Use AWS Transit Gateway with Confluent Cloud¶

You can use AWS Transit Gateway to connect your VPCs to your Confluent Cloud clusters. The transit gateway acts as a cloud router, with each connection only made once. Your data is encrypted and never travels over the public internet.

Requirements¶

To use AWS Transit Gateway with Confluent Cloud, you need the followings:

An AWS Transit Gateway must be configured and ready to use for your AWS account.

To create a transit gateway, see Create a transit gateway in the AWS documentation.
A resource share for your Confluent Cloud network must be created in your AWS Resource Access Manager (RAM) Console.

For details, see Creating a resource share in AWS RAM and Share a transit gateway in the AWS documentation.

To share your AWS transit gateway with your Confluent Cloud network, use the Confluent Cloud AWS Account ID as the principal. In the Confluent Cloud Console, you can find the Confluent Cloud AWS Account listed in your Confluent Cloud network under Network overview.
A Confluent Cloud network of type TRANSITGATEWAY on AWS.
All AWS availability zones, except use1-az3, are supported in the us-east-1 region.
Cluster Linking

Cluster links between two AWS Transit Gateway clusters are supported in the following CIDR blocks:
- RFC 1918
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
- RFC 6598
  - 100.64.0.0/10
All CIDR blocks are compatible with Cluster Linking between a public internet cluster and an AWS Transit Gateway cluster, or between a Confluent Platform (version 7.0 or later) cluster and an AWS Transit Gateway cluster.

Add an AWS transit gateway attachment¶

After you create a Confluent Cloud network for your AWS Transit Gateway hub, you can:

Add an AWS transit gateway attachment to a Confluent Cloud network
Migrate from AWS VPC Peering to AWS Transit Gateway

Existing Confluent Cloud clusters using public internet or AWS PrivateLink cannot be converted to use AWS Transit Gateway.

Add an AWS transit gateway attachment to a Confluent Cloud network¶

Sign in to Confluent Cloud Console at https://confluent.cloud/login, go to your environment, and then click Network management.
Click the Confluent Cloud network (configured for AWS Transit Gateway) that you want to add a transit gateway attachment to, and then click the Connections tab.
Click + Transit Gateway. The Add Transit Gateway Attachment page appears.
On the Add Transit Gateway Attachment page, enter the following information, and then click Add.
- Name: Enter a meaningful name for your attachment.
- AWS RAM share ID: The Amazon Resource Name (ARN) of resource share for the transit gateway attachment. You can find the resource share ARN in your AWS Resource Access Manager console.
  
  Example: arn:aws:ram:us-west-2:587051064079:resource-share/9d4ab048-9bde-4a9f-8cc6-d19a83635747
- AWS Transit Gateway ID: The identifier (ID) of the AWS Transit Gateway that you are connecting to the Confluent Cloud network.
- AWS VPC CIDR: The CIDR block for your AWS VPC.
  
  The CIDR block is the specific route used for the Confluent VPC and AWS Transit Gateway route tables.
  
  See CIDR blocks in Confluent Cloud network for the requirements.
Your Transit Gateway Attachment will transition to READY in the Confluent Cloud Console. You may need to check if Auto accept shared attachments is configured on your Transit Gateway.

Here is an example REST API request:

REST request

POST https://api.confluent.cloud/networking/v1/transit-gateway-attachments

REST authentication

See Authentication.

REST request body

In the request specification, include values for cloud, region, environment, connection type, and, optionally, add the display name, CIDR, and zones for the Confluent Cloud network. Update the attributes below with the correct values.

See CIDR blocks requirements for detail requirements.

{
   "spec":{
      "display_name":"prod-tgw-use1",
      "cloud":{
         "kind":"AwsTransitGatewayAttachment",
         "ram_share_arn":"arn:aws:ram:us-west-3:000000000000:resource-share/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
         "transit_gateway_id":"tgw-xxxxxxxxxxxxxxxxx",
         "routes":[
            "100.64.0.0/10",
            "10.0.0.0/8",
            "192.168.0.0/16",
            "172.16.0.0/12"
         ]
      },
      "environment":{
         "id":"env-00000",
         "environment":"string"
      },
      "network":{
         "id":"n-00000",
         "environment":"string"
      }
   }
}

After provisioning, your new transit gateway attachment is available for use. Before you can use the transit gateway attachment, you should:

Confirm your VPC and transit gateway routes are correct.
Update the routing tables for your VPCs.

