📣 Virtual Clusters with Zilla: Simplifying Multi-Tenancy in Kafka
Read the Blog Post ➔
Secure Public Access for Confluent Cloud with Zilla+

Seamlessly connect to privately-networked clusters across the internet

Enable Confluent and Apache Kafka® clients to access the full functionality of your privately-networked Confluent Cloud cluster even if they are running outside the cluster's AWS VPC network.

Zilla Plus is a certified Confluent and AWS Solution

Unleash Your Confluent Cloud Cluster

Private network deployments enhance the security of Confluent Cloud clusters—but they also block internet access, limiting hybrid cloud workflows and partner integrations. Zilla Plus solves this by acting as a public Kafka proxy in front of your privately networked cluster. With Zilla Plus, external clients can connect securely to publish messages, subscribe to topics, and run ksqlDB queries—without compromising your network boundaries.

MSK public access use cases
Partner Access

Allow external partners to subscribe to topics in your private Confluent Cloud cluster over a custom DNS domain. Enterprise-grade security is guaranteed through integrations with AWS Secrets Manager for public server certificates, ACM PCA for private client ones, and support for Confluent Cloud API keys used by external Kafka clients.

Incremental Migration

Zilla Plus relieves forklift efforts when migrating a Kafka deployment running outside of AWS to a privately-networked Confluent Cloud deployment. With it, your existing Kafka clients can reach your newly setup Confluent Cloud cluster from their native environment, allowing them to continue running as-is. Once ready, they can be incrementally carried over into the AWS cloud.

Local Access

Leverage your favorite Kafka tools directly from your local environment to streamline Confluent Cloud development and testing efforts in a secure setting.

Allow external partners to subscribe to topics in your private Confluent Cloud cluster over a custom DNS domain. Enterprise-grade security is guaranteed through integrations with AWS Secrets Manager and Certificate Manager as well as client authentication via Confluent Cloud API keys.

Zilla Plus relieves forklift efforts when migrating a Kafka deployment running outside of AWS to a privately-networked Confluent Cloud deployment. With Zilla Plus, your existing Kafka clients can reach your newly setup Confluent Cloud cluster from their native environment, allowing them to continue running as-is. Once ready, they can be incrementally carried over into the AWS cloud.

Leverage your favorite Kafka tools directly from your local environment to streamline Confluent Cloud development and testing efforts in a secure setting.

Secure, Scalable, Flexible

Zilla Plus is a Kafka-native proxy that routes traffic between Kafka clients and brokers using the native Kafka wire protocol. When deployed in front of a privately networked Confluent Cloud cluster, it enables secure, publicly accessible Kafka endpoints—allowing external clients to connect, publish, and subscribe without direct access to the cluster. Available as an AMI or container, Zilla Plus runs as an auto-scaling proxy group in a public VPC connected via PrivateLink to your secure Confluent Cloud deployment.

While Public Access is a feature of MSK, it exposes brokers directly to the public internet and lacks support for custom domain names.

Static Custom Domain Names

Zilla Plus integrates with AWS Secrets Manager and Certificate Manager to make it easy to configure Kafka entry points with custom domain names. This not only gives your external-facing endpoints a branded, professional appearance, but also provides a stable DNS name—even if you need to make changes to your Confluent Cloud cluster behind the scenes. One Zilla Plus deployment can support multiple custom domains and seamlessly front multiple Confluent Cloud clusters.

Confluent Cloud API Keys

Confluent Cloud API Keys are passed through Zilla proxies ensuring clients can be properly authenticated.

Stateless Design

Zilla proxies are stateless and only require a single Network Load Balancer. This reduces both the complexity and costs of scaling out.

Ready to Get Started?

Free trial available!
Available on
AWS Marketplace ➔
Setup Guide
Get up and running in minutes.
Docs ➔
Solution Brief
Zilla Plus for Confluent Cloud.
Download ➔

Comparing connectivity patterns

The Aklivity Public MSK Proxy is an AWS Qualified solution.

Features
Native Public Access
Configuration
Cloud
Formation Templates
Manual
Does not expose brokers to the public internet
Yes
No
No broker configuration changes required
Yes
No
Supports custom domain names
Yes
No
Requires only one EIP address (simplified firewall policies and client integrations)
Yes
No
Supports a multi-cluster deployment
Yes
No
Integration with AWS Secrets Manager for public server certificates
Yes
Yes
Integration with ACM PCA for client certificates
Yes
Yes
TLS client identity propagation
Yes
Yes
Support for IAM authentication
No
Yes
Cost
$$
$
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.