Service Quotas for Confluent Cloud¶
Service quotas enable Confluent to manage the availability and scalability of Confluent Cloud resources. A service quota is the default maximum quantity of a resource or operations on it that can be used in Confluent Cloud.
Resources in Confluent Cloud can have different service quotas for different scopes.
For example, the maximum number of Confluent Cloud clusters is 20 per environment,
but is 100 per organization.
If a service quota does not have a quota code (ID), you cannot determine the current, applied limit using the Quotas API. To get the current applied limit for a service quota that does not have a quota code, contact Confluent Support.
Core resource scopes¶
The following sections list the service quotas for core resource scopes in Confluent Cloud, including organization, environments, Kafka clusters, ksqlDB clusters, and Apache Flink®.
Organization¶
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Environments | 25 | iam.max_environments.per_org |
✔ |
| Kafka clusters | 100 | iam.max_kafka_clusters.per_org |
✔ |
| Stream Designer pipelines | 100 | sd.max_pipelines.per_organization |
|
| Custom connector plugins | 100 | ||
| Custom connectors | 30 |
Environments¶
The service quotas for the environment scope in Confluent Cloud are now listed within the resources or features. To view the limit on the number of environments, see Organization scope. You can check the current applied limits for an environment using the Quotas API.
The total number of RBAC role bindings with Kafka permissions allowed across your organization (Organization scope) includes both organization-level role bindings and role bindings assigned within each of your environments.
Apache Flink¶
Each service quota listed below applies to Apache Flink®. Relevant scopes for Flink apply to one Confluent Cloud environment or one Confluent Cloud cloud region.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Flink compute pools per environment | 10 | flink.max_compute_pools.per_env |
|
| Flink statements per cloud region | 10000 |
Kafka clusters¶
Each service quota listed below applies to a single Kafka cluster. For the limit on the number of Kafka clusters, see Organization or Environment. You can check the current applied limits for an Kafka cluster by using the Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Kafka clusters per environment | 20 | kafka.max_kafka_clusters.per_env |
✔ |
| Kafka clusters (pending) per environment | 3 | kafka.max_pending_kafka_clusters.per_env |
|
| Kafka cluster CKUs per environment | 50 | kafka.max_ckus.per_env |
✔ |
| eCKU per cluster | 5 | ||
| CKUs (for credit card billing) per cluster | 4 (Incrementally increasable to 152; see [Note]) | kafka.max_ckus.per_cluster |
|
| CKUs (for integrated cloud provider billing or invoice payments) per cluster | 24 (Incrementally increasable to 152; see [Note]) | kafka.max_ckus.per_cluster |
|
| Connector tasks per cluster | 250 |
| [Note] | (1, 2) AWS and Google Cloud support Kafka clusters to 152 CKUs. Azure supports Kafka clusters to 100 CKUs. |
ksqlDB clusters¶
Each service quota listed below applies to the scope of one ksqlDB cluster. For the limit on the number of ksqlDB clusters, see Environment scope.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| ksqlDB clusters per environment | 10 | ksql.max_apps.per_env |
|
| CSUs per ksqlDB cluster | 12 | ||
| Persistent queries per ksqlDB cluster | 40 |
Schema Registry clusters¶
Each service quota listed below applies to the scope of one Confluent Cloud environment.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Schema Registry clusters | 1 |
Security scopes¶
Each security-related service quota below applies to a single Organization in Confluent Cloud. You can check the current applied limits for an environment using the Quotas API.
User accounts¶
Each service quota listed below applies to the scope of one Confluent Cloud organization. For API keys per user account, see API keys.
To get the current applied limits for an organization, see Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| User accounts (active and invited) per organization | 1,000 | iam.max_users.per_org |
✔ |
Service accounts¶
Each service quota listed below applies to the scope of one Confluent Cloud organization. For API keys per service account, see API keys.
