# Confluent + Conduktor Make your Confluent investment work harder with enterprise governance, data quality enforcement, and wire-level security. [Book a demo](https://www.conduktor.io/contact/demo) Trusted by ## How Conduktor extends Confluent ### Wire-level enforcement Policies enforced at the protocol level-clients can't bypass them. ### Field-level encryption Encrypt sensitive fields at the wire-zero code changes. ### Data quality enforcement Catch bad data before it breaks downstream systems. ### Self-service with guardrails Onboard teams without bottlenecks-or bad configurations. ### Client configuration enforcement Stop bad client configurations at the wire. ### Developer-first experience A UI developers actually want to use. ### Multi-environment governance One interface for Cloud, Platform, and hybrid. ### External data sharing Share data with partners without replication. ## Why Confluent + Conduktor - **Wire-level security** — Encryption, masking, and policies enforced at the protocol level. Clients can't bypass-even with standard serializers. - **No artificial limits** — No caps on API keys, role bindings, or service accounts. Your microservices architecture won't hit ceilings. - **GitOps your governance** — Terraform provider for RBAC, policies, data quality, encryption, self-service-not just Kafka resources. - **Developer experience** — A UI developers actually want to use-not an ops console with a steep learning curve. - **Wire-Level Enforcement** — Policies enforced at the protocol level. Clients can't bypass-unlike client-side rules. - **Field-Level Encryption** — 6 KMS backends, zero code changes. Selective decryption by role. - **Data Quality** — Validate payloads with or without schemas. CEL rules, dead-letter routing, alerts. - **Client Enforcement** — Require compression, acks, idempotence at the wire. No code changes. - **Self-Service Catalog** — Request/approve workflows with CEL-based resource policies and guardrails. - **Developer-First UI** — Explore messages visually, self-serve with guardrails, modern interface developers love. - **GitOps Everything** — Terraform provider for clusters, RBAC, policies, data quality, self-service-not just Kafka resources. - **Virtual Clusters** — Logical multi-tenancy on shared infrastructure. No cluster proliferation. ## No artificial limits Confluent Cloud enforces quota limits that require support escalation at scale. Conduktor removes the ceiling. [Confluent Cloud limits](https://docs.confluent.io/cloud/current/quotas/service-quotas.html) API keys to 1,000 per org, role bindings to 500-25,000 per cluster, and service accounts to 1,000 per org. Conduktor has no such limits. | Resource | Confluent Cloud | Conduktor | |----------|-----------------|-----------| | **API keys** | 1,000 per org, 50–2,000 per cluster | Unlimited | | **Role bindings** | 500 per cluster (25K on Dedicated) | Unlimited | | **Service accounts** | 1,000 per org | Unlimited | > **Example:** A single Kafka Streams application creates ~6 role bindings. At 500 per cluster (Standard/Enterprise), you hit the ceiling at ~80 applications. Even Dedicated clusters cap at ~4,000. A microservices architecture with 1,000+ services? You'll exhaust API keys and service accounts. Conduktor provides virtual clusters with unlimited service accounts and RBAC bindings. ## Results with Confluent + Conduktor - [$380K](https://www.conduktor.io/year) — Saved — A major payroll provider avoided infrastructure costs by encrypting at the wire, not duplicating data. - **3** — days — To production — New teams go from Kafka request to producing events-down from weeks. ## Read more customer stories - [Bitvavo: DORA Compliance for Crypto Exchange](https://www.conduktor.io/customer-stories/how-bitvavo-secures-real-time-crypto-data-with-conduktor) - [FlixBus: Scaling Event-Driven Architecture](https://www.conduktor.io/customer-stories/how-flix-uses-conduktor-to-scale-their-event-driven-architecture) - [Swiss Post: Governing Kafka at Scale](https://www.conduktor.io/customer-stories/how-swiss-post-governs-democratizes-kafka-usage) ## Frequently Asked Questions **Does Conduktor work with both Confluent Cloud and Confluent Platform?** Yes. Conduktor connects to Confluent Cloud (Dedicated, Standard, Basic) and self-managed Confluent Platform clusters. Manage all cluster types from a single interface. **What's the difference between wire-level and client-side enforcement?** Confluent Stream Governance data quality rules run in client serializers-if a producer uses a standard Kafka serializer, those rules don't apply. Stream processors like ksqlDB and Flink bypass them entirely. Conduktor Gateway intercepts at the wire: every message passes through, no bypass possible, works with any client. **How does selective decryption work?** Conduktor Gateway encrypts fields at the wire, then selectively decrypts based on consumer identity. AI team with decrypt permission sees salary: $95,000. Support team without permission sees: XXXXX. Same topic, same data, different views. Zero producer code changes. **What can I manage with Terraform?** Conduktor's Terraform provider covers more than just Kafka resources: cluster connections, RBAC policies, topic policies, data quality rules, self-service catalog, applications, and Conduktor Gateway interceptors. GitOps your entire governance layer, not just topics. **How does data quality validation work without Schema Registry?** Conduktor Gateway validates payloads using CEL expressions and field-level rules-independent of Schema Registry. You can enforce formats, ranges, and required fields on JSON payloads without schemas. This enables gradual migration from schema-less to schema-ful architectures. **What client configurations can Conduktor enforce?** Compression type (require GZIP/LZ4/ZSTD), acks mode (enforce acks=-1), idempotence, offset commit rate limits, connection rate limits, and client ID naming conventions. All enforced at the wire level-no application code changes. **What are the limits on Conduktor vs Confluent Cloud?** Confluent Cloud limits: 1,000 API keys per org, 500 role bindings per cluster (25K on Dedicated), 1,000 service accounts per org. Conduktor has no such limits-virtual clusters support unlimited service accounts and RBAC bindings. **What are virtual clusters?** Logical isolation on shared infrastructure. Each team gets their own namespace with separate service accounts, topic prefixes, and rate limits-without spinning up separate Kafka clusters. Reduces cost while maintaining isolation. **How is Console different from Control Center?** Control Center is ops-centric with a steep learning curve. Console is developer-first: explore messages visually, self-serve topic creation with guardrails, schema browser with compatibility tracking. Developers actually want to use it. **Can I use Confluent Schema Registry with Conduktor?** Yes. Conduktor integrates natively with Confluent Schema Registry for schema validation, evolution tracking, and compatibility enforcement. Data quality rules can work alongside or independent of Schema Registry. **Does Conduktor require changes to my Confluent setup?** No. Conduktor connects via standard Kafka protocols. No configuration changes to your Confluent clusters. **Is Conduktor a replacement for Confluent?** No. Conduktor is complementary. Confluent handles your Kafka infrastructure; Conduktor adds enterprise governance, data quality, and security capabilities on top. **How do I encrypt Kafka messages without code changes?** Conduktor Gateway encrypts fields at the wire level using your KMS (AWS, Azure, GCP, HashiCorp Vault, Fortanix). Producers send plaintext; Gateway encrypts before the message hits the broker. Consumers with permission see decrypted data; others see masked values. Zero application code changes required. ## Running Kafka on Confluent? Whether you're using Confluent Cloud, Confluent Platform, or a hybrid setup, our team can help you design the right governance architecture for your workloads. See our [architecture overview](https://www.conduktor.io/architecture) for deployment options. [Book a Confluent + Conduktor demo](https://www.conduktor.io/contact/demo)