Service Quotas for Confluent Cloud
Service quotas enable Confluent to manage the availability and scalability of Confluent Cloud resources. A service quota is the default maximum quantity of a resource or operations on it that can be used in Confluent Cloud.
Resources in Confluent Cloud can have different service quotas for different scopes. For example, the maximum number of Confluent Cloud clusters is 20 per environment, but is 100 per organization.
If a service quota does not have a quota code (ID), you cannot determine the current, applied limit using the Quotas API. To get the current applied limit for a service quota that does not have a quota code, contact Confluent Support.
Core resource scopes
The following sections list the service quotas for core resource scopes in Confluent Cloud, including organization, environments, Kafka clusters, ksqlDB clusters, and Apache Flink®.
Organization
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Environments | 25 |
| ✔ |
Kafka clusters | 400 |
| ✔ |
Custom connector plugins | 100 | ||
Custom connectors | 30 |
Environments
The service quotas for the environment scope in Confluent Cloud are now listed within the resources or features. To view the limit on the number of environments, see Organization scope. You can check the current applied limits for an environment using the Quotas API.
The total number of RBAC role bindings with Kafka permissions allowed across your organization (Organization scope) includes both organization-level role bindings and role bindings assigned within each of your environments.
Apache Flink
Each service quota listed below applies to Apache Flink®. Relevant scopes for Flink apply to one Confluent Cloud environment or one Confluent Cloud cloud region.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Flink compute pools per environment | 50 |
| |
Flink statements per cloud region | 10000 |
Kafka clusters
Each service quota listed below applies to a single Kafka cluster. For the limit on the number of Kafka clusters, see Organization or Environment. You can check the current applied limits for an Kafka cluster by using the Quotas API.
Limited Availability of 32 eCKU maximum Enterprise clusters
Enterprise clusters that scale to 32 eCKU maximum (current limit is 10) are in Limited Availability and available by request. To sign up, contact Confluent.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Kafka clusters per environment | 20 |
| ✔ |
Kafka clusters (pending) per environment | 3 |
| |
Kafka cluster CKUs per environment | 50 |
| ✔ |
eCKU per Basic cluster | 50 | ||
eCKU per Standard cluster | 10 | ||
eCKU per Enterprise cluster | 10 (current maximum)/ 32 (Limited Availability) | ||
CKUs (for credit card billing) per cluster | 4 (Incrementally increasable to 152; see [Note]) |
| |
CKUs (for integrated cloud provider billing or invoice payments) per cluster | 24 (Incrementally increasable to 152; see [Note]) |
| |
Connector tasks per cluster | 250 |
ksqlDB clusters
Each service quota listed below applies to the scope of one ksqlDB cluster. For the limit on the number of ksqlDB clusters, see Environment scope.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
ksqlDB clusters per environment | 10 |
| |
CSUs per ksqlDB cluster | 12 | ||
Persistent queries per ksqlDB cluster | 40 |
Schema Registry clusters
Each service quota listed below applies to the scope of one Confluent Cloud environment.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Schema Registry clusters | 1 | ||
KEKs (Key Encryption Keys) per Schema Registry cluster | 20,000 | ||
DEKs (Data Encryption Keys) per Schema Registry cluster | 20,000 |
Security scopes
Each security-related service quota below applies to a single Organization in Confluent Cloud. You can check the current applied limits for an environment using the Quotas API.
User accounts
Each service quota listed below applies to the scope of one Confluent Cloud organization. For API keys per user account, see API keys.
To get the current applied limits for an organization, see Quotas API.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
User accounts (active and invited) per organization | 1,000 |
| ✔ |
Service accounts
Each service quota listed below applies to the scope of one Confluent Cloud organization. For API keys per service account, see API keys.
