Use VPC Peering Connections with Confluent Cloud on Google Cloud¶
A VPC peering connection enables you to route traffic using private IPv4 addresses between your VPC and Confluent Cloud. VPC peers can communicate with each other as if they are within the same network.
For more information about VPC peering with Google Cloud, see VPC Network Peering.
Managed connectors created in a VPC-peered cluster can access data sources and sinks hosted in all peered VPCs, if the firewall rules allow connector traffic to and from the peered VPCs.
Requirements and considerations¶
A Confluent Cloud network of type PEERING in Google Cloud. If a network does not exist, create a PEERING type network as described in Create Confluent Cloud Network on Google Cloud.
Your VPC subnets and Confluent Cloud must be in the same region. Cross-region access to Confluent Cloud is not supported when VPC peering is enabled with Google Cloud.
Transitive VPC peering is not supported. If you peer Network A to Network B, and peer Network B to Confluent Cloud, applications running in Network A will not be able to access Confluent Cloud.
Although they don’t provide transitive routing, shared Google Cloud VPCs can be leveraged to enable Confluent Cloud connectivity. For more information, see Google Cloud Shared VPC overview.
You can colocate multiple Confluent Cloud Dedicated clusters in the same Confluent Cloud network, but this is limited by the expected number and size of these clusters. The applicable limits are specified in Networks.
If you use Google Cloud Organization policy constraints to restrict VPC peering, contact Confluent Support to obtain the Confluent Cloud Organization ID in Google Cloud, then whitelist that Organization ID in the constraints/compute.restrictVpcPeering policy in Google Cloud.
Create a VPC peering connection¶
To establish a VPC peering connection between Confluent Cloud and Google Cloud:
- Create a VPC peering connection in Confluent Cloud.
- Create a VPC peering connection in Google Cloud.
Create a VPC peering connection in Confluent Cloud¶
The following information is required:
- The Google Cloud project ID associated with the VPC that you are peering to Confluent Cloud.
- The network name of the VPC that you are peering with Confluent Cloud.
- You might need to increase your route quota when you use VPC peering because the Confluent Cloud and Google Cloud routes are shared.
Follow the steps to create a VPC network peering connection to a Confluent Cloud cluster on Google Cloud using the Confluent Cloud Console, Confluent REST API, or Confluent CLI.
Confluent also provides a Terraform configuration for creating a VPC peering connection. This configuration automates the manual steps described below.
- In the Confluent Cloud Console, in the environment you want, select your desired Confluent Cloud network resource of the VPC Peering type in the Network management tab.
- Click + VPC Peering in the Connections tab.
- Enter Name, GCP Project ID and GCP Network Name. You can also choose to Import custom routes.
- Click Add to create the peering connection. Peering connection provisioning will take a few minutes to complete. Your peering connection status will transition from “Provisioning” to “Waiting for connection” in the Confluent Cloud Console.
A peering connection has to be created from your VPC to the Confluent Cloud network in order to access Confluent Cloud clusters and services in a Confluent Cloud network.
HTTP POST request
POST https://api.confluent.cloud/networking/v1/peerings
Authentication
See Authentication.
Request specification
{
  "spec": {
    "cloud": {
      "kind": "GcpPeering",
      "project": "my-project",
      "vpc_network": "gcp-vpc-peering",
      "import_custom_routes": false
    },
    "display_name": "My-GCP-Peering-1",
    "environment": {
      "id": "env-y0000w"
    },
    "network": {
      "id": "n-000000"
    }
  }
}
Use the confluent network peering create Confluent CLI command to create a peering connection:
confluent network peering create gcp-peering <flags>
The following command-specific flags are supported:
- --network: Required. Confluent Cloud network ID.
- --cloud: Required. The cloud provider. Set to gcp.
- --cloud-account: Required. Google Cloud project ID associated with the VPC that you are peering with the Confluent Cloud network.
- --virtual-network: Required. Name of the Google Cloud VPC that you are peering with the Confluent Cloud network.
- --gcp-routes: Enable customer route import for Google Cloud VPC peering.
You can specify additional optional CLI flags described in the Confluent CLI command reference, such as --environment.
The following is an example Confluent CLI command to create a VPC peering:
confluent network peering create gcp-peering \
--network n-123456 \
--cloud gcp \
--cloud-account temp-123456 \
--virtual-network customer-test-vpc-network \
--gcp-routes
Create a VPC peering connection to Confluent Cloud in Google Cloud¶
In VPC network in the Google Cloud Console, select VPC network peering.
Click CREATE CONNECTION to create a peering connection to Confluent Cloud.
Complete the form to initiate a peering connection to Confluent Cloud and click CREATE.
- Name
Specify a name for your peering connection.
- Your VPC network
Specify the name of your Google Cloud VPC network.
- Peered VPC network
Select In another project.
- Project ID
Specify your Confluent Cloud Project ID. You can find the value in the Confluent Cloud Console under Network overview as the Confluent Cloud GCP Project ID.
- VPC network name
Specify your Confluent Cloud VPC name. You can find the value in the Confluent Cloud Console under Network overview as the Confluent Cloud VPC Network Name.
Verify that the Status under VPC Peering connections is “Ready”.
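The two-sided procedure above, driven from a shell instead of the Console. This is an added example, not Confluent's or Google's own tooling: it composes the confluent CLI command from the previous section and the equivalent gcloud command for the Google Cloud side, ties the Import custom routes choice to the export flag your side must set, and ends with the check that the peering has come up. Every command is run through $RUN, which defaults to echo (dry run); the Confluent-side project and VPC names (cc-project-placeholder, cc-vpc-placeholder) are constructed placeholders that you replace with the values shown under Network overview.

```shell
#!/bin/sh
# Added example, not Confluent's or Google's own tooling: runs both halves of the
# peering procedure from a shell. Each command is composed by a function and
# executed through $RUN, which defaults to "echo" (dry run); set RUN="" to
# actually run them. cc-project-placeholder and cc-vpc-placeholder are
# constructed values; read the real ones from Network overview in the Console.
set -eu

RUN="${RUN-echo}"   # default: print the commands instead of executing them

# Shape checks that catch swapped arguments before any API call: a Confluent
# Cloud network ID looks like n-xxxxxx, and a Google Cloud project ID is 6-30
# lowercase letters, digits or hyphens, starting with a letter.
valid_network_id() { echo "$1" | grep -Eq '^n-[0-9a-z]+$'; }
valid_gcp_project() { echo "$1" | grep -Eq '^[a-z][-a-z0-9]{4,28}[a-z0-9]$'; }

# Step 1, Confluent Cloud side: the confluent CLI command from the section
# above. Pass "true" as the fifth argument to request Import custom routes.
confluent_peering_cmd() {
  network="$1"; project="$2"; vpc="$3"; name="$4"; import_routes="${5:-false}"
  valid_network_id "$network" || { echo "bad Confluent network ID: $network" >&2; return 1; }
  valid_gcp_project "$project" || { echo "bad GCP project ID: $project" >&2; return 1; }
  cmd="confluent network peering create $name --network $network --cloud gcp"
  cmd="$cmd --cloud-account $project --virtual-network $vpc"
  [ "$import_routes" = true ] && cmd="$cmd --gcp-routes"
  echo "$cmd"
}

# Step 2, Google Cloud side: the peering created from your VPC with gcloud
# instead of the Console form. --peer-project and --peer-network take the
# Confluent Cloud GCP Project ID and VPC Network Name. Confluent can only
# import custom routes that your side exports, so the two flags are tied.
gcloud_peering_cmd() {
  name="$1"; my_vpc="$2"; cc_project="$3"; cc_vpc="$4"; import_routes="${5:-false}"
  cmd="gcloud compute networks peerings create $name --network=$my_vpc"
  cmd="$cmd --peer-project=$cc_project --peer-network=$cc_vpc"
  [ "$import_routes" = true ] && cmd="$cmd --export-custom-routes"
  echo "$cmd"
}

# Verification: list the peerings on your VPC. The STATE column shows ACTIVE
# once both sides exist and INACTIVE until the Confluent side's peering is
# there or while the project/network names do not match.
gcloud_peering_list_cmd() { echo "gcloud compute networks peerings list --network=$1"; }

# Whole procedure, using the constructed values from this page's CLI example.
main() {
  $RUN $(confluent_peering_cmd n-123456 temp-123456 customer-test-vpc-network gcp-peering true)
  # The Confluent side now reports "Waiting for connection"; create your side.
  $RUN $(gcloud_peering_cmd to-confluent customer-test-vpc-network cc-project-placeholder cc-vpc-placeholder true)
  $RUN $(gcloud_peering_list_cmd customer-test-vpc-network)
}

if [ "${PEERING_EXAMPLE_MAIN:-0}" = 1 ]; then main "$@"; fi
```

Run it as `PEERING_EXAMPLE_MAIN=1 sh peering.sh` to see the commands, and add `RUN=""` to execute them against a project where you have already authenticated both CLIs. The input checks matter more than they look: passing the Confluent network ID where the project ID belongs produces a peering that sits in "Waiting for connection" on one side and INACTIVE on the other, which is hard to tell apart from a slow provisioning run.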
Import custom routes¶
The Import Custom Routes option in Confluent Cloud enables connectivity to a Confluent Cloud cluster from customer premises or other clouds, such as AWS and Azure. This connectivity is enabled by importing static and dynamic custom routes from a customer VPC into a Confluent Cloud VPC over the VPC peering connection.
Review the considerations mentioned by Google Cloud in their VPC Peering documentation before enabling the Import Custom Routes option.
The requirements and considerations for the Import Custom Routes option are:
- The customer side VPC peering has to be configured to export custom routes.
- Transitive routing to your VPCs in the same or different regions is not supported.
- The only exception is when cross-regional VPCs are interconnected using Google Cloud VPN. However, your VPC, which is peered with the Confluent Cloud cluster, must be in the same region as the Confluent Cloud cluster.
- In Confluent Cloud, the global access option for the Google Cloud Internal LoadBalancer is not supported.
- You cannot export Custom Routes from Confluent Cloud.
- Privately used public IP (PUPI) addresses are not supported with the Import Custom Routes option.
The Import Custom Routes option must be enabled when you set up the VPC peering connection.
To enable the Import Custom Routes option on an existing VPC peering connection:
Tear down the VPC peering connection and reestablish it with the Import Custom Routes option enabled.
Allow 15 minutes between tearing down the VPC connection and reestablishing it to avoid getting an error message during recreation.
To disable the Import Custom Routes option on an existing VPC peering connection:
Tear down the VPC peering connection and reestablish it with the Import Custom Routes option disabled.
Allow 15 minutes between tearing down the VPC connection and reestablishing it to avoid getting an error message during recreation.
As an alternative, disable the Export Custom Routes option in the customer VPC.
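The change procedure above, as an added example that is not Confluent's or Google's own tooling. It encodes the three outcomes the section describes: nothing to do, recreate both sides after the 15 minute pause when import has to be switched on, and the no-teardown alternative of turning off export on the customer VPC when import has to be switched off. Commands go through $RUN (default echo, dry run); the peering name, the Confluent peering ID (peer-placeholder) and the Confluent-side project and VPC names are constructed placeholders, and the --force flag on the confluent delete is assumed to skip the confirmation prompt.

```shell
#!/bin/sh
# Added example, not Confluent's or Google's own tooling: chooses and carries
# out the change when the Import custom routes setting of an existing peering
# has to differ from what it was created with. Commands go through $RUN
# (default "echo", dry run). Names and IDs are constructed placeholders;
# --force on the confluent delete is assumed to skip the confirmation prompt.
set -eu

RUN="${RUN-echo}"
WAIT_SECONDS=900   # the 15 minutes to leave between teardown and recreation

# current/desired are "true" or "false". Enabling import is only possible on a
# fresh peering, so it means recreate; disabling can be done either way, and
# turning off export on your VPC avoids the teardown entirely.
plan_import_routes_change() {
  current="$1"; desired="$2"
  if [ "$current" = "$desired" ]; then echo noop
  elif [ "$desired" = true ]; then echo recreate
  else echo disable-export
  fi
}

# The no-teardown path: stop exporting custom routes from your VPC. Nothing
# changes on the Confluent side, which cannot export routes in any case.
disable_export_cmd() {
  echo "gcloud compute networks peerings update $1 --network=$2 --no-export-custom-routes"
}

# The teardown path: remove both sides, wait, then recreate with the setting
# enabled (Import custom routes on Confluent, export on your VPC).
recreate_with_import() {
  cc_peering_id="$1"; gcp_name="$2"; my_vpc="$3"
  cc_network="$4"; project="$5"; cc_project="$6"; cc_vpc="$7"
  $RUN confluent network peering delete "$cc_peering_id" --force   # --force assumed
  $RUN gcloud compute networks peerings delete "$gcp_name" --network="$my_vpc"
  $RUN sleep "$WAIT_SECONDS"   # recreating sooner can fail with an error
  $RUN confluent network peering create "$gcp_name" --network "$cc_network" --cloud gcp \
    --cloud-account "$project" --virtual-network "$my_vpc" --gcp-routes
  $RUN gcloud compute networks peerings create "$gcp_name" --network="$my_vpc" \
    --peer-project="$cc_project" --peer-network="$cc_vpc" --export-custom-routes
}

# Apply one change. Arguments: current desired, then the seven values
# recreate_with_import takes (peering ID, gcloud peering name, your VPC, ...).
apply_import_routes_change() {
  current="$1"; desired="$2"; shift 2
  case "$(plan_import_routes_change "$current" "$desired")" in
    noop)           echo "nothing to do" ;;
    disable-export) $RUN $(disable_export_cmd "$2" "$3") ;;
    recreate)       recreate_with_import "$@" ;;
  esac
}

if [ "${PEERING_EXAMPLE_MAIN:-0}" = 1 ]; then
  apply_import_routes_change false true peer-placeholder to-confluent customer-test-vpc-network \
    n-123456 temp-123456 cc-project-placeholder cc-vpc-placeholder
fi
```

The disable-export branch is the one to reach for first when import has to go away: it is a single update on your side, takes effect without touching the Confluent peering, and avoids the window in which the cluster is unreachable while both sides are torn down and recreated.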