HiveMQ Cloud Enterprise Feature Availability and Applicability
This page is the reference for what a HiveMQ Cloud Enterprise deployment includes and where it differs from the self-operated HiveMQ Enterprise MQTT Broker. It shows the availability of each capability in Cloud Enterprise: available, available on request, restricted, or not supported. Each entry links to the product documentation for how the capability works.
Availability Legend
| Status | Meaning |
|---|---|
| Available | Included in HiveMQ Cloud Enterprise. |
| On request | Included, but HiveMQ enables or configures the capability at your request through your account team or support. |
| Restricted | Available with a cloud-specific limitation or difference from the self-operated broker. |
| Not supported | Not offered in HiveMQ Cloud Enterprise. |

Because HiveMQ Cloud Enterprise is a managed service, HiveMQ configures many capabilities on request. These capabilities are self-service in the self-operated HiveMQ broker.
HiveMQ Enterprise MQTT Broker Capabilities
These are the core capabilities of the dedicated HiveMQ broker. For detailed information on how they work, see the HiveMQ Platform documentation.
| Capability | Status | Notes |
|---|---|---|
| MQTT 3.1, 3.1.1, and 5 | Available | Interoperable protocol support. |
| Sparkplug awareness | On request | Sparkplug-aware extension enabled on request. |
| Masterless, distributed cluster | Available | HiveMQ operates the cluster with high availability. |
| Multiple simultaneous listeners, including WebSocket | Available | See Public listener. Additional listeners on request. |
| Rolling upgrades | Available | HiveMQ performs upgrades as part of the managed service. |
| Cluster overload protection | Available | |
| Handshake overload protection | Available | |
| Pre-declared shared subscriptions | On request | |
| MQTT add-ons | On request | For example, expired, dropped, and dead-message queues. |
| PROXY protocol (v1 and v2) | Available | |
| Disaster recovery mechanisms | Available | HiveMQ operates these mechanisms. |
| REST API | Available | |
| Maintenance exclusion windows | On request | Customer-defined windows during which HiveMQ does not update the cluster. |
| Static IPs for MQTT endpoints | On request | Fixed IP range for firewall allow lists. |
| Broker certificate rotation | Available | HiveMQ manages rotation. |
| Audit log | Restricted | HiveMQ captures the broker audit log internally and can provide it on request. It is not a self-service feature. |

Security and Access Control
For how authentication and authorization work, see TLS and authentication and the Enterprise Security Extension documentation.
| Capability | Status | Notes |
|---|---|---|
| TLS-secured communication | Available | HiveMQ enables TLS by default on all listeners. |
| Username and password authentication | Available | Default method. |
| Client certificate authentication (mTLS, X.509) | Available | |
| JSON Web Token (JWT) authentication | Available | Includes OAuth/OpenID Connect integration. |
| LDAP authentication and authorization | Not supported | Not offered in Cloud. See Not Supported in HiveMQ Cloud Enterprise. |
| Role-based access control (RBAC) | Available | Permissions are assigned to roles; roles are assigned to credentials. |
| Per-credential permissions (non-RBAC) | Not supported | Cloud uses role-based access control: permissions are assigned to roles, and roles are assigned to credentials, client certificates, or JWT authentication — not directly to individual credentials. |
| Fine-grained REST API access control | Available | |
| Client certificate revocation (CRL) and OCSP | On request | Certificate revocation lists (CRL) and Online Certificate Status Protocol (OCSP). |
| OCSP stapling | On request | |

Managed Cloud Capabilities
These capabilities are specific to the managed HiveMQ Cloud Enterprise service.
| Capability | Status | Notes |
|---|---|---|
| Enterprise uptime SLA | Available | Applies to the production environment. |
| Custom domain names (Let’s Encrypt via ACME) | Available | See Custom domains. |
| Custom domain names (custom CA via cert-manager) | On request | Integrates with your public key infrastructure (PKI). |
| REST API for credentials, roles, and rights | Available | |
| PrivateLink for MQTT endpoints | On request | See Private networking. |
| Mounting PrivateLink endpoints for Enterprise Extensions | On request | Where the target service supports it. |
| Push logs and metrics to OTLP endpoints | On request | Ships to your OpenTelemetry Protocol (OTLP) endpoint. See Observability. |
| Cloud Console single sign-on (SSO) | Available | |

