Enable Private Networking on Confluent Cloud for Schema Registry¶
Confluent Cloud Schema Registry now supports private networking on Amazon Web Services.
This feature enables your client applications in the virtual private cloud (VPC) to securely access Schema Registry without egressing to the public internet from your VPC.
How does it work?¶
Per-region PrivateLink Attachments for VPCs¶
Schema Registry has public access by default. Schema Registry Private Networking requires a PrivateLink Attachment. PrivateLink Attachment are resources that enable you to connect to Confluent serverless products, like Enterprise Clusters and Apache Flink®.
You can get a private endpoint by creating a PrivateLink Attachment in every region where you have a Apache Kafka® cluster deployed. For example, if you have a Kafka cluster deployed in region A, you can create a PrivateLink Attachment in region A and get a region A specific private endpoint for Schema Registry, making it accessible in region A’s VPC. In this way, you can have multiple VPCs deployed across different regions accessing the Kafka clusters within the environment, through these regional private endpoints for Schema Registry.
Each PrivateLink Attachment is used to establish a connection between your client applications (including Cloud Console, Confluent CLI, Terraform) and Schema Registry, enabling your clients to access Schema Registry from your VPCs.
IP filtering to secure Schema Registry connectivity on public networks¶
You can restrict the public endpoint using IP filtering, so that only a limited set of IPs are able to access Schema Registry via the public endpoint.
Quick Start¶
The following steps guide you through setup of Schema Registry private networking primarily using the Cloud Console.
You can also set up private endpoints to Schema Registry with the Confluent CLI or Terraform. Information about using those tools and other tools is provided at the end of this Quick Start. General prerequisites for all tools and approaches are shown below.
Prerequisites¶
- Terraform version 2.23.0 or later
- Confluent CLI version 4.21.0 or later
- Access to Confluent Cloud
- A Confluent Cloud environment with at least the Stream Governance Essentials package enabled
- The OrganizationAdmin, EnvironmentAdmin, or NetworkAdmin role to create a PrivateLink Attachment
- A VPC in AWS
Overview¶
The high level steps are:
- Step 1: Set up a PrivateLink Attachment and PrivateLink Attachment Connection
- In Confluent Cloud create a PrivateLink Attachment.
- In AWS, create a PrivateLink Attachment Connection and create a VPC Endpoint linked to the PrivateLink Attachment Connection service.
- In AWS Route53, set up DNS resolution for this endpoint.
- (Optional) Step 2: Restrict public access to Schema Registry with IP filtering.
- (Optional) Step 3: Connect to the network with Confluent Cloud Console.
Step 1: Set up a PrivateLink Attachment and PrivateLink Attachment Connection¶
In AWS, follow these steps to create a PrivateLink Attachment, a private endpoint, a PrivateLink Attachment Connection, and set up a DNS resolution.
- In Confluent Cloud, create a PrivateLinkAttachment.
- In AWS, create a VPC Interface Endpoint to the PrivateLinkAttachment service.
- In Confluent Cloud, create a PrivateLinkAttachmentConnection.
- Set up a DNS resolution.
When you have successfully created the PrivateLink Attachment, you should see the private connectivity endpoint for Schema Registry on the Cloud Console as shown:
At this point, Schema Registry is ready for use on the privatelink.
(Optional) Step 2: Restrict public access to Schema Registry with IP filtering¶
You can use IP filters to restrict the public access to Schema Registry to specified IP address ranges.
- Create IP groups.
- Create IP filters.
- Apply to schema management.
View IP filters applied to the Schema Registry by going to Network Management > Public Networks on the Cloud Console.
If you want to disable all public access to Schema Registry, create an IP filter using the No Public Networks IP group. If you do this Step 3 becomes mandatory to access schemas on the Cloud Console.
(Optional) Step 3: Connect to the network with Confluent Cloud Console¶
You can access access the Cloud Console from anywhere if you have enabled the public endpoint access for Schema Registry. If you have restricted access to it using IP filtering, you need to connect to Cloud Console using a valid IP over public internet or on the appropriate VPC where you have provisioned the PrivateLink Attachment.
Users will see the following error if they attempt to access schemas from an unauthorized IP address or from a VPC network that does not have access to the PrivateLink Attachment you created.
To connect to Confluent Cloud with PrivateLink Attachment, see Use Confluent Cloud with Private Networking. The Resource Metadata access option is not currently supported for Schema Registry.
One way to connect is to set up a reverse proxy:
Create an EC2 instance
Connect to the instance with SSH
Install NGINX
Configure Routing Table
Set up DNS resolution: point to the Schema Registry regional endpoints you use, as described in Step 6 of Configure a proxy.
<Public IP Address of VM instance> <schema-registry-private-endpoint>
<schema-registry-private-endpoint>will resemblelsrc-1234.<region>.<cloud>.private.confluent.cloud, for example:lsrc-axliw12p.us-east-2.aws.private.confluent.cloud.Find the DNS part of the PrivateLink Attachment by navigating to your environment’s Network management page and finding the DNS domain setting.
