Service Quotas for Confluent Cloud¶
There is a maximum quantity of resources and operations that can be used by organizations, environments, accounts, networks, and clusters in Confluent Cloud. These service quotas, or default limits, enable Confluent to manage the availability and scalability of Confluent Cloud resources.
In the sections below, the service quotas are grouped by resource scope that they apply to. Some resource limits are different for different scopes.
- The default limits are usually adequate for most use cases, but if your requirements exceed the default limits, you can request increases for many of the default limits. For service quotas that have a quota code (ID) listed below, you use the use the Quotas API to get the current values.
- All Confluent Cloud resources have hard thresholds that cannot be exceeded, but many of the default quotas can be increased based on your changing requirements. To request an increase for a quota, contact Confluent Support.
- Client quotas define throughput limits for specific principals on Dedicated Clusters. For more information about client quotas, see Multi-tenancy and Client Quotas on Confluent Cloud.
Service quota notifications¶
You can manage notifications for service quota events with the Confluent Cloud Console or with the REST API. For more information, see Notifications for Confluent Cloud.
Confluent Cloud service quota notification thresholds are as follows:
| Usage (% quota) | Notification level |
|---|---|
| 50 | Information |
| 90 | Warning |
| 100 | Critical |
When notifications are enabled for a given notification level, you get notifications for each quota that exceeds the relevant notification threshold (50%, 90%, or 100% usage).
- Only quotas that have usage data available are eligible for notifications.
- Notifications are sent only for exceeding a notification threshold, not for dipping beneath a threshold.
- Usage data is returned only if there has been non-zero usage. To see if a service quota generates usage data that can be used for notifications, review the Usage data column in the tables below.
Service quotas¶
The following tables list the service quotas for Confluent Cloud resources by scope.
Some resources have different limits for different scopes. For example, the
maximum number of Kafka clusters is 20 per environment, but is 100 per
organization.
If a service quota does not have a quota code (ID), you cannot determine the current, applied limit using the Quotas API. To get the current applied limit for a service quota that does not have a quota code, contact Confluent Support.
Organization¶
Each service quota listed below applies to a single Organization in Confluent Cloud. You can check the current applied limits for an environment using the Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Audit Log API keys | 2 | iam.max_audit_log_api_keys.per_org |
|
| Cloud API keys | 1000 | iam.max_cloud_api_keys.per_org |
✔ |
| Self-managed (BYOK) encryption keys | 20 | byok.max_keys.per_org |
|
| Environments | 25 | iam.max_environments.per_org |
✔ |
| Identity providers (OAuth) | 5 | iam.max_identity_providers.per_organization |
|
| Single sign-on (SSO) group mappings | 12 | iam.max_group_mappings.per_org |
|
| IP groups | 25 | iam.max_ip_groups.per_org |
|
| IP filters | 25 | iam.max_ip_filters.per_org |
|
| Kafka clusters | 100 | iam.max_kafka_clusters.per_org |
✔ |
| RBAC role bindings (total) | 250,000 | iam.max_rbac_role_bindings_all_roles.per_org |
✔ |
| Cross-resource RBAC role bindings to roles with Kafka permissions (see [1]) | 1000 | iam.max_rbac_role_bindings.per_org_plus_envs |
✔ |
| Service accounts | 1,000 | iam.max_service_accounts.per_org |
✔ |
| User accounts (active and invited) | 1,000 | iam.max_users.per_org |
✔ |
| Stream Designer pipelines | 100 | sd.max_pipelines.per_organization |
|
| Custom connector plugins | 100 | ||
| Custom connectors | 30 |
| [1] | Roles with Kafka permissions at the Organization or Environment scope include: OrganizationAdmin, EnvironmentAdmin, MetricsViewer, NetworkAdmin, DataSteward, DataDiscovery, and Operator. |
Environment¶
Each service quota listed below applies to a single environment in Confluent Cloud. To view the limit on the number of environments, see Organization scope. You can check the current applied limits for an environment using the Quotas API.
The total number of RBAC role bindings with Kafka permissions allowed across your organization (Organization scope) includes both organization-level role bindings and role bindings assigned within each of your environments.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Kafka clusters | 20 | kafka.max_kafka_clusters.per_env |
✔ |
| Kafka clusters (pending) | 3 | kafka.max_pending_kafka_clusters.per_env |
|
| Kafka cluster CKUs | 50 | kafka.max_ckus.per_env |
✔ |
| ksqlDB clusters | 10 | ksql.max_apps.per_env |
|
| Schema Registry clusters | 1 | ||
| Flink compute pools | 10 | flink.max_compute_pools.per_env |
Network¶
Each service quota listed below applies to the scope of one Confluent Cloud network.
