Alephys


Cloudera

Confluent Cloud Private Link: Secure, Private, and Simplified Networking for Modern Data Pipelines

As organizations continue shifting toward fully managed cloud data platforms, network security and connectivity architecture have become core priorities. Confluent Cloud, powered by Apache Kafka, addresses these challenges by integrating deeply with the Private Link technologies of AWS, Azure, and Google Cloud. With Private Link, Confluent Cloud offers fully private connections between customer environments and Kafka clusters that are never exposed to the internet. In this article, we explore how Confluent Cloud uses inbound and outbound Private Link endpoints, along with its Private Link Service (PLS), to deliver secure, compliant, and simplified data connectivity.

What Is Private Link and Why It Matters

Private Link technologies, including AWS PrivateLink, Azure Private Link, and GCP Private Service Connect (PSC), let organizations establish direct, private communication paths between their VPCs/VNets and external cloud services. For Confluent Cloud users, this means Kafka clusters and connected systems can communicate without ever traversing the public internet. The result: reduced risk, simplified networking, and streamlined compliance.

Important Note on Connectivity Options

While Private Link provides service-level connectivity, Confluent Cloud also supports alternative private networking approaches for different architectural needs:

- VPC Peering: offers full bidirectional connectivity but requires CIDR coordination.
- AWS Transit Gateway: simplifies multi-VPC architectures by acting as a cloud router; popular for large-scale deployments.
- GCP VPC Peering: the Google Cloud equivalent of AWS peering.

Private Link, by contrast, provides unidirectional, service-specific connectivity, making it ideal for organizations that require strict access controls and a simplified network architecture.

Inbound Private Link Endpoints

Inbound Private Link endpoints give customer applications a private IP path to Confluent Cloud Kafka clusters from within their own VPC or VNet.

Why This Matters

- Secure Access: no public endpoints or public IP exposure.
- Reduced Attack Surface: all traffic remains on the cloud provider's private backbone.
- Simplified Networking Across Regions: eliminates the need for VPC peering, complex routing, or VPN setups.
- Lower Latency and Higher Throughput: direct connectivity through Private Link often results in measurably lower latency and higher throughput than public endpoints or complex routing architectures, improving application performance.

Inbound Private Link is the recommended method for securely connecting applications to Confluent Cloud.

Outbound Private Link Endpoints

Outbound endpoints allow Confluent Cloud services, such as managed connectors, ksqlDB, and other data processing components, to privately access systems running inside a customer's environment.

Why This Matters

- Secure Integration: private access to internal databases, APIs, and applications.
- Multi-Cloud Consistency: works across AWS, Azure, and GCP with a uniform model. Confluent Cloud now supports cross-cloud Cluster Linking with private networking across AWS, Azure, and Google Cloud, enabling multi-region and multi-cloud strategies.
- Compliance-Friendly: sensitive data stays private and never requires public exposure.
- Granular Access Control: Private Link maps endpoints to specific resources, restricting access to only the mapped service. In a security incident, only that specific resource would be reachable, not the entire peered network.

Important Operational Details

- Managed Connectors: can use Egress Private Link Endpoints to access private internal systems, but when Egress Private Link is not configured they still use public IP addresses to connect to public endpoints.
- ksqlDB Provisioning: new ksqlDB instances require internet access for provisioning; once provisioned, they are fully accessible over Private Link connections.
- Schema Registry Internet Access: Confluent Cloud Schema Registry remains partially accessible over the internet even when Private Link is configured. Specifically, internal Confluent components (fully managed connectors, Flink SQL, and ksqlDB) continue to reach Schema Registry over the public internet using uniquely identified traffic that bypasses IP filtering policies. This must be accounted for in security and firewall planning.

Outbound Private Link is particularly valuable when connectors need to interact securely with internal databases or APIs.

Private Link Service: The Core of the Architecture

At the center of Confluent's Private Link implementation is the Private Link Service (PLS). This service:

- privately exposes Kafka clusters through endpoint connections;
- maps customer endpoints to Confluent-managed infrastructure using SNI (Server Name Indication) routing at Layer 7;
- maintains stable, resilient connectivity through that SNI-based routing, so connections keep working even as brokers scale, rotate, or are replaced and the underlying infrastructure changes.

PLS supports both inbound and outbound Private Link connections, ensuring a unified private networking model.

Architecture Overview

The end-to-end flow of Confluent Cloud's Private Link model shows that all traffic remains completely private, with no public ingress or egress required (except for the noted Schema Registry internal component access and provisioning requirements).

Key Benefits of Confluent Cloud Private Link

1. Enhanced Security

Your data stays fully within the cloud provider's private network. This dramatically reduces exposure and eliminates the need for public-facing endpoints. Private Link provides defense in depth through isolated, service-level connections, ensuring that network access is restricted to only the specific Confluent Cloud resources you have explicitly configured.

