VPC Peering on GCP

Important

Cross-region access to Confluent Cloud is not supported when VPC peering is enabled with Google Cloud. Your VPC subnets and Confluent Cloud must be in the same region.

Important considerations before creating VPC peering connections:

  • The project ID associated with the VPC that you are peering to Confluent Cloud.
  • The network name of the VPC that you are peering with Confluent Cloud.
  • The VPC CIDR block for Confluent Cloud to use.
    • Cannot be modified after the cluster is provisioned.
    • Cannot overlap with an existing Confluent Cloud CIDR block.
    • Must not overlap with any ranges your organization is using.
    • The RFC 6598 shared address space is supported on Google Cloud.
    • Must be a /16 CIDR block.
    • For Google Cloud, the CIDR block must be in one of the following supported private networks:
      • 10.0.0.0/8
      • 100.64.0.0/10
      • 172.16.0.0/12
      • 192.168.0.0/16
    • For Google Cloud, the following CIDR block is denied from the larger CIDR blocks listed above:
      • 172.17.0.0/16
    • You might need to increase your route quota when you use VPC peering, because the Confluent Cloud and Google Cloud routes are shared.

For more information about VPC peering with Google Cloud, see VPC Network Peering.
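The CIDR rules listed above are easy to get wrong, and the block cannot be changed once the cluster is provisioned. The following checker is an added example (not Confluent or Google code) that applies those rules to a candidate block before you submit it; the existing Confluent Cloud CIDRs and organisation ranges passed in are constructed samples.

```python
import ipaddress

# Google Cloud ranges Confluent Cloud accepts for the cluster CIDR (from the list above).
ALLOWED_SUPERNETS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16")]
# Block explicitly denied on Google Cloud even though it lies inside 172.16.0.0/12.
DENIED_BLOCK = ipaddress.ip_network("172.17.0.0/16")


def validate_confluent_cidr(candidate, existing_confluent_cidrs=(), org_ranges=()):
    """Return a list of rule violations; an empty list means the block is usable.

    candidate: the CIDR you intend to give Confluent Cloud (must be a /16).
    existing_confluent_cidrs: CIDRs already used by your other Confluent Cloud networks.
    org_ranges: every range your organisation uses (VPC subnets, on-prem, other clouds).
    """
    try:
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR: {exc}"]
    if net.version != 4:
        return ["must be an IPv4 block"]
    problems = []
    if net.prefixlen != 16:
        problems.append("must be a /16 block")
    if not any(net.subnet_of(s) for s in ALLOWED_SUPERNETS):
        problems.append("must lie inside 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12 or 192.168.0.0/16")
    if net.overlaps(DENIED_BLOCK):
        problems.append("overlaps the denied block 172.17.0.0/16")
    for label, ranges in (("existing Confluent Cloud CIDR", existing_confluent_cidrs),
                          ("organisation range", org_ranges)):
        for r in ranges:
            other = ipaddress.ip_network(r, strict=False)
            if other.version == 4 and net.overlaps(other):
                problems.append(f"overlaps {label} {other}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a dry run.
    print(validate_confluent_cidr("10.1.0.0/16", org_ranges=["10.1.200.0/24"]))
    print(validate_confluent_cidr("172.17.0.0/16"))
```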

Create a VPC Peering Connection to Confluent Cloud on Google Cloud

Follow this procedure to create a VPC peering connection to a Confluent Cloud cluster on Google Cloud.

Prerequisite
A Dedicated Kafka cluster in Google Cloud with VPC Peering enabled. The cluster must be provisioned in its own network and provide a CIDR for Confluent Cloud. For more information about how to create a dedicated cluster, see Create a Cluster in Confluent Cloud.
  1. In the Confluent Cloud Console, go to the Cluster Settings page, click the Networking tab, and then click Add Peering.

  2. In the Add Peering page, enter the GCP Project ID, GCP Network Name, optionally select Import custom routes for your peering connection, and click Save.

    GCP Project ID

    This is a unique identifier for your Google Cloud project. To find the unique identifier for your project, see the Google Cloud Console dashboard.

    GCP Network Name

    Specify the network name of the VPC that you are peering to Confluent Cloud. To find the network name, go to the VPC networks listing under VPC network in the Google Cloud Console.

    Import Custom Routes

    This is an optional parameter. Enable this option to import static and dynamic custom routes over the VPC peering connection. The custom routes have to be configured to be exported in the customer VPC.

  3. Go to VPC network in the Google Cloud Console and select VPC network peering. Click CREATE CONNECTION to create a peering connection to Confluent Cloud.

  4. In the Google Cloud Console, complete the form to initiate a peering connection to Confluent Cloud and click CREATE.

    Name

    Specify a name for your peering connection.

    Your VPC network

    Specify the name of your Google Cloud VPC network.

    Peered VPC network

    Select In another project.

    Project ID

    Specify your Confluent Cloud Project ID. You can find this in the Confluent Cloud Networking tab for your cluster.

    VPC network name

    Specify your Confluent Cloud VPC name. You can find this in the Confluent Cloud Console Networking tab for your cluster.

  5. When you are finished, verify that the Status under VPC Peering connections is “Active”.
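Step 5 can be checked from the CLI instead of the console: the `peerings` field of `gcloud compute networks describe YOUR_VPC --format=json` carries the state of each peering and whether your side exports custom routes, which Import Custom Routes (step 2) depends on. The checker below is an added example, not Confluent or Google code; the network JSON it parses is a constructed sample with placeholder project and network names.

```python
import json

# Constructed sample: what `gcloud compute networks describe app-vpc --format=json`
# might return while the Confluent side of the peering does not exist yet.
# Project and network names are placeholders, not real Confluent Cloud identifiers.
SAMPLE_NETWORK_JSON = json.dumps({
    "name": "app-vpc",
    "peerings": [{
        "name": "to-confluent",
        "network": "https://www.googleapis.com/compute/v1/projects/"
                   "confluent-project-placeholder/global/networks/confluent-vpc-placeholder",
        "state": "INACTIVE",
        "stateDetails": "Waiting for peer network to connect.",
        "exportCustomRoutes": False,
        "importCustomRoutes": False,
        "exchangeSubnetRoutes": True,
    }],
})


def check_peering(network_json, confluent_project_id, confluent_vpc_name,
                  need_custom_routes=False):
    """Return (ok, findings) for the peering from your VPC to the Confluent Cloud VPC.

    network_json: JSON from `gcloud compute networks describe YOUR_VPC --format=json`.
    need_custom_routes: True when Import Custom Routes was enabled on the Confluent side,
                        which only carries routes if your side exports them.
    """
    peer_suffix = f"/projects/{confluent_project_id}/global/networks/{confluent_vpc_name}"
    peerings = json.loads(network_json).get("peerings", [])
    peering = next((p for p in peerings if p.get("network", "").endswith(peer_suffix)), None)
    if peering is None:
        return False, [f"no peering to {confluent_project_id}/{confluent_vpc_name} on this VPC"]
    findings = []
    if peering.get("state") != "ACTIVE":
        # INACTIVE is expected until the peering has been created on both sides.
        findings.append(f"{peering['name']}: state {peering.get('state')} "
                        f"({peering.get('stateDetails', 'no details')})")
    if need_custom_routes and not peering.get("exportCustomRoutes", False):
        findings.append(f"{peering['name']}: exportCustomRoutes is off, so Confluent Cloud "
                        "will import no custom routes")
    return not findings, findings


if __name__ == "__main__":
    ok, findings = check_peering(SAMPLE_NETWORK_JSON, "confluent-project-placeholder",
                                 "confluent-vpc-placeholder", need_custom_routes=True)
    print("OK" if ok else "\n".join(findings))
```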

Import Custom Routes

The Import Custom Routes option enables connectivity to a Confluent Cloud cluster in Google Cloud from customer premise or other clouds, such as AWS and Azure, through a customer VPC that is peered with Confluent Cloud in the same region. This connectivity is enabled by importing static and dynamic custom routes from a customer VPC into a Confluent Cloud VPC over the VPC peering connection. The customer side VPC peering has to be configured to export custom routes.

Review the considerations mentioned by Google Cloud in their VPC Peering documentation before enabling the Import Custom Routes option.

Important

Limitations for Import Custom Routes

  1. Enabling or disabling the Import Custom Routes option on an existing VPC Peering connection is not supported.
    1. The Import Custom Routes option must be enabled when you set up the VPC peering connection.
    2. In order to enable the Import Custom Routes option on an existing VPC peering connection, tear down the VPC peering connection and reestablish it with the Import Custom Routes option enabled. Allow 15 minutes between tearing down the VPC connection and reestablishing it to avoid getting an error message during recreation.
    3. In order to disable the Import Custom Routes option, tear down the VPC peering connection and reestablish it with the Import Custom Routes option disabled. Allow 15 minutes between tearing down the VPC connection and reestablishing it to avoid getting an error message during recreation. As an alternative, disable the Export Custom Route option in the customer VPC.
  2. Transitive routing to customer VPCs in the same or different regions is not supported. The only exception is when cross-regional customer VPCs are interconnected using Cloud VPN. However, the customer VPC that is peered with the Confluent Cloud cluster must be in the same region as the Confluent Cloud cluster.
  3. Transitive routing to external networks connected through customer VPCs that require global access to be turned on for Google Cloud Internal Load Balancing is not supported.
  4. Exporting custom routes from the Confluent Cloud cluster is not supported.
  5. Privately addressable public IP addresses (PUPI) are not supported with Import Custom Routes.