To get the current applied limits for an organization, see Quotas API.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Service accounts per organization | 1,000 |
| ✔ |
API keys
Each service quota listed below applies to the scope of one Confluent Cloud organization. For the limit on the number of API keys per service account or user account, see Service Account scope or User Account scope.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
API keys for Audit Log per organization | 2 |
| |
API keys per organization | 1000 |
| ✔ |
API keys per Dedicated cluster | 2000 |
| ✔ |
API keys per Enterprise cluster | 500 |
| ✔ |
API keys per Standard cluster | 100 |
| ✔ |
API keys per Basic cluster | 50 |
| ✔ |
API keys per service account | 100 |
| ✔ |
API keys per service account (resource-scoped to a cluster API key, which includes Kafka, Schema Registry, Flink, and ksqlDB keys) | 100 |
| ✔ |
API keys (resource-scoped to resource management) per user account | 10 |
| ✔ |
API keys (resource-scoped to a cluster API key, which includes Kafka, Schema Registry, Flink, and ksqlDB keys) per user account | 10 |
| ✔ |
Role-based access control (RBAC)
Each service quota listed below applies to the scope of one organization or for cross-resource RBAC role bindings, the scope of one organization plus all environments in it.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
RBAC role bindings (total) per organization | 250,000 |
| ✔ |
Cross-resource RBAC role bindings to roles with Kafka permissions (see [1]) - per organization plus environments | 1000 |
| ✔ |
RBAC role bindings to roles with Kafka permissions (see [2]) | 500 (Basic, Standard, Enterprise, and Freight) 25000 (Dedicated) |
| ✔ |
IP filtering
Each service quota listed below applies to the scope of one Confluent Cloud IP group or one IP filter. For limits on the number of IP groups and IP filters per organization, see Organization scope.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
IP filters per organization | 25 |
| |
IP groups per organization | 25 |
| |
CIDR blocks per IP group | 25 | ||
IP groups per IP filter | 25 |
Mutual TLS (mTLS)
Each service quota listed below applies to the scope of one mutual TLS (mTLS) certificate authority. For limits on the number of mutual TLS (mTLS) certificate authorities per organization, see Organization scope.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Mutual TLS (mTLS) certificate authorities per organization | 5 |
| |
Mutual TLS (mTLS) certificate identity pools per certificate authority | 1000 |
|
OAuth identity providers
Each service quota listed below applies to the scope of one Confluent Cloud OAuth identity provider. For the limit on the number of OAuth identity providers, see Organization scope.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
OAuth identity providers per organization | 5 |
| |
Identity pools per OAuth identity provider | 1000 |
Self-managed (BYOK) encryption keys
Each service quota listed below applies to the scope of one organization.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Self-managed (BYOK) encryption keys per organization | 20 |
| ✔ |
Single sign-on (SSO) identity provider
Each service quota listed below applies to the scope of one Confluent Cloud organization or one SSO identity provider.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Single sign-on (SSO) group mappings | 100 |
|
Networking scopes
The following sections list the service quotas for networking resources in Confluent Cloud.
Networks
Each service quota listed below applies to the scope of one Confluent Cloud network.
To get the current applied limits for an organization, see Quotas API.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Networks | 3 |
| ✔ |
Kafka clusters | 10 | ||
Kafka cluster CKUs | 72 | ||
Peering | 25 |
| ✔ |
Max number of AWS accounts that are allowed to create PrivateLink endpoints to a specific Confluent Cloud network | 10 |
| ✔ |
Max number of Azure subscriptions that are allowed to create Private Link endpoints to a specific Confluent Cloud network | 10 |
| ✔ |
Max number of Google Cloud projects that are allowed to create Private Service Connect endpoints to a specific Confluent Cloud network | 10 |
| ✔ |
Transit Gateways | 1 |
| ✔ |
AWS PrivateLink Attachments per environment for Enterprise | 3 |
| |
AWS PrivateLink Attachment connections per AWS PrivateLink Attachment for Enterprise | 10 |
| |
DNS domains per DNS forwarder | 10 |
| |
DNS server IP addresses per DNS forwarder | 3 |
|
Gateways (private links)
Each service quota listed below applies to the scope of one gateway that connects to Confluent Cloud using AWS PrivateLink or Azure Private Link.
To get the current applied limits for an organization, see Quotas API.
Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
Access points per gateway | 10 |
| |
DNS records per gateway | 20 |
| |
Egress Private Link gateways per region per environment | 1 |
Gateways (Private Network Interface)
Resource | Quota (default) | Quota code (ID) |
|---|---|---|
Max number of PNI gateways per environment | 1 |
|
Max number of PNI access points per PNI gateway | 1 |
|