FAQ for Confluent Cloud

Find answers to frequently asked questions about Confluent Cloud, a fully-managed, cloud-native data streaming platform. This page provides information on security, support plans, and more.

How do I sign up for free trial of Confluent Cloud?

Sign up at https://confluent.cloud. For details on the temporary free trial that Confluent Cloud offers, see Deploy Free Clusters on Confluent Cloud.

What version of Kafka does Confluent Cloud use?

Confluent Cloud is built upon a cloud-native Kafka engine, Kora, that maintains strict compatibility with and tracks the latest version of Apache Kafka®. Client compatibility is covered in depth in our Clients Overview documentation.

Confluent Platform builds on a subset of the Kora engine, but does not share the same release cycle as Confluent Cloud. For more details of Confluent Platform compatibility, see Confluent Platform support versions.

What client and protocol versions are supported?

  • Confluent Cloud follows the Confluent Platform client version support policy.
  • To connect to Confluent Cloud, compatible clients must support and implement TLS encryption and SASL_PLAIN or SASL_OAUTHBEARER (with OAuth-OIDC configured) authentication.
  • All client features since 0.10.0.0 are supported, including exactly-once delivery semantics.

What security, compliance, and privacy features does Confluent Cloud provide?

Confluent’s product offerings are designed to support the needs of enterprise customers for security, compliance, and privacy. For information on compliance and security, see the Trust & Security page page.

See What specific security features does Confluent Cloud offer? for more details about security features.

What specific security features does Confluent Cloud offer?

  • All traffic over the wire requires TLS 1.2 encryption and authentication for SASL_PLAIN or SASL_OAUTHBEARER (with OAuth-OIDC identity provider configured).
  • All data is encrypted at rest on encrypted volumes. Confluent Cloud ensures encryption on customer data stored at rest through the native encryption services offered by our cloud providers.
  • BYOK encryption is supported for data at rest for Dedicated clusters on AWS, Azure, and Google Cloud.
  • You control the API keys and secrets specific to your cluster which you can revoke or reissue if necessary.
  • All data is stored on secure infrastructure, with access controls that are restricted to Confluent engineers, inside a Confluent controlled VPC.
  • Confluent Cloud Dedicated clusters provide dedicated compute and storage resources.
  • VPC Peering (optional) provides network-level security for customers with Dedicated Clusters in Confluent Cloud.
  • Single sign-on (SSO) using your existing SAML-based identity provider (IdP). Confluent Cloud SSO provides access control for multiple independent software systems.

For more information, see the Confluent Cloud Security Addendum and the Confluent Cloud Security Controls whitepaper.

What version of TLS is supported on Confluent Cloud?

TLS version 1.2 is supported.

Important

Effective March 15, 2020, connections made by using TLS 1.0 and 1.1 are no longer supported. TLS 1.0 and 1.1 are legacy cryptographic protocols that do not support modern cryptographic algorithms. They contain security vulnerabilities that can be exploited by attackers. The Internet Engineering Task Force is planning to officially deprecate both protocols. The majority of encrypted internet traffic is now over TLS 1.2. TLS 1.2 has been the recommended version for IETF protocols since 2008.

Is Kerberos supported on Confluent Cloud?

Kerberos authentication is not supported.

Are Confluent Cloud IP addresses and hostnames static?

In most cases, no. Because the cloud infrastructure used by Confluent Cloud does not guarantee static IP addresses or hostnames across cluster changes, DNS is used to provide a consistent address. The underlying IP addresses and hostnames might be stable for a period of time, but are subject to change at any time, so they should not be relied upon for any use.

Confluent provides egress public IP addresses that you can use for communicating between Kafka clusters (with public networking) in Confluent Cloud and external data sources and sinks. For more information, see Use Public Egress IP Addresses on Confluent Cloud for Connectors and Cluster Linking and Public IP address for Confluent Cloud connectors.

  • Planned changes to the list of public egress IP addresses is considered a Major Upgrade and we will follow the policy outlined in Major Upgrades for Confluent Cloud.
  • In the event of an unplanned change, Confluent will send out notifications as soon as possible.
  • You may be required to take immediate action to update your firewall rules.

The following blogs describe how the common outbound proxies handle IP address changes:

How do I connect Confluent Platform components to Confluent Cloud?

Connection instructions vary by by Confluent Platform component.

See Connect Confluent Platform Components to Confluent Cloud for a list of topics.

How do I grant other users access to my cluster?

Confluent provides a variety of ways to manage access to your data. See User account types for more information.

Can I use the same user account for multiple Confluent Cloud organizations?

Yes. For details, see Manage Multiple Organizations on Confluent Cloud.

Can I be auto-notified about failures or incidents?

Yes, you can view and subscribe to the Confluent Cloud status page.

Can I get help troubleshooting failures on my own before I contact support?

