Use VNet Peering on Azure¶

A VNet peering connection is a networking connection between your VNet and Confluent Cloud that enables you to route traffic using private IPv4 addresses. VNets can communicate with each other as if they are within the same network.

For more information about VNet peering with Azure, see Virtual Network Peering.

Prerequisites¶

A Confluent Cloud network of type PEERING in Azure. If a network does not exist, follow the procedure below.

Create a Confluent Cloud network in in Azure¶

To create a Dedicated cluster with Azure VNet Peering, you must first create a Confluent Cloud network in the required cloud and region.

Note

You can create multiple clusters within one Confluent Cloud network. For details on default service quotas, see Network.

Review the following requirements for CIDR block selections.

The CIDR block must be in one of the following private networks, as mentioned in RFC 1918.

10.0.0.0/8
100.64.0.0/10
172.16.0.0/12
192.168.0.0/16
198.18.0.0/15

The CIDR block cannot be any of the following:

10.100.0.0/16
10.253.0.0/16
10.254.0.0/16
10.255.0.0/16
172.17.0.0/16
172.20.0.0/16
172.30.0.0/16
172.31.0.0/16

Additional notes when selecting your CIDR block:

The RFC 6598 shared address space is supported on Azure.
Must be a /16 CIDR block.
Cannot be modified after the Confluent Cloud network is provisioned.
Cannot overlap with an existing Confluent Cloud CIDR block address.
Contact Confluent Support to add a new cluster in an existing /16 CIDR block.

In the Confluent Cloud Console, go to the Network management page for your environment.
Click Create your first network if this is the first network in your environment, or click + Add Network if your environment has existing networks.
Select Microsoft Azure as the cloud provider and the desired geographic region.
Select the Peering connectivity type and enter the CIDR block.
Click Continue.
Specify a Network Name, review your configuration, and click Create Network.

The following is an example REST API request:

HTTP POST request

POST https://api.confluent.cloud/networking/v1/networks

Authentication

See Authentication.

Request specification

In the request specification, include cloud, region, environment, connection type and optionally include the display name, CIDR and zones for the Confluent Cloud network. Update the attributes below with the correct values.

{
  "spec": {
      "display_name": "My-NW1",
      "cloud": "AZURE",
      "region": "centralus",
      "connection_types": [
          "PEERING"
      ],
      "cidr": "10.0.0.0/16",
      "zones": [
          "1",
          "2",
          "3"
      ],
      "environment":{
         "id":"env-00000"
     }
  }
}

In most cases, it takes up to 15 to 20 minutes to create a Confluent Cloud network. Keep note of the Confluent Cloud network ID from the response to specify it in the following commands.

After successfully provisioning the Confluent Cloud network, you can add Dedicated clusters within your Confluent Cloud network by using either of the following procedures:

Confluent Cloud Console: Create a Cluster in Confluent Cloud
Cluster Management API: Create a cluster

Create a VNet peering connection¶

Note

Confluent provides a Terraform configuration for creating a VNet peering connection. This configuration automates the manual steps described below.
Cross-region peering is not supported through the Confluent Cloud Console. Contact Confluent Support to see if your regions are supported and to request configuration.

A peering connection has to be created from your VNet to the Confluent Cloud network in order to access Confluent Cloud clusters and services in a Confluent Cloud network.

Follow this procedure to create a VNet network peering connection for a Confluent Cloud cluster on Azure. You can have multiple VNet peering connections. For information about limits, see Kafka cluster quotas.

In the Confluent Cloud Console, go to your Confluent Cloud network resource and click + VNet Peering.
Enter Name, Azure tenant ID, Azure subscription ID, Azure VNet Resource Group Name, and Azure VNet Name.

Azure Tenant ID
Represents an organization in Azure Active Directory. You can find this value in the Azure Portal under Azure Active Directory.

Azure Subscription ID
The unique identifier for your Azure subscription. You can find this in the Azure Portal on the Overview section of your |az| Virtual Network.

Azure VNet resource group name
The identifier for the Azure resource group that the virtual network belongs to. You can find this in the Azure Portal on the Overview section of your Azure Virtual Network.

