HiveMQ Cloud Enterprise Feature Availability and Applicability

This page is the reference for what a HiveMQ Cloud Enterprise deployment includes and where it differs from the self-operated HiveMQ Enterprise MQTT Broker. It lists the availability of each capability in Cloud Enterprise: available, available on request, restricted, or not supported. Each entry links to the product documentation for how the capability works.

Availability Legend

| Status | Meaning |
| --- | --- |
| Available | Included in HiveMQ Cloud Enterprise. |
| On request | Included, but HiveMQ enables or configures the capability at your request through your account team or support. |
| Restricted | Available with a cloud-specific limitation or difference from the self-operated broker. |
| Not supported | Not offered in HiveMQ Cloud Enterprise. |

Because HiveMQ Cloud Enterprise is a managed service, HiveMQ configures many capabilities on request. These capabilities are self-service in the self-operated HiveMQ broker.

HiveMQ Enterprise MQTT Broker Capabilities

These are the core capabilities of the dedicated HiveMQ broker. For detailed information on how they work, see the HiveMQ Platform documentation.

| Capability | Status | Notes |
| --- | --- | --- |
| MQTT 3.1, 3.1.1, and 5 | Available | Interoperable protocol support. |
| Sparkplug awareness | On request | Sparkplug-aware extension enabled on request. |
| Masterless, distributed cluster | Available | HiveMQ operates the cluster with high availability. |
| Multiple simultaneous listeners, including WebSocket | Available | See Public listener. Additional listeners on request. |
| Rolling upgrades | Available | HiveMQ performs upgrades as part of the managed service. |
| Cluster overload protection | Available | |
| Handshake overload protection | Available | |
| Pre-declared shared subscriptions | On request | |
| MQTT add-ons | On request | For example, expired, dropped, and dead-message queues. |
| PROXY protocol (v1 and v2) | Available | |
| Disaster recovery mechanisms | Available | HiveMQ operates these mechanisms. |
| REST API | Available | See HiveMQ Cloud REST API. |
| Maintenance exclusion windows | On request | Customer-defined windows during which HiveMQ does not update the cluster. |
| Static IPs for MQTT endpoints | On request | Fixed IP range for firewall allow lists. |
| Broker certificate rotation | Available | HiveMQ manages rotation. |
| Audit log | Restricted | HiveMQ captures the broker audit log internally and can provide it on request. It is not a self-service feature. |

Security and Access Control

For how authentication and authorization work, see TLS and authentication and the Enterprise Security Extension documentation.

| Capability | Status | Notes |
| --- | --- | --- |
| TLS-secured communication | Available | HiveMQ enables TLS by default on all listeners. |
| Username and password authentication | Available | Default method. |
| Client certificate authentication (mTLS, X.509) | Available | |
| JSON Web Token (JWT) authentication | Available | Includes OAuth/OpenID Connect integration. |
| LDAP authentication and authorization | Not supported | Not offered in Cloud. See Not Supported in HiveMQ Cloud Enterprise. |
| Role-based access control (RBAC) | Available | Permissions are assigned to roles; roles are assigned to credentials. |
| Per-credential permissions (non-RBAC) | Not supported | Cloud uses role-based access control: permissions are assigned to roles, and roles are assigned to credentials, client certificates, or JWT authentication — not directly to individual credentials. |
| Fine-grained REST API access control | Available | |
| Client certificate revocation (CRL) and OCSP | On request | Certificate revocation lists (CRL) and Online Certificate Status Protocol (OCSP). |
| OCSP stapling | On request | |

Managed Cloud Capabilities

These capabilities are specific to the managed HiveMQ Cloud Enterprise service.

| Capability | Status | Notes |
| --- | --- | --- |
| Enterprise uptime SLA | Available | Applies to the production environment. |
| Custom domain names (Let’s Encrypt via ACME) | Available | See Custom domains. |
| Custom domain names (custom CA via cert-manager) | On request | Integrates with your public key infrastructure (PKI). |
| REST API for credentials, roles, and rights | Available | See Authentication and authorization. |
| PrivateLink for MQTT endpoints | On request | See Private networking. |
| Mounting PrivateLink endpoints for Enterprise Extensions | On request | Where the target service supports it. |
| Push logs and metrics to OTLP endpoints | On request | Ships to your OpenTelemetry Protocol (OTLP) endpoint. See Observability. |
| Cloud Console single sign-on (SSO) | Available | See Enterprise Single Sign-On. |

