Service Quotas for Confluent Cloud

There is a maximum quantity of resources and operations that can be used by organizations, environments, accounts, networks, and clusters in Confluent Cloud. These service quotas, or default limits, enable Confluent to manage the availability and scalability of Confluent Cloud resources.

In the sections below, the service quotas are grouped by resource scope that they apply to. Some resource limits are different for different scopes.

The default limits are usually adequate for most use cases, but if your requirements exceed the default limits, you can request increases for many of the default limits. For service quotas that have a quota code (ID) listed below, you use the use the Quotas API to get the current values.

Note

All Confluent Cloud resources have hard thresholds that cannot be exceeded, but many of the default quotas can be increased based on your changing requirements. To request an increase for a quota, contact Confluent Support.

Client quotas define throughput limits for specific principals on Dedicated Clusters. For more information about client quotas, see Multi-tenancy and Client Quotas on Confluent Cloud.

Service quota notifications

You can manage notifications for service quota events with the Confluent Cloud Console or with the REST API. For more information, see Notifications for Confluent Cloud.

Confluent Cloud service quota notification thresholds are as follows:

Usage (% quota) Notification level
50 Information
90 Warning
100 Critical

When notifications are enabled for a given notification level, you get notifications for each quota that exceeds the relevant notification threshold (50%, 90%, or 100% usage).

Note

  • Only quotas that have usage data available are eligible for notifications.

  • Notifications are sent only for exceeding a notification threshold, not for dipping beneath a threshold.

    Usage data is returned only if there has been non-zero usage. To see if a service quota generates usage data that can be used for notifications, review the Usage data available column in the tables below.

Service quotas

The following tables list the service quotas for Confluent Cloud resources by scope. Some resources have different limits for different scopes. For example, the maximum number of Kafka clusters is 20 per environment, but is 100 per organization.

Note

If a service quota does not have a quota code (ID), you cannot determine the current, applied limit using the Quotas API. To get the current applied limit for a service quota that does not have a quota code, contact Confluent Support.

Organization

Each service quota listed below applies to the scope of one Confluent Cloud organization.

To get the current applied limits for an organization, see Quotas API.

Important

The RBAC role bindings (for organization plus environments) limit in the Organization scope includes the total of role bindings for the organization plus the role bindings for the environments within that organization, but excludes the limits for Kafka clusters, Schema Registry clusters, ksqlDB clusters, and connectors.

Resource Quota (default) Quota code (ID) Usage data available
Audit Log API keys 2 iam.max_audit_log_api_keys.per_org  
Cloud API keys 1000 iam.max_cloud_api_keys.per_org
Self-managed (BYOK) encryption keys 20 byok.max_keys.per_org  
Environments 25 iam.max_environments.per_org
Identity providers (OAuth) 5 iam.max_identity_providers.per_organization  
Single sign-on (SSO) group mappings 10 iam.max_group_mappings.per_organization  
IP groups 25 iam.max_ip_groups.per_org  
IP filters 25 iam.max_ip_filters.per_org  
Kafka clusters 100 iam.max_kafka_clusters.per_org
RBAC role bindings (organization plus environments) 1000 iam.max_rbac_role_bindings.per_org_plus_envs  
Service accounts 1000 iam.max_service_accounts.per_org
User accounts (active and invited) 500 iam.max_users.per_org
Stream Designer pipelines 100 sd.max_pipelines.per_organization  
Custom connector plugins 100    
Custom connectors 30    

Environment

Each service quota listed below applies to the scope of one Confluent Cloud environment. For the limit on the number of environments, see Organization scope.

To get the current applied limits for an environment, see Quotas API.

Important

The RBAC role bindings (for organization plus environments) limit in the Organization scope includes the total of role bindings for the organization plus the role bindings for the environments within that organization, but excludes the limits for Kafka clusters, Schema Registry clusters, ksqlDB clusters, and connectors.

Resource Quota (default) Quota code (ID) Usage data available
Kafka clusters 20 kafka.max_kafka_clusters.per_env
Kafka clusters (pending) 3 kafka.max_pending_kafka_clusters.per_env  
Kafka cluster CKUs 50 kafka.max_ckus.per_env
ksqlDB clusters 10 ksql.max_apps.per_env  
Schema Registry clusters 1

 
Flink compute pools 10 flink.max_compute_pools.per_env  

Network

Each service quota listed below applies to the scope of one Confluent Cloud network. For more information about AWS PrivateLink attachments, see AWS PrivateLink for Enterprise Clusters.