Once networking is set up in Cloud Console, the interface uses the correct endpoint automatically, and you should be able to view your schemas on the Schema Registry page.
Migrate clients from the public endpoint to private endpoint for Schema Registry¶
If you are using the public endpoint for Schema Registry but want to migrate clients to use the private endpoint, you can do so as follows:
Identify the principal IDs sending traffic by means of the public endpoint to Schema Registry.
The
traffic_typemetric recently added toschema_operations_counthas values PUBLIC and PRIVATE which allow you to identify public and private traffic to Schema Registry. You can useprincipal_idwith this metric to see which principal IDs are sending which kinds of traffic, as shown in the example below.Create a file named
sr_traffic.jsonusing the following template. Be sure to changelsrc-XXXXXand the timestamp values to match your needs.{ "aggregations": [ { "metric": "io.confluent.kafka.schema_registry/schema_operations_count" } ], "filter": { "field": "resource.schema_registry.id", "op": "EQ", "value": "lsrc-XXXXX" }, "granularity": "PT1M", "intervals": [ "2021-02-24T10:00:00Z/2021-02-24T10:01:00Z" ], "group_by": [ "resource.schema_registry.id", "metric.principal_id", "metric.traffic_type" ] }
Submit the query as a POST using the following command. Be sure to change
<API_KEY>and<SECRET>to match your environments.http 'https://api.telemetry.confluent.cloud/v2/metrics/cloud/query' --auth '<API_KEY>:<SECRET>' < sr_traffic.json
Your output should resemble:
{ "data": [ { "resource.schema_registry.id": "lsrc-XXXXX", "metric.principal_id": "sa-abc123", "traffic_type": "PUBLIC" , "timestamp": "2021-02-24T10:00:00Z", "value": 1.0 } ] }
To learn more about monitoring and metrics for Confluent Cloud, see Confluent Cloud Metrics.
To learn more about Schema Registry metrics definitions, refer to Resource: schema_registry section in the
Confluent Cloud Metrics API Reference.
Enable private access to Schema Registry in the same region across different environments with PrivateLink Attachments¶
To enable the same VPC to connect to schema registries in the same region across two different environments, you must configure two VPC endpoints with a PrivateLink Attachment created in each environment.
In this example, consider that you have two environments with Schema Registry in the same region and you want to access both the registries within the same VPC:
- Environment 1, which has
Schema Registry-1in region-1 with a fully qualified domain name (FQDN) of:lsrc-1234.region-1.aws.private.confluent.cloud - Environment 2, which has
Schema Registry-2in region-1 with a FQDN of:lsrc-5678.region-1.aws.private.confluent.cloud - You have one VPC connecting to both environments.
The steps to enable this across the two environments are as follows.
- Create PrivateLink Attachment-1 with VPC endpoint (VPCE-1) to connect to Schema Registry-1.
- Create PrivateLink Attachment-2 with another VPC endpoint (VPCE-2) in the same network to connect to Schema Registry-2.
- When setting up domain name system (DNS) resolution within the VPC, enter DNS entries in the private hosted zone for the VPC as follows:
lsrc-1234.region-1.aws.private.confluent.cloudresolves to VPCE-1 DNSlsrc-5678.region-1.aws.private.confluent.cloudresolves to VPCE-2 DNS
Use Schema Linking with private endpoints¶
You can use the private endpoints for a Schema Registry when creating schema exporters on Confluent Platform or Confluent Cloud Schema Registry. You need to provide the private endpoint and the corresponding API key information when creating the exporter. You can use this Confluent CLI command to retrieve the endpoint: confluent schema-registry cluster describe.
To learn more about Schema Linking, see Schema Linking on Confluent Cloud.
Use Confluent CLI and Terraform with private endpoints¶
You can use the Confluent CLI and Terraform with private endpoints for Schema Registry.
- Use the Confluent CLI version 4.21.0 or later.
- Using Terraform version 2.23.0 or later, use confluent_private_link_access Confluent Terraform Provider resource to create a PrivateLink Access.
Stream Catalog endpoints¶
The Stream Catalog endpoint and APIs will remain accessible only via public internet. To learn more, see: Stream Catalog REST API Usage and Examples on Confluent Cloud, and especially, Setup and suggestions.
Limitations¶
- Schema Registry PrivateLink is currently available only in select regions on AWS.
- Resource Metadata access is not applicable for Schema Registry.
- Customer connectors cannot use Schema Registry configured with private access.
Supported AWS Regions¶
The following AWS regions are supported in the current release.
