Confluent Cloud supports public internet connectivity and private networking solutions. You can access Confluent Cloud Dedicated clusters through secure internet endpoints, Private Link connections, VPC/VNet peering, or AWS Transit Gateway. All Basic and Standard clusters are accessible through secure internet endpoints. All connections to Confluent Cloud are encrypted with TLS and require authentication using API keys, regardless of network configuration.
Using VPC/VNet peering, Private Link, or AWS Transit Gateway is a trade-off. Your cluster cannot be accessed from the public internet, which eliminates some potential security threats, but it also requires you to manage the peered or linked networks to ensure all your client applications and developers have the access they need to Confluent Cloud.
- If you use VPC/VNet peering, your cluster will not have internet endpoints and you can only access it from a peered VPC/VNet.
- If you use private networking (VPC peering, VNet peering, or private links), then you cannot directly connect from an on-premises data center to Confluent Cloud. To do this, you must first route to a shared services VPC or VNet that you own and connect that to Confluent Cloud using VPC/VNet peering (along with a proxy) or Private Link. If you are interested in this configuration for Confluent Cloud, contact your Confluent sales representative.
- If you use Private Link, your cluster will not have internet endpoints and you can only access it from Private Endpoints in accounts you have registered with Confluent Cloud.
- If you use AWS Transit Gateway, your cluster will not have internet endpoints and you can only access it from the linked AWS Transit Gateway network.
- After a cluster has been provisioned with VPC peering, AWS PrivateLink, or AWS Transit Gateway, you cannot update it to use internet endpoints.
- After a cluster has been provisioned with secure internet endpoints, you cannot change it to use VPC/VNet peering, Private Link, or AWS Transit Gateway.
- IP addresses for secure internet endpoints are not static.
Confluent Cloud clusters with internet endpoints are protected by a proxy layer that prevents some types of DoS, DDoS, SYN flooding, and other network-level attacks. Confluent Cloud clusters using VPC peering, AWS PrivateLink, or AWS Transit Gateway are not accessible from the public internet.
Confluent Cloud ensures all connections to all cluster configurations use TLS 1.2 so traffic is encrypted in transit. Access to any Confluent Cloud Kafka cluster or other services is limited to clients with valid API keys and secrets. Non-TLS or unauthenticated connections are not allowed. Refer to the Confluent Cloud Security Controls whitepaper for more details on securing Confluent Cloud.
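The requirements above translate into a handful of client settings that are easy to get wrong. The following linter is an added example, not Confluent's code: it checks a Kafka `client.properties` for SASL over TLS, an API key and secret in the JAAS config, hostname verification left on, and a DNS bootstrap name rather than a pinned IP (since internet endpoint IPs are not static). It assumes API-key authentication is SASL/PLAIN; the sample configs, hostname, key and secret are constructed placeholders.

```python
import re

def parse_properties(text: str) -> dict:
    # Java-style key=value lines; blank lines and '#' comments are skipped.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_client_config(text: str) -> list:
    """Return findings for a client.properties; an empty list means it complies."""
    p = parse_properties(text)
    findings = []
    # Non-TLS connections are refused, so the client must use SASL over TLS.
    if p.get("security.protocol", "").upper() != "SASL_SSL":
        findings.append(f"security.protocol must be SASL_SSL (found {p.get('security.protocol')!r})")
    # API key authentication is SASL/PLAIN: key as username, secret as password.
    if p.get("sasl.mechanism", "").upper() != "PLAIN":
        findings.append(f"sasl.mechanism must be PLAIN for API keys (found {p.get('sasl.mechanism')!r})")
    jaas = p.get("sasl.jaas.config", "")
    if not (re.search(r'username="[^"]+"', jaas) and re.search(r'password="[^"]+"', jaas)):
        findings.append("sasl.jaas.config must set username (API key) and password (API secret)")
    # Hostname verification defaults to https; an explicit empty value disables it.
    if p.get("ssl.endpoint.identification.algorithm", "https").lower() != "https":
        findings.append("ssl.endpoint.identification.algorithm must be https")
    # Internet endpoint IPs are not static: bootstrap must be the cluster DNS name.
    for server in p.get("bootstrap.servers", "").split(","):
        host = server.strip().rsplit(":", 1)[0]
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # IPv4 literal check only
            findings.append(f"bootstrap.servers pins a literal IP ({host}); use the cluster hostname")
    return findings

# Constructed sample configs; hostname, API key and secret are placeholders, not real values.
WEAK_CONFIG = """
bootstrap.servers=203.0.113.10:9092
security.protocol=PLAINTEXT
"""
GOOD_CONFIG = """
bootstrap.servers=pkc-EXAMPLE.us-east-1.aws.confluent.cloud:9092
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="API_KEY_PLACEHOLDER" password="API_SECRET_PLACEHOLDER";
ssl.endpoint.identification.algorithm=https
"""
```

Run `check_client_config(WEAK_CONFIG)` to see the four findings a plaintext, unauthenticated, IP-pinned config produces; the compliant sample returns an empty list.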
To learn more about networking in Confluent Cloud, listen to this podcast which walks you through the details of cloud networking and VPC peering.
Supported public networking solutions
Confluent Cloud offers data in motion services that can be shared across organizations over the public internet. Confluent Cloud services include public internet connectivity for all cluster types, including Basic, Standard, and Dedicated clusters.
For Confluent Cloud Dedicated clusters with public connectivity on AWS only, you can use static egress IP addresses to communicate with external resources (such as data sources and sinks for managed connectors) over the public internet. For details, see Using Static Egress IP Addresses in Confluent Cloud.
Supported private networking solutions
Confluent Cloud includes support for data in motion services that are shared privately with organizations on private networks and offer additional customization and controls for security and privacy. Private networking support in Confluent Cloud is available only for Dedicated clusters.
The following table summarizes the private networking solutions supported by Confluent Cloud by the cloud service provider. For details on each solution, click the link to go to the documentation details.
| Cloud service provider    | Supported networking solution |
|---------------------------|-------------------------------|
| Amazon Web Services (AWS) | AWS VPC Peering               |
|                           | AWS Transit Gateway           |
| Microsoft Azure           | Azure VNet Peering            |
|                           | Azure Private Link            |
| Google Cloud              | Google Cloud VPC Peering      |