Use AWS Transit Gateway with Confluent Cloud

You can use AWS Transit Gateway to connect your VPCs to your Confluent Cloud clusters. The transit gateway acts as a cloud router, with each connection only made once. Your data is encrypted and never travels over the public internet.

Requirements and considerations

To use AWS Transit Gateway with Confluent Cloud, you need the followings:

• A Confluent Cloud network of type TRANSITGATEWAY on AWS.

  After you create a Confluent Cloud network for your AWS Transit Gateway hub, you can:

  • Add an AWS transit gateway attachment to a Confluent Cloud network

  • Migrate from AWS VPC Peering to AWS Transit Gateway

    Existing Confluent Cloud clusters using public internet or AWS PrivateLink cannot be converted to use AWS Transit Gateway.

• All AWS availability zones, except use1-az3 in the us-east-1 region, are supported.

• Cluster Linking

  Cluster links between two AWS Transit Gateway clusters are supported in the following CIDR blocks:

  • RFC 1918
    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16
  • RFC 6598
    • 100.64.0.0/10

  The source and destination clusters in Cluster Linking must be in the same region.

  All CIDR blocks are compatible with Cluster Linking between a public internet cluster and an AWS Transit Gateway cluster, or between a Confluent Platform (version 7.0 or later) cluster and an AWS Transit Gateway cluster.

Add an AWS transit gateway connection

To create an AWS transit gateway:

1. In AWS, create a transit gateway.
2. In Confluent Cloud, add a transit gateway attachment.
3. In AWS, update the AWS route table.

Add an AWS transit gateway in AWS

1. In Confluent Cloud Console, in the Network management tab for your environment, click the Transit Gateway network resource to retrieve the Confluent Cloud AWS Account ID of the network resource you want to use.

2. In the Amazon VPC console, add an AWS Transit Gateway for your AWS account. For details, see Create a transit gateway.

3. In AWS Resource Access Manager (RAM) Console, create a resource share for your Confluent Cloud network.

   For details, see Creating a resource share in AWS RAM and Share a transit gateway in the AWS documentation.

   Use the Confluent Cloud AWS Account ID you retrieved in the first step as the principal of the resource share.

4. Save the Amazon Resource Name (ARN) of the resource share. You need to provide the name when you create a transit gateway attachment.

Add an AWS transit gateway attachment in Confluent Cloud

Confluent Cloud ConsoleREST API

1. In the Confluent Cloud Console, select your environment, and click Network management.

2. In the Network management tab, select the AWS Transit Gateway network resource that you want to add a transit gateway attachment to, and click the Connections tab.

3. Click + Transit Gateway. The Add Transit Gateway Attachment page appears.

4. Specify the following information, and click Add.

   • Name: Enter a name for your attachment.

   • AWS RAM Share ARN: Use the ARN you saved in the last step of creating a resource share in AWS.

   • AWS Transit Gateway ID: The identifier (ID) of the AWS Transit Gateway that you are connecting to the Confluent Cloud network.

   • AWS VPC CIDR: The CIDR blocks for your AWS VPC.

     The CIDR block is the specific route used for the Confluent VPC and the AWS Transit Gateway route table.

     These are the IP address ranges routed back to your VPC Transit Gateway from Confluent Cloud.

     The RFC 1918 and RFC 6598 private address ranges are supported as described in Select CIDR blocks and block size.

     Public IP address ranges are not allowed.

     The routes should not be identical and not completely within the Confluent Cloud network CIDRs. For example, with the Confluent Cloud network CIDR of 10.0.0.0/16, 10.0.0.0/8 is a valid Transit Gateway route, but 10.0.0.0/24 is not a valid route.

5. Your Transit Gateway Attachment will transition to READY in the Confluent Cloud Console.

   You may need to check if Auto accept shared attachments is configured on your Transit Gateway on AWS.

If your transit gateway attachment fails, delete the attachment and create a new one.

Attachment failures can occur for the following reasons:

• The attachment is not shared with the correct AWS principal for the Confluent Cloud network.

  Even if the auto-accept all attachment option is turned on, you still need to add the Confluent Cloud AWS Account ID to the AWS resource share you create in Add an AWS transit gateway in AWS.

• The transit gateway was not added to the AWS resource share.

• The AWS resource share ARN is not correct.

