Home / Gateway / Community Edition

Get started with Gateway

A free Kafka proxy that connects clients to clusters sitting in other VPCs, clouds, or private networks, with no changes to your brokers or credentials.

Read the docs →

Quickstart

Run this on any machine with Docker. It clones the quickstart, prompts for your license, and brings up a working demo so you can watch clients reach Kafka across networks.

bash <(curl -fsSL https://releases.conduktor.io/gateway-community-quickstart)

View on GitHub →

When to Use Gateway Community Edition

Three patterns where the proxy fits.

Diagram: Client reaches Kafka through Gateway Community Edition in a peered VPC

Reach Kafka without adding peerings

Every new client VPC would otherwise need its own peering with the cluster. Route them through one proxy in an already-peered VPC. The cluster sees one attachment, no matter how many client networks reach in.

Diagram: External Client reaches Kafka through Gateway Community Edition on the private network boundary

Reach private clusters from outside

In situations where a cluster has no public endpoint, a proxy on the boundary lets external clients, partners, or cross-cloud workloads reach in. No cluster reconfiguration or per-client endpoints.

Diagram: App 1, App 2, and App 3 on an internal network funnel through Gateway Community Edition to Kafka

Single egress point

Each internal client opens its own connection to remote Kafka. One proxy funnels them all. One firewall rule, one TLS termination, and one audit trail.

How It Works

Three steps from unreachable cluster to working client.

1

Drop in

Update bootstrap.servers to the proxy's address. No client code changes. Existing SASL credentials.

2

Translate

The proxy rewrites broker addresses in Kafka's metadata responses, so clients see addresses they can actually reach.

3

Route

Each broker gets its own port on the proxy. Traffic routes deterministically per broker. SASL passes straight through.

Without Gateway Community Edition
With Gateway Community Edition
Cluster-side attachments
One peering or PrivateLink per client network attached to the cluster
One attachment to the cluster, new networks attach to the proxy instead
Exposing the cluster externally
Per-broker NLB or PrivateLink endpoint, DNS, and TLS cert
One ingress to the proxy, per-broker routing handled inside
Adding network paths
Rolling restart with reconfigured listeners, or impossible on managed Kafka
New paths added on the proxy, the cluster stays untouched
Egress for many internal clients
Each client opens its own outbound path to firewall and audit
Single egress chokepoint, one path to audit

What You Don't Add

The proxy adds reachability. Nothing else.

No broker reconfiguration

Adds new advertised addresses to clusters you can't change. Works with managed Kafka where listener config is locked.

No new credentials

SASL flows straight through. Existing API keys and OAuth tokens authenticate directly against Kafka.

No new auth model

Kafka ACLs and Confluent RBAC remain the source of truth. The proxy doesn't issue or store identities.

Conduktor Gateway

Ready to govern, secure, and control Kafka traffic?

Everything in Community Edition, plus the governance and security controls teams need to run Kafka in production. The same proxy, fully unlocked.

  • Encryption and field-level masking
  • Schema validation and enforcement
  • Virtual Clusters and multi-tenancy
  • Interceptors for custom policies
  • Disaster recovery and failover
  • Partner data sharing

Get Gateway Enterprise →

Frequently Asked Questions

Why is Gateway Community Edition free?

We built it because customers kept asking for the reachability piece of Gateway without the full governance stack. Free isn't a trial. There's no time limit, no expiration, and no plan to put it behind a paywall.

What's the difference between Gateway Community Edition and Conduktor Gateway?

Gateway Community Edition is a license-restricted mode of Conduktor Gateway. It handles broker address translation and passes SASL credentials through to Kafka. Full Conduktor Gateway adds governance, encryption, masking, schema enforcement, virtual clusters, disaster recovery, and partner data sharing. See Gateway →

What features are not included?

A Gateway Community Edition license excludes Interceptors, topic views, alias topics, Virtual Clusters, Gateway service accounts, Gateway groups, topic concentration, and failover. These all require a full Conduktor Gateway license.

Does the proxy terminate or store my Kafka credentials?

No. SASL flows straight through to Kafka in KAFKA_MANAGED mode. The broker authenticates the client, and Kafka ACLs or Confluent RBAC enforce authorization.

Which Kafka providers are supported?

Any Kafka 2.7+, including Confluent Cloud, Confluent Platform, AWS MSK, GCP Managed Service for Apache Kafka, Aiven, Redpanda, and self-managed Apache Kafka. SASL_PLAINTEXT and SASL_SSL only.

How does this compare to Grepplabs kafka-proxy, Kroxylicious, or AWS MSK Multi-VPC?

Grepplabs kafka-proxy is an open-source passthrough proxy with similar scope, without commercial support or operational tooling. Kroxylicious is a filter framework with broader scope that requires authoring and operating filters. AWS MSK Multi-VPC Private Connectivity is AWS-only and MSK-only. Gateway Community Edition is the right choice when you want a narrow-scope address translator that works across any Kafka, with an upgrade path to full Conduktor Gateway when you need governance, encryption, or schema enforcement.

Does it work across cloud providers?

Yes. Cross-cloud is a common use case. For example, on-prem or AWS clients reaching a Confluent Cloud cluster on GCP.

What level of support does Gateway Community Edition come with?

Same as Console Community Edition: email support, plus docs and Slack as available.

Last updated: June 2026