click Add Confluent cluster IP addresses to your firewall’s allowlist. The available public egress IP addresses are listed and can be copied for later use.