Use VPC Peering Connections with Confluent Cloud on AWS

A virtual private cloud (VPC) peering is a networking connection between your VPC and Confluent Cloud that enables you to route traffic using private IPv4 addresses. VPCs can communicate with each other as if they are within the same network.

For more information about VPC peering with AWS, see Introduction to Amazon VPC.

Managed connectors created in a VPC-peered cluster can access data sources and sinks hosted in all peered VPCs, if the firewall rules allow connector traffic to and from the peered VPCs.

When you set up a VPC peering connection between AWS VPC and Confluent Cloud using /27 CIDR blocks, the following Confluent Cloud feature is supported:

• Fetch from Follower, a cost optimization to allow clients to consume from the nearest follower, instead of the leader

Requirements and considerations

• A Confluent Cloud network of type PEERING in AWS.

  If a network does not exist, see Confluent Cloud Network on AWS.

• All AWS availability zones, except use1-az3 in the us-east-1 region, are supported.

• Transitive VPC peering is not supported.

  If you peer Network A to Network B, and peer Network B to Confluent Cloud, applications running in Network A will not be able to access Confluent Cloud. Although they don’t provide transitive routing, shared AWS VPCs can be leveraged to enable Confluent Cloud connectivity. For more information, see AWS Working with Shared VPCs.

  To achieve transitivity, you can link an AWS Transit Gateway to a Confluent Cloud cluster in AWS.

• You can have multiple VPC peering connections. For information about limits, see Network quotas in Confluent Cloud.

• You can colocate multiple Confluent Cloud Dedicated clusters in the same Confluent Cloud network, but this is limited by the expected number and size of the clusters. The applicable limits are specified in Network.

• Cross-region peering is not supported through the Confluent Cloud Console. Contact Confluent Support to see if your regions are supported and to request configuration.

Create a VPC peering connection

This section describes how to create a VPC peering connection to a Confluent Cloud network on AWS using the Confluent Cloud Console, Confluent REST API, or Confluent CLI.

See Terraform configuration for creating a AWS peering connection using Terraform.

The following information is required:

• The AWS account ID associated with the VPC you are peering to Confluent Cloud network.
• The VPC ID you are peering with Confluent Cloud network.
• The CIDR block of the VPC you are peering with Confluent Cloud network. See CIDR blocks in Confluent Cloud network for the requirement details.
• You might need to increase your route quota when you use VPC peering because the Confluent Cloud and AWS routes are shared.

Follow this procedure to create a VPC network peering connection to a Confluent Cloud cluster on AWS.

1. Create a peering connection from your VPC to the Confluent Cloud network:

   Confluent Cloud ConsoleConfluent REST APIConfluent CLI

   1. In the Confluent Cloud Console, go to your Confluent Cloud network resource and click + VPC Peering.

   2. Enter Name, AWS Account Number, AWS VPC ID, AWS VPC CIDR, and click Add.

      The AWS VPC CIDR value should not be identical and not completely within the Confluent Cloud network CIDRs. For example, with the Confluent Cloud network CIDR of 10.0.0.0/16, 10.0.0.0/8 is a valid AWS VPC CIDR, but 10.0.0.0/24 is not a valid AWS VPC CIDR.

      Peering connection provisioning will take a few minutes to complete. Your peering connection status will transition from “Provisioning” to “Inactive” in the Confluent Cloud Console.

2. When the connection status is “Inactive” in the Confluent Cloud Console, go to the Amazon VPC Console and accept the peering request. You have seven days to accept the request before it expires. For details on accepting peering connections, refer to Create and accept VPC peering connections in Amazon Virtual Private Cloud in the AWS documentation.

   If your request has expired, contact Confluent to resend the request. After you have accepted the peering request, the status of the peering connection will change to “Active”.

3. Add the new peering connection to the route table for your VPC in the AWS Management Console. For details on updating route tables, see the AWS documentation.

   For the routing to become effective, the route table must be associated with subnet(s).

   1. Go to the VPC section of the AWS Management Console and click Route Tables.
   2. Select the route table for your VPC and click Edit routes.
   3. Click Add route.
   4. Add the Confluent Cloud network VPC CIDR block to the Destination column. You can find the Confluent Cloud network VPC CIDR block in the Network Overview of your Confluent Cloud network.
   5. Add the AWS Peering Connection ID to the Target column. This value is prefixed with pcx-.
   6. Click Save routes.

4. When you are done, the VPC peering status should display “Active” in the Confluent Cloud Console.

VPC Peering using /27 CIDR blocks

Important

Limited Availability

Support for /27 CIDR blocks is in Limited Availability to a subset of Confluent customers. To be considered for access before General Availability, contact Confluent Support.

After creating a VPC Peering Confluent Cloud network that uses /27 CIDR blocks, perform the following steps to ensure that traffic can flow between your VPCs and the Confluent Cloud network:

• Add routes for all three /27 CIDR blocks to all your VPC route tables, not just the zone-aligned routes.
• Update the ACLs on your VPCs as needed.

Configure DNS forwarding

To resolve hostnames that reside within private DNS zones or a self-hosted DNS server and access your own VPC or on-prem from Confluent Cloud, set up DNS forwarding in Confluent Cloud.

For example, you can use DNS forwarding for Confluent Cloud fully-managed connectors that need to access data in your VPC.

DNS forwarding requires VPC peering or TGW connection where there is bi-directional network access between your network and Confluent Cloud clusters.

Step 1: Get DNS resolver IP addresses

To use the DNS forwarding feature with your AWS VPC, you can set up AWS Inbound Endpoints or use your own DNS server:

• If you wish to forward DNS requests from Confluent Cloud to a Route53 hosted zone, create Inbound Endpoints for Confluent Cloud network to access your DNS servers.

  AWS recommends deploying multiple endpoints in different availability zones for availability reasons.

  For details, see Configuring inbound endpoints.

  Once the endpoints are created, as described in the next step, in Confluent Cloud, input the IP addresses of the Inbound Endpoints to which to forward requests.

• If you want to use your self-hosted DNS server, use the IP address of that DNS server in Confluent Cloud in the next step.

Step 2: Create a DNS Forwarder in Confluent Cloud

Set up DNS forwarding in Confluent Cloud:

Confluent Cloud ConsoleConfluent REST APIConfluent CLI

1. In Confluent Cloud, navigate to the DNS Forwarding tab on the Network Detail page.
2. Input the following information:
   • DNS server IPs: Up to 3 IP addresses of your DNS servers to which we should forward DNS requests.
   • Domain list: Up to 10 domains to which you wish to route the DNS requests.
3. Wait until provisioning is complete and DNS is propagated.

Next steps

Try Confluent Cloud on AWS Marketplace with $400 of free usage for 30 days, and pay as you go.