Service Quotas for Confluent Cloud

Service quotas enable Confluent to manage the availability and scalability of Confluent Cloud resources. A service quota is the default maximum quantity of a resource or operations on it that can be used in Confluent Cloud.

Resources in Confluent Cloud can have different service quotas for different scopes. For example, the maximum number of Confluent Cloud clusters is 20 per environment, but is 100 per organization.

If a service quota does not have a quota code (ID), you cannot determine the current, applied limit using the Quotas API. To get the current applied limit for a service quota that does not have a quota code, contact Confluent Support.

Core resource scopes

The following sections list the service quotas for core resource scopes in Confluent Cloud, including organization, environments, Kafka clusters, ksqlDB clusters, and Apache Flink®.

Organization

Resource Quota (default) Quota code (ID) Usage data
Environments 25 iam.max_environments.per_org
Kafka clusters 100 iam.max_kafka_clusters.per_org
Stream Designer pipelines 100 sd.max_pipelines.per_organization  
Custom connector plugins 100    
Custom connectors 30    

Environments

The service quotas for the environment scope in Confluent Cloud are now listed within the resources or features. To view the limit on the number of environments, see Organization scope. You can check the current applied limits for an environment using the Quotas API.

The total number of RBAC role bindings with Kafka permissions allowed across your organization (Organization scope) includes both organization-level role bindings and role bindings assigned within each of your environments.

Kafka clusters

Each service quota listed below applies to a single Kafka cluster. For the limit on the number of Kafka clusters, see Organization or Environment. You can check the current applied limits for an Kafka cluster by using the Quotas API.

Resource Quota (default) Quota code (ID) Usage data
Kafka clusters per environment 20 kafka.max_kafka_clusters.per_env
Kafka clusters (pending) per environment 3 kafka.max_pending_kafka_clusters.per_env  
Kafka cluster CKUs per environment 50 kafka.max_ckus.per_env
eCKU per cluster 5    
CKUs (for credit card billing) per cluster 4 (Incrementally increasable to 152; see [Note]) kafka.max_ckus.per_cluster  
CKUs (for integrated cloud provider billing or invoice payments) per cluster 24 (Incrementally increasable to 152; see [Note]) kafka.max_ckus.per_cluster  
Connector tasks per cluster 250    
[Note](1, 2) AWS and Google Cloud support Kafka clusters to 152 CKUs. Azure supports Kafka clusters to 100 CKUs.

ksqlDB clusters

Each service quota listed below applies to the scope of one ksqlDB cluster. For the limit on the number of ksqlDB clusters, see Environment scope.

Resource Quota (default) Quota code (ID) Usage data
ksqlDB clusters per environment 10 ksql.max_apps.per_env  
CSUs per ksqlDB cluster 12    
Persistent queries per ksqlDB cluster 40    

Schema Registry clusters

Each service quota listed below applies to the scope of one Confluent Cloud environment.

Resource Quota (default) Quota code (ID) Usage data
Schema Registry clusters 1

 

Security scopes

Each security-related service quota below applies to a single Organization in Confluent Cloud. You can check the current applied limits for an environment using the Quotas API.

User accounts

Each service quota listed below applies to the scope of one Confluent Cloud organization. For API keys per user account, see API keys.

To get the current applied limits for an organization, see Quotas API.

Resource Quota (default) Quota code (ID) Usage data
User accounts (active and invited) per organization 1,000 iam.max_users.per_org

Service accounts

Each service quota listed below applies to the scope of one Confluent Cloud organization. For API keys per service account, see API keys.

To get the current applied limits for an organization, see Quotas API.

Resource Quota (default) Quota code (ID) Usage data
Service accounts per organization 1,000 iam.max_service_accounts.per_org

API keys

Each service quota listed below applies to the scope of one Confluent Cloud organization. For the limit on the number of API keys per service account or user account, see Service Account scope or User Account scope.

Resource Quota (default) Quota code (ID) Usage data
API keys for Audit Log per organization 2 iam.max_audit_log_api_keys.per_org  
API keys per organization 1000 iam.max_cloud_api_keys.per_org
API keys per Dedicated cluster 2000 kafka.max_api_keys.per_cluster
API keys per Enterprise cluster 500 kafka.max_api_keys.per_cluster
API keys per Standard cluster 100 kafka.max_api_keys.per_cluster
API keys per Basic cluster 50 kafka.max_api_keys.per_cluster
API keys per service account 100 iam.max_cloud_api_keys.per_service_account
API keys per service account (resource-scoped to Kafka cluster) 100 iam.max_cluster_api_keys.per_service_account
API keys (resource-scoped to resource management) per user account 10 iam.max_cloud_api_keys.per_user
API keys (resource-scoped to Kafka cluster) per user account 10 iam.max_cluster_api_keys.per_user

Role-based access control (RBAC)

Each service quota listed below applies to the scope of one organization or for cross-resource RBAC role bindings, the scope of one organization plus all environments in it.

