Create Confluent Cloud Network on AWS

Each Confluent Cloud network is a virtual network that is provisioned in your Confluent Cloud AWS account.

Confluent Cloud is available through AWS Marketplace or directly from Confluent.

This network allows inbound connections from the connected network to services in Confluent Cloud. It also allows inbound connections from services in Confluent Cloud that are configured to interact with data in the Confluent Cloud network.

You can create multiple Dedicated Kafka clusters within each Confluent Cloud network.

For details on default service quotas, see Network service quotas.

Requirements and considerations

Review the following requirements and considerations when you set up a Confluent Cloud network.

Region and availability zones

Dedicated clusters you create in your Confluent Cloud network inherit the selected Region and Availability Zones.

Confluent Cloud network CIDR blocks and block size for peering and Transit Gateway

When you set up a Confluent Cloud network for VPC peering or Transit Gateway, the CIDR blocks you specify must meet the following requirements.

  • Specify Confluent Cloud network CIDR blocks in one of the following private IP ranges:

  • Do not select CIDR blocks that overlap with the following CIDR blocks that are reserved by Confluent Cloud: 10.100.0.0/16, 10.255.0.0/16, 172.17.0.0/16, 172.20.0.0/16, 172.31.0.0/16

    You cannot use the above CIDRs for peering or Transit Gateways due to routing conflicts with Confluent services. For example, managed connectors cannot reach the sources or sinks in those IP ranges.

  • The CIDR block must comply with the AWS VPC IPv4 CIDR block association restrictions (the restricted VPC CIDR block associations).

    For example, if any one of the three /27 CIDRs is from the 10.0.0.0/15 range, the other two /27 CIDRs cannot be from 10.0.0.0/16, 172.16.0.0/12, or 192.168.0.0/16.

  • When a /16 CIDR range is provided, the range is broken up into 3 predictable /27 ranges in Confluent Cloud.

    Specifically, from a given /16, the first range starts at the 0 IP, the second range starts at the 32, and the third at the 64.

    For example, if you provide 10.1.0.0/16, the ranges are: 10.1.0.0/27, 10.1.0.32/27, 10.1.0.64/27

  • 10.0.0.0/16 CIDR block is not supported in Confluent Cloud when you use a /16 CIDR range.

  • The CIDR of the AWS VPC you want to peer with the Confluent Cloud network must not be identical to, and must not lie entirely within, the Confluent Cloud network CIDRs.

Create a Confluent Cloud network

Follow the procedure below to create a Confluent Cloud network on AWS.

You can host multiple clusters within one Confluent Cloud network. For details on service quotas, see Networks.

  1. In the Confluent Cloud Console, select an environment for the Confluent Cloud network.

  2. In the Network management tab in the environment, click For dedicated clusters.

  3. Click Add network configuration.

  4. Select AWS as the cloud service provider and select the geographic region in Region. Click Continue.

  5. Select the connectivity type: Transit Gateway, VPC Peering, or PrivateLink.

    Depending on the option selected, different Zone Placement options and CIDR for Confluent Cloud fields will appear.

    • Transit Gateway: Cluster is accessible using the Transit Gateway endpoint.

    • VPC Peering: Cluster is accessible using the VPC peering endpoint.

    • PrivateLink: Cluster is accessible using AWS PrivateLink connections.

  6. Complete the steps for the connectivity type you selected.

    Transit Gateway or VPC Peering with /27 CIDR ranges:

    Important

    After provisioning your new Confluent Cloud network, you cannot change your selected Availability Zone (AZ) IDs or CIDR block size.

    1. In the Zone placement section, click the /27 CIDR ranges tab to configure your Confluent Cloud network to use /27 CIDR blocks.

    2. For the three availability zones you want to use, specify non-overlapping and different /27 CIDR blocks, one for each zone.

      /27 CIDR blocks cannot overlap with 172.20.255.0/24.

      For more information about CIDR block options, see Confluent Cloud network CIDR blocks and block size for peering and Transit Gateway above.

    3. In the Confluent Cloud CIDR management section, you can optionally specify reserved CIDR blocks.

    4. Click Continue.

    Transit Gateway or VPC Peering with a /16 CIDR range (Legacy):

    Important

    After provisioning your new Confluent Cloud network, you cannot change your selected availability zones or CIDR block size.

    1. In the Zone placement section, click the /16 CIDR range (Legacy) tab to configure your Confluent Cloud network to use a /16 CIDR block.

    2. Select three availability zones for your Confluent Cloud network.

    3. In the CIDR for Confluent Cloud Network section, specify a non-overlapping /16 CIDR to use for this Confluent Cloud network.

      For more information about CIDR block options, see Confluent Cloud network CIDR blocks and block size for peering and Transit Gateway above.

    4. Click Continue.

    PrivateLink:

    1. Under Zone Placement, select three zones for your network.

      Depending on the availability of supported zones, you might only have three zones to select from.

    2. Under DNS configuration, select the DNS resolution method.

      Select Private DNS Resolution to resolve the private DNS name of the Confluent Cloud cluster to the private IP address of the cluster.

      If Private DNS Resolution is not selected, resolving the private DNS name of the Confluent Cloud cluster to its private IP address requires public DNS resolution.

      Before you select a DNS resolution option, review the details about DNS resolution in AWS PrivateLink in DNS resolution options.

    3. Click Continue.

  7. In Network name, specify the name of the connection.

    The name you choose is used to identify your network in Confluent Cloud. Choose a meaningful name, but consider including the connection type in the name (for example, aws-uswest2-privatelink).

  8. Review your configuration and click Add network configuration.

The following is an example REST API request:

REST request

POST https://api.confluent.cloud/networking/v1/networks

REST authentication

See Authentication.

REST request body

Your REST request body specification should include the following:

  • display_name (optional) – A meaningful name for your Confluent Cloud network.

  • environment

    • id – The identifier (ID) of your Confluent Cloud environment.

  • cloud – Cloud service provider (AWS).

  • region – The Region where the network is located.

  • connection_types – PEERING, PRIVATELINK, or TRANSITGATEWAY.

  • zones – An array listing the three selected Availability Zone IDs in the same Region.

  • cidr – The CIDR block.

  • dns_config – Set resolution to PRIVATE or CHASED_PRIVATE. The default value is CHASED_PRIVATE.

    • When resolution is CHASED_PRIVATE, clusters in this network require both public and private DNS to resolve cluster endpoints.

    • When resolution is PRIVATE, clusters in this network only require private DNS to resolve cluster endpoints.

    Before you select a DNS resolution option, review the details about DNS resolution in AWS PrivateLink in DNS resolution options.

Here are REST specification examples in JSON format. You can use these as templates for your own specification, replacing your unique values.

  • VPC Peering, /27 CIDR block example:

    {
       "spec":{
          "display_name":"My-Peered-CCN-1",
          "cloud":"AWS",
          "region":"us-east-2",
          "connection_types":[
             "PEERING"
          ],
          "environment":{
             "id":"env-abc123"
          },
          "zones_info":[
             {
                "zone_id":"use2-az1",
                "cidr":"192.168.1.0/27"
             },
             {
                "zone_id":"use2-az2",
                "cidr":"192.168.2.0/27"
             },
             {
                "zone_id":"use2-az3",
                "cidr":"192.168.3.0/27"
             }
          ]
       }
    }
    
  • VPC Peering, /16 CIDR block example:

    {
       "spec": {
           "display_name": "My-Peered-CCN-1",
           "cloud": "AWS",
           "region": "us-west-2",
           "connection_types": [
               "PEERING"
           ],
           "cidr": "10.10.0.0/16",
           "zones": [
               "usw2-az1",
               "usw2-az2",
               "usw2-az3"
           ],
           "environment":{
              "id":"env-abc123"
           }
       }
    }
    
  • PrivateLink example:

    {
       "spec": {
          "display_name": "AWS-PL-CCN-1",
          "cloud": "AWS",
          "region": "us-west-2",
          "connection_types": [
             "PRIVATELINK"
          ],
          "zones": [
             "usw2-az1",
             "usw2-az2",
             "usw2-az3"
          ],
          "environment":{
             "id":"env-abc123"
          },
          "dns_config": {
             "resolution":"PRIVATE"
          }
       }
    }

  • Transit Gateway, /16 CIDR block example:

    {
       "spec": {
         "display_name": "aws-transit-gateway-network-us-west",
         "environment": {
           "id": "env-w85hlh"
         },
         "cloud": "AWS",
         "region": "us-west-2",
         "connection_types": [
           "TRANSITGATEWAY"
         ],
         "zones": [
           "usw2-az1",
           "usw2-az2",
           "usw2-az3"
         ],
         "cidr": "100.64.0.0/16"
       }
     }
    
  • Transit Gateway, /27 CIDR block example:

    {
      "spec": {
        "display_name": "aws-transit-gateway-network-us-east-1",
        "cloud": "AWS",
        "region": "us-east-1",
        "connection_types": [
          "TRANSITGATEWAY"
        ],
        "zones": [
          "use1-az2",
          "use1-az5",
          "use1-az6"
        ],
        "zones_info": [
          {
            "zone_id": "use1-az2",
            "cidr": "10.2.16.0/27"
          },
          {
            "zone_id": "use1-az5",
            "cidr": "10.2.16.32/27"
          },
          {
            "zone_id": "use1-az6",
            "cidr": "10.2.16.64/27"
          }
        ],
        "environment": {
          "id": "env-abc123"
        }
      }
    }
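
As an added example (not part of the Confluent documentation or its tooling), the following Python script applies the CIDR rules from the requirements section above to a request body in the spec format shown here, so you can catch a reserved-range overlap, a bad /27 layout, or a peer VPC that falls inside the network CIDR before sending the POST. It uses only the standard-library ipaddress module; the names split_16 and check_network_spec are this example's own.

```python
import ipaddress

# Blocks reserved by Confluent Cloud, from the requirements section above.
RESERVED = [ipaddress.ip_network(c) for c in (
    "10.100.0.0/16", "10.255.0.0/16", "172.17.0.0/16", "172.20.0.0/16", "172.31.0.0/16")]
RESERVED_FOR_27 = ipaddress.ip_network("172.20.255.0/24")  # /27 blocks may not overlap this
NEEDS_CIDR = {"PEERING", "TRANSITGATEWAY"}  # PrivateLink networks carry no CIDR


def split_16(cidr):
    """Derive the three predictable /27 ranges Confluent Cloud carves out of a /16
    (offsets 0, 32 and 64 from the network address)."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen != 16:
        raise ValueError(f"{cidr} is not a /16 block")
    if net == ipaddress.ip_network("10.0.0.0/16"):
        raise ValueError("10.0.0.0/16 is not supported as a /16 network CIDR")
    base = int(net.network_address)
    return [ipaddress.ip_network(f"{ipaddress.ip_address(base + off)}/27") for off in (0, 32, 64)]


def check_network_spec(spec, peer_vpc_cidr=None):
    """Return the rule violations for a networking/v1 'spec' body (an empty list means OK).
    peer_vpc_cidr is the CIDR of the VPC you intend to peer with, when known."""
    problems, declared = [], []
    if "cidr" in spec:  # legacy /16 form
        declared = [ipaddress.ip_network(spec["cidr"])]
        try:
            split_16(spec["cidr"])  # raises if the /16 itself is unusable
        except ValueError as err:
            problems.append(str(err))
    elif "zones_info" in spec:  # one /27 per availability zone
        declared = [ipaddress.ip_network(z["cidr"]) for z in spec["zones_info"]]
        if len({z["zone_id"] for z in spec["zones_info"]}) != 3:
            problems.append("zones_info must name three distinct availability zones")
        if any(b.prefixlen != 27 for b in declared):
            problems.append("every zones_info cidr must be a /27 block")
        if any(b.overlaps(RESERVED_FOR_27) for b in declared):
            problems.append(f"/27 blocks must not overlap {RESERVED_FOR_27}")
        if any(a.overlaps(b) for i, a in enumerate(declared) for b in declared[i + 1:]):
            problems.append("the three /27 blocks must not overlap each other")
    elif NEEDS_CIDR & set(spec.get("connection_types", [])):
        problems.append("PEERING and TRANSITGATEWAY networks require 'cidr' or 'zones_info'")
    problems += [f"{d} overlaps reserved block {r}" for d in declared for r in RESERVED if d.overlaps(r)]
    if peer_vpc_cidr and declared:
        peer = ipaddress.ip_network(peer_vpc_cidr)
        if any(peer == n or peer.subnet_of(n) for n in declared):
            problems.append(f"peer VPC {peer} is identical to or entirely within the network CIDR")
    return problems
```

Run it against the JSON bodies above (loaded with json.load) to see an empty list for the page's examples; the private IP ranges the network must come from are not checked here because the list is not reproduced in this section.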
    

Use the confluent network create Confluent CLI command to create a Confluent Cloud network:

confluent network create <network-name> <flags>

The following command-specific flags are supported:

  • --cloud: Required. Set to aws.

  • --region: Required. Cloud region ID for this network.

  • --connection-types: Required. The network access type. Specify one of privatelink, peering, or transitgateway.

  • --cidr: A /16 IPv4 CIDR block. Required for networks of connection type peering and transitgateway.

  • --zones: A comma-separated list of availability zones for this network.

  • --zone-info: A comma-separated list of zone=cidr pairs or CIDR blocks. Each CIDR must be a /27 IPv4 CIDR block.

  • --dns-resolution: Specify the DNS resolution as private or chased-private. The default value is chased-private.

    • When resolution is chased-private, clusters in this network require both public and private DNS to resolve cluster endpoints.

    • When resolution is private, clusters in this network only require private DNS to resolve cluster endpoints.

    Before you select a DNS resolution option, review the details about DNS resolution in AWS PrivateLink in DNS resolution options.

  • --reserved-cidr: A /24 IPv4 CIDR block. Can be used for AWS networks of connection type peering and transitgateway.

You can specify additional optional CLI flags described in the Confluent CLI command reference, such as --environment.

The following are example Confluent CLI commands:

confluent network create my_aws_peering_zones_cidr --cloud aws \
  --region us-west-2 \
  --connection-types peering \
  --zones usw2-az1,usw2-az2,usw2-az4 \
  --cidr 10.1.0.0/16
confluent network create my_aws_tgw --cloud aws \
  --region us-west-2 \
  --connection-types transitgateway \
  --zones usw2-az1,usw2-az2,usw2-az4 \
  --cidr 10.1.0.0/16
confluent network create my_aws_pl_zones_dns_resolution --cloud aws \
  --region us-west-2 \
  --connection-types privatelink \
  --zones usw2-az1,usw2-az2,usw2-az3 \
  --dns-resolution private

Use the confluent_network Confluent Terraform Provider resource to create a Confluent Cloud network.

An example snippet of Terraform configuration for Confluent Cloud network:

resource "confluent_environment" "development" {
  display_name = "Development"
}

resource "confluent_network" "aws-private-link" {
  display_name     = "AWS Private Link Network"
  cloud            = "AWS"
  region           = "us-east-1"
  connection_types = ["PRIVATELINK"]
  zones            = ["use1-az1", "use1-az2", "use1-az6"]
  environment {
    id = confluent_environment.development.id
  }
}

An example snippet of Terraform configuration for Transit Gateway Endpoints:

resource "confluent_environment" "development" {
  display_name = "Development"

  lifecycle {
    prevent_destroy = true
  }
}

resource "confluent_network" "aws-transit-gateway-attachment" {
  display_name     = "AWS Transit Gateway Attachment Network"
  cloud            = "AWS"
  region           = "us-east-1"
  cidr             = "10.10.0.0/16"
  connection_types = ["TRANSITGATEWAY"]
  environment {
    id = confluent_environment.development.id
  }

  lifecycle {
    prevent_destroy = true
  }
}

Next steps