Secure streaming data with Private Service Connect for Confluent Cloud
Mark Church
Product Manager, Google Cloud
Data speed and security should not be mutually exclusive, which is why Confluent Cloud, a cloud-first data streaming platform built by the founders of Apache Kafka, encrypts your data both at rest and in transit.
However, for the most sensitive data — particularly data generated by organizations in highly regulated industries such as financial services and healthcare — only fully segregated private pipelines will do. That’s why we're excited to announce that Confluent Cloud now supports Google Cloud Private Service Connect (PSC) for secure network connectivity.
A better data security solution
For many companies, a multi-layer data security policy starts with minimizing the network attack surface exposed to the public internet. Keeping key resources such as Apache Kafka clusters off the internet removes a whole class of problems: opportunistic intrusion attempts, DDoS attacks, spam, and so on. To reach those resources privately, organizations have relied on virtual private cloud (VPC) peering, in which two networks exchange routes so that each can reach the other's address ranges. Peering works, but it has its downsides.
VPC peering requires both parties to coordinate on IP address blocks: the ranges on the two sides must not overlap, and every network you peer adds to that constraint. Many companies have limited IP space, and finding an available block can be challenging, requiring a lot of back and forth between teams. This is especially painful in large organizations with hundreds of networks connected in sophisticated topologies. Applications that need access to Kafka are likely spread across many of those networks, and peering each of them to Confluent Cloud is a lot of work.
Another concern with VPC peering is that it is bidirectional at the routing layer: each party gets a route into the other's network, and keeping the peer out then depends on firewall rules. Confluent Cloud users want their clients to initiate connections to Confluent Cloud while denying Confluent any path back into their network.
Google Cloud PSC overcomes these shortfalls. PSC provides a one-way, private connection from your VPC to Confluent Cloud. Confluent exposes a service attachment for each new Confluent Cloud network, and customers create corresponding PSC endpoints in their own VPCs on Google Cloud. There is no need to juggle IP address blocks: each endpoint consumes a single address from your own subnet, and clients connect to that address. Because the connection is only ever initiated from the customer side, there is less surface area for the network security team to keep secure. Making dozens or even hundreds of PSC connections to a single Confluent Cloud network requires no extra coordination, either with Confluent or within your organization.
This networking option combines a high level of data security with ease of setup and use. Benefits of using Private Service Connect with your Confluent Cloud networks include:
A unidirectional connection: traffic flows over Private Service Connect to Confluent Cloud only when an endpoint in your VPC network initiates it
Centralized DNS: resolution of Confluent hostnames to your private endpoints is configured in Cloud DNS from the Google Cloud Console
Project allow-listing: Confluent accepts connections only from the Google Cloud project IDs you register, so only your trusted projects can reach the service attachment
No CIDR coordination: your network and Confluent Cloud never need to agree on address ranges
To learn how to use Private Service Connect with your Confluent Cloud networks, read the developer documentation on confluent.com.
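The procedure the list above describes, as an added example that is not code from the Google Cloud post or from Confluent's documentation: a shell script that reserves an address in your subnet, creates the PSC endpoint against the Confluent service attachment, creates the private DNS zone that points the cluster's hostnames at the endpoint, and then checks whether Confluent accepted the connection. The project, region, network, subnet, endpoint IP, service attachment URI and DNS domain are placeholders you substitute with the values Confluent Cloud shows for your network; a single endpoint with one wildcard A record is an assumption for a single-zone setup.

```shell
#!/bin/sh
# Added example (not from the Google Cloud post or Confluent's docs): the gcloud
# steps that turn a Confluent Cloud service attachment into a PSC endpoint in
# your VPC, plus the private DNS that resolves the cluster's hostnames to it.
# Every value below is a placeholder; SERVICE_ATTACHMENT and DNS_DOMAIN come
# from the Confluent Cloud network you created.
set -eu

PROJECT="${PROJECT:-my-project}"          # consumer project; register this ID with Confluent
REGION="${REGION:-us-central1}"           # must match the service attachment's region
NETWORK="${NETWORK:-my-vpc}"
SUBNET="${SUBNET:-my-subnet}"
ENDPOINT_NAME="${ENDPOINT_NAME:-confluent-psc}"
ENDPOINT_IP="${ENDPOINT_IP:-10.10.0.5}"   # any free IP in SUBNET; nothing is coordinated with Confluent
SERVICE_ATTACHMENT="${SERVICE_ATTACHMENT:-projects/confluent-project/regions/us-central1/serviceAttachments/example-attachment}"
DNS_DOMAIN="${DNS_DOMAIN:-example.us-central1.gcp.confluent.cloud.}"  # trailing dot: Cloud DNS wants an FQDN
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands for review, 0 = run them

# Print (dry run) or execute one command.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: reserve an internal address in your own subnet for the endpoint.
reserve_endpoint_ip() {
  run gcloud compute addresses create "$ENDPOINT_NAME-ip" \
    --project="$PROJECT" --region="$REGION" \
    --subnet="$SUBNET" --addresses="$ENDPOINT_IP"
}

# Step 2: the PSC endpoint is a forwarding rule whose target is Confluent's
# service attachment. Only this side initiates; Confluent gets no route into NETWORK.
create_endpoint() {
  run gcloud compute forwarding-rules create "$ENDPOINT_NAME" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK" \
    --address="$ENDPOINT_NAME-ip" \
    --target-service-attachment="$SERVICE_ATTACHMENT"
}

# Step 3: a private Cloud DNS zone visible only to NETWORK, with a wildcard
# record so bootstrap and broker hostnames resolve to the endpoint IP.
# Assumption: one endpoint for the whole network. Multi-zone deployments use
# one endpoint per zone and per-zone records; follow Confluent's docs for those.
create_private_dns() {
  run gcloud dns managed-zones create "$ENDPOINT_NAME-zone" \
    --project="$PROJECT" --dns-name="$DNS_DOMAIN" \
    --visibility=private --networks="$NETWORK" \
    --description="Confluent Cloud PSC"
  run gcloud dns record-sets create "*.$DNS_DOMAIN" \
    --project="$PROJECT" --zone="$ENDPOINT_NAME-zone" \
    --type=A --ttl=300 --rrdatas="$ENDPOINT_IP"
}

# Step 4: Confluent accepts connections only from registered project IDs, so a
# missing registration shows up here as PENDING or REJECTED rather than ACCEPTED.
endpoint_status_cmd() {
  run gcloud compute forwarding-rules describe "$ENDPOINT_NAME" \
    --project="$PROJECT" --region="$REGION" \
    --format='value(pscConnectionStatus)'
}
endpoint_accepted() { [ "$1" = "ACCEPTED" ]; }

create_confluent_psc_endpoint() {
  reserve_endpoint_ip
  create_endpoint
  create_private_dns
}

create_confluent_psc_endpoint
if [ "$DRY_RUN" = "1" ]; then
  endpoint_status_cmd
else
  endpoint_accepted "$(endpoint_status_cmd)" || {
    echo "PSC connection is not ACCEPTED: check that $PROJECT is registered with Confluent Cloud" >&2
    exit 1
  }
fi
```

Run it once with the default DRY_RUN=1 to review the exact gcloud invocations, then with DRY_RUN=0 to apply them. Three checks are worth doing afterwards: the forwarding rule reports pscConnectionStatus ACCEPTED, a VM in the VPC resolves the cluster's bootstrap hostname to the endpoint IP and not to a public address, and the VPC's egress firewall rules allow TCP 9092 to that IP, since the private path does nothing for a client that cannot reach it.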
The power of managed Kafka on Google Cloud
Confluent on Google Cloud brings the power of real-time data streaming to organizations without the exorbitant costs and technical challenges of in-house solutions. As Confluent grows and reaches across different industries, it will continue to support more customers who face highly regulated or otherwise risk-averse use cases. For those customers, private connectivity from their own virtual network is the right way to reach Confluent's SaaS offerings. Confluent can now address this need with Private Service Connect, which simplifies architectures and connectivity in Google Cloud while keeping cluster traffic off the public internet, reducing the exposure to data exfiltration that an internet-facing path carries.
With the addition of Private Service Connect support, it’s easier than ever for organizations in need of private connectivity to take advantage of Confluent’s fully managed cloud service on Google Cloud to help eliminate the burdens and risks of self-managing Kafka and focus more time on building apps that differentiate your business.
Get started with a free trial on the Google Cloud Marketplace today. And to learn more about the launch of Private Service Connect, visit cnfl.io/psc.