VPC Peering on AWS

The following information is required.

  • The AWS account ID associated with the VPC that you are peering to Confluent Cloud.
  • The VPC ID that you are peering with Confluent Cloud.
  • The AWS region of the VPC that you are peering with Confluent Cloud.
  • The CIDR block of the VPC that you are peering with Confluent Cloud. This is used by Confluent Cloud to route traffic back to your network. The CIDR block must be a private range.
  • The VPC CIDR block for Confluent Cloud to use.
    • Cannot be modified after the cluster is provisioned.
    • Cannot overlap with an existing Confluent Cloud CIDR block.
    • Must not overlap with any ranges your organization is using.
    • The RFC 6598 shared address space is supported on AWS.
    • Must be a /16 CIDR block.
    • For AWS, the CIDR block must be in one of the following supported private networks:
    • For AWS, the following CIDR blocks are denied from the above mentioned larger CIDR blocks:
    • You might need to increase your route quota when you use VPC peering because the Confluent Cloud and AWS routes are shared.

For more information about VPC peering with AWS, see What Is Amazon VPC?

Create a VPC Peering Connection to Confluent Cloud on AWS

Follow this procedure to create a VPC network peering connection to a Confluent Cloud cluster on AWS.

A Dedicated Kafka cluster in AWS with VPC Peering enabled. The cluster must be provisioned in its own network and provide a CIDR for Confluent Cloud. For more information about how to create a dedicated cluster, see Create a Cluster in Confluent Cloud.
  1. In the Confluent Cloud Console, go to the Cluster Settings page, click the Networking tab, and then click Add Peering.

  2. In the Add Peering page, enter the AWS Account Number, AWS VPC ID, and AWS VPC CIDR for your peering connection, and then click Save. Your peering connection status will transition from “Pending” to “Inactive” in the Confluent Cloud Console.

    AWS Account Number

    AWS Account ID of the peer VPC owner.


    Unique identifier of the peer VPC. Must start with vpc-.


    AWS VPC CIDR block or subset. This must be from the supported CIDR blocks as mentioned above and must not overlap with your Confluent Cloud CIDR block or any other network peering connection VPC CIDR.

  3. When the connection status is “Inactive” in the Confluent Cloud Console, navigate to the Amazon VPC Console and accept the peering request. You have seven days to accept the request before it expires. For more information on accepting peering connections, see the AWS documentation.


    If your request has expired, contact Confluent to resend the request. After you have accepted the peering request, the status of the peering connection will change to “Active”.

  4. Add the new peering connection to the route table for your VPC in the AWS Management Console. For more information about updating route tables, see the AWS documentation.

    1. Go to the VPC section of the AWS Management Console and click Route Tables.
    2. Select the route table for your VPC and click Edit routes.
    3. Click Add route.
    4. Add the Confluent Cloud VPC CIDR blocks to the Destination column. You can find the Confluent Cloud VPC CIDR blocks in the Cluster Settings page in the Networking tab.
    5. Add the AWS Peering Connection ID to the Target column. This value is prefixed with pcx-.
    6. Click Save routes.

    When you are done, the VPC peering status should display “Active” in the Confluent Cloud Console.