Yes, use this support article to troubleshoot connectivity issues with Confluent Cloud.

Can I access logs for Confluent Cloud services?

Internal service logs for Confluent Cloud managed services (such as Kafka brokers, Schema Registry, and other infrastructure components) are not directly accessible to customers, but there are several tools and approaches to help you debug and monitor your streaming applications.

General monitoring and debugging tools:

The Confluent Cloud Metrics provides actionable operational metrics about your Confluent Cloud deployment. The Confluent Cloud Console shows cluster activity and usage relative to your cluster’s capacity. The Cloud Console also includes topic management and consumer lag monitoring. Build Streaming Applications details best practices for configuring, monitoring, and debugging Kafka clients.

Component-specific logging options:

For some Confluent Cloud services, specific logging and monitoring capabilities are available:

For comprehensive monitoring guidance, see Confluent Cloud Metrics.

Can I chat live in Cloud Console?

Yes, to chat with a live sales representative from the AI Assistant, you must have pop-ups enabled in your browser.

Can deleted Confluent Cloud components be restored?

No. When you delete components from your Confluent Cloud account, they are permanently deleted and cannot be restored.

How do I change support plans?

You can manage your support plan by clicking the help icon in the upper-right corner of the Confluent Cloud window. From the menu that appears, click Support Plans.

_images/cloud-support-option.png

The Support Plans page shows which plan you have currently. You can also choose a different plan from this page by clicking Select in the description of the plan. The next window that opens shows the pricing details for that plan and asks you to confirm your support plan upgrade. Click Confirm upgrade to upgrade, or click Close to cancel. See Confluent Support for Confluent Cloud for more information.

Important

Downgrade restrictions apply to support plan purchases. Your current support level will stay in effect until the end of the current calendar month. However, if you downgrade within the month of purchase, your current support plan level is maintained until the end of the next full calendar month.

How do I access the Cloud Console?

Access the Cloud Console at the following URL:

https://confluent.cloud

To access the console, you will be required to sign in to your Confluent Cloud account. You can sign up for a free account, if you don’t have an account.

What web browsers does Cloud Console support?

The latest stable versions of the following web browsers are supported by Confluent Cloud Console:

What user session timeouts does Cloud Console require?

Each time you access your Confluent Cloud account in the Cloud Console from a web browser, you will be required to sign in. There are limits on how long you can remained signed in to your account with and without activity. The limits are as follows:

  • Idle timeout: If no activity is seen in the Cloud Console browser tab for 30 minutes, you will be logged out.
  • Maximum timeout: You can be logged in to Confluent Cloud for a maximum of 8 hours. After 8 hours, you will be logged out and must sign in again. This is enforced regardless of activity.

These are default settings and cannot be configured or changed.

What domains does the Cloud Console require?

The Cloud Console requires access to the following domains to function properly:

  • https://confluent.cloud
  • https://login.confluent.io
  • https://api.confluent.cloud
  • Access to static assets, such as fonts and images:
    • https://cloud-static.confluent.io
    • https://fonts.googleapis.com
    • https://fonts.gstatic.com
  • Access to Stripe (payment info):
    • https://js.stripe.com
    • https://m.stripe.network
    • https://m.stripe.com
    • https://q.stripe.com
  • Access to the Confluent Metrics API:
    • https://api.telemetry.confluent.cloud

The following domains are not required for the Cloud Console to operate properly, but are recommended:

  • Sentry, for debugging purposes:
    • https://o114100.ingest.sentry.io
  • For access to on-page help:
    • https://cdn.contentful.com

How do I access Confluent CLI and support from Cloud Console?

See instructions to install and use the Confluent CLI, and access Confluent support and tools from options located at the bottom of the navigation menu.

Confluent Cloud support

How do I install the CLI from Cloud Console?

Choose CLI and tools, located at the bottom of the navigation menu. Select the Confluent CLI tab for step-by-step instructions to install and access your Confluent Cloud environment with the Confluent CLI. For more information about how to install and use the Confluent CLI, see Confluent CLI.

How do I access support from Cloud Console?

To access Confluent support, choose Support located at the bottom of the navigation menu. The support plans display, with your current plan indicated. See Confluent Cloud support plans for details about the plans.

How do I change my password in Cloud Console?

  1. From the Administration menu, click Settings > Reset password.

  2. An email will be sent to the email address associated with the account to reset your password.

    Change Confluent Cloud password

How do I add users in Cloud Console?

To add a user:

  1. From the Administration menu, click Accounts & access, and click +Add user.
  2. Enter an email address, select an Access Role, and choose a Scope.
  3. Click Review and then Create.

For more information, see Local user: username/password.

How do I collect troubleshooting info about issues in Cloud Console?

If issues occur in Cloud Console, consider generating a HAR file and uploading it to the Confluent Community Slack channel or sending it to the flink preview email address. For more information, see Generate a HAR file for Troubleshooting on Confluent Cloud.