If you delete the transit gateway attachment, you must also delete the transit gateway route table entry for the Confluent Cloud network.

Add an AWS transit gateway attachment in AWS

To connect with the AWS transit gateway, add a transit gateway attachment in the AWS console as described in Create a transit gateway attachment to a VPC.

To connect with an on-premise networks, refer to Transit gateway attachments to a Direct Connect gateway.

Add the transit gateway route to the AWS route table

In the Amazon VPC console, add the Confluent Cloud CIDR to the route table with the target of your AWS transit gateway.

For details, see Update AWS route table.

Migrate from AWS VPC peering connections to AWS transit gateway attachments

Warning

Establish a maintenance window

Maintaining concurrent transit gateway attachments and VPC peering connections might result in a degraded experience due to asymmetric routing with MTU mismatches between the two connectivity types. Confluent recommends establishing a planned “maintenance window” during which both connection types exist to avoid packet losses for your critical workloads. While concurrent connections exist, traffic will be charged at AWS transit gateway rates.

Because of the potential for degraded experience, migrations between VPC peering connections and transit gateway attachments on the same network require filing a Confluent Support ticket.

To migrate from a Confluent Cloud network that uses AWS VPC Peering to a network using an AWS Transit Gateway hub, perform the following steps:

1. Sign in to the Confluent Support Portal at https://support.confluent.io/hc/, click SUBMIT A REQUEST, and then click AWS Transit Gateway Provisioning.

   • Request to migrate your Confluent Cloud VPC Peering network (with existing VPC peering connections) to an AWS Transit Gateway network.
   • Include your Confluent Cloud network name and network ID (available from the Confluent Cloud Console).

2. After Confluent Support temporarily enables concurrent connection types (for both VPC peering connections and transit gateway attachments), you will be informed that you can proceed with your migration, and you can continue to the next step.

3. For each existing VPC peering connection, perform the following steps:

   1. In the Confluent Cloud Console, create an AWS transit gateway attachment.
   2. In the Confluent Cloud Console, delete the existing VPC peering connection.
   3. In the AWS VPC console, delete the AWS peering resource and the associated routes in the VPC route table.

   Warning

   If your VPC resources are not deleted, asymmetric routing and packet losses occur, resulting in a degraded experience.

4. Validate connectivity succeeds over the newly provisioned resources.

5. After you complete the migration and validation steps, inform Confluent Support so that they can disable VPC peering connections and close the ticket.

Validate connectivity to Confluent Cloud

To validate that the connectivity between your Confluent Cloud Kafka clusters and AWS Transit Gateway works correctly:

1. From an instance within the VPC (or anywhere the previous step’s DNS is set up), perform the OpenSSL test. Use <bootstrap URL> from the Confluent Cloud Console which includes the host value and the 9092 port.

   openssl s_client -connect <bootstrap URL>
   

   For details about the openssl command, see the OpenSSL documentation.

   Upon a successful connection, you will see a CONNECTED message in the output.

2. Verify connectivity using the Confluent Cloud CLI.

   1. Sign in to Confluent CLI with your Confluent Cloud credentials.

      confluent login
      

   2. List the clusters in your organization.

      confluent kafka cluster list
      

   3. Select the cluster with AWS Transit Gateway you wish to test.

      confluent kafka cluster use ...
      

      For example:

      confluent kafka cluster use lkc-a1b2c
      

   4. Create a cluster API key to authenticate with the cluster.

      confluent api-key create --resource ... --description ...
      

      For example:

      confluent api-key create --resource lkc-a1b2c --description "connectivity test"
      

   5. Select the API key you just created.

      confluent api-key use ... --resource ...
      

      For example:

      confluent api-key use WQDMCIQWLJDGYR5Q --resource lkc-a1b2c
      

   6. Create a test topic.

      confluent kafka topic create test
      

   7. Start consuming events from the test topic.

      confluent kafka topic consume test
      

   8. Open another terminal tab or window.

   9. Start a producer.

      confluent kafka topic produce test
      

   10. Type anything into the produce tab and hit Enter; press Ctrl+D or Ctrl+C to stop the producer.

   11. The tab running consume will print what was typed in the tab running produce.

Next steps

Try Confluent Cloud on AWS Marketplace with $400 of free usage for 30 days, and pay as you go. No credit card necessary.

• Cluster Linking between AWS Transit Gateway attached Confluent Cloud clusters