Enable Private Networking on Confluent Cloud for Schema Registry¶
Confluent Cloud Schema Registry now supports private networking on Amazon Web Services.
This feature enables your client applications in the virtual private cloud (VPC) to securely access Schema Registry without egressing to the public internet from your VPC.
How does it work?¶
Per-region Private link attachments for VPCs¶
Schema Registry has public access by default. Schema Registry Private Networking requires a PrivateLink Attachment. PrivateLink Attachment are resources that enable you to connect to Confluent serverless products, like Enterprise Clusters and Apache Flink®.
You can get a private endpoint by creating a PrivateLink Attachment in every region where you have a Apache Kafka® cluster deployed. For example, if you have a Kafka cluster deployed in region A, you can create a PrivateLink Attachment in region A and get a region A specific private endpoint for Schema Registry, making it accessible in region A’s VPC. In this way, you can have multiple VPCs deployed across different regions accessing the Kafka clusters within the environment, through these regional private endpoints for Schema Registry.
Each PrivateLink Attachment is used to establish a connection between your client applications (including Cloud Console, Confluent CLI, Terraform) and Schema Registry, enabling your clients to access Schema Registry from your VPCs.
IP filtering to secure Schema Registry connectivity on public networks¶
You can restrict the public endpoint using IP filtering, so that only a limited set of IPs are able to access Schema Registry via the public endpoint.
Quick Start¶
The following steps guide you through setup of Schema Registry private networking primarily using the Cloud Console.
You can also set up private endpoints to Schema Registry with the Confluent CLI or Terraform. Information about using those tools and other tools is provided at the end of this Quick Start. General prerequisites for all tools and approaches are shown below.
Prerequisites¶
- Terraform version 2.23.0 or later
- Confluent CLI version 4.21.0 or later
- Access to Confluent Cloud
- A Confluent Cloud environment with at least the Stream Governance Essentials package enabled
- The OrganizationAdmin, EnvironmentAdmin, or NetworkAdmin role to create a PrivateLink Attachment
- A VPC in AWS
Overview¶
The high level steps are:
- Step 1: Set up a PrivateLink Attachment and PrivateLink Attachment Connection
- In Confluent Cloud create a PrivateLink Attachment.
- In AWS, create a PrivateLink Attachment Connection and create a VPC Endpoint linked to the PrivateLink Attachment Connection service.
- In AWS Route53, set up DNS resolution for this endpoint.
- (Optional) Step 2: Restrict public access to Schema Registry with IP filtering.
- (Optional) Step 3: Connect to the network with Confluent Cloud Console.
Step 1: Set up a PrivateLink Attachment and PrivateLink Attachment Connection¶
In AWS, follow these steps to create a PrivateLink Attachment, a private endpoint, a PrivateLink Attachment Connection, and set up a DNS resolution.
- In Confluent Cloud, create a PrivateLinkAttachment.
- In AWS, create a VPC Interface Endpoint to the PrivateLinkAttachment service.
- In Confluent Cloud, create a PrivateLinkAttachmentConnection.
- Set up a DNS resolution.
When you have successfully created the PrivateLink Attachment, you should see the private connectivity endpoint for Schema Registry on the Cloud Console as shown:
At this point, Schema Registry is ready for use on the privatelink.
(Optional) Step 2: Restrict public access to Schema Registry with IP filtering¶
You can use IP filters to restrict the public access to Schema Registry to specified IP address ranges.
- Create IP groups.
- Create IP filters.
- Apply to schema management.
View IP filters applied to the Schema Registry by going to Network Management > Public Networks on the Cloud Console.
If you want to disable all public access to Schema Registry, create an IP filter using the No Public Networks IP group. If you do this Step 3 becomes mandatory to access schemas on the Cloud Console.
(Optional) Step 3: Connect to the network with Confluent Cloud Console¶
You can access access the Cloud Console from anywhere if you have enabled the public endpoint access for Schema Registry. If you have restricted access to it using IP filtering, you need to connect to Cloud Console using a valid IP over public internet or on the appropriate VPC where you have provisioned the PrivateLink Attachment.
Users will see the following error if they attempt to access schemas from an unauthorized IP address or from a VPC network that does not have access to the PrivateLink Attachment you created.
To connect to Confluent Cloud with PrivateLink Attachment, see Use Confluent Cloud with Private Networking. The Resource Metadata access option is not currently supported for Schema Registry.
One way to connect is to set up a reverse proxy:
Create an EC2 instance
Connect to the instance with SSH
Install NGINX
Configure Routing Table
Set up DNS resolution: point to the Schema Registry regional endpoints you use, as described in Step 6 of Configure a proxy.
<Public IP Address of VM instance> <schema-registry-private-endpoint>
<schema-registry-private-endpoint>will resemblelsrc-1234.<region>.<cloud>.private.confluent.cloud, for example:lsrc-axliw12p.us-east-2.aws.private.confluent.cloud.Find the DNS part of the PrivateLink Attachment by navigating to your environment’s Network management page and finding the DNS domain setting.
Once networking is set up in Cloud Console, the interface uses the correct endpoint automatically, and you should be able to view your schemas on the Schema Registry page.
Use Schema Linking with private endpoints¶
You can use the private endpoints for a Schema Registry when creating schema exporters on Confluent Platform or Confluent Cloud Schema Registry. You need to provide the private endpoint and the corresponding API key information when creating the exporter.
To learn more about Schema Linking, see Schema Linking on Confluent Cloud.
Use Confluent CLI and Terraform with private endpoints¶
You can use the Confluent CLI and Terraform with private endpoints for Schema Registry.
- Use the Confluent CLI version 4.21.0 or later.
- Using Terraform version 2.23.0 or later, use confluent_private_link_access Confluent Terraform Provider resource to create a PrivateLink Access.
Stream Catalog endpoints¶
The Stream Catalog endpoint and APIs will remain accessible only via public internet. To learn more, see: Stream Catalog REST API Usage and Examples on Confluent Cloud, and especially, Setup and suggestions.
Limitations¶
- Schema Registry PrivateLink is currently available only in select regions on AWS.
- Resource Metadata access is not applicable for Schema Registry.
- Customer connectors cannot use Schema Registry configured with private access.
Supported AWS Regions¶
The following AWS regions are supported in the current release.
The Americas and Canada¶
| Code | Region |
|---|---|
| ca-central-1 | Canada (Central) |
| us-west-2 | US West (Oregon) |
| us-east-1 | US East (N. Virginia) |
| us-east-2 | US East (Ohio) |
| sa-east-1 | South America (São Paulo) |
Asia Pacific¶
| Code | Region |
|---|---|
| ap-southeast-1 | Asia Pacific (Singapore) |
| ap-south-1 | Asia Pacific (Mumbai) |
| ap-east-1 | Asia Pacific (Hong Kong) |
| ap-northeast-2 | Asia Pacific (Seoul) |
| ap-southeast-2 | Asia Pacific (Sydney) |
Europe¶
| Code | Region |
|---|---|
| eu-central-1 | Europe (Frankfurt) |
| eu-west-1 | Europe (Ireland) |
| eu-west-2 | Europe (London) |
| eu-west-3 | Europe (Paris) |
Africa¶
| Code | Region |
|---|---|
| af-south-1 | Africa (Cape Town) |