Test Connectivity to Confluent Cloud

Kafka broker hosts in Confluent Cloud do not respond to ping commands. Use alternative ways presented in this guide to test connectivity to the Kafka cluster and the Kafka REST endpoint before whitelisting those endpoints.

Note that you need to whitelist both endpoints (ports 9092 and 443) on your firewall for the Confluent CLI to work.

Run through the following steps to validate Confluent Cloud connectivity is working correctly.

  1. Test connectivity to the Confluent Cloud cluster bootstrap endpoint:
  2. If connectivity can be successfully established, test data plane operations by producing/consuming using:

Test connectivity to Confluent Cloud

For public networking, VPC peering, VNet peering, and AWS Transit Gateway, test connectivity to the Confluent Cloud cluster using one of the tools, openSSL, Netcat, or Telnet.

For public endpoint clusters, run the command from any computer that has internet access.

For the cluster in private network environments, such as VPC peering, VNet peering, and AWS Transit Gateway, run the tests from within your VPC or VNet that is connected to the Confluent Cloud cluster.

Note that the host addresses of the Kafka bootstrap server and the REST endpoint are the same, and only the port numbers differ:

  • Use port 9092 to test the connection to the Kafka bootstrap server.
  • Use port 443 to test the connection to the Kafka REST endpoint.

To only test TCP connectivity, use Telnet and Netcat (or its successor Socat):

  • Netcat

    nc -zv <bootstrap-url> 9092
    
    nc -zv <bootstrap-url> 443
    
  • Telnet

    telnet <bootstrap-url> 9092
    
    telnet <bootstrap-url> 443
    

In addition to TCP connectivity, to also test TLS handshake and the certificate, use openSSL. With openSSL, you can send an SNI header:

  • openSSL

    openssl s_client -servername <bootstrap-url> -connect <bootstrap-url>:9092
    
    openssl s_client -servername <bootstrap-url> -connect <bootstrap-url>:443
    

    For details, see the openSSL documentation for the -connect option.

It is recommended that you use openSSL to test TCP and TLS because with the TCP testing only, it is difficult to make the distinction among the various causes when a connection fails, such as:

  • Timeout because of routing problems

  • Established connection, but you as the client not initiating the TLS handshake

  • Envoy disconnecting your connection because you do not send the SNI header

    For the TLS SNI extension requirement in Kafka clients, see Self-managed Kafka clients.

Troubleshoot connectivity issues

If connectivity to the bootstrap endpoint cannot be established, check your firewalls and other security configurations and restrictions that could prevent the connection to the Confluent Cloud cluster bootstrap endpoint.

Test connectivity to Kafka using Confluent CLI

After connectivity is successfully established, test data plane operations by producing/consuming using the Confluent CLI.

If using private networking, run the steps from an instance within the VPC or VNet to validate Kafka connectivity works correctly.

  1. Sign in to Confluent CLI with your Confluent Cloud credentials.

    confluent login
    
  2. List the clusters in your organization.

    confluent kafka cluster list
    
  3. Select the cluster with a PrivateLink, Private Link, Private Service Connect you wish to test.

    confluent kafka cluster use ...
    

    For example:

    confluent kafka cluster use lkc-a1b2c
    
  4. Create a cluster API key to authenticate with the cluster.

    confluent api-key create --resource ... --description ...
    

    For example:

    confluent api-key create --resource lkc-a1b2c --description "connectivity test"
    
  5. Select the API key you just created.

    confluent api-key use ... --resource ...
    

    For example:

    confluent api-key use WQDMCIQWLJDGYR5Q --resource lkc-a1b2c
    
  6. Create a test topic.

    confluent kafka topic create test
    
  7. Start consuming events from the test topic.

    confluent kafka topic consume test
    
  8. Open another terminal tab or window.

  9. Start a producer.

    confluent kafka topic produce test
    
  10. Type anything into the produce tab and hit Enter; press Ctrl+D or Ctrl+C to stop the producer.

  11. The tab running consume will print what was typed in the tab running produce.

Troubleshoot connectivity to Kafka brokers

Test connectivity to Kafka using other tools

After connectivity is successfully established, you can use the other clients and tools to test producing/consuming messages when Confluent CLI is not a viable option. Examples are kafka-topics, kafka-console-consumer, native command line tools, or Java and other clients. The following are a few of the test workflows you can use as references: