Virtual clusters

Virtual clusters are the primary way clients interact with the Event Gateway proxy. They allow you to isolate clients from each other when connecting to the same backend cluster, and provide each client with modified view while still appearing as a standard Kafka cluster.

The virtual cluster workflow operates as follows:

1. The Kafka client produces a request.
2. A listener forwards it to the correct virtual cluster.
3. The virtual cluster applies policies and proxies the modified request to the backend cluster.
4. The backend cluster, representing a Kafka cluster, receives the request and sends a response.

 
flowchart LR
    
    A[Kafka 
    client]
    B[Listener 
    &#40TCP socket&#41
    + listener policies]
    C@{ shape: processes, label: "Virtual clusters
    + consume, produce, 
    and cluster policies"}
    D[Backend 
    cluster]
    E[Kafka 
    cluster]

    A --> B
    subgraph id1 [Event Gateway]
    B --> C 
    C --> D
    end
    D --> E

    style C stroke:#86e2cc

    style id1 rx:7,ry:7
  

Note: Each virtual cluster can only expose one backend cluster, but you can have multiple virtual clusters connected to one backend. In other words, a single virtual cluster can’t aggregate data from multiple backend clusters.

Virtual clusters let you apply governance and security features to event streams. This way, a single Kafka cluster can be sliced into multiple access points, each with its own security policy.

Managing multiple environments or products

You will need to increase the number of virtual clusters if you want to create multiple environments or products on top of the same physical cluster.

Here are some common patterns:

• Environment isolation: You can create isolated dev, test, and prod namespaces on top of the same physical Kafka cluster. If you have a topic named orders in each virtual cluster, this will map transparently to different backend topics: dev-orders, test-orders, and prod-orders. This provides isolation and automatic name resolution per environment.

  When clients create new topics through a virtual cluster using Kafka’s CreateTopics request, the namespace prefix is automatically applied, ensuring that clients always stay within their designated namespace.

• External partner isolation: You can expose the same backend topic to different external partners with data filtering. For instance, a single orders topic can be exposed through separate virtual clusters (customer-a, customer-b, customer-c), with each customer seeing only their own orders.

• Reverse mapping: One backend topic (orders) can appear as multiple separate topics (dev-orders, test-orders, prod-orders) across different virtual clusters, each pre-filtered for specific users.

Authentication on the virtual cluster is used to authenticate clients to the proxy. The virtual cluster supports multiple authentication methods and can mediate authentication between clients and backend clusters. See Backend cluster authentication to learn more.

Virtual clusters support the following auth methods:

Credential mediation

With virtual clusters, you can control how client credentials are handled between the proxy and backend cluster, and reuse existing credentials and principals defined on the backend cluster.

Use the virtual cluster authentication.mediation setting to configure a mediation mode. Choose the mode based on your security requirements and backend cluster configuration:

• Passthrough (passthrough): Authentication from the client passes through the proxy to the backend without validation. This method is required for SCRAM authentication.
• Terminate (terminate): Checks whether the client’s connection is authorized based on their credential, and then terminates the authentication. Then, a new authentication session starts with the backend cluster.
• Validate and forward (validate_forward): The client’s OAuth token is first validated by the proxy, and then sent to the backend as-is. This will “fail fast” if the token is invalid before sending it to the backend.

With namespaces, you can preserve any naming systems that you have in place, and ensure they remain consistent. Namespaces let you:

• Rewrite and enforce topics, consumer groups, and transaction IDs with a consistent prefix
• Expose topics and consumer groups through the virtual cluster

This allows you to expose clean, simple names to clients while maintaining organization on the backend.

For example, a virtual cluster exposes a topic named orders to the client. Behind the scenes, this maps to team-a-orders on the actual Kafka cluster. The client doesn’t need to know about or manage the team-a- prefix. This enables transparent multitenancy, where multiple teams can share the same Kafka cluster without needing to manually prefix every topic and consumer group name in their applications.

The following examples provide some common use cases for namespaces and show how to set them up.

Apply prefixes automatically

The most common use case for namespaces is to automatically prefix read and create operations when interacting with topics and consumer groups. This helps avoid overlapping from multiple tenants.

