Networking in StreamNative Cloud
StreamNative Cloud supports the following networking solutions:
-
BYOC Clusters are accessible through secure public endpoints or Private Link connections.
BYOC clusters support only one endpoint. If you use Private Link, your cluster will not have public endpoints, and you can access your cluster only from Private Endpoints in accounts you have registered with StreamNative Cloud.
-
BYOC Pro clusters are accessible through secure public endpoints, Private Link connections, VPC/VNet peering, or AWS Transit Gateway.
BYOC Pro clusters can have multiple endpoints, including both public and private endpoints.
-
Serverless and Dedicated clusters are accessible through secure public endpoints.
All connections to StreamNative Cloud are encrypted with TLS 1.2 and require authentication using OAuth2 or API keys, regardless of network configuration.
After a cluster has been provisioned, you cannot change its networking solution type between public and private.
StreamNative Cloud uses the following ports and protocols for StreamNative Cloud services:
Control Plane Services
| Service | Port | Protocol |
|---|---|---|
| StreamNative Cloud Console | 443 | HTTPS |
| StreamNative Cloud API | 443 | HTTPS |
| StreamNative Metrics API | 443 | HTTPS |
Data Plane Services
| Service | Port | Protocol |
|---|---|---|
| Pulsar Broker Service | 6651 | TLS |
| Pulsar HTTPS Service | 443 | HTTPS |
| Pulsar Websocket Service | 443 | TLS |
| Kafka Broker Service | 9093 | TLS |
| Kafka Schema Registry | 443 | HTTPS |
| Kafka Connect Admin Service | 443 | HTTPS |
| MQTT Service | 8883 | TLS |
Considerations for public vs. private networking type
Using a private or public connectivity with StreamNative Cloud is a trade-off:
-
With private networking, your cluster cannot be accessed from the public endpoints, eliminating potential security threats.
-
Private networking requires you to manage the peered or linked networks to ensure all your client applications and developers have the needed access to StreamNative Cloud.
-
If you use private networking (VPC peering, VNet peering, or Private Links), you cannot directly connect from your local laptop or an on-premises data center to StreamNative Cloud.
To do this, you must first route to a shared services VPC or VNet that you own and connect that to StreamNative Cloud using VPC/VNet peering (along with a proxy) or Private Link.
If you are interested in this configuration for StreamNative Cloud, contact your StreamNative sales representative.
-
IP addresses for ingress public endpoints are not static. These ingress public endpoints include the endpoints of each StreamNative cluster, such as the Pulsar broker service, Pulsar admin service, Pulsar websocket service, Kafka broker service, Kafka schema registry, Kafka Connect admin service, and MQTT service. They also include the endpoints for StreamNative’s control plane services.
The endpoints can assume any public IP, without a specific range.
-
Native Pulsar or Kafka clients are not designed to work seamlessly in forward proxy environments. If you are producing HTTPs records, consider using the REST API instead.
Public networking solutions
StreamNative Cloud provides secure and scalable data streaming services accessible via public endpoints. This public connectivity is available for all cluster types, offering flexibility and ease of access. Key features include:
-
Cross-organization sharing: Services can be securely shared across different organizations.
-
Availability: Public connectivity is available for all cluster types.
-
BYOC flexibility: For BYOC clusters, public endpoints can be disabled if private networking is preferred.
-
Enhanced security: All public endpoints are protected by a robust proxy layer, which provides defense against various network-level threats, including:
- Denial of Service (DoS) attacks
- Distributed Denial of Service (DDoS) attacks
- SYN flooding
- Other common network-level attack vectors
This combination of accessibility and security measures ensures that StreamNative Cloud can meet diverse organizational needs while maintaining a strong security posture.
Private networking solutions
StreamNative Cloud includes support for data streaming services that are shared privately with organizations on private networks and offer additional customization and controls for security and privacy. Private networking are currently supported in StreamNative BYOC (& BYOC Pro) clusters only.
StreamNative Cloud clusters using private networking solutions are not accessible from the public endpoints.
The following table summarizes the private networking solutions supported by StreamNative Cloud. For details on each solution, see the specific documentation for each networking type.
| Cloud service provider | Supported networing solution | Supported cluster type |
|---|---|---|
| AWS | AWS PrivateLink | BYOC, BYOC Pro |
| AWS VPC peering | BYOC Pro | |
| AWS Transit Gateway | BYOC Pro | |
| Azure | Azure Private Link | BYOC, BYOC Pro |
| Azure VNet peering | BYOC Pro | |
| Google Cloud | Google Cloud Private Service Connect | BYOC, BYOC Pro |
| Google Cloud VPC peering | BYOC Pro |