Test Connectivity to Confluent Cloud

Kafka broker hosts in Confluent Cloud do not respond to ping commands. Use alternative ways presented in this guide to test connectivity to the Kafka cluster and the Kafka REST endpoint before whitelisting those endpoints.

Note that you need to whitelist both endpoints (ports 9092 and 443) on your firewall for the Confluent CLI to work.

Run through the following steps to validate Confluent Cloud connectivity is working correctly.

  1. Test TCP connectivity to the Confluent Cloud cluster bootstrap endpoint.
  2. If TCP connectivity can be established, test data plane operations by producing/consuming using the Confluent CLI.

Test TCP connectivity to Confluent Cloud

For public networking, VPC peering, VNet peering, and AWS Transit Gateway, test TCP connectivity to the Confluent Cloud cluster using one of the tools, openSSL, Netcat, or Telnet.

For public endpoint clusters, run the command from any computer that has internet access.

For the cluster in private network environments, such as VPC peering, VNet peering, and AWS Transit Gateway, run the tests from within your VPC or VNet that is connected to the Confluent Cloud cluster.

Note that the host addresses of the Kafka bootstrap server and the REST endpoint are the same, and only the port numbers differ. Use port 9092 to test the connection to the Kafka bootstrap server, and port 443 to test the connection to the Kafka REST endpoint.

If successful, you will see a connection success message, and if there is a problem reaching the cluster, the commands will time out with an error.

  • openSSL

    openssl s_client -connect <bootstrap-url>:9092
    
    openssl s_client -connect <bootstrap-url>:443
    

    For details, see the openSSL documentation for the -connect option.

  • Netcat

    nc -zv <bootstrap-url> 9092
    
    nc -zv <bootstrap-url> 443
    
  • Telnet

    telnet <bootstrap-url> 9092
    
    telnet <bootstrap-url> 443
    

Note

You might need to update the network security tools and firewalls to allow connectivity. If you have issues connecting after following these steps, confirm which network security systems your organization uses and whether their configurations need to be changed.

Test connectivity to Confluent Cloud using Confluent CLI

After TCP connectivity is successfully established, test data plane operations by producing/consuming using the Confluent CLI.

If using private networking, run the steps from an instance within the VPC or VNet to validate Kafka connectivity works correctly.

  1. Sign in to Confluent CLI with your Confluent Cloud credentials.

    confluent login
    
  2. List the clusters in your organization.

    confluent kafka cluster list
    
  3. Select the cluster with a PrivateLink, Private Link, Private Service Connect you wish to test.

    confluent kafka cluster use ...
    

    For example:

    confluent kafka cluster use lkc-a1b2c
    
  4. Create a cluster API key to authenticate with the cluster.

    confluent api-key create --resource ... --description ...
    

    For example:

    confluent api-key create --resource lkc-a1b2c --description "connectivity test"
    
  5. Select the API key you just created.

    confluent api-key use ... --resource ...
    

    For example:

    confluent api-key use WQDMCIQWLJDGYR5Q --resource lkc-a1b2c
    
  6. Create a test topic.

    confluent kafka topic create test
    
  7. Start consuming events from the test topic.

    confluent kafka topic consume test
    
  8. Open another terminal tab or window.

  9. Start a producer.

    confluent kafka topic produce test
    
  10. Type anything into the produce tab and hit Enter; press Ctrl+D or Ctrl+C to stop the producer.

  11. The tab running consume will print what was typed in the tab running produce.

Troubleshoot connectivity to Kafka brokers