Service Quotas for Confluent Cloud

Service quotas enable Confluent to manage the availability and scalability of Confluent Cloud resources. A service quota defines the default limit on resources or operations that organizations, environments, accounts, networks, and clusters can use in Confluent Cloud.

Resources in Confluent Cloud can have different service quotas for different scopes. For example, the maximum number of Confluent Cloud clusters is 20 per environment, but is 400 per organization.

If a service quota doesn’t have a quota code (ID), you can’t determine the current applied limit using the Quotas API. To get the current applied limit for a service quota that does not have a quota code, contact Confluent Support.

Core resource scopes

The following sections list the service quotas for core resource scopes in Confluent Cloud, including organization, environments, Apache Kafka® clusters, ksqlDB clusters, and Apache Flink®.

Organization

Resource

Quota (default)

Quota code (ID)

Usage data

Environments

25

iam.max_environments.per_org

Kafka clusters

400

iam.max_kafka_clusters.per_org

Custom connector plugins

100

Custom connectors

30

Environments

This page lists the service quotas for the environment scope in Confluent Cloud under the individual resource or feature sections. To view the limit on the number of environments, see organization scope. You can check the current applied limits for an environment using the Quotas API.

Kafka clusters

Each service quota in the following table applies to a single Kafka cluster. For the limit on the number of Kafka clusters, see Organization or Environment. You can check the current applied limits for a Kafka cluster using the Quotas API.

Considerations:
  • To provision Enterprise clusters with a maximum of 32 eCKU on AWS, your cluster networking must use Private Network Interface (PNI).

  • Enterprise clusters that use PrivateLink networking on AWS are limited to a maximum of 10 eCKU.

  • CKU quotas for Dedicated clusters on AWS can be incrementally increased to 252.

  • AWS supports up to 252 CKUs for Dedicated clusters.

  • Google Cloud supports up to 152 CKUs for Dedicated clusters.

  • Azure supports up to 100 CKUs for Dedicated clusters.

Resource

Quota (default)

Quota code (ID)

Usage data

Kafka clusters per environment

20

kafka.max_kafka_clusters.per_env

Kafka clusters (pending) per environment

3

kafka.max_pending_kafka_clusters.per_env

Kafka cluster CKUs per environment

50

kafka.max_ckus.per_env

eCKU per Basic cluster

50

eCKU per Standard cluster

10

eCKU per Enterprise cluster

32

Fast-scaling eCKU threshold per Enterprise cluster

10

CKUs (for credit card billing) per cluster

4

kafka.max_ckus.per_cluster

CKUs (for integrated cloud provider billing or invoice payments) per cluster

24

kafka.max_ckus.per_cluster

Connector tasks per cluster

250

client quotas per Enterprise or Freight cluster

100

ksqlDB clusters

Each service quota in the following table applies to the scope of one ksqlDB cluster. For the limit on the number of ksqlDB clusters, see Environment scope.

Resource

Quota (default)

Quota code (ID)

Usage data

ksqlDB clusters per environment

15

ksql.max_apps.per_env

Confluent Streaming Units (CSUs) per ksqlDB cluster

12

Persistent queries per ksqlDB cluster

40

Schema Registry clusters

Each service quota in the following table applies to the scope of one Confluent Cloud environment.

Resource

Quota (default)

Quota code (ID)

Usage data

Schema Registry clusters

1

Key Encryption Keys (KEKs) per Schema Registry cluster

20,000

Data Encryption Keys (DEKs) per Schema Registry cluster

20,000

Security scopes

Each security-related service quota below applies to a single organization in Confluent Cloud. You can check the current applied limits for your organization using the Quotas API.

User accounts

Each service quota in the following table applies to the scope of one Confluent Cloud organization. For API keys per user account, see API keys.

To get the current applied limits for an organization, see Quotas API.

Resource

Quota (default)

Quota code (ID)

Usage data

User accounts (active and invited) per organization

1,000

iam.max_users.per_org

Invitations (pending) per organization

300

iam.max_pending_invitations.per_org

Service accounts

Each service quota in the following table applies to the scope of one Confluent Cloud organization. For API keys per service account, see API keys.

To get the current applied limits for an organization, see Quotas API.

Resource

Quota (default)

Quota code (ID)

Usage data

Service accounts per organization

1,000

iam.max_service_accounts.per_org

API keys

Each service quota in the following table applies to the scope of one Confluent Cloud organization. For the limit on the number of API keys per service account or user account, see service account scope or user account scope.

Resource

Quota (default)

Quota code (ID)

Usage data

Audit log API keys per organization

2

iam.max_audit_log_api_keys.per_org

API keys per organization

3,000

iam.max_cloud_api_keys.per_org

API keys per Dedicated cluster

20,000

kafka.max_api_keys.per_cluster

API keys per Freight cluster

2,500

kafka.max_api_keys.per_cluster

API keys per Enterprise cluster

2,500

kafka.max_api_keys.per_cluster

API keys per Standard cluster

250

kafka.max_api_keys.per_cluster

API keys per Basic cluster

50

kafka.max_api_keys.per_cluster

API keys per service account

100

iam.max_cloud_api_keys.per_service_account

API keys per service account (resource-scoped to a cluster API key, which includes Kafka, Schema Registry, Flink, and ksqlDB keys)

