# Configure Azure Private Link in the Cloud Console

---
title: Configure Azure Private Link in the Cloud Console
latest-operator-version: v26.1.4
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
latest-redpanda-tag: v26.1.9
docname: azure-private-link-in-ui
page-component-name: cloud-data-platform
page-version: master
page-component-version: master
page-component-title: Cloud
page-relative-src-path: azure-private-link-in-ui.adoc
page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/networking/pages/azure-private-link-in-ui.adoc
description: Set up Azure Private Link in the Redpanda Cloud Console.
page-git-created-date: "2025-07-17"
page-git-modified-date: "2026-02-02"
---

> 📝 **NOTE**
>
> This guide is for configuring new clusters with Azure Private Link using the Redpanda Cloud Console. To configure and manage Private Link on an existing cluster, you must use the [Cloud API](https://docs.redpanda.com/cloud-data-platform/networking/azure-private-link/).

The Redpanda Azure Private Link service provides secure access to Redpanda Cloud from your own VNet. Traffic over Private Link does not go through the public internet because these connections are treated as their own private Azure service. While your VNet has access to the Redpanda virtual network, Redpanda cannot access your VNet.

Consider using the endpoint service if you have multiple VNets and could benefit from a simpler approach to network management:

-   Azure Private Link allows overlapping [CIDR ranges](https://docs.redpanda.com/cloud-data-platform/networking/cidr-ranges/).

-   You control which Azure subscriptions are allowed to connect to the endpoint service.


## Requirements

-   Your Redpanda cluster and VNet must be in the same region.

-   Use the [Azure command-line interface (CLI)](https://learn.microsoft.com/en-us/cli/azure/get-started-with-azure-cli?view=azure-cli-latest) to create a new client VNet or modify an existing one to use the Private Link endpoint.


> 💡 **TIP**
>
> In Kafka clients, set `connections.max.idle.ms` to a value less than 350 seconds.

## Enable endpoint service for new clusters

1.  In the Redpanda Cloud Console, create a new cluster.

2.  On the **Networking** page:

    1.  For **Connection type**, select **Private**.

    2.  For **Azure Private Link**, select **Enabled**.

    3.  For **Allowed subscriptions**, click **Add subscription**, and enter the Azure subscription ID that can access the cluster. You can add multiple subscriptions.



## Access Redpanda services through VNet endpoint

To access Redpanda services, follow the steps on the cluster’s **Overview** page. In the **How to connect** section, click **Private Link**.

![Private Link tab in Overview page](https://docs.redpanda.com/cloud-data-platform/shared/_images/private-link-tab.png)

You can access Redpanda services such as Redpanda Console, Schema Registry, and HTTP Proxy from the client VPC or virtual network; for example, from a compute instance in the VPC or network.

The bootstrap server hostname is unique to each cluster. The service attachment exposes a set of bootstrap ports for access to Redpanda services. These ports load balance requests among brokers. Make sure you use the following ports for initiating a connection from a consumer:

| Redpanda service | Default port |
| --- | --- |
| Kafka API | 30292 |
| HTTP Proxy | 30282 |
| Schema Registry | 30081 |
| Redpanda Console | 443 |

### Access Kafka API seed service

Use port `30292` to access the Kafka API seed service.

```bash
export RPK_BROKERS='<kafka-api-bootstrap-server-hostname>:30292'
rpk cluster info -X tls.enabled=true -X user=<user> -X pass=<password>
```

When successful, the `rpk` output should look like the following:

```bash
CLUSTER
=======
redpanda.rp-cki01qgth38kk81ard3g

BROKERS
=======
ID    HOST                                                                PORT   RACK
0*    0-3da65a4a-0532364.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com  32092  use2-az1
1     1-3da65a4a-63b320c.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com  32093  use2-az1
2     2-3da65a4a-36068dc.cki01qgth38kk81ard3g.fmc.dev.cloud.redpanda.com  32094  use2-az1
```

### Access Schema Registry seed service

Use port `30081` to access the Schema Registry seed service.

```bash
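# --tlsv1.2 sets TLS 1.2 as the minimum version; --sslv2 is obsolete and ignored by current curl releases.
curl -vv -u <user>:<password> -H "Content-Type: application/vnd.schemaregistry.v1+json" --tlsv1.2 --http2 https://<schema-registry-bootstrap-server-hostname>:30081/subjects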
```

### Access HTTP Proxy seed service

Use port `30282` to access the Redpanda HTTP Proxy seed service.

```bash
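# --tlsv1.2 sets TLS 1.2 as the minimum version; --sslv2 is obsolete and ignored by current curl releases.
curl -vv -u <user>:<password> -H "Content-Type: application/vnd.kafka.json.v2+json" --tlsv1.2 --http2 https://<http-proxy-bootstrap-server-hostname>:30282/topics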
```

### Verify the Redpanda Console network path

When you configure private connectivity through the Cloud API, set `connect_console: true` on the network configuration to enable Console access through the cluster’s private endpoint. The Cloud UI sets this for you when you enable private connectivity.

The Redpanda Console URL is served on port `443` (HTTPS) and follows the form `https://console-<id>.<cluster_domain>`. The `<id>` is a per-cluster suffix assigned by the Redpanda control plane and is opaque to you; the full URL is shown in the **How to Connect** section of the cluster overview in the Redpanda Cloud Console.

To verify that the network path to Redpanda Console is open, run the following commands from a host in the client network. First, confirm DNS resolves the hostname to a private IP on the cluster’s private endpoint:

```bash
dig +short console-<id>.<cluster_domain>
```

The response is a private IP from your client network’s address range, for example:

```bash
10.0.0.42
```

Then confirm Redpanda Console responds over HTTPS through the endpoint:

```bash
curl -sS -o /dev/null -w "%{http_code}\n" https://console-<id>.<cluster_domain>/
```

Expected output:

```bash
200
```

A 200 response confirms the network path. The Console UI itself does not expose a standalone login form: sign in to [cloud.redpanda.com](https://cloud.redpanda.com), navigate to the cluster, and use the cluster’s left navigation (**Topics**, **Brokers**, **Consumer groups**) to interact with Redpanda Console.
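
The DNS check above can be scripted so that an answer outside the client network's address range fails instead of passing unnoticed. This is an added example, not part of the Redpanda documentation; the function names, the `10.0.0.0/16` client range, and the sample answers are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the Redpanda docs): confirm that every address
# returned by `dig +short` lies inside the client network's CIDR.

# Print a dotted-quad IPv4 address as a 32-bit integer; return 1 if malformed.
ip_to_int() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  local old_ifs="$IFS" o
  IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IP ($1) is inside CIDR ($2), 1 if outside, 2 on malformed input.
ip_in_cidr() {
  local ip net bits mask
  case $2 in */*) bits=${2#*/} ;; *) return 2 ;; esac
  case $bits in ''|*[!0-9]*|???*|0?*) return 2 ;; esac
  [ "$bits" -le 32 ] || return 2
  ip=$(ip_to_int "$1") || return 2
  net=$(ip_to_int "${2%/*}") || return 2
  mask=0
  [ "$bits" -eq 0 ] || mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Read `dig +short` output on stdin. Succeed only if at least one A record is
# present and every A record is inside CIDR ($1). CNAME lines are skipped.
check_private_answers() {
  local cidr="$1" line seen=0 bad=0
  while IFS= read -r line; do
    ip_to_int "$line" >/dev/null || continue
    seen=$((seen + 1))
    if ip_in_cidr "$line" "$cidr"; then
      echo "ok   $line is inside $cidr"
    else
      echo "FAIL $line is not inside $cidr"; bad=$((bad + 1))
    fi
  done
  [ "$seen" -gt 0 ] || { echo "FAIL no A record in answer"; return 1; }
  [ "$bad" -eq 0 ]
}

# Constructed sample answers (not real output); 10.0.0.0/16 is an assumed client range.
# Real use: dig +short console-<id>.<cluster_domain> | check_private_answers 10.0.0.0/16
printf 'endpoint.example.internal.\n10.0.0.42\n' | check_private_answers 10.0.0.0/16
printf '203.0.113.10\n' | check_private_answers 10.0.0.0/16 || echo "answer rejected"
```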

> 📝 **NOTE**
>
> -   DNS resolution for the Redpanda Console hostname is handled automatically by the cluster’s private endpoint. You don’t need to create a private hosted zone or override DNS in the client network.
>
> -   Ensure your network access rules (for example, AWS security groups, Azure NSGs, or GCP firewall rules) on the private endpoint allow inbound TCP on port `443` from your client workload sources only (for example, the client network’s CIDR or specific client access groups). Avoid broad source ranges such as `0.0.0.0/0`.

## Test the connection

You can test the connection to the endpoint service from any VM or container in the consumer VNet. If configuring a client isn’t possible right away, you can do these checks using `rpk` or cURL:

1.  Set the following environment variables.

    ```bash
    export RPK_BROKERS='<kafka-api-bootstrap-server-hostname>:30292'
    export RPK_TLS_ENABLED=true
    export RPK_SASL_MECHANISM="<SCRAM-SHA-256 or SCRAM-SHA-512>"
    export RPK_USER=<user>
    export RPK_PASS=<password>
    ```

2.  Create a test topic.

    ```bash
    rpk topic create test-topic
    ```

3.  Produce to the test topic.

    ### rpk

    ```bash
    echo 'hello world' | rpk topic produce test-topic
    ```


    ### curl

    ```bash
    curl -s \
      -X POST \
      "<http-proxy-bootstrap-server-url>/topics/test-topic" \
      -H "Content-Type: application/vnd.kafka.json.v2+json" \
      -d '{
      "records":[
          {
              "value":"hello world"
          }
      ]
    }'
    ```

4.  Consume from the test topic.

    ### rpk

    ```bash
    rpk topic consume test-topic -n 1
    ```


    ### curl

    ```bash
    curl -s \
      "<http-proxy-bootstrap-server-url>/topics/test-topic/partitions/0/records?offset=0&timeout=1000&max_bytes=100000" \
      -H "Accept: application/vnd.kafka.json.v2+json"
    ```