Can I create a custom DNS name for Confluent Cloud bootstrap endpoints?

You must use the original cluster bootstrap endpoint name. If you change the bootstrap name by creating a DNS record, TLS hostname validation fails. Confluent Cloud does not support custom DNS names. Custom DNS names are domain names that you configure to point to your Confluent Cloud cluster.

How can I delete my account?

When you delete your Confluent Cloud organization, you permanently remove all data and resources associated with it. To delete your local Confluent Cloud account, follow the steps in Delete an organization.

How can I provide feedback for Confluent documentation?

To provide feedback on the Confluent documentation, click the Give us feedback button located near the footer of each page.

How do I sign up for Confluent Cloud in Jio regions?

To get access to Confluent Cloud as a Jio customer, you must contact Confluent Cloud support. You must be a Jio customer to use Confluent Cloud in Jio regions. Create your Confluent account, then then email jio-onboarding@confluent.io with your Jio subscription id and your Confluent Cloud organization id to deploy resources in Jio region.

Does Cloud Console have dark mode?

Dark mode is available in Cloud Console. With dark mode, you can set your color theme to dark, light, or system. System uses the color theme of your computer for the color theme in Cloud Console.

If you want to disable or turn off dark mode, use the following procedure:

To manage color theme:

  1. Sign in to Confluent Cloud.
  2. From Administration, select your name (Settings).
  3. Select Preferences.
  4. In Color Theme, choose one of the following:
    • Light Mode
    • Dark Mode
    • System Preferences

Is there a way to connect to a Confluent Cloud cluster using Confluent CLI and an API key?

Yes, you can connect to Confluent Cloud using the CLI and an API key. For more information, see Connect Confluent CLI to Confluent Cloud Cluster.

Can I configure a source connector to pull from a private PostgreSQL database?

Yes, however you must first set up PrivateLink or a public IP allowlist depending on your database network setup.

How do I get access to Health+ to monitor Confluent Platform?

Health+ is offered as a service that includes free access to basic features, with the option to upgrade to the paid tier for the full range of Health+ benefits. You can enable it by using the Health+ tab in your Cloud Console, or contact support for provisioning. For more information, see Monitor Confluent Platform with Health+.

Can I use the same API key across different environments in Confluent Cloud?

No, you cannot use the same API key across different environments in Confluent Cloud. API keys are scoped to specific Kafka clusters and environments. You need to generate separate API keys per environment. For more information, see Use API Keys to Authenticate to Confluent Cloud.

How do I get alerted when a connector stops or fails?

To get alerts for connector failures, use Connector notifications. For more information, see Notifications for Confluent Cloud.

Is there a way to view API usage metrics or limits?

Confluent Cloud does not expose detailed API usage stats currently. You can use audit logs and CLI scripts to monitor usage manually.

Is it possible to use REST Proxy to produce messages in Confluent Cloud?

Yes, REST Proxy is supported. Use the API endpoint structure with required headers including cluster ID and credentials. For more information, see Connect Self-Managed REST Proxy to Confluent Cloud.

How can I set up custom RBAC roles beyond the predefined ones?

Custom roles are not currently supported. You can combine existing RBAC roles with resource scoping to meet most needs.

How do I ensure a connector writes data with specific field mappings to a database?

Use transforms and custom mappings in the connector configuration. For more information, see the Single Message Transforms (SMT) documentation.

Can I set schema compatibility to “none” for a subject in Schema Registry?

Yes, this can be set using the Cloud Console, Confluent CLI, or Schema Registry REST API. For more information, see Compatibility types.

Is it possible to change a connector’s configuration without stopping it?

Most configuration changes require pausing and restarting the connector, however, some minor changes may apply dynamically. For more information, see Confluent Cloud API for Connect Usage Examples.

How do I ingest data from Google Cloud Storage to Confluent Cloud?

Set up the GCS Source Connector with proper bucket access and file format configuration. For more information, see Google Cloud Storage Source Connector for Confluent Cloud.

What causes “schema not found” errors in a connector?

Check the subject naming strategy and ensure the schema exists and is compatible in Schema Registry. For more information, see Subject name strategy.

How do I ensure a sink connector doesn’t overwrite existing data in a database?

Set insert mode to insert and disable delete.enabled in the connector configuration.

How do I configure Confluent Cloud for multi-region failover?

Use Cluster Linking or multi-region producers for disaster recovery.

Can I encrypt messages end-to-end, beyond TLS in transit?

Message encryption at rest is enabled by default. For additional security, you can implement client-side encryption.

How can I create a schema with optional fields in Protobuf?

Use Protobuf syntax and mark fields as optional using the optional keyword in your schema definition. For more information, see Protobuf Schema Serializer and Deserializer for Schema Registry on Confluent Cloud.

Related content