Private connectivity for Astra Streaming

By default, Astra Streaming shared clusters and Streaming Capacity Units use secure connections over the public internet.

With Streaming Capacity Units, you have the option to connect your Astra Streaming clusters to a private link service for inbound connections or to a private endpoint for outbound connections.

Private connection requirements

  • Private connections are only available for Streaming Capacity Units. This option isn’t available for shared clusters.

  • Your private link service or private endpoint must exist in the same cloud provider and region as your Astra Streaming cluster.

    If you want to use private connections for multiple clusters or tenants, you must prepare at least one private link service or private endpoint in each applicable cloud provider and region.

  • Astra Streaming supports AWS Private Link, Microsoft Azure Private Link, and Google Cloud Private Service Connect.

Enable private connections

To use a private link service or private endpoint for Astra Streaming, do the following:

  1. Get the name of the Astra Streaming clusters where you want to enable private connectivity.

    In the Astra Portal, click Streaming, and then find cluster names in the Tenants list.

  2. Get your cloud provider resource identifier:

  3. Contact DataStax Support to request private connectivity for Astra Streaming.

Private connections for inbound traffic

Astra Streaming supports private inbound traffic flowing from your private endpoint to Astra Streaming. Inbound traffic includes Apache Pulsar™, Apache Kafka®, and RabbitMQ messaging traffic, as well as Prometheus metrics traffic.

You create a connection to the DataStax private link service, and then DataStax routes traffic to your Astra Streaming Streaming Capacity Units.

If you have multiple tenants, they can have different VPCs. Each VPC will have the same private FQDN with different VNETs. The traffic on separate private end point connections is isolated until it reaches the DataStax load balancer.

The private link service pattern is the same across cloud providers, but the hostname depends on your Astra Streaming cluster’s cloud provider and region:

Inbound private link service endpoints
Service Endpoint pattern

Pulsar messaging

pulsar-PROVIDER-REGION.private.streaming.datastax.com:6651

Kafka messaging

kafka-PROVIDER-REGION.private.streaming.datastax.com:9093

RabbitMQ messaging

rabbitmq-PROVIDER-REGION.private.streaming.datastax.com

Prometheus metrics

prometheus-PROVIDER-REGION.private.streaming.datastax.com

Private connections for outbound traffic

On a case-by-case basis, Astra Streaming can support private outbound traffic flowing from a Astra Streaming private endpoint to your private link service.

DataStax opens a port on the tenant’s firewall to allow connectors and functions running in a dedicated namespace on an Astra Streaming cluster to connect to your private network. Each tenant has its own firewall.

Was this helpful?

Edit this page

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com