If your transit gateway attachment fails, delete the attachment and create a new one.

Attachment failures can occur for the following reasons:

The attachment is not shared with the correct AWS principal for the Confluent Cloud network.
The transit gateway was not added to the AWS resource share.
The AWS resource share ARN is not correct.

If you delete the transit gateway attachment, you must also delete the transit gateway route table entry for the Confluent Cloud network.

Migrate from AWS VPC peering connections to AWS transit gateway attachments¶

Warning

Establish a maintenance window

Maintaining concurrent transit gateway attachments and VPC peering connections might result in a degraded experience due to asymmetric routing with MTU mismatches between the two connectivity types. Confluent recommends establishing a planned “maintenance window” during which both connection types exist to avoid packet losses for your critical workloads. While concurrent connections exist, traffic will be charged at AWS transit gateway rates.

Because of the potential for degraded experience, migrations between VPC peering connections and transit gateway attachments on the same network require filing a Confluent Support ticket.

To migrate from a Confluent Cloud network that uses AWS VPC Peering to a network using an AWS Transit Gateway hub, perform the following steps:

Sign in to the Confluent Support Portal at https://support.confluent.io/hc/, click SUBMIT A REQUEST, and then click AWS Transit Gateway Provisioning.
- Request to migrate your Confluent Cloud VPC Peering network (with existing VPC peering connections) to an AWS Transit Gateway network.
- Include your Confluent Cloud network name and network ID (available from the Confluent Cloud Console).
After Confluent Support temporarily enables concurrent connection types (for both VPC peering connections and transit gateway attachments), you will be informed that you can proceed with your migration, and you can continue to the next step.
For each existing VPC peering connection, perform the following steps:
1. In the Confluent Cloud Console, create an AWS transit gateway attachment.
2. In the Confluent Cloud Console, delete the existing VPC peering connection.
3. Go to your AWS VPC console at https://console.aws.amazon.com/vpc/home and delete the AWS peering resource and the associated routes in your VPC route table.
Warning

If your VPC resources are not deleted, asymmetric routing and packet losses occur, resulting in a degraded experience.
Validate connectivity succeeds over the newly provisioned resources.
After you complete the migration and validation steps, inform Confluent Support so that they can disable VPC peering connections and close the ticket.

You have successfully migrated from using VPC peering connections to transit gateway attachments.

Validate connectivity to Confluent Cloud¶

To validate that the connectivity between your Confluent Cloud Kafka clusters and AWS Transit Gateway works correctly:

From an instance within the VPC (or anywhere the previous step’s DNS is set up), perform the OpenSSL test. Use <bootstrap URL> from the Confluent Cloud Console which includes the host value and the 9092 port.
```
openssl s_client -connect <bootstrap URL>
```
For details about the openssl command, see the OpenSSL documentation.

Upon a successful connection, you will see a CONNECTED message in the output.
Next, verify connectivity using the Confluent Cloud CLI.
1. Sign in to Confluent CLI with your Confluent Cloud credentials.
```
confluent login
```
2. List the clusters in your organization.
```
confluent kafka cluster list
```
3. Select the cluster with AWS Transit Gateway you wish to test.
```
confluent kafka cluster use ...
```
  For example:
```
confluent kafka cluster use lkc-a1b2c
```
4. Create a cluster API key to authenticate with the cluster.
```
confluent api-key create --resource ... --description ...
```
  For example:
```
confluent api-key create --resource lkc-a1b2c --description "connectivity test"
```
5. Select the API key you just created.
```
confluent api-key use ... --resource ...
```
  For example:
```
confluent api-key use WQDMCIQWLJDGYR5Q --resource lkc-a1b2c
```
6. Create a test topic.
```
confluent kafka topic create test
```
7. Start consuming events from the test topic.
```
confluent kafka topic consume test
```
8. Open another terminal tab or window.
9. Start a producer.
```
confluent kafka topic produce test
```
10. Type anything into the produce tab and hit Enter; press Ctrl+D or Ctrl+C to stop the producer.
11. The tab running consume will print what was typed in the tab running produce.

You’re done! The cluster is ready for use.