# Get started with Gateway A free Kafka proxy that connects clients to clusters sitting in other VPCs, clouds, or private networks, with no changes to your brokers or credentials. Get a free license [Read the docs →](https://docs.conduktor.io/guide/conduktor-in-production/manage-licenses/gateway-community-edition) ### Quickstart Run this on any machine with Docker. It clones the quickstart, prompts for your license, and brings up a working demo so you can watch clients reach Kafka across networks. ```bash bash <(curl -fsSL https://releases.conduktor.io/gateway-community-quickstart) ``` [View on GitHub →](https://github.com/conduktor/gateway-community-quickstart) ## When to Use Gateway Community Edition Three patterns where the proxy fits. Reach Kafka without adding peerings Every new client VPC would otherwise need its own peering with the cluster. Route them through one proxy in an already-peered VPC. The cluster sees one attachment, no matter how many client networks reach in. Reach private clusters from outside In situations where a cluster has no public endpoint, a proxy on the boundary lets external clients, partners, or cross-cloud workloads reach in. No cluster reconfiguration or per-client endpoints. Single egress point Each internal client opens its own connection to remote Kafka. One proxy funnels them all. One firewall rule, one TLS termination, and one audit trail. ## How It Works Three steps from unreachable cluster to working client. Drop in Update bootstrap.servers to the proxy's address. No client code changes. Existing SASL credentials. Translate The proxy rewrites broker addresses in Kafka's metadata responses, so clients see addresses they can actually reach. Route Each broker gets its own port on the proxy. Traffic routes deterministically per broker. SASL passes straight through. Without Gateway Community Edition With Gateway Community Edition Cluster-side attachments One peering or PrivateLink per client network attached to the cluster One attachment to the cluster, new networks attach to the proxy instead Exposing the cluster externally Per-broker NLB or PrivateLink endpoint, DNS, and TLS cert One ingress to the proxy, per-broker routing handled inside Adding network paths Rolling restart with reconfigured listeners, or impossible on managed Kafka New paths added on the proxy, the cluster stays untouched Egress for many internal clients Each client opens its own outbound path to firewall and audit Single egress chokepoint, one path to audit What You Don't Add The proxy adds reachability. Nothing else. No broker reconfiguration Adds new advertised addresses to clusters you can't change. Works with managed Kafka where listener config is locked. No new credentials SASL flows straight through. Existing API keys and OAuth tokens authenticate directly against Kafka. No new auth model Kafka ACLs and Confluent RBAC remain the source of truth. The proxy doesn't issue or store identities. Conduktor Gateway Ready to govern, secure, and control Kafka traffic? Everything in Community Edition, plus the governance and security controls teams need to run Kafka in production. The same proxy, fully unlocked. Encryption and field-level masking Schema validation and enforcement Virtual Clusters and multi-tenancy Interceptors for custom policies Disaster recovery and failover Partner data sharing [Get Gateway Enterprise →](https://www.conduktor.io/pricing#gateway) Get a free license Free to use. We'll send your license and install instructions by email. ## Frequently Asked Questions **Why is Gateway Community Edition free?** We built it because customers kept asking for the reachability piece of Gateway without the full governance stack. Free isn't a trial. There's no time limit, no expiration, and no plan to put it behind a paywall. **What's the difference between Gateway Community Edition and Conduktor Gateway?** Gateway Community Edition is a license-restricted mode of Conduktor Gateway. It handles broker address translation and passes SASL credentials through to Kafka. Full Conduktor Gateway adds governance, encryption, masking, schema enforcement, virtual clusters, disaster recovery, and partner data sharing. [See Gateway →](https://www.conduktor.io/gateway) **What features are not included?** A Gateway Community Edition license excludes Interceptors, topic views, alias topics, Virtual Clusters, Gateway service accounts, Gateway groups, topic concentration, and failover. These all require a full Conduktor Gateway license. **Does the proxy terminate or store my Kafka credentials?** No. SASL flows straight through to Kafka in KAFKA_MANAGED mode. The broker authenticates the client, and Kafka ACLs or Confluent RBAC enforce authorization. **Which Kafka providers are supported?** Any Kafka 2.7+, including Confluent Cloud, Confluent Platform, AWS MSK, GCP Managed Service for Apache Kafka, Aiven, Redpanda, and self-managed Apache Kafka. SASL_PLAINTEXT and SASL_SSL only. **How does this compare to Grepplabs kafka-proxy, Kroxylicious, or AWS MSK Multi-VPC?** Grepplabs kafka-proxy is an open-source passthrough proxy with similar scope, without commercial support or operational tooling. Kroxylicious is a filter framework with broader scope that requires authoring and operating filters. AWS MSK Multi-VPC Private Connectivity is AWS-only and MSK-only. Gateway Community Edition is the right choice when you want a narrow-scope address translator that works across any Kafka, with an upgrade path to full Conduktor Gateway when you need governance, encryption, or schema enforcement. **Does it work across cloud providers?** Yes. Cross-cloud is a common use case. For example, on-prem or AWS clients reaching a Confluent Cloud cluster on GCP. **What level of support does Gateway Community Edition come with?** Same as [Console Community Edition](https://www.conduktor.io/pricing#console-community-edition): email support, plus docs and Slack as available. Last updated: June 2026