Private connectivity

To better protect your streaming connections, connect Astra Streaming to a private link service for inbound connectivity, or to a private endpoint for outbound connectivity.

Private connections are only available within the same cloud provider and region as your Astra Streaming cluster.

To open a private link service or private endpoint, open a support ticket and include the credentials required for your cloud provider.

Inbound traffic

Astra Streaming supports inbound traffic (i.e. Your private endpoint → Astra Streaming). The first inbound traffic pattern describes Pulsar, Kafka, and RabbitMQ messaging traffic, as well as Prometheus metrics traffic, flowing from a user’s private endpoint to Astra Streaming.

You create a connection to our private link service, and we route traffic to your Astra Streaming cluster. If you have multiple tenants, they can have different VPCs. The different VPCs will have the same private FQDN with differing VNETs. The traffic on different private end point connections is isolated until it reaches our load balancer.

The private link service pattern is the same across cloud providers, but the hostname will vary depending on your cloud provider and region.

Inbound private link service endpoints
Service Endpoint pattern

Pulsar Messaging

Kafka Messaging

RabbitMQ Messaging

Prometheus Metrics

Outbound traffic

Astra Streaming also supports private outbound traffic (i.e. Astra Streaming → Your private endpoint) on a case-by-case basis.

The outbound traffic pattern creates a private endpoint in Astra Streaming that connects to your private link service. We open a port on the tenant’s firewall (firewalls are per tenant) so connectors and functions (running in a dedicated namespace on our cluster) can connect to your private network.

To open an outbound private endpoint, open a support ticket and include the credentials required for your cloud provider.

Cloud provider credentials

For more on connecting to your cloud provider, see your cloud provider’s documentation. Each cloud provider will require different credentials to connect to the private endpoint.

Cloud providers
Cloud provider Credentials required Documentation


AWS account number(s)

AWS Private Link


Azure subscription id(s)

Azure Portal


GCP project id(s)

GCP Private Service Connect

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,