You can do this by setting a prefix on the virtual cluster:

 curl  -X POST "https://us.api.konghq.com/v1/event-gateways/$EVENT_GATEWAY_ID/virtual-clusters" \
     --no-progress-meter --fail-with-body  \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "example-virtual-cluster",
       "destination": {
         "name": "example-backend-cluster"
       },
       "authentication": [
         {
           "type": "anonymous"
         }
       ],
       "dns_label": "virtual-cluster-1",
       "acl_mode": "passthrough",
       "namespace": {
         "mode": "hide_prefix",
         "prefix": "my-prefix"
       }
     }'

In this example, the prefix my-prefix will be used for all consumer group and topics that connect to this virtual cluster.

Access additional topics

Along with topics owned by a specific team, you can pull in a select group of additional topics. This is useful when you want to:

• Consume topics owned by other teams
• Gradually migrate to a namespace while still using old topics temporarily

Here’s an example configuration using a glob pattern:

 curl  -X POST "https://us.api.konghq.com/v1/event-gateways/$EVENT_GATEWAY_ID/virtual-clusters" \
     --no-progress-meter --fail-with-body  \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "example-virtual-cluster",
       "destination": {
         "name": "example-backend-cluster"
       },
       "authentication": [
         {
           "type": "anonymous"
         }
       ],
       "dns_label": "virtual-cluster-1",
       "acl_mode": "passthrough",
       "namespace": {
         "mode": "hide_prefix",
         "prefix": "my-prefix",
         "additional": {
           "topics": [
             {
               "type": "glob",
               "glob": "my-topic-*",
               "conflict": "warn"
             }
           ]
         }
       }
     }'

These topics are accessed using their full unmodified names.

This example uses a glob expression to capture topics using name patterns. You can also pass an exact list of topics as an array:

"topics": [
  {
    "type": "exact_list",
    "list": [
      {
        "backend": "allowed_topic",
        "backend": "another_allowed_topic"
      }
    ]
  }
]

Access additional consumer groups

You can access existing consumer groups to avoid migrating offsets:

 curl  -X POST "https://us.api.konghq.com/v1/event-gateways/$EVENT_GATEWAY_ID/virtual-clusters" \
     --no-progress-meter --fail-with-body  \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "example-virtual-cluster",
       "destination": {
         "name": "example-backend-cluster"
       },
       "authentication": [
         {
           "type": "anonymous"
         }
       ],
       "dns_label": "virtual-cluster-1",
       "acl_mode": "passthrough",
       "namespace": {
         "mode": "hide_prefix",
         "prefix": "my-prefix",
         "additional": {
           "consumer_groups": [
             {
               "type": "glob",
               "glob": "my-app-*",
               "conflict": "warn"
             }
           ]
         }
       }
     }'

End users of this virtual cluster can use their existing, unnamespaced consumer groups.

This example uses a glob expression to capture consumer groups using name patterns. You can also pass an exact list of consumer groups as an array:

"consumer_groups": [
  {
    "type": "exact_list",
    "list": [
      {
        "value": "foo",
        "value": "bar"
      }
    ]
  }
]

Virtual clusters can be modified by policies, which let you do things like modify headers, encrypt and decrypt records, validate record schemas, and much more.

To learn more, see:

• Policy entity reference
• All Event Gateway policies

Before setting up a virtual cluster, make sure you have a backend cluster configured. A virtual cluster must connect to an existing backend cluster.

curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId} \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "example-name",
      "destination": {
        "name": "example-backend-cluster"
      },
      "authentication": [
        {
          "type": "anonymous"
        }
      ],
      "dns_label": "virtual-cluster-1",
      "acl_mode": "passthrough"
    }
    '

terraform {
  required_providers {
    konnect-beta = {
      source  = "kong/konnect-beta"
    }
  }
}

provider "konnect-beta" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

resource "konnect_event_gateway_virtual_cluster" "my_virtual_cluster" {
  provider = konnect-beta
  destination = {
    name = "example-backend-cluster"
  }
  authentication = [
    {
      type = "anonymous"
    }  ]
  dns_label = "virtual-cluster-1"
  acl_mode = "passthrough"



  gateway_id = konnect_event_gateway.my_event_gateway.id
}