2. Simplified Networking, with Important Caveats

With Private Link, you can avoid:

- VPC/VNet peering and the associated CIDR coordination complexity
- VPNs, with their associated latency and complexity
- NAT gateways and their associated costs
- traditional firewall reconfiguration for IP whitelisting

Infrastructure becomes cleaner, easier to manage, and more scalable. However, this simplified networking still requires DNS configuration. Organizations must:

- create private hosted zones in their DNS service (Route 53 for AWS, the equivalent for Azure/GCP);
- create CNAME records mapping Confluent domains to their VPC endpoints;
- ensure DNS requests to public authorities can traverse to the private DNS zones.

While simpler than VPC peering, Private Link DNS configuration does carry operational complexity that security and networking teams should account for.

3. Internet Connectivity Requirements

Organizations implementing fully private networking with Private Link must understand that VPCs using Private Link still require outbound internet access for:

- Confluent Cloud Schema Registry access (particularly for internal component connectivity)
- ksqlDB provisioning and management
- Confluent CLI authentication
- DNS requests to public authorities (particularly important for private hosted zone delegation)
- management and control plane operation

This is a critical consideration for firewall rules and egress filtering policies.

4. Performance Improvements

Direct connectivity through Private Link often results in lower latency and higher throughput than public endpoints or complex routing architectures. This translates into improved application performance and better data pipeline efficiency, which is particularly important for real-time streaming.


Designing a Scalable Data Loading and Custom Logging Framework for ETL Jobs using Hive and PySpark

Introduction

Efficient ETL (Extract, Transform, Load) pipelines are the backbone of modern data processing architectures. However, building reliable pipelines requires more than just moving data: it demands robust logging, monitoring, and anomaly detection to quickly identify and resolve issues before they impact business decisions. To meet this need, we developed a modular data loading and custom logging framework tailored for the Cloudera Data Platform (CDP). The framework's main focus is comprehensive logging and intelligent anomaly detection that provide deep observability into ETL processes.

At the heart of this framework are two core components:

In this blog, we walk you through the design and execution of this framework, showing how it boosts reliability and scalability in data pipelines.

Why Build a Custom Data Loading and Logging Framework?

Traditional ad-hoc ETL scripts often suffer from:

This framework addresses these gaps by:

Key Benefits of a Logging-Centric ETL Framework

Prerequisites

Ensure your environment is ready with:

Framework Components

1. job.py: the data loading orchestrator

2. logger.py: the custom logging and anomaly detection engine

Workflow Execution:

Anomaly Detection Process

Anomaly detection is a cornerstone of this logging framework, enabling proactive data quality management:

Conclusion

By integrating custom logging and anomaly detection directly into your ETL jobs, this framework significantly enhances pipeline observability and resilience. It enables data teams to proactively monitor data quality, quickly identify issues, and scale ETL operations with confidence. We encourage data engineering teams to adopt similar logging-centric ETL frameworks to future-proof their data infrastructure and drive better, faster decision-making.

Ready to Streamline Your ETL Workflows?

At Alephys, we work closely with data teams to design and implement modular, logging-first ETL frameworks that elevate pipeline reliability, traceability, and scale. Built to establish trust from source to sink, this framework brings structure and control to even the most complex data environments. With built-in logging and anomaly detection at the job level, teams gain deeper visibility into their data flows, making it easier to catch issues early, enforce data quality standards, and respond quickly to anomalies. The result is a more resilient and transparent ETL process that supports confident decision-making and continuous scaling. By embedding these capabilities directly into your ETL architecture, we help you unlock operational efficiency and lay the groundwork for a future-ready data platform.

Authors: Jayakrishna Vutukuri, Senior Systems Architect at Alephys (LinkedIn); Saketh Gadde, Data Consultant at Alephys (LinkedIn)

We design scalable data pipelines and automation frameworks that power efficient data-driven decision-making. Connect with us on LinkedIn to discuss building reliable ETL platforms and operationalizing data quality in Spark and Hive environments.


Cloudera Navigator to Apache Atlas Migration

Introduction

Organizations using CDH for their big data requirements typically rely on Cloudera Navigator for features like search, auditing, and data lifecycle management. However, with the advent of CDP (Cloudera Data Platform), Apache Atlas replaces Navigator, offering enhanced data discovery, cataloging, metadata management, and data governance. In this guide, we explore the differences between Cloudera Navigator and Apache Atlas, explain why an organization may need these tools, and outline the steps for migrating from Navigator to Atlas.

What is Cloudera Navigator?

