Create Confluent Cloud Network on AWS¶
Each Confluent Cloud network is a virtual network that is provisioned in your Confluent Cloud AWS account.
Confluent Cloud is available through AWS Marketplace or directly from Confluent.
This network allows inbound connections from the connected network to services in Confluent Cloud. It also allows inbound connections from services in Confluent Cloud that are configured to interact with data in the Confluent Cloud network.
You can create multiple Dedicated Kafka clusters within each Confluent Cloud network.
For details on default service quotas, see Network service quotas.
Requirements and considerations¶
Review the following requirements and considerations when you set up a Confluent Cloud network.
Region and availability zones¶
Dedicated clusters you create in your Confluent Cloud network inherit the selected Region and Availability Zones.
Confluent Cloud network CIDR blocks and block size for peering and Transit Gateway¶
When you set up a Confluent Cloud network for VPC peering or Transit Gateway, the CIDR blocks you specify must meet the follow requirements.
Specify Confluent Cloud network CIDR blocks in one of the following private IP ranges:
Private IP address range (RFC 1918):
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16Shared address space (Carrier-grade NAT) (RFC 6598):
100.64.0.0/10Benchmark address space (RFC 2544):
198.18.0.0/15This CIDR block is incompatible with Transit Gateway-to-Transit Gateway Cluster Linking.
Do not select CIDR blocks that overlap with the following CIDR blocks that are reserved by Confluent Cloud:
10.100.0.0/16,10.255.0.0/16,172.17.0.0/16,172.20.0.0/16You cannot use the above CIDRs for peering or Transit Gateways due to routing conflicts with Confluent services. For example, managed connectors cannot reach the sources or sinks in those IP ranges.
The CIDR block must comply with the IPv4 CIDR block association restrictions for restricted VPC CIDR block associations.
For example, if any one of the /27 CIDR is from the
10.0.0.0/15range, the other two /27 CIDRs cannot be from10.0.0.0/16,172.16.0.0/12, or192.168.0.0/16.When a /16 CIDR range is provided, the range is broken up into 3 predictable /27 ranges in Confluent Cloud.
Specifically, from a given /16, the first range starts at the
0IP, the second range starts at the32, and the third at the64.For example, if you provide
10.1.0.0/16, the ranges are:10.1.0.0/27,10.1.0.32/27,10.1.0.64/2710.0.0.0/16CIDR block is not supported in Confluent Cloud when you use a /16 CIDR range.The CIDR of the AWS VPC you want to peer with Confluent Cloud network should not be identical and not completely within the Confluent Cloud network CIDRs.
Create a Confluent Cloud network¶
Follow the procedure below to create a Confluent Cloud network on AWS.
You can host multiple clusters within one Confluent Cloud network. For details on service quotas, see Networks.
In the Confluent Cloud Console, select an environment for the Confluent Cloud network.
In the Network management tab in the environment, click For dedicated clusters.
Click Add network configuration.
Select AWS as the cloud service provider and select the geographic region in Region. Click Continue.
Select the connectivity type: Transit Gateway, VPC Peering, or PrivateLink.
Depending on the option selected, different Zone Placement options and CIDR for Confluent Cloud fields will appear.
- Transit Gateway: Cluster is accessible using the Transit Gateway endpoint.
- VPC Peering: Cluster is accessible using the VPC peering endpoint.
- PrivateLink: Cluster is accessible using AWS PrivateLink connections.
Complete the steps for the connectivity type you selected.
Important
After provisioning your new Confluent Cloud network, you cannot change your selected Availability Zone (AZ) IDs or CIDR block size.
In the Zone placement section, click the /27 CIDR ranges tab to configure your Confluent Cloud network to use /27 CIDR blocks.
For three availability zones you want to use, specify non-overlapping and different /27 CIDR blocks, one for each zone.
/27 CIDR blocks cannot overlap with
172.20.255.0/24.For more information about CIDR block options, see Confluent Cloud network CIDR blocks and block size for peering and Transit Gateway above.
