.. _cloud-vpc:

VPC Peering in |ccloud|
=======================

You can use `virtual private clouds (VPC) `__ with |ccloud-ent| to maximize the security of your cloud infrastructure. All communication in |ccloud| is encrypted, but a VPC also reduces the attack surface available to potential attackers. You can create VPCs with private IP `CIDR (Classless Inter-Domain Routing) `__ blocks and run your instances inside the VPCs on these private networks. The VPC can include your applications and all of your cloud services. You can then peer your VPCs with Confluent VPCs so that you can access |ccloud| from within the linked private networks.

.. important::

   - If you use VPC peering, your clusters will not have public endpoints and you can only access them from peered VPCs.
   - After a cluster has been provisioned with VPC peering, you cannot change the VPC peering details.

Supported Features
------------------

|ccloud-ent| supports the following VPC peering features:

- Single (1:1) VPC peering to one or more |ccloud| VPCs. You can peer one private VPC with one or more |ccloud| VPCs.
- A |ccloud| VPC can contain any number of clusters.

Limitations
-----------

- All clusters in a |ccloud| VPC must have the same HA configuration (i.e., all single-AZ or all multi-AZ clusters).
- Private and |ccloud| VPCs must be in the same region (e.g., |aws| us-east-1).
- You cannot directly connect from an on-premises datacenter to |ccloud|. To do so, you must first land in a shared services VPC that you own and that is peered to Confluent. Transitive VPC peering is not supported. For more information about how to configure your |aws-long| (|aws|) VPCs to achieve transitivity across VPCs, see `Multiple-VPC VPN Connection Sharing `__.

Getting Started
---------------

To implement VPC peering in your environment, order |ccloud-ent| with VPC peering enabled. You will be asked to provide the following information to your Confluent representative.
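Before you hand these details over, it helps to check them against the CIDR rules stated in the |aws| and |gcp| sections that follow. The script below is an added example, not Confluent's code: it takes your own CIDR list and the Confluent-side CIDR and reports any block that falls in ``198.18.0.0/15`` or ``10.255.0.0/16``, is not a valid network address, or overlaps another block; the ``check_customer_cidrs``, ``check_confluent_cidr`` and ``provider`` names are this example's own.

```python
import ipaddress

# Blocks this page says a customer-side CIDR on AWS must not use.
FORBIDDEN_CUSTOMER_BLOCKS = (
    ipaddress.ip_network("198.18.0.0/15"),
    ipaddress.ip_network("10.255.0.0/16"),
)
# Netblock this page says the Confluent-side CIDR on AWS is allocated from.
CONFLUENT_AWS_NETBLOCK = ipaddress.ip_network("198.18.0.0/15")

def check_customer_cidrs(cidrs):
    """Return a list of problems with your own CIDR list (empty list means OK)."""
    problems, accepted = [], []
    for text in cidrs:
        try:
            # strict=True rejects blocks with host bits set, e.g. 10.1.0.1/16
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as err:
            problems.append(f"{text}: not a valid CIDR block ({err})")
            continue
        for bad in FORBIDDEN_CUSTOMER_BLOCKS:
            if net.overlaps(bad):
                problems.append(f"{text}: overlaps reserved block {bad}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{text}: overlaps your own block {other}")
        accepted.append(net)
    return problems

def check_confluent_cidr(cidr, customer_cidrs, provider):
    """Check the Confluent-side CIDR: on AWS it must come from 198.18.0.0/15,
    on GCP it must be a /16, and on both it must not overlap your ranges.
    Run check_customer_cidrs() first so customer_cidrs are known to parse."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=True)
    if provider == "aws" and not net.subnet_of(CONFLUENT_AWS_NETBLOCK):
        problems.append(f"{cidr}: AWS Confluent CIDR must come from {CONFLUENT_AWS_NETBLOCK}")
    if provider == "gcp" and net.prefixlen != 16:
        problems.append(f"{cidr}: GCP Confluent CIDR must be a /16")
    for text in customer_cidrs:
        if net.overlaps(ipaddress.ip_network(text, strict=False)):
            problems.append(f"{cidr}: overlaps your block {text}")
    return problems

if __name__ == "__main__":
    # Constructed sample input, not taken from any real deployment.
    mine = ["10.20.0.0/16", "10.255.1.0/24", "192.168.1.5/24"]
    for line in check_customer_cidrs(mine) + check_confluent_cidr("198.19.0.0/20", mine, "aws"):
        print(line)
```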
-----------------
|ccloud| on |aws|
-----------------

Provide the following information to your Confluent representative.

- The account ID associated with the VPC that you are peering with Confluent.
- The VPC ID that you are peering with Confluent.
- The |aws| region of the VPC that you are peering with Confluent. This must be the same region as the |ccloud| cluster.
- The VPC `CIDR `__ or list of CIDRs for your side. You cannot use a CIDR in ``198.18.0.0/15`` or ``10.255.0.0/16``.
- The VPC CIDR for the Confluent side will be provided by Confluent. It will come from the ``198.18.0.0/15`` netblock.
- You must have route table entries for the Confluent CIDR block.
- You must have security group rules that allow traffic to the Confluent CIDR block.

.. important:: If you add more subnet blocks to your VPC after the initial setup, you must notify Confluent. The routes on the Confluent side must be updated to route back to your new subnets.

For more information about VPC peering with |aws|, see `What Is Amazon VPC? `__.

----------------------
|ccloud| on |gcp-long|
----------------------

Provide the following information to your Confluent representative.

- The project ID.
- The network ID.
- A VPC `CIDR `__ block for Confluent to use. The CIDR must be a ``/16``.
- You might need to increase your route quota when you use VPC peering in |gcp-long| (|gcp|), because the Confluent and |gcp| routes are shared.

For more information about VPC peering with |gcp|, see `VPC Network Peering `__.

.. _sr-ccloud-vpc:

Using |sr-ccloud| in a VPC Peered Environment
---------------------------------------------

If you have a VPC peered environment and you want to use |sr-ccloud|, you must open outbound calls (egress) to a public |sr| endpoint. This is because |sr-ccloud| is a multi-tenant |sr|.

Prerequisites
   |sr-ccloud| is :ref:`enabled and configured `. |sr-ccloud| is currently available as a preview. For more information, see :ref:`sr-prv`.

#.
   From the **Environment Overview** page, click **SCHEMA REGISTRY**. On the **Usage** tab you should see the |sr| endpoint, for example ``https://confluent.us-east-2.aws.confluent.cloud``.

   .. image:: ../images/cloud-sr-view.png

#. Open outbound calls to the |sr-ccloud| endpoint. Follow the instructions for your cloud provider.

   |aws| VPC
      Configure outbound call access for these |aws| VPC networking components:

      - Follow the instructions in the |aws| `Internet Gateway documentation `_.
      - Follow the instructions in the |aws| `NAT Gateway documentation `_.
      - Follow the instructions in the |aws| `NAT Instance documentation `_.

   |gcp| VPC
      Configure outbound call access for |gcp| `networking components `_.

#. .. include:: includes/sr-verify.rst