Applies To
Confluent Cloud Private Link, VPC Peered and Transit Gateway users using Proxy for Confluent Cloud UI access to their topics
Summary
We would like to provide you with information about an upcoming change to Confluent Cloud. Unless action is taken, the Confluent Cloud Console UI will no longer display Kafka Topics in browsers that reach Private Link clusters via a proxy or reverse SSH tunnel. This change will begin rolling out on January 31, 2023. Produce and consume operations will not be affected, as this change is limited to the Confluent Cloud Console UI.
Please see the following for an explanation of the change, the scope of impact, and necessary actions:
Today the Confluent Cloud Console uses private endpoints on port 443 (as listed below) to display Topics and other administrative information.
For Private Link networking:
lkac<lkc-12345>-<nid>.us-west-2.aws.glb.confluent.cloud:443
For Transit Gateway or VPC peering:
<pkac-67890>.us-west-2.aws.confluent.cloud:443
For browsers displaying these resources, a proxy or reverse SSH tunnel may be configured to send requests over the private network connection. While using these solutions, users must update their local DNS configuration to resolve these hostnames accordingly.
The change will adapt the Confluent Cloud UI to use the REST Endpoint along with the “lkaclkc/pkac” endpoint.
The Kafka Bootstrap hostname remains unchanged and produce/consume operations will not be affected.
Once the change is introduced, the endpoints that power the Confluent Cloud UI for cluster ID lkc-12345 will be as follows:
For Private Link networking:
Existing endpoint:
lkac<lkc-12345>-<nid>.us-west-2.aws.glb.confluent.cloud:443
(New) REST endpoint:
<lkc-12345>-<nid>.us-west-2.aws.glb.confluent.cloud:443
For Transit Gateway or VPC peering:
Existing endpoint:
<pkac-12345>.us-west-2.aws.confluent.cloud:443
(New) REST endpoint:
<pkc-67890>.us-west-2.aws.confluent.cloud:443
Note: The Kafka REST FQDN is the same as the Kafka bootstrap FQDN, but it uses port 443 because it is a RESTful HTTP service.
Action Required
Action is required only from Private Networking (Private Link, VPC Peered, Transit Gateway) users who use a proxy or a reverse SSH tunnel to give the Confluent Cloud UI access to their topics. For the Confluent Cloud Console UI to display resources properly, you must update your proxy or reverse SSH tunnel and your local DNS resolution.
- You may need to add the DNS record for the REST endpoint and update proxy configurations.
- Endpoint-specific proxy configurations may require updating (e.g. HAProxy) whereas no changes are needed for endpoint-agnostic proxy configurations (e.g. NGINX).
- Reverse SSH tunnels may need to be re-established.
- The Kafka Bootstrap endpoint remains unchanged.
Please see the example below for the endpoint that must be added to the configuration.
For Private Link networking:
(New) REST endpoint:
<lkc-12345>-<nid>.us-west-2.aws.glb.confluent.cloud:443
For Transit Gateway or VPC peering:
(New) REST endpoint:
<pkc-67890>.us-west-2.aws.confluent.cloud:443
To discover the REST endpoint for a given cluster, please run this command via the Confluent CLI:
confluent kafka cluster describe <cluster id>
If this is not done before the change is made, the connection disruption may appear in the UI as a red banner in the top portion of the page, indicating connection issues between the UI and the cluster.
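The DNS part of this action can be checked before the rollout. The shell example below is added here and is not Confluent's code: it derives the REST endpoint from a bootstrap endpoint, as the note above describes, and lists which UI endpoints still have no local entry pointing at the proxy. The hosts-file format for local DNS overrides, the proxy address 10.0.0.10, the bootstrap port 9092 and the function names are assumptions; the hostnames reuse this page's placeholder IDs.

```shell
#!/bin/sh
# Added example, not Confluent's code. Assumes local DNS overrides live in a
# hosts-format file (IP followed by names). All sample values are constructed.

# Kafka REST endpoint = bootstrap FQDN on port 443 (per the note above).
# Accepts "host", "host:port" or "SCHEME://host:port".
rest_endpoint() {
    host=${1#*://}      # drop a scheme such as SASL_SSL:// if present
    host=${host%%:*}    # drop the bootstrap port if present
    printf '%s:443\n' "$host"
}

# Print the hostname of every endpoint ("host" or "host:port") that has no
# entry for proxy IP $2 in hosts file $1. Comments in the file are ignored.
missing_hosts() {
    file=$1 ip=$2
    shift 2
    for ep in "$@"; do
        name=${ep%%:*}
        awk -v ip="$ip" -v name="$name" '
            { sub(/#.*/, "") }
            $1 == ip { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) found = 1 }
            END { exit !found }
        ' "$file" || printf '%s\n' "$name"
    done
}

# Constructed demo: a hosts file written before the change knows only the
# existing UI endpoint, so the REST endpoint is reported as missing.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# proxy entries added before the change
10.0.0.10 pkac-67890.us-west-2.aws.confluent.cloud
EOF
    rest=$(rest_endpoint 'SASL_SSL://pkc-67890.us-west-2.aws.confluent.cloud:9092')
    missing_hosts "$tmp" 10.0.0.10 \
        pkac-67890.us-west-2.aws.confluent.cloud:443 "$rest"
    rm -f "$tmp"
}
demo
```

Substitute the endpoint reported by `confluent kafka cluster describe <cluster id>` and your own proxy address; an empty result from `missing_hosts` means every listed endpoint has a local entry.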
Troubleshooting
Please refer to the following article for troubleshooting steps:
Troubleshooting guide for Kafka REST enablement for private networking