The Americas and Canada¶
| Code | Region |
|---|---|
| ca-central-1 | Canada (Central) |
| us-west-2 | US West (Oregon) |
| us-east-1 | US East (N. Virginia) |
| us-east-2 | US East (Ohio) |
| sa-east-1 | South America (São Paulo) |
Asia Pacific¶
| Code | Region |
|---|---|
| ap-southeast-1 | Asia Pacific (Singapore) |
| ap-south-1 | Asia Pacific (Mumbai) |
| ap-east-1 | Asia Pacific (Hong Kong) |
| ap-northeast-2 | Asia Pacific (Seoul) |
| ap-southeast-2 | Asia Pacific (Sydney) |
Europe¶
| Code | Region |
|---|---|
| eu-central-1 | Europe (Frankfurt) |
| eu-west-1 | Europe (Ireland) |
| eu-west-2 | Europe (London) |
| eu-west-3 | Europe (Paris) |
Africa¶
| Code | Region |
|---|---|
| af-south-1 | Africa (Cape Town) |
Frequently Asked Questions (FAQ)¶
FAQ Quick List¶
- Is there an extra charge for using this feature?
- I already have a Dedicated cluster and corresponding private network setup, is a PrivateLink Attachment still necessary?
- Is the PrivateLink Attachment created for Flink or Enterprise cluster private networking re-used for Schema Registry?
- Is it possible to block all public traffic to the Schema Registry using IP filtering?
- Does IP filtering affect my private traffic, public traffic, or both?
- Does IP filtering for schema management impact existing connectors, Flink statements, linked schema registries, or ksqlDB setups that access schema registries?
- Is IP filtering also applicable for Stream Governance catalog, as it shares the same public endpoint as Schema Registry?
- Is the private endpoint applicable for Stream Catalog access?
- Is it possible to use Schema Linking with private endpoints?
- There are multiple endpoints for Schema Registry, does this mean a different Schema Registry exists in every region?
- There are multiple endpoints for Schema Registry in different regions, does this mean there is schema redundancy in the these regions?
- Why is a “Create Cluster” message shown on the UI when I try to enable Stream Governance, if I already have Kafka clusters present in the environment?
Q&As¶
- Is there an extra charge for using this feature?
- This feature is available starting with the Stream Governance Essentials package which is free till 100 schemas. There is no extra charge for this feature. (See, Manage Stream Governance Packages in Confluent Cloud to learn more about Stream Governance packages.)
- I already have a Dedicated cluster and corresponding private network setup, is a PrivateLink Attachment still necessary?
- Yes, a PrivateLink Attachment is required for private access to Schema Registry.
- Is the PrivateLink Attachment created for Flink or Enterprise cluster private networking re-used for Schema Registry?
- Yes, a PrivateLink Attachment created in a region will be re-used automatically.
- Is it possible to block all public traffic to the Schema Registry using IP filtering?
- Using the No Public Networks IP group will block all public traffic to the Schema Registry. With this configuration, Cloud Console would not display data contracts over the public internet. To regain access to the data contracts UI, create a proxy with access to the VPC where the private Schema Registry endpoint is accessible, as described in Step 3.
- Does IP filtering affect my private traffic, public traffic, or both?
- IP filtering is only applied to public traffic.
- Does IP filtering for schema management impact existing connectors, Flink statements, linked schema registries, or ksqlDB setups that access Schema Registry?
- No, IP filtering is only applied to public traffic originating outside Confluent Cloud.
- Is IP filtering also applicable for Stream Catalog, as it shares the same public endpoint as Schema Registry?
- No, IP filtering is only applicable for Schema Registry APIs.
- Is the private endpoint applicable for Stream Catalog access?
No, private endpoints only provide private access to Schema Registry.
(To learn more about Stream Catalog and using its APIs, see Stream Catalog on Confluent Cloud: User Guide to Manage Tags and Metadata and Stream Catalog REST API Usage and Examples on Confluent Cloud.)
- Is it possible to use Schema Linking with private endpoints?
- Yes, you can create a schema exporter using a private endpoint with source and destination Schema Registry in the same or different region.
- There are multiple endpoints for Schema Registry, does this mean a different Schema Registry exists in every region?
- No, all the endpoints provide access to one Schema Registry in the environment.
- There are multiple endpoints for Schema Registry in different regions, does this mean there is schema redundancy in the these regions?
- No, all the endpoints provide access to one Schema Registry in the environment. If the region of the Schema Registry is unavailable, schema operations will be unavailable.
- Why is a “Create Cluster” message shown on the UI when I try to enable Stream Governance, if I already have Kafka clusters present in the environment?
If you see this message, then it is possible that this environment was created using an older version of of the Confluent CLI (v3 or lower) or Terraform (v1). In this case, update your CLI to version 4 or higher and Terraform to version 2 or higher.
To use Schema Registry with a PrivateLink Attachment, use CLI version 4.21.0 and Terraform version 2.23.0.
To resolve this issue, you could use the deprecated Schema Registry cluster management (SRCM) v2 regions API only as a workaround to provision the Schema Registry cluster or contact Confluent support to provision a Schema Registry cluster. To learn more about the v2 and v3 SRCM regions APIs, see Upgrade to SRCM v3 clusters and regions APIs (Deprecation of SRCM v2).