To get the current applied limits for an organization, see Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Service accounts per organization | 1,000 | iam.max_service_accounts.per_org |
✔ |
API keys¶
Each service quota listed below applies to the scope of one Confluent Cloud organization. For the limit on the number of API keys per service account or user account, see Service Account scope or User Account scope.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| API keys for Audit Log per organization | 2 | iam.max_audit_log_api_keys.per_org |
|
| API keys per organization | 1000 | iam.max_cloud_api_keys.per_org |
✔ |
| API keys per Dedicated cluster | 2000 | kafka.max_api_keys.per_cluster |
✔ |
| API keys per Enterprise cluster | 500 | kafka.max_api_keys.per_cluster |
✔ |
| API keys per Standard cluster | 100 | kafka.max_api_keys.per_cluster |
✔ |
| API keys per Basic cluster | 50 | kafka.max_api_keys.per_cluster |
✔ |
| API keys per service account | 100 | iam.max_cloud_api_keys.per_service_account |
✔ |
| API keys per service account (resource-scoped to Kafka cluster) | 100 | iam.max_cluster_api_keys.per_service_account |
✔ |
| API keys (resource-scoped to resource management) per user account | 10 | iam.max_cloud_api_keys.per_user |
✔ |
| API keys (resource-scoped to Kafka cluster) per user account | 10 | iam.max_cluster_api_keys.per_user |
✔ |
Role-based access control (RBAC)¶
Each service quota listed below applies to the scope of one organization or for cross-resource RBAC role bindings, the scope of one organization plus all environments in it.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| RBAC role bindings (total) per organization | 250,000 | iam.max_rbac_role_bindings_all_roles.per_org |
✔ |
| Cross-resource RBAC role bindings to roles with Kafka permissions (see [1]) - per organization plus environments | 1000 | iam.max_rbac_role_bindings.per_org_plus_envs |
✔ |
| RBAC role bindings to roles with Kafka permissions (see [2]) | 500 (Basic, Standard, and Enterprise) 25000 (Dedicated) |
iam.max_rbac_role_bindings.per_cluster |
✔ |
| [1] | Roles with Kafka permissions at the Organization or Environment scope include: OrganizationAdmin, EnvironmentAdmin, MetricsViewer, NetworkAdmin, DataSteward, DataDiscovery, and Operator. |
| [2] | RBAC roles with Kafka permissions at the Cluster scope include: CloudClusterAdmin, DeveloperManage, DeveloperWrite, DeveloperRead, ResourceOwner, MetricsViewer, Operator, and KsqlAdmin. |
IP filtering¶
Each service quota listed below applies to the scope of one Confluent Cloud IP group or one IP filter. For limits on the number of IP groups and IP filters per organization, see Organization scope.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| IP filters per organization | 25 | iam.max_ip_filters.per_org |
|
| IP groups per organization | 25 | iam.max_ip_groups.per_org |
|
| CIDR blocks per IP group | 25 | ||
| IP groups per IP filter | 25 |
Mutual TLS (mTLS)¶
Each service quota listed below applies to the scope of one mutual TLS (mTLS) certificate authority. For limits on the number of mutual TLS (mTLS) certificate authorities per organization, see Organization scope.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Mutual TLS (mTLS) certificate authorities per organization | 5 | iam.max_certificate_authorities.per_organization |
|
| Mutual TLS (mTLS) certificate identity pools per certificate authority | 1000 | iam.max_certificate_pools.per_certificate_authority |
OAuth identity providers¶
Each service quota listed below applies to the scope of one Confluent Cloud OAuth identity provider. For the limit on the number of OAuth identity providers, see Organization scope.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| OAuth identity providers per organization | 5 | iam.max_identity_providers.per_organization |
|
| Identity pools per OAuth identity provider | 100 |
Self-managed (BYOK) encryption keys¶
Each service quota listed below applies to the scope of one organization.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Self-managed (BYOK) encryption keys per organization | 20 | byok.max_keys.per_org |
✔ |
Single sign-on (SSO) identity providers¶
Each service quota listed below applies to the scope of one Confluent Cloud organization or one SSO identity provider.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| SSO identity providers per organization | 5 | iam.max_identity_providers.per_organization |
|
| Single sign-on (SSO) group mappings | 100 | iam.max_group_mappings.per_org |
|
| Identity pools per SSO identity provider | 100 |
Networking scopes¶
The following sections list the service quotas for networking resources in Confluent Cloud.
Networks¶
Each service quota listed below applies to the scope of one Confluent Cloud network.
To get the current applied limits for an organization, see Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Networks | 3 | networking.max_network.per_environment |
✔ |
| Kafka clusters | 10 | ||
| Kafka cluster CKUs | 72 | ||
| Peering | 25 | networking.max_peering.per_network |
✔ |
| AWS PrivateLink account accesses | 10 | networking.max_private_link.per_network |
✔ |
| Azure Private Link subscription accesses | 10 | networking.max_private_link.per_network |
✔ |
| Google Cloud Private Service Connect project accesses | 10 | networking.max_private_link.per_network |
✔ |
| Transit Gateways | 1 | networking.max_transit_gateway.per_network |
✔ |
| AWS PrivateLink Attachments per environment for Enterprise | 3 | networking.max_private_link_attachments_per_environment |
|
| AWS PrivateLink Attachment connections per AWS PrivateLink Attachment for Enterprise | 10 | networking.max_private_link_attachment_connections_per_attachment |
|
| DNS domains per DNS forwarder | 10 | networking.limits.max_domains_per_dns_forwarder |
|
| DNS server IP addresses per DNS forwarder | 3 | networking.limits.max_dns_server_ips_per_dns_forwarder |
Gateways¶
Each service quota listed below applies to the scope of one gateway that connects to Confluent Cloud using AWS PrivateLink or Azure Private Link.
To get the current applied limits for an organization, see Quotas API.
| Resource | Quota (default) | Quota code (ID) | Usage data |
|---|---|---|---|
| Access points per gateway | 10 | networking.limits.max_access_points_per_gateway |
|
| DNS records per gateway | 20 | networking.limits.max_dns_records_per_gateway |
|
| Egress Private Link gateways per region per environment | 1 |