Use VPC Peering Connections with Confluent Cloud on Google Cloud¶
A VPC peering connection enables you to route traffic using private IPv4 addresses between your VPC and Confluent Cloud. VPC peers can communicate with each other as if they are within the same network.
For more information about VPC peering with Google Cloud, see VPC Network Peering.
Important
Managed connectors created in a VPC-peered cluster can access data sources and sinks hosted in all peered VPCs if the firewall rules allow connector traffic to and from the peered VPCs. The peering itself does not restrict what a connector can reach, so scope the firewall rules that admit traffic from the Confluent Cloud network to the specific sources, destinations and ports each connector needs.
Requirements and considerations¶
A Confluent Cloud network of type PEERING in Google Cloud. If a network does not exist, create a PEERING type network as described in Confluent Cloud Network on Google Cloud.
Your VPC subnets and Confluent Cloud must be in the same region. Cross-region access to Confluent Cloud is not supported when VPC peering is enabled with Google Cloud.
Transitive VPC peering is not supported. If you peer Network A to Network B, and peer Network B to Confluent Cloud, applications running in Network A will not be able to access Confluent Cloud.
Shared VPCs do not provide transitive routing either, but you can peer a Shared VPC host network with Confluent Cloud so that the service projects attached to that host network reach Confluent Cloud. For more information, see Google Cloud Shared VPC overview.
You can colocate multiple Confluent Cloud Dedicated clusters in the same Confluent Cloud network, but this is limited by the expected number and size of these clusters. The applicable limits are specified in Network.
Create a VPC peering connection¶
To establish a VPC peering connection between Confluent Cloud and Google Cloud, you need to create a VPC peering connection in Confluent Cloud and a VPC peering connection in Google Cloud.
Create a VPC peering connection in Confluent Cloud¶
The following information is required:
- The Google Cloud project ID associated with the VPC that you are peering to Confluent Cloud.
- The network name of the VPC that you are peering with Confluent Cloud.
Because peered networks share routes, the routes imported from the Confluent Cloud network count against the route quota of your Google Cloud project. You might need to increase your route quota before you create the peering.
Follow the steps to create a VPC network peering connection to a Confluent Cloud cluster on Google Cloud using the Confluent Cloud Console or REST APIs.
Confluent also provides a Terraform configuration for creating a VPC peering connection. This configuration automates the manual steps described below.
- In the Confluent Cloud Console, in the environment you want, select your desired Confluent Cloud network resource of the VPC Peering type in the Network management tab.
- Click + VPC Peering in the Connections tab.
- Enter Name, GCP Project ID and GCP Network Name. You can also choose to Import custom routes.
- Click Add to create the peering connection. Provisioning takes a few minutes; the status of the peering connection in the Confluent Cloud Console changes from “Provisioning” to “Inactive”. “Inactive” is expected at this point, not an error: the connection stays inactive until the matching peering is created from your VPC in Google Cloud, after which it becomes “Active”.
A peering connection has to be created from your VPC to the Confluent Cloud network in order to access Confluent Cloud clusters and services in a Confluent Cloud network.
HTTP POST request
POST https://api.confluent.cloud/networking/v1/peerings
Authentication
See Authentication.
Request specification
{
  "spec": {
    "cloud": {
      "kind": "GcpPeering",
      "project": "my-project",
      "vpc_network": "gcp-vpc-peering",
      "import_custom_routes": false
    },
    "display_name": "My-GCP-Peering-1",
    "environment": {
      "id": "env-y0000w"
    },
    "network": {
      "id": "n-000000"
    }
  }
}
Create a VPC peering connection to Confluent Cloud in Google Cloud¶
In the Google Cloud Console, under VPC network, select VPC network peering.
Click CREATE CONNECTION to create a peering connection to Confluent Cloud.
Complete the form to initiate a peering connection to Confluent Cloud and click CREATE:
- Name
Specify a name for your peering connection.
- Your VPC network
Specify the name of your Google Cloud VPC network.
- Peered VPC network
Select In another project.
- Project ID
Specify the Google Cloud project ID that hosts the Confluent Cloud VPC. You can find the value in the Confluent Cloud Console under Network overview as the Confluent Cloud GCP Project ID.
- VPC network name
Specify the name of the Confluent Cloud VPC network. You can find the value in the Confluent Cloud Console under Network overview as the Confluent Cloud VPC Network Name.
Verify that the Status under VPC network peering is “Active” in the Google Cloud Console, and that the peering connection status is “Active” in the Confluent Cloud Console. A peering only becomes active once both sides exist and each side names the other side’s project and network; if either side stays “Inactive”, compare the project ID and network name entered on both sides.
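The two-sided procedure above, scripted, as an added example that is not Confluent’s or Google’s own tooling. The request body follows the POST /networking/v1/peerings specification shown on this page and the gcloud flags are those of `gcloud compute networks peerings create`. The following are this example’s assumptions rather than facts from the page: HTTP Basic auth with a Cloud API key and secret, the `GET /networking/v1/peerings/{id}?environment=` call and its `status.phase` field for reading the status, the Google Cloud naming rules used for input validation, and the environment variable names in `main()`. The status strings are compared case-insensitively against the Console wording (“Inactive”, “Active”), and the I/O is injected so the flow can be exercised with stubs.

```python
"""Script both sides of the Confluent Cloud <-> Google Cloud VPC peering set-up.

Added example, not Confluent or Google tooling. Assumptions (marked below):
Basic auth with a Cloud API key/secret, the `status.phase` field of the
peering resource, Google's naming rules, and the env var names in main().
"""
import base64, json, re, time
from typing import Callable, Dict, List

PEERINGS_API = "https://api.confluent.cloud/networking/v1/peerings"
# Google Cloud naming rules (from Google's docs, not this page): project IDs are
# 6-30 lowercase letters/digits/hyphens, start with a letter, no trailing hyphen;
# network names are 1-63 characters of the same alphabet.
PROJECT_RE = re.compile(r"^[a-z][-a-z0-9]{4,28}[a-z0-9]$")
NETWORK_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")


def peering_request(display_name, gcp_project, gcp_network, env_id, network_id,
                    import_custom_routes=False) -> Dict:
    """Confluent-side body. Validate names first: a peering that provisions on the
    Confluent side with a typo can never be matched from Google Cloud, and
    import_custom_routes cannot be changed without tearing the peering down."""
    if not PROJECT_RE.match(gcp_project):
        raise ValueError(f"invalid Google Cloud project ID: {gcp_project!r}")
    if not NETWORK_RE.match(gcp_network):
        raise ValueError(f"invalid VPC network name: {gcp_network!r}")
    return {"spec": {
        "cloud": {"kind": "GcpPeering", "project": gcp_project,
                  "vpc_network": gcp_network, "import_custom_routes": import_custom_routes},
        "display_name": display_name,
        "environment": {"id": env_id},
        "network": {"id": network_id}}}


def basic_auth_header(api_key, api_secret) -> str:
    """Assumed: Confluent Cloud REST APIs take HTTP Basic auth with a Cloud API key/secret."""
    return "Basic " + base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()


def gcloud_peering_command(name, my_network, confluent_project, confluent_network) -> List[str]:
    """Google Cloud side: peer *your* VPC to the Confluent Cloud VPC. The peer values
    are the 'Confluent Cloud GCP Project ID' and 'Confluent Cloud VPC Network Name'
    shown on the Network overview page."""
    return ["gcloud", "compute", "networks", "peerings", "create", name,
            f"--network={my_network}", f"--peer-project={confluent_project}",
            f"--peer-network={confluent_network}"]


def wait_for_status(get_status: Callable[[], str], want: str, attempts=30, delay=10.0,
                    sleep=time.sleep) -> str:
    """Poll the Confluent-side status until it equals `want` (case-insensitive).
    'Inactive' after the Confluent side alone is expected, not an error: it stays
    there until the Google Cloud side of the peering exists."""
    last = ""
    for _ in range(attempts):
        last = get_status().lower()
        if last == want.lower():
            return last
        if last == "failed":
            raise RuntimeError("peering provisioning failed")
        sleep(delay)
    raise TimeoutError(f"peering still {last!r} after {attempts} polls")


def establish_peering(post, get_status, run, cfg: Dict, sleep=time.sleep) -> List[str]:
    """Whole procedure: Confluent side, wait for Inactive, Google side, wait for
    Active. I/O (post/get_status/run) is injected so the flow can be driven by
    stubs; returns the status observed after each side."""
    post(peering_request(cfg["display_name"], cfg["gcp_project"], cfg["gcp_network"],
                         cfg["env_id"], cfg["network_id"], cfg.get("import_custom_routes", False)))
    seen = [wait_for_status(get_status, "inactive", sleep=sleep)]
    run(gcloud_peering_command(cfg["gcp_peering_name"], cfg["gcp_network"],
                               cfg["confluent_project"], cfg["confluent_network"]))
    seen.append(wait_for_status(get_status, "active", sleep=sleep))
    return seen


def main() -> None:
    """Live wiring with urllib and subprocess; env var names are this example's own."""
    import os, subprocess, urllib.request
    auth = basic_auth_header(os.environ["CONFLUENT_CLOUD_API_KEY"], os.environ["CONFLUENT_CLOUD_API_SECRET"])
    with open(os.environ["PEERING_CONFIG"]) as f:  # JSON with the keys used in establish_peering
        cfg = json.load(f)
    created: Dict = {}

    def post(body):
        req = urllib.request.Request(PEERINGS_API, data=json.dumps(body).encode(), method="POST",
                                     headers={"Authorization": auth, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            created.update(json.load(resp))

    def get_status():
        url = f"{PEERINGS_API}/{created['id']}?environment={cfg['env_id']}"  # assumed GET form
        with urllib.request.urlopen(urllib.request.Request(url, headers={"Authorization": auth})) as resp:
            return json.load(resp)["status"]["phase"]  # assumed field path

    print(establish_peering(post, get_status, lambda argv: subprocess.run(argv, check=True), cfg))


if __name__ == "__main__":
    main()
```

Run it with the three environment variables set and a JSON config file holding the same keys that `establish_peering` reads; `wait_for_status` is called twice on purpose, once expecting “Inactive” after the Confluent side and once expecting “Active” after the Google Cloud side, so a peering that never leaves “Inactive” surfaces as a timeout pointing at the Google Cloud side rather than as a silent success.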
Import custom routes¶
The Import Custom Routes option in Confluent Cloud enables connectivity to a Confluent Cloud cluster from on-premises networks or from other clouds, such as AWS and Azure, that are reachable from your VPC. This connectivity is enabled by importing static and dynamic custom routes from your VPC into the Confluent Cloud VPC over the VPC peering connection.
Review the considerations mentioned by Google Cloud in their VPC Peering documentation before enabling Import Custom Routes option.
The requirements and considerations for the Import Custom Routes option are:
- The customer side of the VPC peering has to be configured to export custom routes.
- Transitive routing to your VPCs in the same or different regions is not supported. The only exception is cross-regional VPCs interconnected using Google Cloud VPN; even then, the VPC that is peered with the Confluent Cloud cluster must be in the same region as the Confluent Cloud cluster.
- You cannot use transitive routing to networks in other regions even with the global access option enabled on a Google Cloud internal load balancer, which allows internal access to other regions through the load balancer.
- You cannot export custom routes from Confluent Cloud.
- Privately used public IP (PUPI) addresses are not supported with the Import Custom Routes option.
The Import Custom Routes option must be set when you create the VPC peering connection; it cannot be changed in place on an existing connection.
To enable or disable the option on an existing VPC peering connection, tear down the VPC peering connection and reestablish it with the Import Custom Routes option set as required. Allow 15 minutes between tearing down the peering connection and reestablishing it to avoid an error during recreation.
As an alternative to tearing down the connection in order to disable the option, disable the Export Custom Routes option on the customer VPC side of the peering: when your VPC exports no custom routes, Confluent Cloud has nothing to import.
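Before enabling Import Custom Routes, it is worth reviewing exactly which routes your VPC would export, because every one of them becomes a destination reachable from the Confluent Cloud network. The following added example (not Confluent or Google tooling) does that review over a constructed route table. The records are shaped like the JSON output of `gcloud compute routes list` (the field names `destRange`, `nextHopNetwork`, `nextHopGateway`, `nextHopVpnTunnel` and `nextHopIp` are that output’s; treating `nextHopNetwork` as the marker of a subnet route is this example’s assumption). The export rule encoded is Google’s, not this page’s: subnet routes are exchanged by every peering regardless of the option, static routes whose next hop is the default internet gateway are never exported, and the remaining custom static and dynamic routes are exported only when Export Custom Routes is on. Destinations outside private address space are flagged because the page states that PUPI addresses are not supported with Import Custom Routes.

```python
"""Pre-flight for Import Custom Routes: which of a customer VPC's routes would
be exported to the Confluent Cloud VPC, and which of those are unsupported.

Added example, not Confluent or Google tooling. Route records mimic
`gcloud compute routes list --format=json`; the sample below is constructed.
"""
import ipaddress
from typing import Dict, List

# Constructed sample of a customer VPC route table (not real project data).
SAMPLE_ROUTES: List[Dict] = [
    {"name": "default-route-1a2b", "destRange": "10.0.0.0/20",   # subnet route
     "nextHopNetwork": "https://www.googleapis.com/compute/v1/projects/my-project/global/networks/gcp-vpc-peering"},
    {"name": "default-route-internet", "destRange": "0.0.0.0/0",  # default route
     "nextHopGateway": "https://www.googleapis.com/compute/v1/projects/my-project/global/gateways/default-internet-gateway"},
    {"name": "onprem-dc", "destRange": "192.168.10.0/24",         # static route via Cloud VPN
     "nextHopVpnTunnel": "https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/vpnTunnels/onprem"},
    {"name": "aws-via-nva", "destRange": "172.16.0.0/16", "nextHopIp": "10.0.1.5"},  # via an appliance
    {"name": "pupi-range", "destRange": "11.0.0.0/16", "nextHopIp": "10.0.1.5"},     # privately used public IPs
]


def exported_custom_routes(routes: List[Dict]) -> List[Dict]:
    """Routes that Export Custom Routes on the customer side would send to the
    Confluent Cloud VPC (assumption: subnet routes carry nextHopNetwork)."""
    out = []
    for r in routes:
        if "nextHopNetwork" in r:          # subnet route: exchanged by any peering anyway
            continue
        if r.get("nextHopGateway", "").endswith("/default-internet-gateway"):
            continue                       # never exported over a peering
        out.append(r)
    return out


def unsupported_destinations(routes: List[Dict]) -> List[str]:
    """Names of routes whose destination is not private address space: privately
    used public IPs (PUPI) are not supported with Import Custom Routes."""
    return [r["name"] for r in routes
            if not ipaddress.ip_network(r["destRange"], strict=False).is_private]


def review(routes: List[Dict]) -> Dict[str, List[str]]:
    """Summary to act on before enabling the option. Every exported destination
    becomes reachable from the Confluent Cloud network, including by managed
    connectors, so the 'exported' list is also the scope your firewall rules
    should cover."""
    exported = exported_custom_routes(routes)
    return {"exported": [f"{r['name']} {r['destRange']}" for r in exported],
            "unsupported": unsupported_destinations(exported)}


if __name__ == "__main__":
    for key, value in review(SAMPLE_ROUTES).items():
        print(key, value)
```

Point `review()` at the parsed output of `gcloud compute routes list --format=json --filter="network:YOUR_NETWORK"` to run it against a real project; a non-empty `unsupported` list means the peering will not carry those destinations even with the option enabled, so they need to be renumbered or reached another way.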