VPC Peering in Confluent Cloud

You can use virtual private clouds (VPCs) with Confluent Cloud Enterprise to maximize the security of your cloud infrastructure. All communication in Confluent Cloud is encrypted, but a VPC also reduces the attack surface exposed to potential attackers, because the cluster is reachable only from your private networks rather than from the public Internet.

You can create VPCs with private IP CIDR (Classless Inter-Domain Routing) blocks and run your instances inside the VPCs on these private networks. The VPC can include applications and all of your cloud services. You can then peer your VPCs with Confluent VPCs so that you can access Confluent Cloud within the linked private networks.

Important

  • If you use VPC peering, your clusters will not have public endpoints and you can only access them from peered VPCs.
  • After a cluster has been provisioned with VPC peering, you cannot change the VPC peering details.

Supported Features

Confluent Cloud Enterprise supports the following VPC peering features:

  • Single (1:1) VPC peering: you can peer one private VPC with one or more Confluent Cloud VPCs.
  • A Confluent Cloud VPC can contain any number of clusters.

Limitations

  • All clusters in a Confluent Cloud VPC must have the same high-availability (HA) configuration (that is, all single-AZ clusters or all multi-AZ clusters).
  • Your private VPC and the Confluent Cloud VPC must be in the same region (for example, AWS us-east-1).
  • You cannot connect directly from an on-premises datacenter to Confluent Cloud. To do so, you must first land in a shared services VPC that you own and that is peered with Confluent. Transitive VPC peering is not supported. For more information about how to configure your Amazon Web Services (AWS) VPCs to achieve transitivity across VPCs, see Multiple-VPC VPN Connection Sharing.

Getting Started

To implement VPC peering in your environment, order Confluent Cloud Enterprise with VPC peering enabled. You will be asked to provide the following information to your Confluent representative.

Confluent Cloud on AWS

Provide the following information to your Confluent representative.

  • The account ID associated with the VPC that you are peering to Confluent.
  • The VPC ID that you are peering with Confluent.
  • The AWS region of the VPC that you are peering with Confluent. This must be the same region as the Confluent Cloud cluster.
  • The VPC CIDR or list of CIDRs for your side. You cannot use a CIDR that falls within 198.18.0.0/15 or 10.255.0.0/16.
  • The VPC CIDR for the Confluent side will be provided by Confluent. It will come from the 198.18.0.0/15 netblock.
    • Your route tables must contain routes to the Confluent CIDR block (via the peering connection).
    • Your security group rules must allow traffic to the Confluent CIDR block.

Important

If you add more subnet blocks to your VPC after the initial setup, you must notify Confluent. The routes on the Confluent side must be updated to route back to your new subnets.

For more information about VPC peering with AWS, see What Is Amazon VPC?.

Confluent Cloud on Google Cloud Platform

Provide the following information to your Confluent representative.

  • The project ID.
  • The network ID.
  • A VPC CIDR block for Confluent to use. The CIDR must be a /16 block.
    • You might need to increase your route quota when you use VPC peering in Google Cloud Platform (GCP), because the Confluent and GCP routes are shared.

For more information about VPC peering with GCP, see VPC Network Peering.
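As an added example (not Confluent's code or tooling), the following Python script pre-checks the values from the AWS and GCP lists above before you hand them to your Confluent representative: it rejects customer-side CIDRs that overlap 198.18.0.0/15 or 10.255.0.0/16, confirms that the Confluent-provided CIDR comes from 198.18.0.0/15 and does not collide with your own blocks, lists subnet blocks added after the initial setup that Confluent still has to be told about (so return routes can be added), and checks that a GCP block is a /16. All sample CIDRs are constructed values, not real deployments; the overlap-among-your-own-CIDRs check is an extra sanity check that this page does not state.

```python
"""Pre-flight checks for the VPC peering details listed on this page.

Added example; assumes IPv4 CIDRs and the constraints stated in the AWS
and GCP sections above. Sample values below are constructed.
"""
import ipaddress
from typing import Iterable, List

# Netblocks that a customer-side AWS CIDR must not overlap (from the AWS list above).
AWS_FORBIDDEN = (
    ipaddress.ip_network("198.18.0.0/15"),
    ipaddress.ip_network("10.255.0.0/16"),
)
# Confluent assigns its AWS-side CIDR out of this netblock.
CONFLUENT_AWS_NETBLOCK = ipaddress.ip_network("198.18.0.0/15")


def check_aws_cidrs(customer_cidrs: Iterable[str], confluent_cidr: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the values pass."""
    problems: List[str] = []
    nets: List[ipaddress.IPv4Network] = []

    for cidr in customer_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid CIDR block ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{cidr}: only IPv4 CIDRs are handled by this check")
            continue
        for forbidden in AWS_FORBIDDEN:
            if net.overlaps(forbidden):
                problems.append(f"{cidr}: overlaps reserved block {forbidden}")
        nets.append(net)

    # Extra sanity check (not on the page): your own CIDRs should not overlap each other.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} and {b}: customer CIDRs overlap each other")

    try:
        conf = ipaddress.ip_network(confluent_cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{confluent_cidr}: Confluent CIDR is not valid ({exc})")
        return problems
    if conf.version != 4 or not conf.subnet_of(CONFLUENT_AWS_NETBLOCK):
        problems.append(f"{confluent_cidr}: Confluent CIDR is not inside {CONFLUENT_AWS_NETBLOCK}")
    for net in nets:
        if net.overlaps(conf):
            problems.append(f"{net}: overlaps the Confluent CIDR {conf}")
    return problems


def subnets_needing_notification(initial_cidrs: Iterable[str], current_cidrs: Iterable[str]) -> List[str]:
    """Return blocks in current_cidrs not covered by what was declared at initial setup.

    Per the Important note in the AWS section, Confluent must add return routes
    for these; a block already inside an initially declared CIDR needs no notice.
    """
    initial = [ipaddress.ip_network(c) for c in initial_cidrs]
    added: List[str] = []
    for cidr in current_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(old) for old in initial):
            added.append(str(net))
    return added


def check_gcp_cidr(cidr: str) -> List[str]:
    """GCP side: the block reserved for Confluent must be a /16."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen != 16:
        return [f"{cidr}: Confluent requires a /16 block on GCP, got /{net.prefixlen}"]
    return []


if __name__ == "__main__":
    # Constructed sample values, not real account or VPC details.
    customer = ["10.20.0.0/16", "10.255.0.0/24", "198.19.5.0/24"]
    for problem in check_aws_cidrs(customer, "198.18.16.0/20"):
        print("AWS:", problem)
    print("notify Confluent about:", subnets_needing_notification(["10.20.0.0/16"], ["10.20.1.0/24", "10.30.0.0/16"]))
    print("GCP:", check_gcp_cidr("10.200.0.0/20"))
```

This is a local sanity check only: the route table entries and security group rules from the AWS list are still configured in AWS itself, and the Confluent-side return routes are added by Confluent once you report any new subnet blocks.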