Create Confluent Cloud Network on AWS¶
Each Confluent Cloud network is a virtual network that is provisioned in your Confluent Cloud AWS account.
Confluent Cloud is available through AWS Marketplace or directly from Confluent.
This network allows inbound connections from the connected network to services in Confluent Cloud. It also allows outbound connections from services in Confluent Cloud (for example, managed connectors) that are configured to interact with data in your connected network.
You can create multiple Dedicated Kafka clusters within each Confluent Cloud network.
For details on default service quotas, see Network service quotas.
Prerequisites¶
Before you create a Confluent Cloud network, you need the following information.
Name your Confluent Cloud network¶
The name you choose is used to identify your network in the Confluent Cloud Console and when using the Confluent CLI. Choose a meaningful name, but also consider including the connection type in the name, for example, My-Transit-Gateway-CCN-1.
Select Region and Availability Zones¶
Dedicated clusters you create in your Confluent Cloud network inherit the selected Region and Availability Zones.
Select CIDR blocks and block size¶
Important
Limited Availability: Support for /27 CIDR blocks is in Limited Availability to a subset of Confluent customers. To be considered for access before General Availability, contact Confluent Support.
By default, you can select a /16 CIDR block for use with your VPC Peering and Transit Gateway Confluent Cloud networks on AWS.
With the Limited Availability feature enabled, you can select either one /16 CIDR block or multiple /27 CIDR blocks (one for each Availability Zone).
The CIDR block must be in one of the following private IP ranges:
RFC 1918 private address spaces:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
RFC 6598 private address space:
- 100.64.0.0/10
RFC 2544 private address space:
- 198.18.0.0/15 (this range is incompatible with Transit Gateway-to-Transit Gateway Cluster Linking)
Additional requirements for selecting a /16 CIDR block:
- The selected CIDR block cannot overlap with existing Confluent Cloud /16 CIDR blocks.
- The CIDR block cannot overlap with the following IP ranges:
  - 10.100.0.0/16
  - 10.255.0.0/16
  - 172.17.0.0/16
  - 172.20.0.0/16
  CIDRs for your VPCs that need to be directly routable cannot overlap with the above CIDR blocks either, because of routing conflicts with Confluent services. More specifically:
  - You cannot peer the Confluent Cloud network with your VPCs using any of the above CIDRs.
  - You cannot set up routes to networks that use the above CIDR blocks through the transit gateways. For example, managed connectors cannot reach sources or sinks in those IP ranges.
- You cannot switch to /27 CIDR blocks after the Confluent Cloud network is provisioned.
- During Limited Availability:
  - You can request this option by creating a support ticket with Confluent Cloud Support to be considered for access before General Availability.
  - In Confluent Cloud, Cluster Linking and managed connectors that point to private networks are not supported.
Additional requirements for selecting /27 CIDR blocks:
- Three different CIDR blocks, one for each Availability Zone (AZ), are required.
- The three /27 AZ CIDR blocks cannot overlap each other.
- Selected CIDR blocks cannot overlap with existing Confluent Cloud CIDR blocks.
- The CIDR block cannot overlap with 172.20.255.0/24.
- See IPv4 CIDR block association restrictions for restricted VPC CIDR block associations. For example, if any one of the /27 CIDRs is from the 10.0.0.0/15 range, the other two /27 CIDRs cannot be from 10.0.0.0/16, 172.16.0.0/12, or 192.168.0.0/16.
- You cannot switch to a /16 CIDR block after the Confluent Cloud network is provisioned.
- You can use fetch from follower functionality with Confluent Cloud networks created with /27 CIDR blocks. For more information, see Optimize Egress Costs with Follower Fetching on Confluent Cloud using AWS VPC Peering.
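Because the CIDR block size and zone placement cannot be changed after the network is provisioned, it is worth checking a candidate block against the rules above before you submit anything. The following is an added example (not Confluent's code) that encodes those rules with the standard ipaddress module: the permitted private ranges, the single-/16 and three-/27 shapes, the ranges Confluent reserves, and the routing conflict with your own VPC CIDRs. The function names (check_cidr_16, check_cidr_27, cluster_linking_warning) and all sample CIDRs are constructed for this illustration; it runs offline.

```python
"""Pre-flight checks for the CIDR blocks of a Confluent Cloud network on AWS.

Added example (not Confluent's code). It encodes the rules from the section
above: the permitted private ranges, the single-/16 and three-/27 shapes, the
ranges Confluent reserves, and the routing conflict with your own VPC CIDRs.
Everything runs offline on constructed inputs.
"""
import ipaddress
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# Ranges the Confluent Cloud network CIDR block must fall inside.
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598
    "198.18.0.0/15",                                   # RFC 2544
)]
# A /16 block must not overlap these (routing conflicts with Confluent services).
RESERVED_FOR_16 = [ipaddress.ip_network(n) for n in (
    "10.100.0.0/16", "10.255.0.0/16", "172.17.0.0/16", "172.20.0.0/16",
)]
# A /27 block must not overlap this.
RESERVED_FOR_27 = [ipaddress.ip_network("172.20.255.0/24")]
# Incompatible with Transit Gateway-to-Transit Gateway Cluster Linking.
TGW_LINKING_INCOMPATIBLE = ipaddress.ip_network("198.18.0.0/15")


def _parse(cidr: str, problems: List[str]) -> Optional[IPv4Net]:
    """Parse strictly: host bits set or a non-IPv4 block is reported, not fixed."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{cidr}: {exc}")
        return None
    if net.version != 4:
        problems.append(f"{net} is not an IPv4 block")
        return None
    return net


def _common_checks(net: IPv4Net, prefixlen: int, reserved: Iterable[IPv4Net],
                   existing: Iterable[IPv4Net], problems: List[str]) -> None:
    if net.prefixlen != prefixlen:
        problems.append(f"{net} is not a /{prefixlen}")
    if not any(net.subnet_of(r) for r in ALLOWED_RANGES):
        problems.append(f"{net} is outside the allowed private ranges")
    for r in reserved:
        if net.overlaps(r):
            problems.append(f"{net} overlaps reserved range {r}")
    for e in existing:
        if net.overlaps(e):
            problems.append(f"{net} overlaps existing Confluent Cloud network {e}")


def check_cidr_16(cidr: str, existing_ccn_cidrs: Iterable[str] = (),
                  routable_vpc_cidrs: Iterable[str] = ()) -> List[str]:
    """Problems with a single /16 block (an empty list means it passes).

    existing_ccn_cidrs: CIDRs of Confluent Cloud networks you already own.
    routable_vpc_cidrs: CIDRs of your VPCs that must be peered or routed via TGW.
    """
    problems: List[str] = []
    net = _parse(cidr, problems)
    if net is None:
        return problems
    existing = [ipaddress.ip_network(c) for c in existing_ccn_cidrs]
    _common_checks(net, 16, RESERVED_FOR_16, existing, problems)
    for vpc in (ipaddress.ip_network(c) for c in routable_vpc_cidrs):
        if vpc.overlaps(net):
            problems.append(f"VPC {vpc} overlaps the proposed block {net}")
        for r in RESERVED_FOR_16:
            if vpc.overlaps(r):
                problems.append(f"VPC {vpc} overlaps {r}: it cannot be peered "
                                "or routed through the transit gateway")
    return problems


def check_cidr_27(cidrs: Iterable[str],
                  existing_ccn_cidrs: Iterable[str] = ()) -> List[str]:
    """Problems with the three per-AZ /27 blocks (an empty list means they pass)."""
    problems: List[str] = []
    cidrs = list(cidrs)
    if len(cidrs) != 3:
        problems.append(f"need exactly three /27 blocks (one per AZ), got {len(cidrs)}")
    nets = [n for n in (_parse(c, problems) for c in cidrs) if n is not None]
    existing = [ipaddress.ip_network(c) for c in existing_ccn_cidrs]
    for net in nets:
        _common_checks(net, 27, RESERVED_FOR_27, existing, problems)
    for i, a in enumerate(nets):  # the three AZ blocks must not overlap each other
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"AZ blocks {a} and {b} overlap")
    return problems


def cluster_linking_warning(cidr: str) -> Optional[str]:
    """Warn when the block is in the range TGW-to-TGW Cluster Linking cannot use."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4 and net.subnet_of(TGW_LINKING_INCOMPATIBLE):
        return (f"{net} is in 198.18.0.0/15: not usable with "
                "Transit Gateway-to-Transit Gateway Cluster Linking")
    return None


if __name__ == "__main__":
    # Constructed inputs: a clean /16, one that collides with a reserved range,
    # and the three /27 blocks used in the /27 REST example on this page.
    print(check_cidr_16("10.10.0.0/16", routable_vpc_cidrs=["10.30.0.0/16"]))  # []
    print(check_cidr_16("10.100.0.0/16"))
    print(check_cidr_27(["192.168.1.0/27", "192.168.2.0/27", "192.168.3.0/27"]))  # []
    print(cluster_linking_warning("198.18.0.0/16"))
```

The checks return a list of findings rather than raising on the first one, so a single run tells you everything wrong with a candidate. Note that the VPC overlap check only covers the ranges listed on this page; the AWS IPv4 CIDR block association restrictions referenced above are not encoded here.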
Create a Confluent Cloud network on AWS¶
Follow the procedure below to create a Confluent Cloud network on AWS.
You can host multiple clusters within one Confluent Cloud network. For details on service quotas, see Networks.
In the Confluent Cloud Console, go to the Network management page for your environment.
Click Create your first network if this is the first network in your environment, or click + Add Network if your environment has existing networks.
Select AWS as the cloud service provider and select the geographic region in Region.
Select the connectivity type: Transit Gateway, VPC Peering, or PrivateLink.
Depending on the option selected, different Zone Placement options and CIDR for Confluent Cloud fields will appear.
- Transit Gateway: Cluster is accessible using the transit gateway endpoint.
- VPC Peering: Cluster is accessible using the VPC peering endpoint.
- PrivateLink: Cluster is accessible using AWS PrivateLink connections.
Complete the steps for the connectivity type you selected and then click Continue.
Important
After provisioning your new Confluent Cloud network, you cannot change your selected Availability Zone (AZ) IDs or CIDR block size. Make sure to deploy a network based on your zonal requirements.
Transit Gateway or VPC Peering:
Under Zone Placement, select three zones for your network and the /16 CIDR block for your network, and then click Continue. Depending on the availability of supported zones, you might have only three zones to select.
For Limited Availability users:
- Select the Zone Placement option you want to use:
  - VPC: Uses a single /16 CIDR block.
  - AZ: Requires three /27 CIDR blocks (one for each Availability Zone).
- Select three Availability Zones. Depending on the availability of supported zones, you might have only three zones to select.
  - For the VPC option, assign a /16 CIDR block.
  - For the AZ option, assign three /27 CIDR blocks (one for each Availability Zone).
- Click Continue.
For more information about CIDR block options, see Select CIDR blocks and block size above.
PrivateLink:
Under Zone Placement, select three zones for your network. Depending on the availability of supported zones, you might have only three zones to select.
Under DNS configuration, select the DNS resolution method:
- Select Private DNS Resolution to resolve the private DNS name of the Confluent Cloud cluster to the private IP address of the cluster.
- If Private DNS Resolution is not selected, the private DNS name of the Confluent Cloud cluster requires public DNS resolution to resolve to the private IP address of the cluster.
Before you select a DNS resolution option, review the details about DNS resolution in AWS PrivateLink in DNS resolution options.
Specify a Network Name, review your configuration, and click Create Network.
The following is an example REST API request:
REST request
POST https://api.confluent.cloud/networking/v1/networks
REST authentication
See Authentication.
REST request body
Your REST request body specification should include the following:
- display_name (optional): A meaningful name for your Confluent Cloud network.
- environment.id: The identifier (ID) of your Confluent Cloud environment.
- cloud: Cloud service provider (AWS).
- region: The Region where the network is located.
- connection_types: PEERING, PRIVATELINK, or TRANSITGATEWAY.
- zones: An array listing the three selected Availability Zone IDs in the same Region.
- cidr: The /16 CIDR block. For /27 CIDR blocks, use zones_info instead: an array of zone_id and cidr pairs, one for each Availability Zone (see the /27 examples that follow).
- dns_config: Set resolution to PRIVATE or CHASED_PRIVATE. The default value is CHASED_PRIVATE.
  - When resolution is CHASED_PRIVATE, clusters in this network require both public and private DNS to resolve cluster endpoints.
  - When resolution is PRIVATE, clusters in this network only require private DNS to resolve cluster endpoints.
  Before you select a DNS resolution option, review the details about DNS resolution in AWS PrivateLink in DNS resolution options.
Here are REST specification examples in JSON format. You can use these as templates for your own specification, replacing your unique values.
VPC Peering, /16 CIDR block example:
{
  "spec": {
    "display_name": "My-Peered-CCN-1",
    "cloud": "AWS",
    "region": "us-west-2",
    "connection_types": [ "PEERING" ],
    "cidr": "10.10.0.0/16",
    "zones": [ "usw2-az1", "usw2-az2", "usw2-az3" ],
    "environment": { "id": "env-abc123" }
  }
}
VPC Peering, /27 CIDR blocks example:
{
  "spec": {
    "display_name": "My-Peered-CCN-1",
    "cloud": "AWS",
    "region": "us-east-2",
    "connection_types": [ "PEERING" ],
    "environment": { "id": "env-abc123" },
    "zones_info": [
      { "zone_id": "use2-az1", "cidr": "192.168.1.0/27" },
      { "zone_id": "use2-az2", "cidr": "192.168.2.0/27" },
      { "zone_id": "use2-az3", "cidr": "192.168.3.0/27" }
    ]
  }
}
PrivateLink example (no CIDR block is assigned; the usw2-* zone IDs belong to us-west-2, so the region must match):
{
  "spec": {
    "display_name": "AWS-PL-CCN-1",
    "cloud": "AWS",
    "region": "us-west-2",
    "connection_types": [ "PRIVATELINK" ],
    "zones": [ "usw2-az1", "usw2-az2", "usw2-az3" ],
    "environment": { "id": "env-abc123" },
    "dns_config": { "resolution": "PRIVATE" }
  }
}
Transit Gateway, /16 CIDR block example:
{
  "spec": {
    "display_name": "aws-transit-gateway-network-us-west",
    "environment": { "id": "env-w85hlh" },
    "cloud": "AWS",
    "region": "us-west-2",
    "connection_types": [ "TRANSITGATEWAY" ],
    "zones": [ "usw2-az1", "usw2-az2", "usw2-az3" ],
    "cidr": "100.64.0.0/16"
  }
}
Transit Gateway, /27 CIDR blocks example (the per-AZ array uses the same zones_info field as the VPC Peering /27 example):
{
  "spec": {
    "display_name": "aws-transit-gateway-network-us-east-1",
    "cloud": "AWS",
    "region": "us-east-1",
    "connection_types": [ "TRANSITGATEWAY" ],
    "zones": [ "use1-az2", "use1-az5", "use1-az6" ],
    "zones_info": [
      { "zone_id": "use1-az2", "cidr": "10.2.16.0/27" },
      { "zone_id": "use1-az5", "cidr": "10.2.16.32/27" },
      { "zone_id": "use1-az6", "cidr": "10.2.16.64/27" }
    ],
    "environment": { "id": "env-abc123" }
  }
}
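The request bodies above differ only in which fields are present, and the combinations the page rules out (a CIDR on a PrivateLink network, both a /16 and per-AZ /27 blocks, a /27 set that does not match the selected zones) are easy to get wrong by hand. The following is an added example (not Confluent's code) that assembles the body from plain arguments, rejects those combinations before anything is sent, and builds the authenticated POST without sending it. The function names (build_network_spec, basic_auth_header, build_request) are constructed for this illustration; HTTP Basic authentication with a Cloud API key and secret is assumed here (see Authentication for the authoritative description), and the environment ID and zone IDs mirror the examples above.

```python
"""Assemble and sanity-check the body for POST /networking/v1/networks (AWS).

Added example (not Confluent's code). It builds the spec described above from
plain arguments and refuses combinations the page rules out. The request is
built but never sent; HTTP Basic authentication with a Cloud API key and secret
is assumed (see Authentication).
"""
import base64
import json
import urllib.request
from typing import Dict, Iterable, Optional

NETWORKS_URL = "https://api.confluent.cloud/networking/v1/networks"
CONNECTION_TYPES = {"PEERING", "PRIVATELINK", "TRANSITGATEWAY"}
DNS_RESOLUTIONS = {"PRIVATE", "CHASED_PRIVATE"}  # CHASED_PRIVATE is the default


def build_network_spec(display_name: str, environment_id: str, region: str,
                       connection_type: str, zones: Iterable[str],
                       cidr: Optional[str] = None,
                       zone_cidrs: Optional[Dict[str, str]] = None,
                       dns_resolution: Optional[str] = None) -> dict:
    """Return the JSON-serialisable request body.

    zones:          three Availability Zone IDs in `region` (for example usw2-az1).
    cidr:           one /16 block (PEERING or TRANSITGATEWAY, "VPC" placement).
    zone_cidrs:     {zone_id: /27 block} (PEERING or TRANSITGATEWAY, "AZ" placement).
    dns_resolution: "PRIVATE" or "CHASED_PRIVATE"; omit to accept the default.
    """
    zones = list(zones)
    if connection_type not in CONNECTION_TYPES:
        raise ValueError(f"connection_type must be one of {sorted(CONNECTION_TYPES)}")
    if len(zones) != 3 or len(set(zones)) != 3:
        raise ValueError("exactly three distinct Availability Zone IDs are required")
    spec = {
        "display_name": display_name,
        "cloud": "AWS",
        "region": region,
        "connection_types": [connection_type],
        "zones": zones,
        "environment": {"id": environment_id},
    }
    if connection_type == "PRIVATELINK":
        # No CIDR block is assigned to a PrivateLink network.
        if cidr is not None or zone_cidrs is not None:
            raise ValueError("PRIVATELINK networks do not take a CIDR block")
    elif (cidr is None) == (zone_cidrs is None):
        raise ValueError("give exactly one of cidr (/16) or zone_cidrs (three /27 blocks)")
    elif cidr is not None:
        spec["cidr"] = cidr
    else:
        if set(zone_cidrs) != set(zones):
            raise ValueError("zone_cidrs must have one entry per selected zone")
        spec["zones_info"] = [{"zone_id": z, "cidr": zone_cidrs[z]} for z in zones]
    if dns_resolution is not None:
        if dns_resolution not in DNS_RESOLUTIONS:
            raise ValueError(f"dns_resolution must be one of {sorted(DNS_RESOLUTIONS)}")
        spec["dns_config"] = {"resolution": dns_resolution}
    return {"spec": spec}


def basic_auth_header(api_key: str, api_secret: str) -> str:
    """Authorization header value for a Cloud API key/secret pair (assumed Basic auth)."""
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    return f"Basic {token}"


def build_request(body: dict, api_key: str, api_secret: str) -> urllib.request.Request:
    """Build, but do not send, the authenticated POST (send it with urlopen)."""
    return urllib.request.Request(
        NETWORKS_URL,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": basic_auth_header(api_key, api_secret),
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed values: env-abc123 and the zone IDs mirror the page's examples.
    body = build_network_spec("My-Peered-CCN-1", "env-abc123", "us-east-2", "PEERING",
                              ["use2-az1", "use2-az2", "use2-az3"],
                              zone_cidrs={"use2-az1": "192.168.1.0/27",
                                          "use2-az2": "192.168.2.0/27",
                                          "use2-az3": "192.168.3.0/27"})
    print(json.dumps(body, indent=2))
    req = build_request(body, "API_KEY", "API_SECRET")
    print(req.get_method(), req.full_url)
```

Keep the API secret out of the source and the shell history (read it from an environment variable or a secrets manager) and send the request only over the HTTPS URL above, since the Authorization header carries the key and secret in reversible form.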
Use the confluent network create Confluent CLI command to create a Confluent Cloud network:
confluent network create <network-name> <flags>
The following command-specific flags are supported:
- --cloud: Required. Set to aws.
- --region: Required. Cloud region ID for this network.
- --connection-types: Required. The network access type. Specify one of privatelink, peering, or transitgateway.
- --cidr: A /16 IPv4 CIDR block. Required for networks of connection type peering and transitgateway.
- --zones: A comma-separated list of availability zones for this network.
- --zone-info: A comma-separated list of zone=cidr pairs or CIDR blocks. Each CIDR must be a /27 IPv4 CIDR block.
- --dns-resolution: Specify the DNS resolution as private or chased-private. The default value is chased-private.
  - When resolution is chased-private, clusters in this network require both public and private DNS to resolve cluster endpoints.
  - When resolution is private, clusters in this network only require private DNS to resolve cluster endpoints.
  Before you select a DNS resolution option, review the details about DNS resolution in AWS PrivateLink in DNS resolution options.
- --reserved-cidr: A /24 IPv4 CIDR block. Can be used for AWS networks of connection type peering and transitgateway.
You can specify additional optional CLI flags described in the Confluent CLI command reference, such as --environment.
The following are example Confluent CLI commands:
confluent network create my_aws_peering_zones_cidr --cloud aws \
--region us-west-2 \
--connection-types peering \
--zones usw2-az1,usw2-az2,usw2-az4 \
--cidr 10.1.0.0/16
confluent network create my_aws_tgw --cloud aws \
--region us-west-2 \
--connection-types transitgateway \
--zones usw2-az1,usw2-az2,usw2-az4 \
--cidr 10.1.0.0/16
confluent network create my_aws_pl_zones_dns_resolution --cloud aws \
--region us-west-2 \
--connection-types privatelink \
--zones usw2-az1,usw2-az2,usw2-az3 \
--dns-resolution private
Your Confluent Cloud network is created and provisioned within 20 minutes.
Next steps¶
- After successfully provisioning the Confluent Cloud network on AWS, you can add
Dedicated Kafka clusters within your Confluent Cloud network by using the following
options:
- Confluent Cloud Console: Manage Kafka Clusters on Confluent Cloud
- Cluster Management API: Create Kafka clusters
- Try Confluent Cloud on AWS Marketplace with $1000 of free usage for 30 days, and pay as you go. No credit card is required.