
Strengthen Security With TLS 1.3 for Confluent Cloud Clusters


Security standards continue to evolve, and organizations need infrastructure that evolves along with them. TLS 1.3 brings stronger encryption to streaming infrastructure for data in transit while ensuring alignment with strict security and compliance requirements.

We’re excited to announce that TLS 1.3 is currently available as an opt-in feature on Confluent Cloud Dedicated clusters and all other Confluent Cloud APIs, including Stream Governance, Metrics, and Control Plane. On April 30, 2026, it will be enabled by default across all newly created clusters and all existing Enterprise, Freight, Standard, and Basic clusters.

Meet Security and Compliance Requirements With TLS 1.3

TLS 1.3 delivers stronger encryption for your streaming workloads. With TLS 1.3 enabled, you can:

  • Strengthen your security posture with improved cryptographic algorithms that defend against evolving threats and keep data streams secure at enterprise scale

  • Meet compliance requirements by leveraging the latest transport layer security standards as required by regulatory frameworks and internal policies

  • Maintain complete control over your security configuration on Dedicated clusters by opting into TLS 1.3 when needed or enforcing TLS 1.3-only connections by disabling TLS 1.2 entirely

How to Enable TLS 1.3 on Dedicated Clusters

TLS 1.3 is generally available as an opt-in feature on new and existing Dedicated clusters. You can enable TLS 1.3 on a per-cluster basis by following the configuration steps. This per-cluster approach gives you granular control over your security settings, allowing you to enable TLS 1.3 based on your specific requirements and compliance needs.

Use the following command to enable TLS 1.3 on a Dedicated cluster:

confluent kafka cluster configuration update \
  --cluster <cluster-id> \
  --config ssl.enabled.protocols=TLSv1.3,TLSv1.2

On April 30, 2026, TLS 1.3 will be enabled by default along with TLS 1.2 on newly created Dedicated clusters. You can turn off TLS 1.3 or TLS 1.2 at any point after a Dedicated cluster has been provisioned using the steps in our documentation. TLS 1.3 will not be enabled by default on existing Dedicated clusters. 
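
To confirm that a cluster negotiates only the protocol versions set in ssl.enabled.protocols, the following added example (not Confluent's code and not part of the original post) attempts one handshake per TLS version against the bootstrap endpoint and compares the outcome with the configured list. The host name is a placeholder, port 9092 is an assumption, and `probe` and `audit` are hypothetical helper names.

```python
import socket
import ssl

# Protocol names as written in the ssl.enabled.protocols value on this page.
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def probe(host, port, version, timeout=5.0):
    """Try one handshake pinned to a single TLS version.

    Returns "accepted", "rejected" (TCP connected, handshake failed) or
    "unreachable" (no TCP connection, so nothing can be concluded).
    """
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
        except ssl.SSLCertVerificationError:
            raise  # a trust problem, not a protocol-version result
        except (ssl.SSLError, OSError):
            return "rejected"

def audit(host, port, enabled, probe_fn=probe):
    """Compare what the endpoint negotiates with the configured protocol list.

    `enabled` is the comma-separated ssl.enabled.protocols value, for example
    "TLSv1.3,TLSv1.2". Returns {version: (observed, matches_config)}.
    """
    wanted = {p.strip() for p in enabled.split(",") if p.strip()}
    unknown = wanted - set(VERSIONS)
    if unknown:
        raise ValueError(f"unsupported protocol name(s): {sorted(unknown)}")
    report = {}
    for version in VERSIONS:
        observed = probe_fn(host, port, version)
        expected = "accepted" if version in wanted else "rejected"
        report[version] = (observed, observed == expected)
    return report

if __name__ == "__main__":
    # Placeholder endpoint (assumption): use your cluster's bootstrap host and port.
    for version, (observed, ok) in audit("broker.example.invalid", 9092, "TLSv1.3").items():
        print(f"{version}: {observed} ({'matches config' if ok else 'CHECK'})")
```

Run it from a network that can reach the cluster, passing the same value given to `--config ssl.enabled.protocols=`; an "unreachable" result means the check could not be made, not that the protocol is disabled.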

Using TLS 1.3 on Autoscaling Cluster Types

On April 30, 2026, TLS 1.3 will be enabled by default, along with TLS 1.2, across all other cluster types, including Enterprise, Freight, Standard, and Basic clusters. This will include new and existing clusters. For these cluster types, TLS 1.3 will not be an opt-in feature on a per-cluster basis. 

Continued Support for TLS 1.2

TLS 1.2 is still an industry standard, and Confluent Cloud will continue to support TLS 1.2 for the foreseeable future. If you are using a Dedicated cluster, you can choose to disable TLS 1.2 on a per-cluster basis after enabling TLS 1.3. For all other cluster types, TLS 1.3 will be enabled alongside TLS 1.2. 

Get Started With TLS 1.3 Today

If you are on Dedicated clusters, check out our documentation for step-by-step guidance on how to enable TLS 1.3 starting now. 

If you are on Enterprise, Freight, Standard, and/or Basic clusters, no action is required. Your existing connections will continue to work seamlessly when TLS 1.3 is automatically enabled on April 30, 2026.



  • Naman is a product manager at Confluent, responsible for data-at-rest and data-in-transit encryption features in the managed Apache Kafka service. Previously, Naman was at Microsoft as a product manager on Azure IoT Hub.
