Which Networking Option Best Fits Your Requirements?
Justin Lee
Staff Solutions Engineer (Presenter)
What, Where, How?
In the previous modules you learned about various networking architectures for connecting to Confluent Cloud. You should now be better prepared to decide which best matches your specific requirement. As you design a network architecture for Confluent Cloud, you need to keep in mind the data flow, which comes down to three things:
- What services are connecting to Confluent Cloud—what clients are you running, what replication do you have to manage, and where does your data come from and go?
- Where do these services live? Are they running on-premises in a datacenter? Are they running in a cloud provider (in the same region, or a different region, or even in a different cloud provider)? Do you have to access Confluent Cloud from a corporate or home office network?
- How are you connecting to Confluent Cloud? The options are summarized on the next page.
Connectivity Options and Trade-Offs
Each of the cloud networking options have different security behaviors, and varying levels of ease of use and access.
With secure public endpoints, you can access your Confluent Cloud cluster from anywhere. It’s easy to set up, and can be used for clients and services that span from on-premises environments to any private or public cloud.
With VPC or VNet direct peering, your cluster is only accessed over the peering connection. It requires a /16 CIDR range for the Confluent network, and provides bidirectional connectivity from your cloud network to the Confluent Cloud network. This allows managed connectors to access your private network data sources and data sinks.
AWS Transit Gateway builds on a peering network. It only works in AWS, but it removes the requirement for 1:1 peering connections. It also makes connectivity to cloud environments, or even your datacenter, much easier.
Finally, Private Link is a one-way connection that allows your clients to access Confluent Cloud, but not the other way around. It doesn’t require a /16 CIDR range, but it does require a custom zone in your DNS infrastructure. Also, because it uses just a set of endpoints, any client that can access the VPC or VNet where the private endpoints reside can access Confluent Cloud.
What Connects with Confluent Cloud?
To sum it all up, this is what Confluent Cloud looks like from a network architecture perspective.
We have the control plane, which is always accessed over the internet, and is used for provisioning, management, and monitoring.
Most importantly, we have the data plane, which has the Internet-accessible schema registry, as well as your “Confluent Network”, which can be accessed over a secure public endpoint, over a peering connection (either directly, or through a transit gateway), or over a Private Link connection.
Thanks for joining us in this course.
- Previous
- Next
Use the promo code NETWORKING101 to get $25 of free Confluent Cloud usage
Be the first to get updates and new content
We will only share developer content and updates, including notifications when new content is added. We will never send you sales emails. 🙂 By subscribing, you understand we will process your personal information in accordance with our Privacy Statement.
Which Networking Option Best Fits Your Requirements?
Hi, I'm Justin Lee with Confluent. In this module, we'll recap everything we talked about and summarize your networking options in Confluent Cloud. So let's summarize. As we design a network architecture for Confluent Cloud, we like to keep in mind the data flow. This comes down to three things. What services are connecting to Confluent Cloud? What clients are we running? What replication do we have to manage? And where does our data come from, and where does it go? Where do these services live? Are they running on premise, in a data center? Are they running in a cloud provider, in the same region, in a different region, or even in a different cloud provider? Do we have to access Confluent Cloud from a corporate or home office network? How are we connecting to Confluent Cloud? We'll summarize these options next. Each of the different cloud networking options have different security behaviors and provide different levels of ease of use and access. With secure public endpoints, you can access your Confluent Cloud cluster from anywhere. It's easy to set up and can be used for clients and services that span from on-prem environments to any private or public cloud with VPC or VNet direct peering, your cluster is only accessed over the peering connection. It requires a /16 CIDR range for the Confluent network and provides bidirectional connectivity from your cloud network to the Confluent Cloud network. This allows you to run managed connectors to access your private network data sources and data sinks. AWS Transit Gateway builds on a peering network. It only works in AWS, but it removes the requirement for one-to-one peering connections. It also makes connectivity to other cloud environments or even your data center much easier. Finally, Private Link is a one-way connection that allows your clients to access Confluent Cloud, but not the other way around. It doesn't require a /16 CIDR range, but it does require a custom zone in your DNS infrastructure. Also, because it uses just a set of endpoints, any clients that can access the VPC or VNet where the private endpoints reside, can access Confluent Cloud. To sum it all up, this is what Confluent Cloud looks like from a network architecture perspective. We have the Control Plane, which is always accessed over the internet and is used for provisioning, managing and monitoring. Most importantly, we have the Data Plane, which has the internet accessible schema registry as well as your Confluent network, which can be accessed over a secure public endpoint over appearing connection either directly or through a Transit Gateway or over a Private Link connection. Thank you for joining us in this course. Please check out our other courses on Confluent Developer.