Resource Quota (default) Quota code (ID) Usage data
RBAC role bindings (total) per organization 250,000 iam.max_rbac_role_bindings_all_roles.per_org
Cross-resource RBAC role bindings to roles with Kafka permissions (see [1]) - per organization plus environments 1000 iam.max_rbac_role_bindings.per_org_plus_envs
RBAC role bindings to roles with Kafka permissions (see [2])

500 (Basic, Standard, and Enterprise)

25000 (Dedicated)

iam.max_rbac_role_bindings.per_cluster
[1]Roles with Kafka permissions at the Organization or Environment scope include: OrganizationAdmin, EnvironmentAdmin, MetricsViewer, NetworkAdmin, DataSteward, DataDiscovery, and Operator.
[2]RBAC roles with Kafka permissions at the Cluster scope include: CloudClusterAdmin, DeveloperManage, DeveloperWrite, DeveloperRead, ResourceOwner, MetricsViewer, Operator, and KsqlAdmin.

IP filtering

Each service quota listed below applies to the scope of one Confluent Cloud IP group or one IP filter. For limits on the number of IP groups and IP filters per organization, see Organization scope.

Resource Quota (default) Quota code (ID) Usage data
IP filters per organization 25 iam.max_ip_filters.per_org  
IP groups per organization 25 iam.max_ip_groups.per_org  
CIDR blocks per IP group 25    
IP groups per IP filter 25    

Mutual TLS (mTLS)

Each service quota listed below applies to the scope of one mutual TLS (mTLS) certificate authority. For limits on the number of mutual TLS (mTLS) certificate authorities per organization, see Organization scope.

Resource Quota (default) Quota code (ID) Usage data
Mutual TLS (mTLS) certificate authorities per organization 5 iam.max_certificate_authorities.per_organization  
Mutual TLS (mTLS) certificate identity pools per certificate authority 1000 iam.max_certificate_pools.per_certificate_authority  

OAuth identity providers

Each service quota listed below applies to the scope of one Confluent Cloud OAuth identity provider. For the limit on the number of OAuth identity providers, see Organization scope.

Resource Quota (default) Quota code (ID) Usage data
OAuth identity providers per organization 5 iam.max_identity_providers.per_organization  
Identity pools per OAuth identity provider 100    

Self-managed (BYOK) encryption keys

Each service quota listed below applies to the scope of one organization.

Resource Quota (default) Quota code (ID) Usage data
Self-managed (BYOK) encryption keys per organization 20 byok.max_keys.per_org

Single sign-on (SSO) identity providers

Each service quota listed below applies to the scope of one Confluent Cloud organization or one SSO identity provider.

Resource Quota (default) Quota code (ID) Usage data
SSO identity providers per organization 5 iam.max_identity_providers.per_organization  
Single sign-on (SSO) group mappings 100 iam.max_group_mappings.per_org  
Identity pools per SSO identity provider 100    

Networking scopes

The following sections list the service quotas for networking resources in Confluent Cloud.

Networks

Each service quota listed below applies to the scope of one Confluent Cloud network.

To get the current applied limits for an organization, see Quotas API.

Resource Quota (default) Quota code (ID) Usage data
Networks 3 networking.max_network.per_environment
Kafka clusters 10    
Kafka cluster CKUs 72    
Peering 25 networking.max_peering.per_network
Max number of AWS accounts that are allowed to create PrivateLink endpoints to a specific Confluent Cloud network 10 networking.max_private_link.per_network
Max number of Azure subscriptions that are allowed to create Private Link endpoints to a specific Confluent Cloud network 10 networking.max_private_link.per_network
Max number of Google Cloud projects that are allowed to create Private Service Connect endpoints to a specific Confluent Cloud network 10 networking.max_private_link.per_network
Transit Gateways 1 networking.max_transit_gateway.per_network
AWS PrivateLink Attachments per environment for Enterprise 3 networking.max_private_link_attachments_per_environment  
AWS PrivateLink Attachment connections per AWS PrivateLink Attachment for Enterprise 10 networking.max_private_link_attachment_connections_per_attachment  
DNS domains per DNS forwarder 10 networking.limits.max_domains_per_dns_forwarder  
DNS server IP addresses per DNS forwarder 3 networking.limits.max_dns_server_ips_per_dns_forwarder  

Gateways

Each service quota listed below applies to the scope of one gateway that connects to Confluent Cloud using AWS PrivateLink or Azure Private Link.

To get the current applied limits for an organization, see Quotas API.

Resource Quota (default) Quota code (ID) Usage data
Access points per gateway 10 networking.limits.max_access_points_per_gateway  
DNS records per gateway 20 networking.limits.max_dns_records_per_gateway  
Egress Private Link gateways per region per environment 1