Enterprise Security Extension
The Enterprise Security Extension (ESE) expands role, user, and permission management. For how it works, see the Enterprise Security Extension documentation.
| Capability | Status | Notes |
|---|---|---|
| Structured security access log | Available | |
| OAuth/OpenID Connect integration via JWT | Available | |
| Client certificate revocation | On request | |
| ESE variables in permissions | Available | General-purpose variables in self-service are limited. HiveMQ configures complex setups on request. |
| Custom authentication pipelines using default preprocessors | On request | |
| Integrations with SQL databases, LDAP, or Active Directory | Not supported | Authentication and authorization run on the critical path of the broker. To keep the managed service reliable, HiveMQ does not depend on authentication components outside its control, such as customer-hosted databases or directories. Contact us to discuss your requirements. |
| Custom authentication SDK / custom preprocessors | Not supported | Custom authentication code runs on the critical path of the broker. To protect service reliability, HiveMQ does not offer custom authentication SDKs or preprocessors. Contact us to discuss your requirements. |

Enterprise Extensions (Data Integrations)
Enterprise Extensions integrate the broker with third-party services. In HiveMQ Cloud Enterprise, HiveMQ enables and configures these extensions on request.
| Extension | Status | Learn more |
|---|---|---|
| Apache Kafka | On request | |
| Amazon Kinesis | On request | |
| Google Cloud Pub/Sub | On request | |
| MongoDB | On request | |
| PostgreSQL | On request | |
| MySQL | On request | |
| Microsoft SQL Server | On request | |
| Snowflake | On request | |
| Data Lake (S3-compatible) | On request | |
| Bridge | On request | |

HiveMQ reviews custom transformers for Enterprise Extensions before use to confirm they do not affect service availability. HiveMQ Cloud Enterprise does not support Workload Identity Federation for the Google Cloud Pub/Sub extension.
Data Hub
HiveMQ Data Hub is the integrated policy engine for data integrity and quality. For how it works, see the Data Hub documentation.
| Capability | Status | Notes |
|---|---|---|
| Data Hub (policies, behavior models, schemas, transformations) | On request | Disabled by default. HiveMQ enables it on request. |
| Manage Data Hub via Control Center | On request | HiveMQ enables the Control Center view on request. |
| REST API for Data Hub | Not supported | The Cloud REST API does not include Data Hub. |

Observability: Logs, Metrics, and Tracing
For metrics details, see HiveMQ Cloud Metrics; for logs, see HiveMQ Cloud Troubleshooting.
| Capability | Status | Notes |
|---|---|---|
| Metrics via REST API endpoint | Available | Prometheus-compatible. See Metrics. |
| Logs via REST API endpoint | Available | Includes access, event, and Data Hub logs. |
| Logs via Cloud Console troubleshooting view | Available | See Troubleshooting. |
| Push metrics to OTLP-compatible endpoints | On request | HiveMQ ships metrics to your OpenTelemetry collector. |
| Push logs to OTLP-compatible endpoints | On request | Enterprise capability. HiveMQ ships logs to your OpenTelemetry collector. |
| Push traces to OTLP-compatible endpoints | Not supported | HiveMQ Cloud Enterprise does not yet support distributed trace exports. |
| Configurable log subset and log level | On request | |

Not Available in HiveMQ Cloud Enterprise
The following capabilities are part of the self-operated HiveMQ product. HiveMQ Cloud Enterprise does not support them:
- Custom (customer-owned) extensions, the Community SDK, and the Enterprise Extension SDK.
- LDAP authentication and authorization, and ESE integrations with SQL databases, LDAP, or Active Directory.
- Identity federation mechanisms, other than OAuth and OpenID Connect via JWT.
- The HiveMQ Distributed Tracing Extension, because HiveMQ Cloud Enterprise does not yet support trace exports.
- HiveMQ Swarm, available only as a self-operated tool.
- Cluster backup and restore, and diagnostic archive creation. The HiveMQ Cloud team uses these capabilities internally, and they are not available to customers.
- Viewing license information in the Control Center.
- Virtual Private Cloud (VPC) peering and shared-VPC networking. See Private networking.