In the Confluent Cloud CIDR management section, you can optionally specify reserved CIDR blocks.
Click Continue.
Important
After provisioning your new Confluent Cloud network, you cannot change your selected availability zones or CIDR block size.
In the Zone placement section, click the /16 CIDR range (Legacy) tab to configure your Confluent Cloud network to use a /16 CIDR block.
Select three availability zones for your Confluent Cloud network.
In the CIDR for Confluent Cloud Network section, specify specify a non-overlapping /16 CIDR to use for this Confluent Cloud network.
For more information about CIDR block options, see Confluent Cloud network CIDR blocks and block size for peering and Transit Gateway above.
Click Continue.
Under Zone Placement, select three zones for your network.
Depending on the availability of supported zones, you might only have three zones to select.
Under DNS configuration, select the DNS resolution method.
Select Private DNS Resolution to resolve the private DNS name of the Confluent Cloud cluster to the private IP address of the cluster.
If Private DNS Resolution is not selected, the private DNS name of the Confluent Cloud cluster requires public DNS Resolution to resolve the private IP address of the cluster.
Before you select a DNS resolution option, review the details about DNS resolution in AWS PrivateLink in DNS resolution options.
Click Continue.
In Network name, specify the name of the connection.
The name you choose is used to identify your network in Confluent Cloud. Choose a meaningful name, but consider including the connection type in the name (for example,
aws-uswest2-privatelink).Review your configuration and click Add network configuration.
The following is an example REST API request:
REST request
POST https://api.confluent.cloud/networking/v1/networks
REST authentication
See Authentication.
REST request body
Your REST request body specification should include the following:
display_name(optional) A meaningful name for your Confluent Cloud network.environmentid– The identifier (ID) of your Confluent Cloud environment.cloud– Cloud service provider (AWS)region– The Region where the network is located.connection_types–PEERING,PRIVATELINK, orTRANSITGATEWAY.zones– An array listing the three selected Availability Zone IDs in the same Region.cidr– The CIDR block.dns_config- SetresolutiontoPRIVATEorCHASED_PRIVATE. The default value isCHASED_PRIVATE.- When
resolutionisCHASED_PRIVATE, clusters in this network require both public and private DNS to resolve cluster endpoints. - When
resolutionisPRIVATE, clusters in this network only require private DNS to resolve cluster endpoints.
Before you select a DNS resolution option, review the details about DNS resolution in AWS PrivateLink in DNS resolution options.
- When
Here are REST specification examples in JSON format. You can use these as templates for your own specification, replacing your unique values.
/27 CIDR block example:
{ "spec":{ "display_name":"My-Peered-CCN-1", "cloud":"AWS", "region":"us-east-2", "connection_types":[ "PEERING" ], "environment":{ "id":"env-abc123" }, "zones_info":[ { "zone_id":"use2-az1", "cidr":"192.168.1.0/27" }, { "zone_id":"use2-az2", "cidr":"192.168.2.0/27" }, { "zone_id":"use2-az3", "cidr":"192.168.3.0/27" } ] } }
/16 CIDR block example:
{ "spec": { "display_name": "My-Peered-CCN-1", "cloud": "AWS", "region": "us-west-2", "connection_types": [ "PEERING" ], "cidr": "10.10.0.0/16", "zones": [ "usw2-az1", "usw2-az2", "usw2-az3" ], "environment":{ "id":"env-abc123" } } }
{
"spec": {
"display_name": "AWS-PL-CCN-1",
"cloud": "AWS",
"region": "us-west-2",
"connection_types": [
"PRIVATELINK"
],
"zones": [
"usw2-az1",
"usw2-az2",
"usw2-az3"
],
"environment":{
"id":"env-abc123"
},
"dns_config": {
"resolution":"PRIVATE"
}
}
}
/16 CIDR block example:
