Use VPC Peering Connections with Confluent Cloud on AWS¶
A VPC peering connection is a networking connection between your VPC and Confluent Cloud that enables you to route traffic using private IPv4 addresses. VPCs can communicate with each other as if they are within the same network.
For more information about VPC peering with AWS, see What Is Amazon VPC?
You can have multiple VPC peering connections. For information about limits, see Network quotas in Confluent Cloud.
Important
Managed connectors created in a VPC-peered cluster can access data sources and sinks hosted in all peered VPCs, if the firewall rules allow connector traffic to and from the peered VPCs.
Requirements and considerations¶
A Confluent Cloud network of type PEERING in AWS.
If a network does not exist, see Confluent Cloud Network on AWS.
All AWS availability zones, except use1-az3 in the us-east-1 region, are supported.
Transitive VPC peering is not supported.
If you peer Network A to Network B, and peer Network B to Confluent Cloud, applications running in Network A will not be able to access Confluent Cloud. Although they don’t provide transitive routing, shared AWS VPCs can be leveraged to enable Confluent Cloud connectivity. For more information, see AWS Working with Shared VPCs.
To achieve transitivity, you can link an AWS Transit Gateway to a Confluent Cloud cluster in AWS.
You can colocate multiple Confluent Cloud Dedicated clusters in the same Confluent Cloud network, but this is limited by the expected number and size of the clusters. The applicable limits are specified in Network.
Create a VPC peering connection¶
Note
Cross-region peering is not supported through the Confluent Cloud Console. Contact Confluent Support to see if your regions are supported and to request configuration.
This section describes how to create a VPC peering connection to a Confluent Cloud network on AWS using the Confluent Cloud Console or REST APIs.
See Terraform configuration for creating an AWS peering connection using Terraform.
The following information is required:
- The AWS account ID associated with the VPC you are peering to the Confluent Cloud network.
- The VPC ID you are peering with the Confluent Cloud network.
- The CIDR block of the VPC you are peering with the Confluent Cloud network. See CIDR blocks in Confluent Cloud network for the requirement details.
- You might need to increase your route quota when you use VPC peering because the Confluent Cloud and AWS routes are shared.
Follow this procedure to create a VPC network peering connection to a Confluent Cloud cluster on AWS.
Create a peering connection from your VPC to the Confluent Cloud network:
In the Confluent Cloud Console, go to your Confluent Cloud network resource and click + VPC Peering.
Enter Name, AWS Account Number, AWS VPC ID, AWS VPC CIDR, and click Add.
The AWS VPC CIDR value should not be identical to, and not completely within, the Confluent Cloud network CIDRs. For example, with a Confluent Cloud network CIDR of 10.0.0.0/16, 10.0.0.0/8 is a valid AWS VPC CIDR, but 10.0.0.0/24 is not a valid AWS VPC CIDR.
Peering connection provisioning will take a few minutes to complete. Your peering connection status will transition from “Provisioning” to “Inactive” in the Confluent Cloud Console.
A peering connection must be created from your VPC to the Confluent Cloud network in order to access Confluent Cloud clusters and services in the Confluent Cloud network.
REST request
POST https://api.confluent.cloud/networking/v1/peerings
REST authentication
See Authentication.
REST request body
{
  "spec": {
    "display_name": "My-Peering-1",
    "cloud": {
      "kind": "AwsPeering",
      "account": "000000000000",
      "vpc": "vpc-00000000000000000",
      "routes": [
        "10.0.0.0/16"
      ],
      "customer_region": "us-west-2"
    },
    "environment": {
      "id": "env-00000"
    },
    "network": {
      "id": "n-000000"
    }
  }
}
The routes should not be identical to, and not completely within, the Confluent Cloud network CIDRs. For example, with a Confluent Cloud network CIDR of 10.0.0.0/16, 10.0.0.0/8 is a valid route, but 10.0.0.0/24 is not a valid route.
When the connection status is “Inactive” in the Confluent Cloud Console, go to the Amazon VPC Console and accept the peering request. You have seven days to accept the request before it expires. For details on accepting peering connections, refer to Create and accept VPC peering connections in Amazon Virtual Private Cloud in the AWS documentation.
Tip
If your request has expired, contact Confluent to resend the request. After you have accepted the peering request, the status of the peering connection will change to “Active”.
Add the new peering connection to the route table for your VPC in the AWS Management Console. For details on updating route tables, see the AWS documentation.
For the routing to become effective, the route table must be associated with subnet(s).
- Go to the VPC section of the AWS Management Console and click Route Tables.
- Select the route table for your VPC and click Edit routes.
- Click Add route.
- Add the Confluent Cloud network VPC CIDR block to the Destination column. You can find the Confluent Cloud network VPC CIDR block in the Network Overview of your Confluent Cloud network.
- Add the AWS Peering Connection ID to the Target column. This value is prefixed with pcx-.
- Click Save routes.
When you are done, the VPC peering status should display “Active” in the Confluent Cloud Console.
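The CIDR rule stated twice above (the peer VPC CIDR or route must be neither identical to nor completely within a Confluent Cloud network CIDR) is easy to get wrong by hand. The following is an added example, not Confluent's code: it applies that rule with the standard library and assembles the same request body shown above for POST https://api.confluent.cloud/networking/v1/peerings. The function names are hypothetical and the values are the page's placeholders; nothing is sent to the API here.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple


def check_peer_cidr(aws_vpc_cidr: str, ccn_cidrs: Iterable[str]) -> Tuple[bool, str]:
    """Apply the documented rule: the peer CIDR must not be identical to, and must
    not lie completely within, any Confluent Cloud network CIDR. A supernet such as
    10.0.0.0/8 around a 10.0.0.0/16 network is allowed; 10.0.0.0/24 is not."""
    # strict=True rejects CIDRs with host bits set (a common typo, e.g. 10.0.1.0/16)
    vpc = ipaddress.ip_network(aws_vpc_cidr, strict=True)
    for cidr in ccn_cidrs:
        ccn = ipaddress.ip_network(cidr, strict=True)
        if vpc == ccn:
            return False, f"{vpc} is identical to Confluent Cloud network CIDR {ccn}"
        if vpc.subnet_of(ccn):
            return False, f"{vpc} lies completely within Confluent Cloud network CIDR {ccn}"
    return True, "ok"


def build_peering_request(display_name: str, account: str, vpc_id: str,
                          routes: List[str], region: str, env_id: str,
                          network_id: str, ccn_cidrs: Iterable[str]) -> Dict:
    """Validate every route against the rule above, then return the JSON body
    in the shape documented for the /networking/v1/peerings endpoint."""
    if not (account.isdigit() and len(account) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    if not vpc_id.startswith("vpc-"):
        raise ValueError("AWS VPC IDs are prefixed with vpc-")
    ccn_cidrs = list(ccn_cidrs)
    for route in routes:
        ok, why = check_peer_cidr(route, ccn_cidrs)
        if not ok:
            raise ValueError(f"route {route} rejected: {why}")
    return {
        "spec": {
            "display_name": display_name,
            "cloud": {"kind": "AwsPeering", "account": account, "vpc": vpc_id,
                      "routes": list(routes), "customer_region": region},
            "environment": {"id": env_id},
            "network": {"id": network_id},
        }
    }


if __name__ == "__main__":
    # Constructed sample: Confluent Cloud network CIDR is 10.0.0.0/16 as in the text
    for cidr in ("10.0.0.0/8", "10.0.0.0/24", "10.0.0.0/16"):
        print(cidr, check_peer_cidr(cidr, ["10.0.0.0/16"]))
```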
VPC Peering using /27 CIDR blocks¶
After creating a VPC Peering Confluent Cloud network that uses /27 CIDR blocks, perform the following steps to ensure that traffic can flow between your VPCs and the Confluent Cloud network:
- Add routes for all three /27 CIDR blocks to all your VPC route tables, not just the zone-aligned routes.
- Update the ACLs on your VPCs as needed.
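The failure mode in the first step is a route table that carries only the /27 block aligned with its own zone. The following is an added example, not Confluent's or AWS's code: it plans the full set of routes (every route table gets all three blocks), reports which planned routes an existing table is missing, and can apply the plan through boto3's ec2.create_route. The CIDRs, route table IDs and peering ID are constructed placeholders; the function names are hypothetical.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample: three /27 blocks of a Confluent Cloud network (placeholders)
CCN_CIDRS = ["10.10.0.0/27", "10.10.0.32/27", "10.10.0.64/27"]


def plan_peering_routes(ccn_cidrs: Iterable[str], route_table_ids: Iterable[str],
                        peering_id: str) -> List[Dict[str, str]]:
    """One route per (route table, Confluent Cloud CIDR) pair. Each dict uses the
    keyword names of boto3's ec2.create_route so it can be passed through as-is."""
    if not peering_id.startswith("pcx-"):
        raise ValueError("AWS peering connection IDs are prefixed with pcx-")
    blocks = [ipaddress.ip_network(c, strict=True) for c in ccn_cidrs]
    plan = []
    for rtb in route_table_ids:
        for block in blocks:  # all blocks, not only the zone-aligned one
            plan.append({"RouteTableId": rtb,
                         "DestinationCidrBlock": str(block),
                         "VpcPeeringConnectionId": peering_id})
    return plan


def missing_routes(route_table_id: str, existing_routes: List[Dict],
                   plan: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Compare one table's 'Routes' list (as returned by describe_route_tables)
    against the plan and return the planned routes it does not yet contain."""
    have = {(r.get("DestinationCidrBlock"), r.get("VpcPeeringConnectionId"))
            for r in existing_routes}
    return [p for p in plan
            if p["RouteTableId"] == route_table_id
            and (p["DestinationCidrBlock"], p["VpcPeeringConnectionId"]) not in have]


def apply_routes(plan: List[Dict[str, str]], ec2_client) -> int:
    """Create every planned route; ec2_client is boto3.client('ec2') (or a stub).
    Returns the number of create_route calls made."""
    for route in plan:
        ec2_client.create_route(**route)
    return len(plan)


if __name__ == "__main__":
    # Dry run against constructed IDs; pass boto3.client("ec2") to apply_routes to apply.
    for entry in plan_peering_routes(CCN_CIDRS, ["rtb-aaaa1111", "rtb-bbbb2222"], "pcx-0000"):
        print(entry)
```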
Next steps¶
Try Confluent Cloud on AWS Marketplace with $400 of free usage for 30 days, and pay as you go. No credit card necessary.