Azure VNet Name
The name of your Azure virtual network. You can find this in the Azure Portal on the Overview section of your Azure Virtual Network.
Click Add. Your peering connection status will transition from “Pending” to “Error” in the Confluent Cloud Console. You must grant Confluent Cloud access to your Azure AD Tenant in the next step.

Grant access to your Azure AD Tenant.

Go to the following URL using your AD tenant ID (<tenant-id>) and approve:

https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=f0955e3a-9013-4cf4-a1ea-21587621c9cc&response_type=code

Run the following command with your subscription ID (<subscription-id>) to create a new role.

Tip

If you have more than one subscription ID, you must update the AssignableScopes.

az role definition create --output none --role-definition "{
\"Name\": \"Confluent Cloud Peering Creator\",
\"Description\": \"Perform cross-tenant network peering.\",
\"Actions\": [
    \"Microsoft.Network/virtualNetworks/read\",
    \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read\",
    \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write\",
    \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete\",
    \"Microsoft.Network/virtualNetworks/peer/action\"
],
\"AssignableScopes\": [
    \"/subscriptions/<subscription-id>/\",
]
}"

Run this command with your subscription ID (<subscription-id>), VNet resource group name (<resource-group-name>), and VNet Name (<vnet-name>) specified to assign the role to the service principal:
```
az role assignment create \
  --role "Confluent Cloud Peering Creator" \
  --assignee "$(az ad sp list --filter "appId eq 'f0955e3a-9013-4cf4-a1ea-21587621c9cc'" \
  --output tsv --query '[0].id')"  \
  --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>"
```
Note

Starting with Azure CLI v. 2.37.0, the objectId property in the output JSON of a Graph object is replaced by id. If you use an earlier version, use objectId in the --output line.
Click Continue. You are prompted to confirm that Confluent Cloud is present in your Azure AD Tenant.
Click Create connection to finish creating the peering connection.

Before you can create the VNet peering connection, you must first grant Confluent Cloud access to your Azure AD Tenant by following these steps:

Go to the following URL using your AD tenant ID (<tenant-id>) and approve:

https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=f0955e3a-9013-4cf4-a1ea-21587621c9cc&response_type=code

Run the following command with your subscription ID (<subscription-id>) to create a new role.

Tip

If you have more than one subscription ID, you must update the AssignableScopes.

az role definition create --output none --role-definition "{
\"Name\": \"Confluent Cloud Peering Creator\",
\"Description\": \"Perform cross-tenant network peering.\",
\"Actions\": [
    \"Microsoft.Network/virtualNetworks/read\",
    \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read\",
    \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write\",
    \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete\",
    \"Microsoft.Network/virtualNetworks/peer/action\"
],
\"AssignableScopes\": [
    \"/subscriptions/<subscription-id>/\",
]
}"

Run this command with your subscription ID (<subscription-id>), VNet resource group name (<resource-group-name>), and VNet Name (<vnet-name>) specified to assign the role to the service principal:
```
az role assignment create \
  --role "Confluent Cloud Peering Creator" \
  --assignee "$(az ad sp list --filter "appId eq 'f0955e3a-9013-4cf4-a1ea-21587621c9cc'"
  --output tsv --query '[0].id')"  \
  --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>"
```
Note

Starting with Azure CLI v. 2.37.0, the objectId property in the output JSON of a Graph object is replaced by id. If you use an earlier version, use objectId in the --output line.

Now that you granted access to the Azure AD tenant, you can create the VNet peering connection using an HTTP request that resembles the following REST API example:

HTTP POST request

POST https://api.confluent.cloud/networking/v1/peerings

Authentication

See Authentication.

Request specification

{
   "spec":{
      "cloud":{
         "kind":"AzurePeering",
         "tenant":"00000000-0000-0000-0000-000000000000",
         "vnet":"/subscriptions/6fabf0a4-e5f1-4fc2-b2d3-8bc114dafd32/resourceGroups/MyGroup/providers/Microsoft.Network/virtualNetworks/PeeringTest",
         "customer_region":"centralus"
      },
      "display_name":"MY-Peering-1",
      "environment":{
         "id":"env-00000"
      },
      "network":{
         "id":"n-000000"
      }
   }
}

When you are finished, the VPC peering status should display “Active” in the Confluent Cloud Console.