To get the current applied limits for an organization, see Quotas API.

Resource Quota (default) Quota code (ID) Usage data available
Networks 3 networking.max_network.per_environment
Kafka clusters 10    
Kafka cluster CKUs 72    
Peering 25 networking.max_peering.per_network
AWS PrivateLink account accesses (unlimited connections) 10 networking.max_private_link.per_network
Azure Private Link subscription accesses (unlimited connections) 10 networking.max_private_link.per_network
Google Cloud Private Service Connect project accesses (unlimited connections) 10 networking.max_private_link.per_network
Transit gateways 1 networking.max_transit_gateway.per_network
AWS PrivateLink Attachments per environment for Enterprise 3 networking.max_private_link_attachments_per_environment  
AWS PrivateLink Attachment connections per AWS PrivateLink Attachment for Enterprise 10 networking.max_private_link_attachment_connections_per_attachment  
DNS domains per DNS forwarder 10 networking.limits.max_domains_per_dns_forwarder  
DNS server IP addresses per DNS forwarder 3 networking.limits.max_dns_server_ips_per_dns_forwarder  

Kafka Cluster

Each service quota listed below applies to the scope of one Kafka cluster. For the limit on the number of Kafka clusters, see the scopes for Organization and Environment.

To get the current applied limits for a Kafka cluster, see Quotas API.

Resource Quota (default) Quota code (ID) Usage data available
E-CKUs 5    
CKUs (for credit card billing) 4 (Incrementally increasable to 152 [1] ) kafka.max_ckus.per_cluster  
CKUs (for integrated cloud provider billing or invoice payments) 24 (Incrementally increasable to 152 [1] ) kafka.max_ckus.per_cluster  
API keys (for Dedicated Kafka cluster) 2000 kafka.max_api_keys.per_cluster
API keys (for Enterprise Kafka cluster) 500 kafka.max_api_keys.per_cluster
API keys (for Standard Kafka cluster) 100 kafka.max_api_keys.per_cluster
API keys (for Basic Kafka cluster) 50 kafka.max_api_keys.per_cluster
Connector tasks 250    
ACLs (for each Dedicated Kafka cluster) 10000    
ACLs (for each Enterprise Kafka cluster) 4000    
ACLs (for each Basic and Standard Kafka cluster) 1000    
RBAC role bindings

500 (Basic, Standard, and Enterprise)

5000 (Dedicated)

iam.max_rbac_role_bindings.per_cluster  
[1](1, 2) AWS supports Kafka clusters to 152 CKUs. GCP and Azure support Kafka clusters to 100 CKUs.

Service Account

Each service quota listed below applies to the scope of one service account. For the limit on the number of service accounts, see Organization scope.

To get the current applied limits for an organization, see Quotas API.

Resource Quota (default) Quota code (ID) Usage data available
Cloud API keys 10 iam.max_cloud_api_keys.per_service_account
Cluster API keys 10 iam.max_cluster_api_keys.per_service_account

User Account

Each service quota listed below applies to the scope of one user account. For the limit on the number of user accounts, see Organization scope.

To get the current applied limits for an organization, see Quotas API.

Resource Quota (default) Quota code (ID) Usage data available
Cloud API keys 10 iam.max_cloud_api_keys.per_user
Cluster API keys 10 iam.max_cluster_api_keys.per_user

Identity provider (OAuth)

Each service quota listed below applies to the scope of one Confluent Cloud identity provider. For the limit on the number of OAuth identity providers, see Organization scope.

Resource Quota (default) Quota code (ID) Usage data available
Identity pools 100    

IP filtering

Each service quota listed below applies to the scope of one Confluent Cloud IP group or one IP filter. For limits on the number of IP groups and IP filters per organization, see Organization scope.

Resource Quota (default) Quota code (ID) Usage data available
CIDR blocks per IP group 25    
IP groups per IP filter 25    

ksqlDB cluster

Each service quota listed below applies to the scope of one ksqlDB cluster. For the limit on the number of ksqlDB clusters, see Environment scope.

Resource Quota (default) Quota code (ID) Usage data available
CSUs 12    
Persistent queries 40    

Schema Registry cluster

Each service quota listed below applies to the scope of one Schema Registry cluster. For the limit on the number of Schema Registry clusters, see Environment scope.

Resource Quota (default) Quota code (ID) Usage data available
RBAC role bindings 5000