Networking in Confluent Cloud for Azure

Follow this procedure to configure Confluent Cloud network peering for a cluster in Azure.

Prerequisite

A Dedicated Kafka cluster in Azure with VPC Peering enabled. The cluster must be provisioned in its own network and provide a CIDR for Confluent Cloud. For more information about how to create a dedicated cluster, see Create a Cluster in Confluent Cloud.

1. Navigate to the Cluster Settings page, click the Networking tab, and click Add Peering.

2. Provide the Azure Tenant ID and Azure Subscription ID, Azure VNet Resource Group Name, and Azure VNet Name for your peering connection and click Save. Your peering connection status will transition from “Pending” to “Error” in the Confluent Cloud web UI. You must grant Confluent Cloud access to your Azure AD Tenant in the next.

   Azure Tenant ID

   Represents an organization in Azure Active Directory. You can find this in the Azure Portal under Azure Active Directory.

   Azure Subscription ID

   Unique identifier for your Azure subscription. You can find this in the Azure Portal on Overview tab of your Azure Virtual Network.

   Azure VNet resource group name

   Identifier for the Azure resource group that the virtual network belongs to. You can find this in the Azure Portal on Overview tab of your Azure Virtual Network.

   Azure VNet Name

   Name of your Azure virtual network. You can find this in the Azure Portal on Overview tab of your Azure Virtual Network.

3. Grant access to your Azure AD Tenant:

   1. Navigate to the following URL using your AD tenant ID (<tenant-id>) and approve:

      https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?client_id=f0955e3a-9013-4cf4-a1ea-21587621c9cc&response_type=code
      

   2. Run the following command with your subscription ID (<subscription-id>) to create a new role.

      Tip

      If you have more than one subscription ID, you must update the AssignableScopes.

      az role definition create --output none --role-definition "{
      \"Name\": \"Confluent Cloud Peering Creator\",
      \"Description\": \"Perform cross-tenant network peering.\",
      \"Actions\": [
          \"Microsoft.Network/virtualNetworks/read\",
          \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read\",
          \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write\",
          \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete\",
          \"Microsoft.Network/virtualNetworks/peer/action\"
      ],
      \"AssignableScopes\": [
          \"/subscriptions/<subscription-id>/\",
      ]
      }"
      

   3. Run this command with your subscription ID (<subscription-id>), VNet resource group name (<resource-group-name>), and VNet Name (<vnet-name>) specified to assign the role to the service principal:

      az role assignment create \
          --role "Confluent Cloud Peering Creator" \
          --assignee "$(az ad sp list --filter "appId eq 'f0955e3a-9013-4cf4-a1ea-21587621c9cc'" --output tsv --query '[0].objectId')"  \
          --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>"
      

   4. Click the Submit button in the Access instructions.

4. When you are done the VPC peering status should display “Active” in the Confluent Cloud web UI.