100

iam.max_cluster_api_keys.per_service_account

API keys (resource-scoped to resource management) per user account

10

iam.max_cloud_api_keys.per_user

API keys (resource-scoped to a cluster API key, which includes Kafka, Schema Registry, Flink, and ksqlDB keys) per user account

10

iam.max_cluster_api_keys.per_user

Global API keys per service account across Confluent Cloud resources

2

iam.global_api_keys.per_service_account

Global API keys per user account across Confluent Cloud resources

2

iam.global_api_keys.per_user

Global API keys for user accounts per organization

1,000

iam.max_user_account_global_api_keys.per_org

Global API keys for service accounts per organization

1,000

iam.max_service_account_global_api_keys.per_org

Note

When you create a global API key, it counts toward the kafka.max_api_keys.per_cluster quota for every supported Kafka cluster in the organization, not just the clusters it is actively used with. This means the system counts a single global API key once against each Dedicated, Enterprise, and Freight cluster’s limit. Basic and Standard clusters don’t support global API keys and are not affected.

Role-based access control (RBAC)

Each service quota in the following table applies to the scope of one organization or, for cross-resource RBAC role bindings, the scope of one organization plus all environments in it.

Resource

Quota (default)

Quota code (ID)

Usage data

RBAC role bindings (total) per organization

250,000

iam.max_rbac_role_bindings_all_roles.per_org

Cross-resource RBAC role bindings to roles with Kafka permissions (see [1]): per organization plus environments

1,000

iam.max_rbac_role_bindings.per_org_plus_envs

RBAC role bindings to roles with Kafka permissions (see [2])

500 (Basic, Standard, Enterprise, and Freight)

25,000 (Dedicated)

iam.max_rbac_role_bindings.per_cluster

IP filtering

Each service quota in the following table applies to the scope of one Confluent Cloud IP group or one IP filter. For limits on the number of IP groups and IP filters per organization, see Organization scope.

Resource

Quota (default)

Quota code (ID)

Usage data

IP filters per organization

25

iam.max_ip_filters.per_org

IP groups per organization

25

iam.max_ip_groups.per_org

Classless Inter-Domain Routing (CIDR) blocks per IP group

25

IP groups per IP filter

25

Mutual TLS (mTLS)

Each service quota in the following table applies to the scope of one mutual TLS (mTLS) certificate authority. For limits on the number of mutual TLS (mTLS) certificate authorities per organization, see Organization scope.

Resource

Quota (default)

Quota code (ID)

Usage data

Mutual TLS (mTLS) certificate authorities per organization

5

iam.max_certificate_authorities.per_organization

mTLS certificate identity pools per certificate authority

1,000

iam.max_certificate_pools.per_certificate_authority

OAuth identity providers

Each service quota in the following table applies to the scope of one Confluent Cloud OAuth identity provider. For the limit on the number of OAuth identity providers, see Organization scope.

Resource

Quota (default)

Quota code (ID)

Usage data

OAuth identity providers per organization

5

iam.max_identity_providers.per_organization

Identity pools per OAuth identity provider

1,000

iam.max_identity_pools.per_identity_provider

Self-managed (BYOK) encryption keys

Each service quota in the following table applies to the scope of one organization.

Resource

Quota (default)

Quota code (ID)

Usage data

Self-managed (Bring Your Own Key, BYOK) encryption keys per organization

20

byok.max_keys.per_org

Single sign-on (SSO) identity provider

Each service quota in the following table applies to the scope of one Confluent Cloud organization or one SSO identity provider.

Resource

Quota (default)

Quota code (ID)

Usage data

Single sign-on (SSO) group mappings

100

iam.max_group_mappings.per_org

Networking scopes

The following sections list the service quotas for networking resources in Confluent Cloud.

Networks

Each service quota in the following table applies to the scope of one Confluent Cloud network.

To get the current applied limits for an organization, see Quotas API.

Resource

Quota (default)

Quota code (ID)

Usage data

Networks

3

networking.max_network.per_environment

Kafka clusters

10

Kafka cluster CKUs

72

Peering

25

networking.max_peering.per_network

Maximum number of AWS accounts allowed to create PrivateLink endpoints to a specific Confluent Cloud network

10

networking.max_private_link.per_network

Maximum number of Azure subscriptions allowed to create Private Link endpoints to a specific Confluent Cloud network

10

networking.max_private_link.per_network

Maximum number of Google Cloud projects allowed to create Private Service Connect endpoints to a specific Confluent Cloud network

10

networking.max_private_link.per_network

Transit Gateways

1

networking.max_transit_gateway.per_network

AWS PrivateLink Attachments per environment for Enterprise

3

networking.max_private_link_attachments_per_environment

AWS PrivateLink Attachment connections per AWS PrivateLink Attachment for Enterprise

10

networking.max_private_link_attachment_connections_per_attachment

DNS domains per DNS forwarder

10

networking.limits.max_domains_per_dns_forwarder

DNS server IP addresses per DNS forwarder

3

networking.limits.max_dns_server_ips_per_dns_forwarder

Gateways (Private Network Interface)

Each service quota in the following table applies to the scope of one gateway that connects to Confluent Cloud using a PNI.

Resource

Quota (default)

Quota code (ID)

Maximum number of PNI gateways per region per environment

2

networking.limits.max_private_network_interface_gateways_per_environment

Maximum number of PNI access points per PNI gateway

1

networking.limits.max_private_network_interface_accesspoints_per_gateway