You are viewing documentation for an older version of Confluent Platform. For the latest, click here.

VPC Peering in Confluent Cloud

You can use virtual private clouds (VPC) with Confluent Cloud Enterprise to maximize the security of your cloud infrastructure. All communication in Confluent Cloud is encrypted, but a VPC can decrease the available surface area for potential attackers.

You can create VPCs with private IP CIDR (Classless Inter-Domain Routing) blocks and run your instances inside the VPCs on these private networks. The VPC can include applications and all of your cloud services. You can then peer your VPCs with Confluent VPCs so that you can access Confluent Cloud within the linked private networks.


  • If you use VPC peering, your clusters will not have public endpoints and you can only access them from peered VPCs.
  • After a cluster has been provisioned with VPC peering, you cannot change the VPC peering details.

Supported Features

Confluent Cloud Enterprise supports the following VPC peering features:

  • Single (1:1) VPC peering to one or more Confluent Cloud VPCs. You can peer one private VPC with one or more Confluent Cloud VPCs.
  • Confluent Cloud VPC can contain any number of clusters.


  • All clusters in a Confluent Cloud VPC must have the same HA configuration (i.e., all single-AZ or all multi-AZ clusters).
  • Private and Confluent Cloud VPCs must be in the same region (e.g. AWS us-east-1).
  • You cannot directly connect from an on-premises datacenter to Confluent Cloud. To do so, you must first land in a shared services VPC that you own that is peered to Confluent. Transitive VPC peering is not supported. For more information about how to configure your Amazon Web Services (AWS) VPCs to achieve transitivity across VPCs, see Multiple-VPC VPN Connection Sharing.

Getting Started

To implement VPC peering in your environment, order Confluent Cloud Enterprise with VPC peering enabled. You will be asked to provide the following information to your Confluent representative.

Confluent Cloud on AWS

Provide the following information to your Confluent representative.

  • The account ID associated with the VPC that you are peering to Confluent.
  • The VPC ID that you are peering with Confluent.
  • The AWS region of the VPC that you are peering with Confluent. This must be the same region as the Confluent Cloud cluster.
  • The VPC CIDR or list of CIDRs for your side. You cannot use a CIDR in or
  • The VPC CIDR for the Confluent side will be provided by Confluent. It will come from the netblock.
    • Your route tables must include a route to the Confluent CIDR block.
    • Your security group rules must allow traffic to the Confluent CIDR block.


If you add more subnet blocks to your VPC after the initial setup, you must notify Confluent. The routes on the Confluent side must be updated to route back to your new subnets.

For more information about VPC peering with AWS, see What Is Amazon VPC?.

Confluent Cloud on Google Cloud Platform

Provide the following information to your Confluent representative.

  • The project ID.
  • The network ID.
  • A VPC CIDR block for Confluent to use. The CIDR block must be a /16.
    • You might need to increase your route quota when you use a VPC peering in Google Cloud Platform (GCP) because the Confluent and GCP routes are shared.

For more information about VPC peering with GCP, see VPC Network Peering.
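The AWS requirements above (no CIDR overlap, a route to the Confluent block, a security group rule covering it, and routes updated when you add subnets) and the GCP /16 requirement can all be checked before you hand the details to Confluent. The following script is an added example, not part of this documentation or of any Confluent tool; the Confluent-side CIDR, the route table rows, the "pcx-" target prefix for peering routes and the security group rules are constructed placeholders.

```python
import ipaddress

# Constructed placeholder: the real Confluent-side CIDR comes from the
# Confluent netblock and is supplied when the cluster is provisioned.
CONFLUENT_CIDR = "10.255.0.0/16"

def net(cidr):
    # strict=True rejects a CIDR with host bits set (e.g. 10.1.2.3/16)
    return ipaddress.ip_network(cidr, strict=True)

def overlapping_cidrs(your_cidrs, confluent_cidr=CONFLUENT_CIDR):
    """Your-side CIDRs that collide with the Confluent block; must be empty."""
    c = net(confluent_cidr)
    return [str(n) for n in map(net, your_cidrs) if n.overlaps(c)]

def is_valid_gcp_block(cidr):
    """GCP only: the block you hand to Confluent must be a private /16."""
    n = net(cidr)
    return n.prefixlen == 16 and n.is_private

def unrouted(route_table, needed_cidrs):
    """needed_cidrs not covered by any peering route in route_table.

    route_table is a constructed list of {"destination": cidr, "target": id}
    rows in the shape of an AWS route table; peering routes are assumed to
    carry a "pcx-" target prefix. Run it on your side with [CONFLUENT_CIDR]
    and on the Confluent side with your subnets to catch a subnet that was
    added after the initial setup.
    """
    covered = [net(r["destination"]) for r in route_table
               if str(r.get("target", "")).startswith("pcx-")]
    return [c for c in needed_cidrs
            if not any(net(c).subnet_of(d) for d in covered)]

def blocked_by_sg(egress_rules, confluent_cidr=CONFLUENT_CIDR):
    """True if no egress rule allows traffic to the whole Confluent block."""
    c = net(confluent_cidr)
    return not any(c.subnet_of(net(r["cidr"])) for r in egress_rules)

# Constructed sample inputs for a single peered AWS VPC
YOUR_CIDRS = ["10.1.0.0/16", "10.2.0.0/24"]
ROUTES = [{"destination": "10.1.0.0/16", "target": "local"},
          {"destination": "10.255.0.0/16", "target": "pcx-EXAMPLE"}]
SG_EGRESS = [{"cidr": "10.255.0.0/17"}]  # covers only half of the block

if __name__ == "__main__":
    print("overlaps:", overlapping_cidrs(YOUR_CIDRS))       # []
    print("unrouted:", unrouted(ROUTES, [CONFLUENT_CIDR]))  # []
    print("sg blocks:", blocked_by_sg(SG_EGRESS))           # True
```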

Using Confluent Cloud Schema Registry in a VPC Peered Environment

If you have a VPC peered environment and you want to use Confluent Cloud Schema Registry, you must open outbound calls (egress) to a public Schema Registry endpoint. This is because Confluent Cloud Schema Registry is a multi-tenant Schema Registry.

This procedure assumes that Confluent Cloud Schema Registry is enabled and configured. Confluent Cloud Schema Registry is currently available as a preview. For more information, see Confluent Cloud Schema Registry Preview.
  1. From the Environment Overview page, click SCHEMA REGISTRY. From the Usage tab you should see the Schema Registry endpoint. For example https//

  2. Open outbound calls to the Confluent Cloud Schema Registry endpoint. Follow the instructions based on your cloud provider.


    Configure outbound call access for these AWS VPC networking components:


    Configure outbound call access for GCP networking components.

  3. Optional: Verify that your Schema Registry credentials are properly configured, where Schema Registry API key (<schema-registry-api-key>), API secret (<schema-registry-api-secret>), and endpoint (<schema-registry-url>) are specified.

    Run this command to authenticate with the cluster and list the topics registered in your schema.

    curl -u <schema-registry-api-key>:<schema-registry-api-secret> \

    If no subjects are created, your output will be empty ([]). If you have subjects, your output should resemble:


    Here is an example command:

    curl -u schemaregistry5000:alsdkjaslkdjqwemnoilbkjerlkqj123123opwrqpru \