Enterprise Security Extension

The Enterprise Security Extension (ESE) expands role, user, and permission management. For how it works, see the Enterprise Security Extension documentation.

| Capability | Status | Notes |
| --- | --- | --- |
| Structured security access log | Available | |
| OAuth/OpenID Connect integration via JWT | Available | |
| Client certificate revocation | On request | |
| ESE variables in permissions | Available | General-purpose variables in self-service are limited. HiveMQ configures complex setups on request. |
| Custom authentication pipelines using default preprocessors | On request | |
| Integrations with SQL databases, LDAP, or Active Directory | Not supported | Authentication and authorization run on the critical path of the broker. To keep the managed service reliable, HiveMQ does not depend on authentication components outside its control, such as customer-hosted databases or directories. Contact us to discuss your requirements. |
| Custom authentication SDK / custom preprocessors | Not supported | Custom authentication code runs on the critical path of the broker. To protect service reliability, HiveMQ does not offer custom authentication SDKs or preprocessors. Contact us to discuss your requirements. |

Enterprise Extensions (Data Integrations)

Enterprise Extensions integrate the broker with third-party services. In HiveMQ Cloud Enterprise, HiveMQ enables and configures these extensions on request.

| Extension | Status | Learn more |
| --- | --- | --- |
| Apache Kafka | On request | Kafka extension |
| Amazon Kinesis | On request | Kinesis extension |
| Google Cloud Pub/Sub | On request | Pub/Sub extension |
| MongoDB | On request | MongoDB extension |
| PostgreSQL | On request | PostgreSQL extension |
| MySQL | On request | MySQL extension |
| Microsoft SQL Server | On request | Microsoft SQL Server extension |
| Snowflake | On request | Snowflake extension |
| Data Lake (S3-compatible) | On request | Data Lake extension |
| Bridge | On request | Bridge extension |

HiveMQ reviews custom transformers for Enterprise Extensions before use to confirm they do not affect service availability. HiveMQ Cloud Enterprise does not support Workload Identity Federation for the Google Cloud Pub/Sub extension.

Data Hub

HiveMQ Data Hub is the integrated policy engine for data integrity and quality. For how it works, see the Data Hub documentation.

| Capability | Status | Notes |
| --- | --- | --- |
| Data Hub (policies, behavior models, schemas, transformations) | On request | Disabled by default. HiveMQ enables it on request. |
| Manage Data Hub via Control Center | On request | HiveMQ enables the Control Center view on request. |
| REST API for Data Hub | Not supported | The Cloud REST API does not include Data Hub. |

Observability: Logs, Metrics, and Tracing

For metrics details, see HiveMQ Cloud Metrics; for logs, see HiveMQ Cloud Troubleshooting.

| Capability | Status | Notes |
| --- | --- | --- |
| Metrics via REST API endpoint | Available | Prometheus-compatible. See Metrics. |
| Logs via REST API endpoint | Available | Includes access, event, and Data Hub logs. |
| Logs via Cloud Console troubleshooting view | Available | See Troubleshooting. |
| Push metrics to OTLP-compatible endpoints | On request | HiveMQ ships metrics to your OpenTelemetry collector. |
| Push logs to OTLP-compatible endpoints | On request | Enterprise capability. HiveMQ ships logs to your OpenTelemetry collector. |
| Push traces to OTLP-compatible endpoints | Not supported | HiveMQ Cloud Enterprise does not yet support distributed trace exports. |
| Configurable log subset and log level | On request | |

Not Available in HiveMQ Cloud Enterprise

The following capabilities are part of the self-operated HiveMQ product. HiveMQ Cloud Enterprise does not support them:

  • Custom (customer-owned) extensions, the Community SDK, and the Enterprise Extension SDK.

  • LDAP authentication and authorization, and ESE integrations with SQL databases, LDAP, or Active Directory.

  • Identity federation mechanisms, other than OAuth and OpenID Connect via JWT.

  • The HiveMQ Distributed Tracing Extension, because HiveMQ Cloud Enterprise does not yet support trace exports.

  • HiveMQ Swarm, available only as a self-operated tool.

  • Cluster backup and restore, and diagnostic archive creation. The HiveMQ Cloud team uses these capabilities internally, and they are not available to customers.

  • Viewing license information in the Control Center.

  • Virtual Private Cloud (VPC) peering and shared-VPC networking. See Private networking.