Cloudera Navigator is the tool that powers data discovery, lineage tracking, auditing, and policy management within CDH. It helps businesses efficiently manage large datasets, ensuring regulatory compliance, data governance, and data security.

Why Do Organizations Use Cloudera Navigator?

- Self-Service Data Access: enables business users to find and access data efficiently.
- Auditing and Security: tracks all data access attempts, ensuring security and compliance.
- Provenance and Integrity: allows tracing data back to its source to ensure accuracy and trustworthiness.

What is Apache Atlas?

Apache Atlas, introduced in CDP, enhances data governance with rich metadata management, data classification, and lineage tracking.

Key Features of Apache Atlas:

- Data Classification: classify data entities with labels (e.g., PII, Sensitive).
- Lineage Tracking: visualize the flow of data through its transformations.
- Business Glossary: create and manage definitions for business terms, enabling a common understanding across teams.

Why Switch to Atlas?

Organizations migrating to CDP benefit from the advanced governance capabilities provided by Atlas:

- Enhanced Metadata Management: covers broader data entities and sources.
- Modern Data Governance: better support for emerging data governance needs.
- Better Integration: works seamlessly with CDP components like Apache Ranger for auditing and security.
Comparison of Cloudera Navigator and Apache Atlas

Feature           | Cloudera Navigator                              | Apache Atlas
Metadata Entities | HDFS, S3, Hive, Impala, YARN, Spark, Pig, Sqoop | HDFS, S3, Hive, Impala, Spark, HBase, Kafka
Custom Metadata   | Yes                                             | Yes
Lineage           | Yes                                             | Yes
Tags              | Yes                                             | Yes
Audit             | Yes                                             | No** (handled by Ranger in CDP)

Key Notes for Migration:

- HDFS entities in Atlas are only referenced by services like Hive.
- Sqoop, Pig, MapReduce, Oozie, and YARN metadata are not migrated to Atlas.
- Audits are managed by Apache Ranger in CDP.

Steps for Sidecar Migration from Navigator to Atlas

1. Prerequisites

- Ensure the last Navigator purge is complete.
- Check disk space: for every million entities, allocate 100 MB of disk space.

2. Extracting Metadata from Navigator

- Log in to the Navigator host.
- Ensure JAVA_HOME and java.tmp.dir are configured correctly.
- Locate the cnav.sh script (typically at /opt/cloudera/cm-agent/service/navigator/cnav.sh).
- Run the script with the following options:

nohup sh /path/to/cnav.sh -n http://<Navigator Hostname>:7187 -u <user> -p <password> -c <Cluster Name> -o <output.zip> &

For error handling, use the repair option:

nohup sh /path/to/cnav.sh -r ON -n http://<Navigator Hostname>:7187 -u <user> -p <password> -c <Cluster Name> -o <output.zip> &

3. Transforming Metadata for Atlas

- Locate the nav2atlas.sh script (typically at /opt/cloudera/parcels/CDH/lib/atlas/tools/nav2atlas/nav2atlas.sh).
- Set JAVA_HOME and add the following line to the atlas-application.properties file:

atlas.nav2atlas.backing.store.temp.directory=/var/lib/atlas/tmp

- Run the transformation script:

nohup /path/to/nav2atlas.sh -cn cm -f /path/to/cnavoutput.zip -o /path/to/nav2atlasoutput.zip &

4. Loading Data into Atlas

- Increase the Java heap size for HBase (hbase_regionserver_java_heapsize) to 31 GB.
- Increase the Java heap size for Solr (solr_java_heapsize) to 31 GB.
- Increase the Java heap size for Atlas (atlas_max_heapsize) to 31 GB.
- Set Atlas to migration mode by adding the following properties in conf/atlas-application.properties_role_safety_valve:

atlas.migration.data.filename=<full path to the nav2atlas output file.zip>
atlas.migration.mode.batch.size=3000
atlas.migration.mode.workers=32
atlas.patch.numWorkers=32
atlas.patch.batchSize=300

(If the nav2atlas.sh script generates multiple files, you can use a regex in atlas.migration.data.filename to import them all at once.)

- Restart the Atlas service to start the import.
- Check the logs in /var/log/atlas/application.log.

After the Load Is Done

Once the migration is complete, bring Atlas out of migration mode by removing the properties that were added in the previous step. Once Atlas is out of migration mode, verify the number of entities migrated and spot-check some of the migrated entities. A few entities may be dropped because of missing parameters in the source cluster.

Conclusion

Migrating from Cloudera Navigator to Apache Atlas offers improved data governance and cataloging features, crucial for modern data-driven organizations. By following the steps outlined above, organizations can smoothly transition their metadata management while maintaining compliance and audit-readiness.

Authored by Hruday Kumar Settipalle, Solution Architect at Alephys.