To get the current applied limits for an organization, see Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Networks | 3 | networking.max_network.per_environment |
✔ |
| Kafka clusters | 10 | ||
| Kafka cluster CKUs | 72 | ||
| Peering | 25 | networking.max_peering.per_network |
✔ |
| AWS PrivateLink account accesses | 10 | networking.max_private_link.per_network |
✔ |
| Azure Private Link subscription accesses | 10 | networking.max_private_link.per_network |
✔ |
| Google Cloud Private Service Connect project accesses | 10 | networking.max_private_link.per_network |
✔ |
| Transit gateways | 1 | networking.max_transit_gateway.per_network |
✔ |
| AWS PrivateLink Attachments per environment for Enterprise | 3 | networking.max_private_link_attachments_per_environment |
|
| AWS PrivateLink Attachment connections per AWS PrivateLink Attachment for Enterprise | 10 | networking.max_private_link_attachment_connections_per_attachment |
|
| DNS domains per DNS forwarder | 10 | networking.limits.max_domains_per_dns_forwarder |
|
| DNS server IP addresses per DNS forwarder | 3 | networking.limits.max_dns_server_ips_per_dns_forwarder |
Kafka Cluster¶
Each service quota listed below applies to a single Kafka cluster. For the limit on the number of Kafka clusters, see Organization or Environment. You can check the current applied limits for an Kafka cluster by using the Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| E-CKUs | 5 | ||
| CKUs (for credit card billing) | 4 (Incrementally increasable to 152 [2] ) | kafka.max_ckus.per_cluster |
|
| CKUs (for integrated cloud provider billing or invoice payments) | 24 (Incrementally increasable to 152 [2] ) | kafka.max_ckus.per_cluster |
|
| API keys (for Dedicated Kafka cluster) | 2000 | kafka.max_api_keys.per_cluster |
✔ |
| API keys (for Enterprise Kafka cluster) | 500 | kafka.max_api_keys.per_cluster |
✔ |
| API keys (for Standard Kafka cluster) | 100 | kafka.max_api_keys.per_cluster |
✔ |
| API keys (for Basic Kafka cluster) | 50 | kafka.max_api_keys.per_cluster |
✔ |
| Connector tasks | 250 | ||
| ACLs (for each Dedicated Kafka cluster) | 10000 | ||
| ACLs (for each Enterprise Kafka cluster) | 4000 | ||
| ACLs (for each Basic and Standard Kafka cluster) | 1000 | ||
| RBAC role bindings to roles with Kafka permissions (see [3]) | 500 (Basic, Standard, and Enterprise) 5000 (Dedicated) |
iam.max_rbac_role_bindings.per_cluster |
✔ |
| [2] | (1, 2) AWS and Google Cloud support Kafka clusters to 152 CKUs. Azure supports Kafka clusters to 100 CKUs. |
| [3] | RBAC roles with Kafka permissions at the Cluster scope include: CloudClusterAdmin, DeveloperManage, DeveloperWrite, DeveloperRead, ResourceOwner, MetricsViewer, Operator, and KsqlAdmin. |
Service Account¶
Each service quota listed below applies to the scope of one service account. For the limit on the number of service accounts, see Organization scope.
To get the current applied limits for an organization, see Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Cloud API keys | 10 | iam.max_cloud_api_keys.per_service_account |
✔ |
| Cluster API keys | 10 | iam.max_cluster_api_keys.per_service_account |
✔ |
User Account¶
Each service quota listed below applies to the scope of one user account. For the limit on the number of user accounts, see Organization scope.
To get the current applied limits for an organization, see Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Cloud API keys | 10 | iam.max_cloud_api_keys.per_user |
✔ |
| Cluster API keys | 10 | iam.max_cluster_api_keys.per_user |
✔ |
Identity provider (OAuth)¶
Each service quota listed below applies to the scope of one Confluent Cloud identity provider. For the limit on the number of OAuth identity providers, see Organization scope.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Identity pools | 100 |
IP filtering¶
Each service quota listed below applies to the scope of one Confluent Cloud IP group or one IP filter. For limits on the number of IP groups and IP filters per organization, see Organization scope.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| CIDR blocks per IP group | 25 | ||
| IP groups per IP filter | 25 |
ksqlDB cluster¶
Each service quota listed below applies to the scope of one ksqlDB cluster. For the limit on the number of ksqlDB clusters, see Environment scope.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| CSUs | 12 | ||
| Persistent queries | 40 |
Cloud Region¶
Each service quota listed below applies to the scope of one cloud region in an environment.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Flink statements | 5000 |