Create Confluent Cloud Network on Google Cloud

Each Confluent Cloud network is a virtual network that is provisioned in your Confluent Cloud Google Cloud account.

You can create multiple Dedicated Kafka clusters within each Confluent Cloud network.

For details on default service quotas, see Network service quotas.

Requirements and considerations

Review the following requirements and considerations when you set up a Confluent Cloud network.

Region and Availability Zones

Dedicated clusters you create in your Confluent Cloud network inherit the selected Region and Availability Zones.

Confluent Cloud network CIDR blocks for VCP peering

When you set up a Confluent Cloud network for peering, the CIDR blocks you specify must meet the follow requirements.

The Confluent Cloud network CIDR block must be a /16 block from one of the following private IP ranges:
- Private IP address range (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Shared address space (Carrier-grade NAT) (RFC 6598): 100.64.0.0/10
- Benchmark address space (RFC 2544): 198.18.0.0/15
The CIDR block cannot be the following: 172.17.0.0/16
You cannot use the above CIDR for peering due to routing conflicts with Confluent services. For example, managed connectors cannot reach the sources or sinks in those IP ranges.

Create a Confluent Cloud network on Google Cloud

Follow the procedure below to create a Confluent Cloud network on Google Cloud.

Confluent Cloud Console

In the Confluent Cloud Console, select an environment for the Confluent Cloud network.
In the Network management tab in the environment, click For dedicated clusters.
Click Add network configuration.
Select Google Cloud as the Cloud Provider as the cloud service provider and select the geographic region in Region. Click Continue.
Select the connectivity type: VPC Peering or Private Service Connect.
Depending on the option selected, different Zone Placement options and CIDR for Confluent Cloud Network fields will appear.
- VPC Peering: Cluster is accessible using the VPC peering endpoint.
- Private Service Connect: Cluster is accessible using Private Service Connect.
Complete the steps for the connectivity type you selected.
Important
After provisioning your new Confluent Cloud network, you cannot change your selected Availability Zone (AZ) IDs or CIDR block size.
VPC Peering
1. Under Zone Placement, select three availability zones for your network.
2. Click Continue.
Private Service Connect
1. Under Zone Placement, select three zones for your network.
  Depending on the availability of supported zones, you might only have three zones to select.
2. Under DNS configuration, select the DNS resolution method.
  Select Private DNS Resolution to resolve the private DNS name of the Confluent Cloud cluster to the private IP address of the cluster.
  If Private DNS Resolution is not selected, the private DNS name of the Confluent Cloud cluster requires public DNS Resolution to resolve the private IP address of the cluster.
  Before you select a DNS resolution option, review the details about DNS resolution in Google Cloud Private Service Connect in DNS resolution options.
3. Click Continue.
In Network name, specify the name of the connection.
The name you choose is used to identify your network in the Confluent Cloud Console and when using the Confluent CLI. Choose a meaningful name, but consider including the connection type in the name (for example, My-GCP-CCN-1).

Confluent REST API

Here is an example REST API request:

HTTP POST request

POST https://api.confluent.cloud/networking/v1/networks

Authentication

See Authentication.

Request specification

Your REST request specification (spec) should include the following:

display_name (optional) A meaningful name for your Confluent Cloud network.
environment
- id – The identifier (ID) of your Confluent Cloud environment.
cloud – cloud service provider (GCP)
region – The Region where the network is located.
connection_types Use PEERING (for VPC Peering) or PRIVATELINK (for Private Service Connect).
zones – An array listing the three selected Availability Zone IDs in the same Region.
cidr – The CIDR block.
dns_config - Set resolution to PRIVATE or CHASED_PRIVATE. The default value is CHASED_PRIVATE.
- When resolution is CHASED_PRIVATE, clusters in this network require both public and private DNS to resolve cluster endpoints.
- When resolution is PRIVATE, clusters in this network only require private DNS to resolve cluster endpoints.
Before you select a DNS resolution option, review the details about DNS resolution in Google Cloud Private Service Connect in DNS resolution options.

Examples

Private Service Connect

{
   "spec": {
       "display_name": "GCP-PL-CCN-1",
       "cloud": "GCP",
       "region": "us-west1",
       "connection_types": [
           "PRIVATELINK"
       ],
      "zones": [
        "usw2-az1",
        "usw2-az2",
        "usw2-az3"
      ],
      "dns_config": {
          "resolution": "PRIVATE"
      },
      "environment":{
          "id":"env-abc123"
      }
  }
}

Confluent CLI

Use the confluent network create Confluent CLI command to create a Confluent Cloud network:

confluent network create <network-name> <flags>

The following command-specific flags are supported:

--cloud: Required. Set to gcp.
--region: Required. Cloud region ID for this network.
--connection-types: Required. The network access type. Specify one of privatelink, peering, or transitgateway.
--cidr: A /16 IPv4 CIDR block. Required for networks of connection type peering and transitgateway.
--zones: A comma-separated list of availability zones for this network.
--zone-info: A comma-separated list of zone=cidr pairs or CIDR blocks. Each CIDR must be a /27 IPv4 CIDR block.
--dns-resolution: Specify the DNS resolution as private or chased-private. The default value is chased-private.
- When resolution is chased-private, clusters in this network require both public and private DNS to resolve cluster endpoints.
- When resolution is private, clusters in this network only require private DNS to resolve cluster endpoints.
Before you select a DNS resolution option, review the details about DNS resolution in Azure PrivateLink in DNS resolution options.

You can specify additional optional CLI flags described in the Confluent CLI command reference, such as --environment.

The following are example Confluent CLI commands:

VPC Peering

confluent network create my_gcp_peering --cloud gcp \
  --region us-central1 \
  --connection-types peering \
  --zones us-central1-a,us-central1-b,us-central1-c \
  --cidr 10.1.0.0/16

Private Service Connect

confluent network create my_gcp_pl --cloud gcp \
  --region us-central1 \
  --connection-types privatelink \
  --zones us-central1-a,us-central1-b,us-central1-c \
  --dns-resolution private

Terraform

Use the confluent_network Confluent Terraform Provider resource to create a Confluent Cloud network.

An example snippet of Terraform configuration for Confluent Cloud network of the Private Service Connect type:

resource "confluent_environment" "development" {
  display_name = "Development"

  lifecycle {
    prevent_destroy = true
  }
}

resource "confluent_network" "gcp-private-service-connect" {
  display_name     = "GCP Private Service Connect Network"
  cloud            = "GCP"
  region           = "us-central1"
  connection_types = ["PRIVATELINK"]
  zones            = ["us-central1-a", "us-central1-b", "us-central1-c"]
  environment {
    id = confluent_environment.development.id
  }

  dns_config {
    resolution = "PRIVATE"
  }

  lifecycle {
    prevent_destroy = true
  }
}

Typically, it takes up to 15-20 minutes to create a Confluent Cloud network. Note the Confluent Cloud network ID from the response to specify it in the following commands.

Next steps

After successfully provisioning the Confluent Cloud network on Google Cloud, you can add Dedicated Kafka clusters within your Confluent Cloud network by using the following options:

Confluent Cloud Console: Manage Kafka Clusters on Confluent Cloud
Cluster Management API: Create Kafka clusters