Aklivity becomes a certified Connect with Confluent partner! Read the
announcement→
Secure Public Access to Confluent Cloud with Zilla+

Seamlessly connect to privately-networked Confluent Cloud clusters across the internet

Enable Confluent and Kafka® clients to access the full functionality of your Confluent Cloud cluster even if they are running outside the cluster's AWS VPC network.

Zilla Plus is a certified Confluent and AWS Solution
Unleash Your Confluent Cloud Cluster

A private network deployment provides an extra layer of security for Confluent Cloud clusters. However, it also makes such clusters inaccessible over the internet. This holds back hybrid/multi-cloud setups and partner integration initiatives. By configuring Zilla Plus as public Kafka proxy and deploying it in front of a privately-networked cluster, your external clients can subscribe to and manage topics, publish messages, and run ksqlDB queries.

MSK public access use cases
Partner Access

Allow external partners to subscribe to topics in your private Confluent Cloud cluster over a custom DNS domain. Enterprise-grade security is guaranteed through integrations with AWS Secrets Manager for public server certificates, ACM PCA for private client ones, and support for Confluent Cloud API keys used by external Kafka clients.

Incremental Migration

Zilla Plus relieves forklift efforts when migrating a Kafka deployment running outside of AWS to a privately-networked Confluent Cloud deployment. With it, your existing Kafka clients can reach your newly setup Confluent Cloud cluster from their native environment, allowing them to continue running as-is. Once ready, they can be incrementally carried over into the AWS cloud.

Local Access

Leverage your favorite Kafka tools directly from your local environment to streamline Confluent Cloud development and testing efforts in a secure setting.

Allow external partners to subscribe to topics in your private Confluent Cloud cluster over a custom DNS domain. Enterprise-grade security is guaranteed through integrations with AWS Secrets Manager and Certificate Manager as well as client authentication via Confluent Cloud API keys.

Zilla Plus relieves forklift efforts when migrating a Kafka deployment running outside of AWS to a privately-networked Confluent Cloud deployment. With Zilla Plus, your existing Kafka clients can reach your newly setup Confluent Cloud cluster from their native environment, allowing them to continue running as-is. Once ready, they can be incrementally carried over into the AWS cloud.

Leverage your favorite Kafka tools directly from your local environment to streamline Confluent Cloud development and testing efforts in a secure setting.

Secure, Scalable, Flexible

Zilla Plus is a proxy that relies on native Kafka wire protocol support to route connectivity between Kafka clients and brokers. By deploying it in front of a privately networked Confluent Cloud cluster, it allows creating publicly reachable Kafka entry points that external clients can use to connect, publish messages and subscribe to topics in the cluster. Offered as an AMI and configured via CloudFormation, a Zilla Plus deployment consists of an auto-scaling proxy group inside a public VPC that is PrivateLinked to a secure Confluent Cloud cluster.

While Public Access is a feature of MSK, it exposes brokers directly to the public internet and lacks support for custom domain names.

Static Custom Domain Names

Integrations with AWS Secrets and Certificate Managers enable configuring Kafka entry points with a custom domain name. A custom domain not only helps achieve a properly branded interface for external parties, but provides a static DNS name should it become necessary to modify your Confluent Cloud cluster behind the scenes. A single Zilla Plus deployment can support multiple custom domains and run in front of multiple Confluent Cloud clusters.

Confluent Cloud API Keys

Confluent Cloud API Keys are passed through Zilla proxies ensuring clients can be properly authenticated.

Stateless Design

Zilla proxies are stateless and only require a single Network Load Balancer. This reduces both the complexity and costs of scaling out.

Available on
AWS Marketplace ➔
Setup Guide
Get up and running in minutes.
Docs ➔
Solution Brief
Zilla Plus for Confluent Cloud.
Download ➔

Comparing connectivity patterns

The Aklivity Public MSK Proxy is an AWS Qualified solution.

Features
Native Public Access
Configuration
Cloud
Formation Templates
Manual
Does not expose brokers to the public internet
Yes
No
No broker configuration changes required
Yes
No
Supports custom domain names
Yes
No
Requires only one EIP address (simplified firewall policies and client integrations)
Yes
No
Supports a multi-cluster deployment
Yes
No
Integration with AWS Secrets Manager for public server certificates
Yes
Yes
Integration with ACM PCA for client certificates
Yes
Yes
TLS client identity propagation
Yes
Yes
Support for IAM authentication
No
Yes
Cost
$$
$
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.