Browse Exams — Mock Exams & Practice Tests

CCAC Cheatsheet — Confluent Cloud Ops: Networking, RBAC, Governance, Connectors & Linking

Comprehensive CCAC quick reference: Confluent Cloud resource model, private networking options, service accounts + API keys + RBAC, Stream Governance and schema discipline, managed connectors operations, Cluster Linking patterns, and troubleshooting signals.

On this page

Use this for last‑mile review. Pair it with the Syllabus for coverage and Practice to harden instincts.

1) Confluent Cloud resource model (the hierarchy you must know)

    flowchart TD
	  ORG["Organization"] --> ENV["Environment"]
	  ENV --> CL["Kafka Cluster"]
	  ENV --> SR["Schema Registry"]
	  ENV --> SG["Stream Governance (Catalog)"]
	  ENV --> SA["Service Accounts"]
	  SA --> KEY["API Keys"]
	  ENV --> CONN["Connectors"]

High-yield rules

  • Treat environments as your blast-radius boundary (dev/test/prod isolation).
  • API keys belong to service accounts; rotate keys and avoid shared “human” keys.
  • Governance (catalog/schemas) is easiest when standardized at the environment level.

2) Access control: service accounts, API keys, RBAC

Authentication vs authorization

  • Authentication: “Who is calling?” (API key / identity)
  • Authorization: “What can they do?” (RBAC role bindings and scopes)

Operational key lifecycle (minimal safe baseline)

StepWhat to doWhy
Create service accountUse per-app identitiesAudit + least privilege
Grant RBAC roleScope to env/cluster/resourcesReduce blast radius
Create API keyStore in secret managerAvoid leaking credentials
Rotate regularlyDual keys during rotationZero downtime changes
Revoke on exit/incidentRemove bindings + delete keysClose access quickly

3) Networking in Confluent Cloud (public vs private)

Connectivity options (mental model)

OptionWhat it isWhen it’s usedWhat to remember
Public endpointAccess over internetDefault, fast to startUse allowlists where possible
PrivateLink / private service accessPrivate connectivity into your VPC/VNetCompliance + no public exposureDNS/routing planning matters
VPC/VNet peeringPrivate network peeringControlled private routingIP overlap pitfalls

DNS gotcha: private connectivity often requires private DNS or custom resolution so clients resolve brokers to private endpoints.

4) Kafka cluster knobs (operator level)

Topic basics: partitions and parallelism

You want…Do thisWhy
More consumer parallelismIncrease partitionsOne consumer per partition per group
Preserve ordering for an entityUse a stable keyOrdering is per partition
Reduce duplicate riskUse idempotent producer patternsRetries happen

Retention vs compaction (remember intent)

PolicyBest forMental model
Retention (delete)Event logs / audit streamsKeep full history for N days
CompactionChangelogs / latest state per keyKeep last value per key

5) Stream Governance + schemas (operator mindset)

Schema compatibility (why it shows up)

Compatibility answers: “Who can read what after change?”

ModeSafe for…Simple rule
BACKWARDNew consumers reading old dataAdd fields with defaults
FORWARDOld consumers reading new dataBe careful with removals
FULLBoth directionsStrictest; safest at scale

Operator rule: choose guardrails that prevent breaking changes in shared topics.

6) Managed connectors (what “managed” does and doesn’t do)

Connector ops checklist

QuestionWhy it matters
Is the connector authorized to read/write?RBAC + API key scope issues are common
Is the destination reachable privately?Networking and DNS routing issues
Is schema/serialization compatible?Deserialization failures can halt tasks
Is throughput bounded?Quotas/limits can cause backpressure

Failure patterns (high-yield)

  • Task failures due to auth (invalid key, missing permissions)
  • Failures due to network (private endpoint misconfigured, DNS mismatch)
  • Failures due to data (schema incompatibility, bad payload)

7) Cluster Linking (multi-cluster replication patterns)

Why Cluster Linking exists

Cluster Linking supports replicating data across clusters for:

  • multi-region reads
  • disaster recovery
  • multi-cloud topologies
    flowchart LR
	  SRC["Source cluster"] --> LINK["Cluster Link"]
	  LINK --> DEST["Destination cluster"]
	  DEST --> APPS["Consumers (region B)"]

Operational cues

  • Treat linking as a platform primitive (monitor lag/health like you would consumer groups).
  • Design for failover: know which cluster is the source of truth and how clients switch.

8) Monitoring + troubleshooting pickers

  • Clients can’t connect: advertised endpoints/DNS/private networking mismatch; allowlists; TLS/SASL config mismatch.
  • Auth errors: API key belongs to wrong service account; missing RBAC binding; wrong scope (env vs cluster).
  • Lag / backlog: insufficient partitions, slow consumers, connector throughput caps, or quota throttling.
  • Connector failing: auth/network/data; inspect task error first, then validate destination and serialization.

Mini-glossary

Environment (blast radius) • Service account (identity) • API key (credential) • RBAC (authorization) • Private connectivity (no public path) • Cluster Linking (multi-cluster replication) • Schema compatibility (safe evolution rules).

Syllabus
Practice