Use VPC Peering Connections with Confluent Cloud on GCP

A VPC peering connection enables you to route traffic using private IPv4 addresses between your VPC and Confluent Cloud. VPC peers can communicate with each other as if they are within the same network.

For more information about VPC peering with Google Cloud, see VPC Network Peering.

Important

Managed connectors created in a VPC-peered cluster can access data sources and sinks hosted in all peered VPCs, if the firewall rules allow connector traffic to and from the peered VPCs.

Requirements and considerations

• A Confluent Cloud network of type PEERING in Google Cloud. If a network does not exist, see Confluent Cloud Network on Google Cloud.

• Your VPC subnets and Confluent Cloud must be in the same same region. Cross-region access to Confluent Cloud is not supported when VPC peering is enabled with Google Cloud.

• Transitive VPC peering is not supported. If you peer Network A to Network B, and peer Network B to Confluent Cloud, applications running in Network A will not be able to access Confluent Cloud.

  Although they don’t provide transitive routing, shared Google Cloud VPCs can be leveraged to enable Confluent Cloud connectivity. For more information, see Google Cloud Shared VPC overview.

• You can colocate multiple Confluent Cloud Dedicated clusters in the same Confluent Cloud network, but this is limited by the expected number and size of these clusters. The applicable limits are specified in Network.

Create a VPC peering connection

Follow this procedure to create a VPC network peering connection to a Confluent Cloud cluster on Google Cloud using the Confluent Cloud Console or REST APIs.

The following information is required:

• The Google Cloud project ID associated with the VPC that you are peering to Confluent Cloud.
• The network name of the VPC that you are peering with Confluent Cloud.
• The CIDR block of the VPC you are peering with Confluent Cloud. This is used by Confluent Cloud to route traffic back to your network.
• You might need to increase your route quota when you use VPC peering because the Confluent Cloud and Google Cloud routes are shared.

Confluent also provides a Terraform configuration for creating a VPC peering connection. This configuration automates the manual steps described below.

Confluent Cloud ConsoleREST APIs

1. In the Confluent Cloud Console, go to your desired Confluent Cloud network resource and click + VPC Peering.

2. Enter Name, GCP Project ID and GCP Network Name. You can also choose to Import custom routes.

3. Click Add to create the peering connection. Peering connection provisioning will take a few minutes to complete. Your peering connection status will transition from “Provisioning” to “Inactive” in the Confluent Cloud Console.

4. Go to VPC network in the Google Cloud Console select VPC network peering. Click CREATE CONNECTION to create a peering connection the Confluent Cloud.

5. Complete the form to initiate a peering connection to Confluent Cloud and click CREATE.

   Name

   Specify a name for your peering connection.

   Your VPC network

   Specify the name of your Google Cloud VPC network.

   Peered VPC network

   Select In another project.

   Project ID

   Specify your Confluent Cloud Project ID. You can find the value in the Confluent Cloud Console under Network overview as the Confluent Cloud GCP Project ID.

   VPC network name

   Specify your Confluent Cloud VPC name. You can find the value in the Confluent Cloud Console under Network overview as the Confluent Cloud VPC Network Name.

6. Verify that the Status under VPC Peering connections is “Active”.

Import custom routes

The Import Custom Routes option in Confluent Cloud enables connectivity to a Confluent Cloud cluster from customer premise or other clouds, such as AWS and Azure. This connectivity is enabled by importing static and dynamic custom routes from a customer VPC into a Confluent Cloud VPC over the VPC peering connection.

Review the considerations mentioned by Google Cloud in their VPC Peering documentation before enabling Import Custom Routes option.

The requirements and considerations for the Import Custom Routes option are:

• The customer side VPC peering has to be configured to export custom routes.
• Transitive routing to your VPCs in the same or different regions is not supported.
  • The only exception is when cross-regional VPCs are interconnected using Google Cloud VPN. However, your VPC, which is peered with Confluent Cloud cluster, must be in the same region as Confluent Cloud cluster.
  • You cannot use transitive routing to networks in other regions even with the global access option enabled in the Google Cloud Internal LoadBalancer, where internal access to other regions is allowed through the internal load balancer.
• You cannot export Custom Routes from Confluent Cloud.
• Privately used public IP (PUPI) addresses are not supported with the Import Custom Routes option.

The Import Custom Routes option must be enabled when you set up the VPC peering connection.

• To enable Import Custom Routes option on an existing VPC peering connection:

  Tear down the VPC peering connection and reestablish it with the Import Custom Routes option enabled.

  Allow 15 minutes between tearing down the VPC connection and reestablishing it to avoid getting an error message during recreation.

• To disable the Import Custom Routes option on an existing VPC peering connection:

  tablear down the VPC peering connection and reestablish it with the Import Custom Routes option disabled.

  Allow 15 minutes between tearing down the VPC connection and reestablishing it to avoid getting an error message during recreation.

  As an alternative, disable the Export Custom Route option in the customer VPC.