Use Public Egress IP Addresses on Confluent Cloud for Connectors and Cluster Linking
Confluent Cloud provides public egress IP addresses for managed connectors and Cluster Linking. The IP addresses are used to securely establish outbound connections to endpoints of external data sources and sinks over the secure public endpoints. Egress IP addresses are beneficial for:
- IP allowlisting. Adding egress IP addresses to the allowlist of an external resource ensures that only traffic originating from a known and consistent IP address is allowed to connect to the external resource.
- Regulatory compliance. Some organizations require that all outbound traffic is initiated from an IP address.
- Logging and monitoring. Egress IP addresses can be used to identify the source of traffic in logs and metrics.
Public egress IP addresses in Confluent Cloud can be used to:
- Establish outbound connections to external data sources and sinks over the internet using Confluent Cloud managed connectors on AWS, Azure, and Google Cloud.
- Configure the allowlist of an external resource to allow connections from Confluent Cloud services for Cluster Linking on AWS.
Public egress IP addresses are not exclusive to specific Confluent Cloud accounts. All Confluent Cloud managed connectors that use the same cloud service provider and region share the same available public egress IP addresses.
Requirements and considerations
When using public egress IP addresses, review the following requirements and considerations:
Public egress IP addresses are not guaranteed to be static, although Confluent will make the best effort to minimize changes.
For details, see the FAQ.
The IP addresses are associated with specific cloud service providers and regions. If you change the region of a Confluent Cloud cluster, you need to update your allowlists to use the IP addresses available for the region.
Public egress IP addresses are not available for privately networked clusters (PrivateLink, VPC/VNet Peering, or TGW) through the Confluent Cloud Console, Confluent REST API, or Confluent CLI.
For private networking connectivity IP address details, refer to Egress IP address ranges.
Azure does not support IP-based allowlisting if the managed connectors on Confluent Cloud and the Azure service reside in the same Azure region.
For more information, see Grant access from a public IP range.
List the available public egress IP addresses
The public egress IP addresses only appear for the publicly networked Kafka cluster.
You can view the list of available public egress IP addresses in the Confluent Cloud Console under the Cluster networking page for your Kafka cluster or when you add a new managed connector to a Kafka cluster.
On the Cluster networking page:
- In the Confluent Cloud Console, select your Kafka cluster.
- Click Networking.
- On the Cluster networking page, the list of available public egress IP addresses appears under Egress IPs and can be copied for later use with managed connectors.
When adding a managed connector:
- In the Confluent Cloud Console, select your Kafka cluster.
- Click Cluster settings, and then click Connector.
- On the Connectors page, select the managed connector that you want to add. The Add connector page appears.
- On the Authentication page, click Add Confluent cluster IP addresses to your firewall’s allowlist. The available public egress IP addresses are listed and can be copied for later use.
For details, see Cloud API reference.
HTTP GET request
GET https://api.confluent.cloud/networking/v1/ip-addresses
HTTP query parameters
cloud
: Cloud provider, specifically, AWS, GCP, or AZURE
region
: Cloud provider regions, e.g. us-west-2
application
: CONNECT for a managed connector, KAFKA for Cluster Linking
address-type
: EGRESS or INGRESS
Example requests:
List all public egress IP addresses for a cloud and region:
GET /ip-addresses?cloud=AWS&region=us-east-1
List all public egress IP addresses:
GET /ip-addresses?address_type=EGRESS
List all public egress IP addresses for Connect for a cloud and region:
GET /ip-addresses?cloud=aws&region=us-east-1&services=CONNECT
Authentication
See Authentication.
REST response example
{
  "api_version": "networking/v1",
  "data": [
    {
      "api_version": "networking/v1",
      "kind": "IpAddress",
      "ip_prefix": "1.1.1.1/32",
      "services": ["KAFKA"],
      "cloud": "AWS",
      "region": "us-west-2",
      "address_type": "EGRESS"
    },
    {
      "api_version": "networking/v1",
      "kind": "IpAddress",
      "ip_prefix": "10.10.10.10/32",
      "services": ["CONNECT"],
      "cloud": "AWS",
      "region": "us-east-1",
      "address_type": "EGRESS"
    },
    ...
  ],
  "kind": "IpAddressList",
  "metadata": {
    "first": "https://api.confluent.cloud/networking/v1/ip-addresses",
    "next": "",
    "total_size": 2
  }
}
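Because the published addresses are not guaranteed to be static and are shared by all connectors in a cloud and region, an allowlist built from this response needs periodic reconciliation. The following is an added example, not Confluent code: it filters already-fetched response pages by the fields shown above and reports allowlist drift. The function names are hypothetical and the sample data is constructed from documentation-range prefixes.

```python
import ipaddress

# Constructed sample in the shape of the REST response example above
# (documentation-range prefixes, not real Confluent addresses).
SAMPLE_PAGE = {
    "api_version": "networking/v1",
    "kind": "IpAddressList",
    "data": [
        {"kind": "IpAddress", "ip_prefix": "192.0.2.10/32", "services": ["CONNECT"],
         "cloud": "AWS", "region": "us-east-1", "address_type": "EGRESS"},
        {"kind": "IpAddress", "ip_prefix": "192.0.2.11/32", "services": ["KAFKA"],
         "cloud": "AWS", "region": "us-east-1", "address_type": "EGRESS"},
        {"kind": "IpAddress", "ip_prefix": "198.51.100.7/32", "services": ["CONNECT"],
         "cloud": "AWS", "region": "us-west-2", "address_type": "EGRESS"},
        {"kind": "IpAddress", "ip_prefix": "203.0.113.5/32", "services": ["CONNECT"],
         "cloud": "AWS", "region": "us-east-1", "address_type": "INGRESS"},
    ],
    "metadata": {"next": "", "total_size": 4},
}


def egress_prefixes(pages, cloud, region, service):
    """Return the set of EGRESS networks for one cloud, region and service."""
    found = set()
    for page in pages:
        if page.get("kind") != "IpAddressList":
            raise ValueError("unexpected response kind: %r" % page.get("kind"))
        for item in page.get("data", []):
            if (item.get("address_type") == "EGRESS"
                    and item.get("cloud", "").upper() == cloud.upper()
                    and item.get("region") == region
                    and service in item.get("services", [])):
                # strict=True rejects prefixes with host bits set (e.g. 192.0.2.10/24)
                found.add(ipaddress.ip_network(item["ip_prefix"], strict=True))
    return found


def allowlist_drift(current_allowlist, published):
    """Compare a firewall allowlist with the published egress prefixes."""
    current = {ipaddress.ip_network(p, strict=True) for p in current_allowlist}
    return {
        # Published but not allowed: connector traffic from here would be blocked.
        "missing": sorted(str(n) for n in published - current),
        # Allowed but no longer published: review and remove.
        "stale": sorted(str(n) for n in current - published),
    }
```

Pass every page of a paginated response in `pages`; the sample has an empty `metadata.next`, so it is a single page.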
Use the confluent network ip-address list Confluent CLI command to retrieve Confluent Cloud public egress IP addresses:
confluent network ip-address list <flags>
You can specify optional CLI flags described in the Confluent CLI command reference, such as --environment.