VNet Peering on Azure

Important considerations before creating a VNet peering connection:

  • The Tenant ID associated with the VNet that you are peering to Confluent Cloud.
    • Retrieve your Tenant/Directory ID in portal.azure.com under Azure Active Directory > Properties.
  • The VNet ID of the VNet that you are peering with Confluent Cloud.
    • Retrieve your VNet Resource ID in portal.azure.com under Virtual Networks > Target VNet > Properties.
  • The VNet CIDR block for Confluent Cloud to use.
    • Cannot be modified after the cluster is provisioned.
    • Cannot overlap with an existing Confluent Cloud CIDR.
    • Must be a /16 CIDR block.
    • Must not overlap with any ranges your organization is using.
    • The RFC 6598 shared address space is supported on Azure.
    • For Azure, the CIDR block must be in one of the following private networks:
      • 10.0.0.0/8
      • 100.64.0.0/10
      • 172.16.0.0/12
      • 192.168.0.0/16
      • 198.18.0.0/15
    • For Azure, the following CIDR blocks are denied from the larger CIDR blocks listed above:
      • 10.100.0.0/16
      • 10.253.0.0/16
      • 10.254.0.0/16
      • 10.255.0.0/16
      • 172.17.0.0/16
      • 172.20.0.0/16
      • 172.30.0.0/16
      • 172.31.0.0/16
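Because the Confluent Cloud CIDR cannot be changed after the cluster is provisioned, it is worth checking a candidate block against every rule above before you submit it. The following is an added example, not Confluent's own code or tooling; it encodes the allowed parent ranges and denied blocks listed above and takes an optional list of ranges your organization already uses (the sample ranges in the usage section are constructed for illustration).

```python
import ipaddress

# Parent ranges from which the Confluent Cloud CIDR on Azure must be taken.
ALLOWED_PARENTS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",
    "100.64.0.0/10",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "198.18.0.0/15",
)]

# Blocks that are denied even though they sit inside an allowed parent range.
DENIED_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.100.0.0/16", "10.253.0.0/16", "10.254.0.0/16", "10.255.0.0/16",
    "172.17.0.0/16", "172.20.0.0/16", "172.30.0.0/16", "172.31.0.0/16",
)]


def check_confluent_cidr(candidate, in_use=()):
    """Return the list of reasons a candidate CIDR is unusable (empty list = OK).

    candidate: the block you intend to give Confluent Cloud, e.g. "10.5.0.0/16".
    in_use:    CIDR strings your organization already routes (peered VNets,
               on-premises ranges, existing Confluent Cloud CIDRs).
    """
    problems = []
    try:
        # strict=True rejects a block whose host bits are set, e.g. "10.5.1.0/16".
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]

    if net.version != 4:
        return ["must be an IPv4 block"]

    if net.prefixlen != 16:
        problems.append(f"prefix length is /{net.prefixlen}, must be /16")

    if not any(net.subnet_of(parent) for parent in ALLOWED_PARENTS):
        problems.append("not inside any of the allowed parent ranges")

    for denied in DENIED_BLOCKS:
        if net.overlaps(denied):
            problems.append(f"overlaps denied block {denied}")

    for used in in_use:
        # strict=False so that ranges recorded as host addresses still parse.
        used_net = ipaddress.ip_network(used, strict=False)
        if net.overlaps(used_net):
            problems.append(f"overlaps a range already in use: {used_net}")

    return problems


if __name__ == "__main__":
    # Constructed sample of ranges an organization might already route.
    existing = ["10.0.0.0/16", "172.16.0.0/20", "192.168.10.0/24"]
    for cidr in ("10.5.0.0/16", "10.100.0.0/16", "10.0.0.0/16",
                 "203.0.0.0/16", "192.168.0.0/16", "100.64.0.0/16"):
        result = check_confluent_cidr(cidr, existing)
        print(cidr, "OK" if not result else "; ".join(result))
```

Run the script against the actual list of ranges your organization routes (including any CIDRs already assigned to other Confluent Cloud networks); a block is only safe to submit when the function returns an empty list.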

In the Confluent Cloud Console, during configuration, you must run the available setup script before Confluent can create a peer connection to your VNet network.

For more information about VNet peering with Azure, see Virtual Network Peering.

Create a VNet peering connection to Confluent Cloud on Azure

Follow this procedure to create a VNet peering connection for a Confluent Cloud cluster on Azure.

Prerequisite
A Dedicated Kafka cluster in Azure with VNet Peering enabled. The cluster must be provisioned in its own network and provide a CIDR for Confluent Cloud. For more information about how to create a dedicated cluster, see Create a Cluster in Confluent Cloud.
  1. In the Confluent Cloud Console, go to the Cluster Settings page, click the Networking tab, and then click Add Peering.

  2. In the Add Peerings page, enter the Azure Tenant ID, Azure Subscription ID, Azure VNet Resource Group Name, and the Azure VNet Name for your peering connection, and then click Save. The peering connection status transitions from “Pending” to “Error” in the Confluent Cloud Console; this is expected at this point, because Confluent Cloud cannot create the peering until you grant it access to your Azure AD tenant in the next step.

    Azure Tenant ID

    Represents an organization in Azure Active Directory. You can find this in the Azure Portal under Azure Active Directory.

    Azure Subscription ID

    Unique identifier for your Azure subscription. You can find this in the Azure Portal on Overview tab of your Azure Virtual Network.

    Azure VNet resource group name

    Identifier for the Azure resource group that the virtual network belongs to. You can find this in the Azure Portal on Overview tab of your Azure Virtual Network.

    Azure VNet Name

    Name of your Azure virtual network. You can find this in the Azure Portal on Overview tab of your Azure Virtual Network.

  3. Grant access to your Azure AD Tenant:

    1. Go to the following URL, substituting your Azure AD tenant ID for <tenant-id>, and approve the consent prompt. Approving it creates a service principal for the Confluent Cloud application (client_id f0955e3a-9013-4cf4-a1ea-21587621c9cc) in your tenant; the following steps grant that service principal a narrowly scoped role.

      https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=f0955e3a-9013-4cf4-a1ea-21587621c9cc&response_type=code
      
    2. Run the following command with your subscription ID (<subscription-id>) to create a custom role. The role carries only the actions needed to read the VNet and to create, read, and delete peerings on it:

      Tip

      If the VNet could be in more than one subscription, add each subscription as a separate entry in AssignableScopes; a custom role can only be assigned within the scopes listed there.

      az role definition create --output none --role-definition "{
      \"Name\": \"Confluent Cloud Peering Creator\",
      \"Description\": \"Perform cross-tenant network peering.\",
      \"Actions\": [
          \"Microsoft.Network/virtualNetworks/read\",
          \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read\",
          \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write\",
          \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete\",
          \"Microsoft.Network/virtualNetworks/peer/action\"
      ],
      \"AssignableScopes\": [
          \"/subscriptions/<subscription-id>/\"
      ]
      }"
      
    3. Run this command with your subscription ID (<subscription-id>), VNet resource group name (<resource-group-name>), and VNet name (<vnet-name>) to assign the role to Confluent's service principal. The scope is the single VNet, so the service principal receives no rights on any other resource in the subscription:

      az role assignment create \
          --role "Confluent Cloud Peering Creator" \
          --assignee "$(az ad sp list --filter "appId eq 'f0955e3a-9013-4cf4-a1ea-21587621c9cc'" --output tsv --query '[0].objectId')"  \
          --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>"

      Note

      On Azure CLI 2.37 and later, az ad sp list returns Microsoft Graph property names, so the object ID field is id rather than objectId; use --query '[0].id' there. If the query returns nothing, the consent in the first step has not yet created the service principal in your tenant.
      
    4. Click Submit in the Access instructions.

  4. When you are finished, the VNet peering status should display “Active” in the Confluent Cloud Console.