{ "spec": { "display_name": "aws-transit-gateway-network-us-west", "environment": { "id": "env-w85hlh" }, "cloud": "AWS", "region": "us-west-2", "connection_types": [ "TRANSITGATEWAY" ], "zones": [ "usw2-az1", "usw2-az2", "usw2-az3" ], "cidr": "100.64.0.0/16" } }
/27 CIDR block example:
{ "spec": { "display_name": "aws-transit-gateway-network-us-east-1", "cloud": "AWS", "region": "us-east-1", "connection_types": [ "TRANSITGATEWAY" ], "zones": [ "use1-az2", "use1-az5", "use1-az6" ], "zone_info": [ { "zone_id": "use1-az2", "cidr": "10.2.16.0/27" }, { "zone_id": "use1-az5", "cidr": "10.2.16.32/27" }, { "zone_id": "use1-az6", "cidr": "10.2.16.64/27" } ], "environment": { "id": "env-abc123", "environment": "string" } } }
Use the confluent network create Confluent CLI command to create a Confluent Cloud network:
confluent network create <network-name> <flags>
The following command-specific flags are supported:
--cloud: Required. Set toaws.--region: Required. Cloud region ID for this network.--connection-types: Required. The network access type. Specify one ofprivatelink,peering, ortransitgateway.--cidr: A /16 IPv4 CIDR block. Required for networks of connection typepeeringandtransitgateway.--zones: A comma-separated list of availability zones for this network.--zone-info: A comma-separated list ofzone=cidrpairs or CIDR blocks. Each CIDR must be a /27 IPv4 CIDR block.--dns-resolution: Specify the DNS resolution asprivateorchased-private. The default value ischased-private.- When
resolutionischased-private, clusters in this network require both public and private DNS to resolve cluster endpoints. - When
resolutionisprivate, clusters in this network only require private DNS to resolve cluster endpoints.
Before you select a DNS resolution option, review the details about DNS resolution in AWS PrivateLink in DNS resolution options.
- When
--reserved-cidr: A /24 IPv4 CIDR block. Can be used for AWS networks of connection typepeeringandtransitgateway.
You can specify additional optional CLI flags described in the Confluent
CLI command reference,
such as --environment.
The following are example Confluent CLI commands:
confluent network create my_aws_peering_zones_cidr --cloud aws \
--region us-west-2 \
--connection-types peering \
--zones usw2-az1,usw2-az2,usw2-az4 \
--cidr 10.1.0.0/16
confluent network create my_aws_tgw --cloud aws \
--region us-west-2 \
--connection-types transitgateway \
--zones usw2-az1,usw2-az2,usw2-az4 \
--cidr 10.1.0.0/16
confluent network create my_aws_pl_zones_dns_resolution --cloud aws \
--region us-west-2 \
--connection-types privatelink \
--zones usw2-az1,usw2-az2,usw2-az3 \
--dns-resolution private
Use the confluent_network Confluent Terraform Provider resource to create a Confluent Cloud network.
An example snippet of Terraform configuration for Confluent Cloud network:
resource "confluent_environment" "development" {
display_name = "Development"
}
resource "confluent_network" "aws-private-link" {
display_name = "AWS Private Link Network"
cloud = "AWS"
region = "us-east-1"
connection_types = ["PRIVATELINK"]
zones = ["use1-az1", "use1-az2", "use1-az6"]
environment {
id = confluent_environment.development.id
}
}
An example snippet of Terraform configuration for Transit Gateway Endpoints:
resource "confluent_environment" "development" {
display_name = "Development"
lifecycle {
prevent_destroy = true
}
}
resource "confluent_network" "aws-transit-gateway-attachment" {
display_name = "AWS Transit Gateway Attachment Network"
cloud = "AWS"
region = "us-east-1"
cidr = "10.10.0.0/16"
connection_types = ["TRANSITGATEWAY"]
environment {
id = confluent_environment.development.id
}
lifecycle {
prevent_destroy = true
}
}
Next steps¶
- After successfully provisioning the Confluent Cloud network on AWS, you can add Dedicated Kafka clusters within your Confluent Cloud network.
- Try Confluent Cloud on AWS Marketplace with $1000 of free usage for 30 days, and pay as you go. No credit card is required.