Use AWS Transit Gateway with Confluent Cloud

You can use AWS Transit Gateway to connect your VPCs to your Confluent Cloud clusters. The transit gateway acts as a cloud router, with each connection only made once. Your data is encrypted and never travels over the internet.

Requirements and considerations

To use AWS Transit Gateway with Confluent Cloud, you need the followings:

Add an AWS transit gateway connection

To create an AWS transit gateway:

  1. In AWS, create a transit gateway.
  2. In Confluent Cloud, add a transit gateway attachment.
  3. In AWS, update the AWS route table.

Add an AWS transit gateway in AWS

  1. In Confluent Cloud Console, in the Network management tab for your environment, click the Transit Gateway network resource to retrieve the Confluent Cloud AWS Account ID of the network resource you want to use.

  2. In the Amazon VPC console, add an AWS Transit Gateway for your AWS account. For details, see Create a transit gateway.

  3. In AWS Resource Access Manager (RAM) Console, create a resource share for your Confluent Cloud network.

    For details, see Creating a resource share in AWS RAM and Share a transit gateway in the AWS documentation.

    Use the Confluent Cloud AWS Account ID you retrieved in the first step as the principal of the resource share.

  4. Save the Amazon Resource Name (ARN) of the resource share. You need to provide the name when you create a transit gateway attachment.

Add an AWS transit gateway attachment in Confluent Cloud

  1. In the Confluent Cloud Console, select your environment, and click Network management.

  2. In the Network management tab, select the AWS Transit Gateway network resource that you want to add a transit gateway attachment to, and click the Connections tab.

  3. Click + Transit Gateway. The Add Transit Gateway Attachment page appears.

  4. Specify the following information, and click Add.

    • Name: Enter a name for your attachment.

    • AWS RAM Share ARN: Use the ARN you saved in the last step of creating a resource share in AWS.

    • AWS Transit Gateway ID: The identifier (ID) of the AWS Transit Gateway that you are connecting to the Confluent Cloud network.

    • AWS VPC CIDR: A comma-separated list of destination CIDRs that you want to route to from the Confluent Cloud network when you attach Confluent Cloud to your Transit Gateway.

      This field needs to contain all CIDR blocks in your network (cloud VPC, on-prem) that needs return routes from the Confluent Cloud network via the Transit Gateway attachment.

      The RFC 1918 and RFC 6598 private address ranges are supported as described in Select CIDR blocks and block size.

      Public IP address ranges are not allowed.

      The routes should not be identical and not completely within the Confluent Cloud network CIDRs. For example, with the Confluent Cloud network CIDR of, is a valid Transit Gateway route, but is not a valid route.

  5. Your Transit Gateway Attachment will transition to READY in the Confluent Cloud Console.

    You may need to check if Auto accept shared attachments is configured on your Transit Gateway on AWS.

If your transit gateway attachment fails, delete the attachment and create a new one.

Attachment failures can occur for the following reasons:

  • The attachment is not shared with the correct AWS principal for the Confluent Cloud network.

    Even if the auto-accept all attachment option is turned on, you still need to add the Confluent Cloud AWS Account ID to the AWS resource share you create in Add an AWS transit gateway in AWS.

  • The transit gateway was not added to the AWS resource share.

  • The AWS resource share ARN is not correct.

If you delete the transit gateway attachment, you must also delete the transit gateway route table entry for the Confluent Cloud network.

Add an AWS transit gateway attachment in AWS

To connect with the AWS transit gateway, add a transit gateway attachment in the AWS console as described in Create a transit gateway attachment to a VPC.

To connect with an on-premise networks, refer to Transit gateway attachments to a Direct Connect gateway.

Add the transit gateway route to the AWS route table

In the Amazon VPC console, add the Confluent Cloud CIDR to the route table with the target of your AWS transit gateway.

For details, see Update AWS route table.

Migrate from AWS VPC peering connections to AWS transit gateway attachments

To migrate from a Confluent Cloud network that uses AWS VPC Peering to a network using an AWS Transit Gateway hub, perform the following steps:

  1. Establish a maintenance window.

    Maintaining concurrent transit gateway attachments and VPC peering connections might result in a degraded experience due to asymmetric routing with MTU mismatches between the two connectivity types. Confluent recommends establishing a planned “maintenance window” during which both connection types exist to avoid packet losses for your critical workloads. While concurrent connections exist, traffic will be charged at AWS transit gateway rates.

  2. File a Confluent Support ticket.

    Because of the potential for degraded experience, migrations between VPC peering connections and transit gateway attachments on the same network require filing a Confluent Support ticket.

    Sign in to the Confluent Support Portal at, click SUBMIT A REQUEST, and then click AWS Transit Gateway Provisioning.

    • Request to migrate your Confluent Cloud VPC Peering network (with existing VPC peering connections) to an AWS Transit Gateway network.
    • Include your Confluent Cloud network name and network ID (available from the Confluent Cloud Console).
  3. After Confluent Support temporarily enables concurrent connection types (for both VPC peering connections and transit gateway attachments), you will be informed that you can proceed with your migration, and you can continue to the next step.

  4. For each existing VPC peering connection, perform the following steps:

    1. In the Confluent Cloud Console, create an AWS transit gateway attachment.
    2. In the Confluent Cloud Console, delete the existing VPC peering connection.
    3. In the AWS VPC console, delete the AWS peering resource and the associated routes in the VPC route table.


    If your VPC resources are not deleted, asymmetric routing and packet losses occur, resulting in a degraded experience.

  5. Validate connectivity over the newly provisioned resources.

  6. After you complete the migration and validation steps, inform Confluent Support so that they can disable VPC peering connections and close the ticket.

Configure DNS forwarding

To resolve hostnames that reside within private DNS zones or a self-hosted DNS server and access your own VPC or on-prem from Confluent Cloud, set up DNS forwarding in Confluent Cloud.

For example, you can use DNS forwarding for Confluent Cloud fully-managed connectors that need to access data in your VPC.

DNS forwarding requires VPC peering or TGW connection where there is bi-directional network access between your network and Confluent Cloud clusters.

Step 1: Get DNS resolver IP addresses

To use the DNS forwarding feature with your AWS VPC, you can set up AWS Inbound Endpoints or use your own DNS server:

  • If you wish to forward DNS requests from Confluent Cloud to a Route53 hosted zone, create Inbound Endpoints for Confluent Cloud network to access your DNS servers.

    AWS recommends deploying multiple endpoints in different availability zones for availability reasons.

    For details, see Configuring inbound endpoints.

    Once the endpoints are created, as described in the next step, in Confluent Cloud, input the IP addresses of the Inbound Endpoints to which to forward requests.

  • If you want to use your self-hosted DNS server, use the IP address of that DNS server in Confluent Cloud in the next step.

Step 2: Create a DNS Forwarder in Confluent Cloud

Set up DNS forwarding in Confluent Cloud:

  1. In Confluent Cloud, navigate to the DNS Forwarding tab on the Network Detail page.
  2. Input the following information:
    • DNS server IPs: Up to 3 IP addresses of your DNS servers to which we should forward DNS requests.
    • Domain list: Up to 10 domains to which you wish to route the DNS requests.
  3. Wait until provisioning is complete and DNS is propagated.