Use AWS Transit Gateway

You can use a single AWS transit gateway to connect your VPCs to your Confluent Cloud clusters. The transit gateway acts as a cloud router, with each connection only made once. Your data is encrypted and never travels over the public internet.

Prerequisites

To use AWS Transit Gateway with Confluent Cloud, you need:

Warning

For limitations on AWS Transit Gateway support, see Limitations below.

Create a Confluent Cloud network in AWS

To create a Dedicated cluster with AWS VPC Peering, you must first create a Confluent Cloud network in the required cloud and region.

Note

You can create multiple clusters within one Confluent Cloud network. For details on default service quotas, see Network quotas.

The following information is needed to create a Confluent Cloud network:

  • Region and availability zones for the Confluent Cloud network. The Dedicated clusters created in these Confluent Cloud networks will inherit the region and availability zones.
  • CIDR block for the Confluent Cloud network. See below for the CIDR block requirements.
  • Name for the Confluent Cloud network.

Review the following requirements for CIDR block selections.

The CIDR block must be in one of the following private networks, as mentioned in RFC 1918.

  • 10.0.0.0/8
  • 100.64.0.0/10
  • 172.16.0.0/12
  • 192.168.0.0/16
  • 198.18.0.0/15

The CIDR block cannot be any of the following:

  • 10.100.0.0/16
  • 10.255.0.0/16
  • 172.17.0.0/16
  • 172.20.0.0/16

Additional notes when selecting your CIDR block:

  • The RFC 6598 shared address space is supported on AWS.
  • Must be a /16 CIDR block.
  • Cannot be modified after the Confluent Cloud network is provisioned.
  • Must not overlap with an existing Confluent Cloud CIDR block.

  1. In the Confluent Cloud Console, go to the Network management page for your environment.
  2. Click Create your first network if this is the first network in your environment, or click + Add Network if your environment has existing networks.
  3. Select AWS as the cloud service provider and select the geographic region in Region.
  4. Select the VPC Peering connectivity type, enter the Zone Placement and CIDR for Confluent Cloud, and then click Continue.
  5. Specify a Network Name, review your configuration, and click Create Network.

In most cases, it takes up to 15 to 20 minutes to create a Confluent Cloud network. Keep note of the Confluent Cloud network ID from the response to specify it in the following commands.

After successfully provisioning the Confluent Cloud network, you can add Dedicated clusters within your Confluent Cloud network by using either of the following procedures:

Enable a transit gateway for Confluent Cloud

To enable a transit gateway for use with Confluent Cloud, provide the following information to your Confluent representative to create your Confluent Cloud network. You may then place multiple Confluent Cloud clusters within your Confluent Cloud network:

  1. The full Amazon Resource Name (ARN) for the AWS Resource Access Manager (RAM) Share ID of the transit gateways that you want Confluent Cloud attached to.
  2. The VPC CIDR block for Confluent Cloud to use.
    • Cannot be modified after the cluster is provisioned.
    • Cannot overlap with an existing Confluent Cloud CIDR block.
    • Must not overlap with any ranges your organization is using.
    • The RFC 6598 shared address space is supported on AWS.
    • Must be a /16 CIDR block.
    • The CIDR block must be in one of the following supported private networks:
      • 10.0.0.0/8
      • 100.64.0.0/10
      • 172.16.0.0/12
      • 192.168.0.0/16
      • 198.18.0.0/15
    • The following CIDR blocks are denied from the larger CIDR blocks listed above:
      • 10.100.0.0/16
      • 10.255.0.0/16
      • 172.17.0.0/16
      • 172.20.0.0/16
    • Because the Confluent Cloud and AWS routes are shared, you might need to increase your AWS Transit Gateway route quota when you use VPC peering. To request a quota increase from AWS, see Requesting a quota increase.
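
The CIDR rules above (and the identical rules in the Create a Confluent Cloud network section) can be checked before you send the block to your Confluent representative. The following validator is an added example, not Confluent's own tooling; the existing Confluent CIDRs and organization ranges passed to it are constructed sample values, and the cluster-link check applies the RFC 1918 requirement from the Cluster linking section.

```python
import ipaddress

# Parent ranges the page allows for a Confluent Cloud network CIDR on AWS
# (RFC 1918, the RFC 6598 shared address space, and 198.18.0.0/15).
ALLOWED_PARENTS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12",
    "192.168.0.0/16", "198.18.0.0/15")]
# Blocks the page denies even though they sit inside the allowed parents.
DENIED_BLOCKS = [ipaddress.ip_network(c) for c in (
    "10.100.0.0/16", "10.255.0.0/16", "172.17.0.0/16", "172.20.0.0/16")]
# Blocks both sides of a Transit Gateway-to-Transit Gateway cluster link must sit in.
CLUSTER_LINK_PARENTS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_cidr(cidr, existing_confluent_cidrs=(), org_ranges=()):
    """Return a list of rule violations; an empty list means the CIDR is acceptable."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    if net.version != 4:
        return ["must be an IPv4 block"]
    if net.prefixlen != 16:
        problems.append("must be an IPv4 /16 block")
    if not any(net.subnet_of(p) for p in ALLOWED_PARENTS):
        problems.append("must be inside one of the supported private ranges")
    for d in DENIED_BLOCKS:
        if net.overlaps(d):
            problems.append(f"overlaps denied block {d}")
    # Overlap checks against ranges the caller supplies (constructed in the test).
    for label, ranges in (("existing Confluent Cloud CIDR", existing_confluent_cidrs),
                          ("range in use by your organization", org_ranges)):
        for r in ranges:
            if net.overlaps(ipaddress.ip_network(r)):
                problems.append(f"overlaps {label} {r}")
    return problems


def cluster_link_compatible(cidr_a, cidr_b):
    """True when both CIDRs fall in the RFC 1918 blocks required for TGW-to-TGW links."""
    nets = (ipaddress.ip_network(cidr_a), ipaddress.ip_network(cidr_b))
    return all(any(n.subnet_of(p) for p in CLUSTER_LINK_PARENTS) for n in nets)
```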

After provisioning the Confluent Cloud clusters:

  • Confluent accepts a RAM share and attaches the Confluent Cloud VPC to the AWS Transit Gateway. Confluent installs RFC 1918 and RFC 6598 routes in the Confluent Cloud VPC to return to AWS Transit Gateway.
  • Accept the AWS Transit Gateway attachment request from Confluent Cloud.
  • You can set up the desired routing in the AWS Transit Gateway to route traffic to Confluent Cloud.
    • Any routes you install on AWS Transit Gateway outside of the CIDR block allocated to the Confluent Cloud cluster are not supported and will not work with Confluent Cloud.
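
The routing constraint above can be audited against a transit gateway route table. This is an added example rather than Confluent or AWS code: the route entries are a constructed, simplified sample (not the AWS API's output format), and the attachment IDs and CIDRs are placeholder values.

```python
import ipaddress

# Constructed sample of transit gateway routes, reduced to the fields this check needs.
SAMPLE_ROUTES = [
    {"destination": "10.20.0.0/16", "attachment_id": "tgw-attach-confluent-placeholder", "state": "active"},
    {"destination": "10.21.0.0/16", "attachment_id": "tgw-attach-confluent-placeholder", "state": "active"},
    {"destination": "172.16.0.0/16", "attachment_id": "tgw-attach-onprem-placeholder", "state": "active"},
]


def audit_confluent_routes(routes, confluent_attachment_id, confluent_cidr):
    """Return (unsupported, missing).

    unsupported: active routes toward the Confluent attachment whose destination lies
                 outside the /16 allocated to the Confluent Cloud cluster (the page
                 states these will not work).
    missing:     True when no active route for the allocated /16 itself points at the
                 Confluent attachment, so traffic has no path to the cluster.
    """
    allocated = ipaddress.ip_network(confluent_cidr)
    unsupported, covered = [], False
    for r in routes:
        if r["attachment_id"] != confluent_attachment_id or r["state"] != "active":
            continue
        dest = ipaddress.ip_network(r["destination"])
        if dest.subnet_of(allocated):
            covered = covered or dest == allocated
        else:
            unsupported.append(r["destination"])
    return unsupported, not covered
```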

Limitations

Existing Confluent Cloud clusters cannot be converted to use AWS Transit Gateway.

See also Prerequisites.

Cluster linking

Cluster links between two Confluent Cloud Transit Gateway clusters require that both clusters are in one of the following CIDR blocks (RFC 1918):

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

The following CIDR blocks are incompatible with Transit Gateway-to-Transit Gateway cluster linking, even though they are valid Confluent Cloud CIDR blocks:

  • 198.18.0.0/15

All CIDR blocks, however, are compatible with cluster linking between a public internet cluster and an AWS Transit Gateway cluster, or between a Confluent Platform (v. 7.0 or later) cluster and an AWS Transit Gateway cluster.