Configure Private Networking for USM Agents
This page describes how to set up AWS PrivateLink connectivity for the USM Agent to send Confluent Platform metadata to Confluent Cloud. You configure this connectivity by creating a gateway and an access point in your Confluent Cloud environment. For general Confluent Cloud PrivateLink setup that’s not specific to USM, see Use AWS PrivateLink for Serverless Products on Confluent Cloud.
Unified Stream Manager (USM) requires a secure, private network connection between your Confluent Platform cluster and Confluent Cloud that uses AWS PrivateLink. With AWS PrivateLink, your Confluent Cloud resources are only accessible from private endpoints in your VPC, so all metadata is transmitted over a private channel without exposure to the public internet.
You can create a new private network or use an existing one.
Note
As of June, 2026, the PrivateLink Attachment (PLATT) resource is replaced by the ingress PrivateLink Gateway resource for USM. A gateway provides the same functionality as a PLATT, but it provides unique fully qualified domain names (FQDNs) using the access point ID for each PrivateLink connection. With these FQDNs, your applications can more granularly route traffic from your AWS VPC to the services in your Confluent Cloud environment.
Existing PLATT resources continue to function, but you can’t provision new ones after a future release. Update your applications to use gateways.
Private networking resources
Confluent Cloud uses the following private networking resources for registering Confluent Platform clusters. These resources are regional and do not map to specific availability zones.
Gateway: A gateway resource represents a reservation to establish a PrivateLink connection from your virtual private cloud (VPC) to regional services in a Confluent Cloud environment. A gateway belongs to an environment in the Confluent resource hierarchy.
Access point: An access point is a registration of VPC interface endpoints that are allowed to connect to Confluent Cloud. An access point belongs to a specific gateway. From the same VPC, you can create multiple access points in the same region to connect to different Confluent Cloud environments, such as production and development.
You can create the gateway and access point by using the Confluent Cloud Console, Confluent REST API, Confluent CLI, or Terraform.
The overall process consists of the following steps:
In AWS, create a VPC interface endpoint that connects to the gateway’s service.
In Confluent Cloud, create an access point for your endpoint.
The setup wizard in the Confluent Cloud Console guides you through this process.
If you have an existing AWS PrivateLink connection for your Confluent Cloud account and have previously configured a private network using these AWS PrivateLink instructions, you can select that existing network from the wizard and proceed to the next section.
Requirements and considerations
You can connect to multiple Confluent Cloud environments in the same region from a single VPC by creating a separate gateway for each environment.
Cross-region AWS access point resources are not supported.
AWS supported regions
The following list shows the supported AWS regions, grouped geographically.
Asia Pacific:
ap-south-1 (Mumbai)
ap-southeast-1 (Singapore)
ap-southeast-2 (Sydney)
Canada:
ca-central-1 (Canada Central)
Europe:
eu-central-1 (Frankfurt)
eu-west-1 (Ireland)
eu-west-2 (London)
United States:
us-east-1 (N. Virginia)
us-east-2 (Ohio)
us-west-2 (Oregon)
Create a gateway in Confluent Cloud
To establish a private network connection, first create a gateway in the Confluent Cloud wizard. This process generates the unique service name that you need to create the VPC endpoint in your AWS account.
On the Select network configuration page of the wizard, click Add network configuration.
In the Configure gateway panel, enter the following information:
Gateway name: A descriptive name for your network connection.
Cloud provider: Select aws.
Region: Select the AWS region that matches your VPC.
Click Continue.
The next panel displays the PrivateLink Service ID. Copy this ID (for example, com.amazonaws.vpce.us-west-2.vpce-svc-...) to use it in the next step in the AWS console.
Keep this Confluent Cloud browser tab open. Confluent Cloud provisions the gateway, and its state changes to CREATED.
A gateway can have one of the following states:
CREATED: You provisioned the gateway and can now add an access point.
READY: You created the access point, and it can accept connections.
EXPIRED: You didn't provision a valid access point in the allotted time. Create a new gateway to continue.
Send a request to create a gateway resource:
REST request
POST https://api.confluent.cloud/networking/v1/gateways
REST request body
{
  "spec": {
    "display_name": "<A custom name for the gateway>",
    "config": {
      "kind": "AwsIngressPrivateLinkGatewaySpec",
      "region": "<AWS region of the gateway>"
    },
    "environment": {
      "id": "<The ID of the environment to add the gateway to>"
    }
  }
}
For more information, see Gateways in the Confluent REST API reference.
Use the following Confluent CLI command to create an AWS gateway:
confluent network gateway create <gateway-name> <flags>
The following command-specific flags are supported:
--cloud: Required. The cloud provider. Set to aws.
--region: Required. The AWS region of the gateway.
--type: Required. The type of gateway configuration. Set to ingress-privatelink.
For more information, see confluent network gateway create.
The following is an example Confluent CLI command to create a gateway:
confluent network gateway create my-ingress-gateway \
--cloud aws \
--region us-west-2 \
--type ingress-privatelink
Use the confluent_gateway resource from the Confluent Terraform Provider to create a gateway.
An example snippet of Terraform configuration for a gateway:
resource "confluent_gateway" "aws_ingress" {
display_name = "my-gateway"
environment {
id = "env-123abc"
}
aws_ingress_private_link_gateway {
region = "us-west-2"
}
}
Create a VPC endpoint in AWS
In a new browser tab, log in to your AWS Management Console. Use the PrivateLink Service ID of the gateway that you created in Confluent Cloud to create and configure the VPC endpoint.
In the AWS Management Console, go to the VPC dashboard.
Verify that DNS hostnames and DNS resolution are enabled for your VPC.
In the navigation menu, under VIRTUAL PRIVATE CLOUD, click Your VPCs.
Select your VPC and click Edit VPC settings.
Under DNS settings, ensure that Enable DNS resolution and Enable DNS hostnames are selected, and then click Save changes.
In the navigation menu under VIRTUAL PRIVATE CLOUD, click Endpoints, and then click Create endpoint.
In the Name tag field, enter a name for the endpoint.
For Service category, select PrivateLink Ready partner services.
In the Service name field, enter the PrivateLink Service ID of the gateway you created in Create a gateway in Confluent Cloud, and then click Verify service.
You can also use the value of the PrivateLink Service ID from your Network overview of the gateway in the Confluent Cloud Console.
If you get an error, verify that your account is allowed to create PrivateLink connections, and try again.
In the VPC field, enter the ID of this VPC.
Under Additional settings, uncheck Enable DNS name. This option appears after you select a VPC.
In Subnets, select the subnets in which to create an endpoint network interface.
Select or create a security group for the VPC Endpoint.
Add three inbound rules, one for each of ports 80, 443, and 9092, from your desired source (your VPC CIDR). The Protocol should be TCP for all three rules.
Port 80 is not required, but is available as a redirect only to https/443, if desired.
Click Create endpoint.
After the endpoint is created, make a note of the VPC endpoint ID.
aws ec2 create-vpc-endpoint --vpc-id <id of this VPC> \
--service-name <PrivateLink Service ID of the gateway> \
--subnet-ids <subnet IDs for the endpoint> \
--region <region to use> \
--private-dns-enabled false \
--vpc-endpoint-type Interface
From the command output, make a note of the VPC endpoint ID.
For example, using the PrivateLink Service ID of the gateway:
aws ec2 create-vpc-endpoint --vpc-id vpc-097799943f9fc059d \
--service-name com.amazonaws.vpce.us-east-1.vpce-svc-123abcc1298abc123 \
--subnet-ids subnet-7b16de0c \
--region us-east-1 \
--private-dns-enabled false \
--vpc-endpoint-type Interface
Use the aws_vpc_endpoint AWS Terraform Provider resource to create a VPC endpoint in AWS.
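The console and CLI steps in this section can be run end to end as a script. The following is an added example and not code from the Confluent or AWS documentation: it checks that the PrivateLink Service ID belongs to the region of your VPC (the gateway region must match the VPC region, and cross-region access points are not supported), verifies the two VPC DNS attributes, creates a security group that admits only TCP 443 and 9092 from a source CIDR, and creates the interface endpoint with private DNS disabled. The function names, the security group name confluent-privatelink-endpoint, and the placeholder IDs in the usage comment are the example's own assumptions; it requires a credentialed AWS CLI v2 and is written for POSIX sh.

```shell
#!/bin/sh
# Added example (not Confluent's or AWS's code): provision the VPC interface endpoint
# for a Confluent Cloud ingress PrivateLink gateway with the AWS CLI v2.
# Assumed inputs: the PrivateLink Service ID copied from the gateway panel, your VPC ID,
# the CIDR that should reach Confluent Cloud, the region, and one subnet per AZ.

# The service ID embeds its region (com.amazonaws.vpce.<region>.vpce-svc-...). Refuse to
# create an endpoint if that region differs from the one you deploy into: "Verify service"
# fails on a mismatch, and cross-region access points are not supported.
check_service_region() {
  case "$1" in
    "com.amazonaws.vpce.$2.vpce-svc-"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Both VPC DNS attributes must be enabled for the endpoint's DNS names to resolve.
check_vpc_dns() {
  support=$(aws ec2 describe-vpc-attribute --region "$2" --vpc-id "$1" \
      --attribute enableDnsSupport --query EnableDnsSupport.Value --output text)
  hostnames=$(aws ec2 describe-vpc-attribute --region "$2" --vpc-id "$1" \
      --attribute enableDnsHostnames --query EnableDnsHostnames.Value --output text)
  [ "$support" = True ] && [ "$hostnames" = True ]
}

# Security group for the endpoint ENIs. Only TCP 443 (HTTPS) and 9092 (Kafka) are opened;
# port 80 is omitted because it only redirects to 443. Narrow the source CIDR to the
# subnets that run the USM Agent if you can, rather than the whole VPC.
create_endpoint_sg() {
  sg_id=$(aws ec2 create-security-group --region "$3" --vpc-id "$1" \
      --group-name confluent-privatelink-endpoint \
      --description "Confluent Cloud PrivateLink endpoint" \
      --query GroupId --output text)
  for port in 443 9092; do
    aws ec2 authorize-security-group-ingress --region "$3" --group-id "$sg_id" \
        --protocol tcp --port "$port" --cidr "$2" >/dev/null
  done
  echo "$sg_id"
}

# Create the endpoint. Private DNS stays disabled because the Confluent hostnames are
# served from your own Route 53 private hosted zone, not from the service's DNS name.
# Prints the VPC endpoint ID, which is the input for the Confluent access point.
provision_endpoint() {
  vpc_id=$1; source_cidr=$2; service_id=$3; region=$4; shift 4   # remaining args: subnet IDs
  check_service_region "$service_id" "$region" ||
    { echo "service ID $service_id is not in region $region" >&2; return 1; }
  check_vpc_dns "$vpc_id" "$region" ||
    { echo "enable DNS resolution and DNS hostnames on $vpc_id first" >&2; return 1; }
  sg_id=$(create_endpoint_sg "$vpc_id" "$source_cidr" "$region")
  aws ec2 create-vpc-endpoint --region "$region" --vpc-id "$vpc_id" \
      --service-name "$service_id" --vpc-endpoint-type Interface \
      --subnet-ids "$@" --security-group-ids "$sg_id" --no-private-dns-enabled \
      --query VpcEndpoint.VpcEndpointId --output text
}

# Usage (all values are placeholders):
# provision_endpoint vpc-097799943f9fc059d 10.0.0.0/16 \
#   com.amazonaws.vpce.us-east-1.vpce-svc-123abcc1298abc123 us-east-1 subnet-7b16de0c
```

The endpoint stays in the pendingAcceptance state until you create the access point in Confluent Cloud; keep the printed endpoint ID for that step.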
Create an access point
Return to Confluent Cloud and create an access point resource. An access point represents a VPC interface endpoint in your VPC.
You don’t need to provide the VPC Endpoint Service name. From the VPC endpoint ID you give, Confluent finds the gateway whose VPC Endpoint Service has a pending connection from that endpoint.
In the Access points tab, click Create access point.
The sliding panel shows the gateway’s PrivateLink Service ID in step 3. If you haven’t already created the VPC interface endpoint in AWS with this ID, do so now.
In VPC Endpoint ID from AWS, specify the VPC interface endpoint ID you created in the previous step.
In the Access point name field, enter a name for the access point.
Click Create access point.
After the VPC Endpoint connection is accepted, the statuses for the gateway and the access point change to READY.
Send a request to create an access point resource:
REST request
POST https://api.confluent.cloud/networking/v1/access-points
REST request body
{
  "spec": {
    "display_name": "<A custom name for the access point>",
    "config": {
      "kind": "AwsIngressPrivateLinkEndpoint",
      "vpc_endpoint_id": "<The ID of your VPC interface endpoint in AWS>"
    },
    "environment": {
      "id": "<The ID of the environment that has the gateway for this access point>"
    },
    "gateway": {
      "id": "<The ID of the gateway to add the access point to>"
    }
  }
}
For more information, see Access Points in the Confluent REST API reference.
Use the following Confluent CLI command to create an access point:
confluent network access-point private-link ingress-endpoint create <access-point-name> <flags>
The following command-specific flags are supported:
--cloud: Required. The cloud provider. Set to aws.
--gateway: Required. The ID of the gateway to add the access point to.
--vpc-endpoint-id: Required. The ID of your VPC interface endpoint in AWS.
For more information, see confluent network access-point private-link ingress-endpoint create.
The following is an example Confluent CLI command to create an access point:
confluent network access-point private-link ingress-endpoint create my-ingress-access-point \
--cloud aws \
--gateway gw-123abc \
--vpc-endpoint-id vpce-1234567890abcdef0
Use the confluent_access_point Confluent Terraform Provider resource to create an access point.
An example snippet of Terraform configuration for an access point:
resource "confluent_access_point" "aws_ingress_1" {
display_name = "my_access_point"
environment {
id = "env-123abc"
}
gateway {
id = "gw-123abc"
}
aws_ingress_private_link_endpoint {
vpc_endpoint_id = "vpce-1234567890abcdef0"
}
depends_on = [
confluent_gateway.aws_ingress
]
}
Set up DNS resolution
Confluent Cloud requires that you set up private DNS records for each access point that point its DNS domain to the VPC endpoint you created.
For new access points, when connecting to Confluent Cloud using access-point-specific hostnames, you must allow public DNS resolution from your network or VPC. Confluent Cloud publishes these hostnames in public DNS as CNAMEs into the domain that you configure in your private DNS resolver.
DNS resolution happens in two steps:
The Confluent Cloud Global DNS Resolver returns a CNAME for your hostnames, removing the glb subdomain and converting your access point ID to be a subdomain. For example, with the given hostname:
api-<accessPointId>.<region>.aws.accesspoint.glb.confluent.cloud
The CNAME returned is:
api.<accessPointId>.<region>.aws.accesspoint.confluent.cloud
The CNAME then resolves to your VPC private endpoints based on the private DNS configuration.
To use AWS Route 53 as your private DNS resolver, set up a private hosted zone in your AWS VPC.
In Confluent Cloud, verify that the status of the access point is READY.
In Confluent Cloud, open the newly created gateway to get the DNS domain value of Confluent Cloud.
The DNS domain value depends on the type of access point:
Legacy access points: The value follows the pattern <region>.aws.private.confluent.cloud. Use this as the Domain name for your Route 53 private hosted zone.
New access points: Take the FrontDoor URL shown in the Confluent Cloud Console and remove .glb and the api- prefix. Use the resulting <accessPointId>.<region>.aws.accesspoint.confluent.cloud as the Domain name for your Route 53 private hosted zone. For example, if the FrontDoor URL is api-ap123.us-west-2.aws.accesspoint.glb.confluent.cloud, the Route 53 hosted zone domain name is ap123.us-west-2.aws.accesspoint.confluent.cloud.
In the AWS Route 53 console, create a private hosted zone with the following settings:
Domain name: Enter the Confluent Cloud DNS domain value that you copied in the previous step.
Type: Select Private hosted zone.
VPC ID: Enter the ID of the VPC where you added the VPC endpoint.
Click Create hosted zone.
Create a DNS record for the hosted zone you created in the previous step.
This record is regional DNS and is used for all the target Confluent Cloud resources in the region.
Click Create Record from within the previously created hosted zone.
Specify the following values:
Record name: Enter * as the subdomain name. The record name consists of the subdomain and the DNS domain name. The DNS domain name is filled in with the Confluent Cloud DNS domain value you specified when you created the Route 53 private hosted zone in the previous step.
If you are creating DNS resolution for Schema Registry for a single VPC connecting to multiple Schema Registry clusters in the same region across different environments, enter the ID of the Schema Registry, lsrc-xxxxx, in the Record name field to connect to a specific Schema Registry.
Record type: Select CNAME.
Value: Enter the DNS name of the VPC endpoint that you created in Create a VPC endpoint in AWS.
The value must be the fully qualified DNS name of the VPC endpoint. For example: vpce-012c2200321aff207-gz49hgc1.vpce-svc-00da8c4990b89436d.us-west-2.vpce.amazonaws.com. Do not specify the VPC endpoint name or ID. To find this value, go to the Endpoint details page in the AWS console and look in the DNS names section.
Note
In Confluent Cloud with private linking, Kafka broker names you retrieve from the metadata are not static. Do not hardcode the broker names in DNS records.
Click Create Record.
A summary of the new record appears.
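The DNS steps above, as an added example that is not code from the Confluent or AWS documentation: it waits for Confluent to accept the endpoint connection, reads the endpoint's regional DNS name, derives the hosted zone name from the FrontDoor URL, creates the Route 53 private hosted zone and the wildcard CNAME (refusing an endpoint ID where a DNS name is required), and checks the two-step resolution from inside the VPC with dig. The function names, the 60-second TTL, and the placeholder IDs are the example's own assumptions, as is the generalization in glb_to_private_cname that the access point ID is always the last hyphenated part of the first label (the page shows only the api- hostname). It requires a credentialed AWS CLI v2 and is written for POSIX sh.

```shell
#!/bin/sh
# Added example (not Confluent's or AWS's code): finish private DNS for a new-style
# access point. Run after the access point is created in Confluent Cloud.

# The endpoint moves from pendingAcceptance to available once Confluent accepts it;
# the access point and gateway show READY at the same point.
wait_for_acceptance() {
  tries=0
  while [ "$tries" -lt 60 ]; do
    state=$(aws ec2 describe-vpc-endpoints --region "$2" --vpc-endpoint-ids "$1" \
        --query 'VpcEndpoints[0].State' --output text)
    [ "$state" = available ] && return 0
    tries=$((tries + 1)); sleep 10
  done
  echo "endpoint $1 is still $state" >&2; return 1
}

# Regional DNS name of the endpoint (first DnsEntries element). This, not the vpce- ID
# or the name tag, is the CNAME target.
endpoint_dns_name() {
  aws ec2 describe-vpc-endpoints --region "$2" --vpc-endpoint-ids "$1" \
      --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text
}

# Guard against the common mistake of pasting the endpoint ID instead of its DNS name.
is_vpce_fqdn() {
  case "$1" in
    vpce-*.vpce-svc-*.*.vpce.amazonaws.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Hosted zone name for a new access point: drop ".glb" and the "api-" prefix from the
# FrontDoor URL shown for the gateway.
zone_from_frontdoor() {
  printf '%s\n' "$1" | sed -e 's/\.glb\././' -e 's/^api-//'
}

# Step 1 of resolution as Confluent's public resolver performs it: drop ".glb" and move
# the access point ID into its own label. Assumption: the ID is the last hyphenated part
# of the first label for every hostname, not only api-.
glb_to_private_cname() {
  printf '%s\n' "$1" | sed -e 's/\.glb\././' -e 's/-\([^.-]*\)\./.\1./'
}

# $1 zone name, $2 VPC ID, $3 region; prints the hosted zone ID.
create_private_zone() {
  aws route53 create-hosted-zone --name "$1" \
      --vpc VPCRegion="$3",VPCId="$2" \
      --hosted-zone-config PrivateZone=true,Comment="Confluent Cloud PrivateLink" \
      --caller-reference "$1-$(date +%s)" \
      --query HostedZone.Id --output text
}

# $1 hosted zone ID, $2 zone name, $3 VPC endpoint DNS name. One wildcard record serves
# every Confluent resource behind the access point; broker names are never pinned.
create_wildcard_cname() {
  is_vpce_fqdn "$3" || { echo "not a VPC endpoint DNS name: $3" >&2; return 1; }
  aws route53 change-resource-record-sets --hosted-zone-id "$1" --change-batch "{
    \"Changes\": [{\"Action\": \"UPSERT\", \"ResourceRecordSet\": {
      \"Name\": \"*.$2\", \"Type\": \"CNAME\", \"TTL\": 60,
      \"ResourceRecords\": [{\"Value\": \"$3\"}]}}]}" >/dev/null
}

# From inside the VPC: the public answer must CNAME into the private zone, and the
# private zone must CNAME on to the endpoint, so the chain contains both names.
verify_resolution() {
  chain=$(dig +short "$1")
  printf '%s\n' "$chain" | grep -qF "$(glb_to_private_cname "$1")" &&
    printf '%s\n' "$chain" | grep -qF .vpce.amazonaws.com
}

# Usage (all values are placeholders):
# wait_for_acceptance vpce-1234567890abcdef0 us-west-2
# zone=$(zone_from_frontdoor api-ap123.us-west-2.aws.accesspoint.glb.confluent.cloud)
# zone_id=$(create_private_zone "$zone" vpc-097799943f9fc059d us-west-2)
# create_wildcard_cname "$zone_id" "$zone" "$(endpoint_dns_name vpce-1234567890abcdef0 us-west-2)"
# verify_resolution api-ap123.us-west-2.aws.accesspoint.glb.confluent.cloud
```

If verify_resolution fails on the first check, the public CNAME is not reachable: the VPC's resolver must be able to forward these glb hostnames to public DNS. If it fails on the second, the private hosted zone is not associated with the VPC or the wildcard record points at the wrong target.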