Note
This feature is not available for any of the following deployments:
Free clusters
Flex clusters
To learn more, see Limits.
Atlas supports network peering connections for dedicated clusters hosted on AWS, Google Cloud, and Azure, and on multi-cloud sharded clusters.
Network peering establishes a private connection between your Atlas VPC and your cloud provider's VPC. The connection isolates traffic from public networks for added security. Atlas Stream Processing supports two types of network peering connection:
Outbound: A VPC connection in which your stream processing workspace sends the peering request to your cloud provider VPC. This connection type is suitable for scenarios in which you have full administrative access to the external VPC and can approve connection requests on it.
Inbound: A VPC connection in which your cloud provider VPC sends the peering request to your stream processing workspace. This connection type is suitable for scenarios in which you don't have full administrative access to your cloud provider VPC, as it requires approval only within your Atlas VPC.
Warning
Atlas does not support Network Peering between clusters deployed in a single region on different cloud providers. For example, you cannot set up Network Peering between an Atlas cluster hosted in a single region on AWS and an application hosted in a single region on GCP.
The procedures on this page walk you through creating an outbound VPC connection, as well as creating, accepting, rejecting, and deleting an inbound VPC peering connection to your stream processing workspaces.
Prerequisites
To create and configure connections, you must have the following:
An Atlas project
An Atlas user with the
Project Owneror theProject Stream Processing Ownerrole to manage a connection registryNote
The
Project Ownerrole allows you to create database deployments, manage project access and project settings, manage IP Access List entries, and more.The
Project Stream Processing Ownerrole enables Atlas Stream Processing actions such as viewing, creating, deleting, and editing stream processing workspaces, and creating, updating, and deleting VPC Peering connections in the connection registry.See Project Roles to learn more about the differences between the two roles.
An Atlas cluster
Considerations
Atlas Stream Processing supports only RFC 1918 private IP ranges for VPC peering. You must use one of the following IP ranges:
10.0.0.0/8172.16.0.0/12192.168.0.0/16
Create Outbound VPC Peering Connections
To create outbound VPC peering connections to your stream processing workspace:
To create outbound VPC peering connections from your stream processing workspace to your cloud provider VPC using the Atlas UI, see Add an Atlas Stream Processing Connection and select Apache Kafka as your connection type, and Atlas UI as your interface.
You must select SASL_SSL as your security protocol for VPC
peering connections.
To create outbound VPC peering connections to your stream processing workspace using the API, see Return All Network Peering Connections in One Project
You must select SASL_SSL as your security protocol for VPC
peering connections.
Generate an Incoming VPC Peering Connection Request from Confluent
To set up and configure an AWS VPC peering connection initiated from a Confluent account:
Create a service account to authenticate with the Atlas Administration API.
Create a service account and generate an access token to authenticate your API requests. To learn more, see Get Started with the Atlas Administration API.
Retrieve the Atlas Cloud AWS Account ID, the VPC ID, and the CIDR block.
A sample API request resembles the following:
curl \ -s --header "Authorization: Bearer {ACCESS-TOKEN}" \ --header 'Accept: application/vnd.atlas.2024-11-13+json' \ --header 'Content-Type: application/json' \ --request GET \ "https://cloud.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/accountDetails?cloudProvider=aws®ionName=US_EAST_1"
Note the following example parameter values:
Parameter values | Description |
|---|---|
671a86f4cfc9da7d7c31b14f | The Atlas project Id |
AWS | The Cloud provider |
US_EAST_1 | The AWS region name |
A sample output resembles the following:
{ "awsAccountId": "974404375205", "cidrBlock": "192.168.248.0/21", "vpcId": "vpc-0ef7efa5ceca36e2f" }
Configure a network configuration.
A Confluent Network Configuration that supports VPC peering is required before you create a VPC peering connection. If a network configuration doesn't yet exist in your account, then select AWS as your cloud provider and select a region from the Add Network Configuration field in Confluent Cloud.
Note
If a Confluent VPC Peering Network Configuration already exists in your account, then proceed to Step 7.
The VPC peering connection request displays in Atlas after a potential delay.
To see your pending request in your Atlas account, execute an API request similar to:
curl \ -s --header "Authorization: Bearer {ACCESS-TOKEN}" \ --header 'Accept: application/vnd.atlas.2023-02-01+json' \ --header 'Content-Type: application/json' \ --request GET \ "https://cloud.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/vpcPeeringConnections?requesterAccountId=417601102659"
Note the following example parameter values:
Parameter values | Description |
|---|---|
671a86f4cfc9da7d7c31b14f | The Atlas project Id |
417601102659 | The Confluent AWS Account ID obtained in Step 7 |
A sample output resembles the following:
{ "links": [ { "href": "https://cloud.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/vpcPeeringConnections?requesterAccountId=417601102659&pageNum=1&itemsPerPage=100", "rel": "self" } ], "results": [ { "_id": "6759e61aa6cf0a5476e233d1", "accepterAccountId": "974404375205", "accepterVpcId": "vpc-0ddfd37072cc5ed61", "cloudStatus": "pending-acceptance", "expirationTime": "2024-12-18T19:20:37Z", "groupId": "671a86f4cfc9da7d7c31b14f", "localStatus": "NONE", "name": "pcx-09277e1e81d0751c1", "requesterAccountId": "417601102659", "requesterCidr": "10.0.0.0/16", "requesterVpcId": "vpc-0d13eb6a2f0377854" } ], "totalCount": 1 }
Accept the incoming VPC Peering connection request.
Note that the cloudStatus value is pending-acceptance.
Execute the following API request:
curl \ -s --header "Authorization: Bearer {ACCESS-TOKEN}" \ --header 'Accept: application/vnd.atlas.2023-02-01+json' \ --header 'Content-Type: application/json' \ -d '{"requesterVpcId": "vpc-0d13eb6a2f0377854", "requesterAccountId":"417601102659"}' \ --request POST \ "https://cloud.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/vpcPeeringConnections/pcx-09277e1e81d0751c1:accept"
Note the following example parameter values:
Parameter values | Description |
|---|---|
{"requesterVpcId": "vpc-0d13eb6a2f0377854", "requesterAccountId":"417601102659"} | This is the POST payload containing the “requester”s VPC ID, and the “requester”s AWS Account ID. In this case, the “requester” is Confluent. |
671a86f4cfc9da7d7c31b14f | The Atlas project Id |
pcx-09277e1e81d0751c1 | The incoming VPC connection name obtained from the previous step |
Get AWS Account ID and VPC ID for a Project
If you want to create inbound VPC peering connections to your stream processing workspace, you first need to retrieve the AWS account ID, the AWS VPC ID, and the CIDR block associated with your Atlas project to initiate a VPC peering request from an external cloud environment.
To retrieve the AWS account ID, the AWS VPC ID, and the CIDR block for an Atlas project using the Atlas Administration API, see Returns the Account ID, and the VPC ID for the group and region specified
List Inbound VPC Peering Connections
To list all inbound VPC peering connections to your stream processing workspace using the Atlas Administration API, see Return All VPC Peering Connections
Accept an Inbound VPC Peering Connection
To accept an inbound VPC peering connection to your stream processing workspace using the Atlas Administration API, see Requests the acceptance of an incoming VPC Peering connection
A sample API request resembles the following:
Note
This curl command uses a service account access token (OAuth 2.0) to authenticate
instead of API keys. To learn more, see Get Started with the Atlas Administration API.
curl \ -s --header "Authorization: Bearer {ACCESS-TOKEN}" \ --header 'Accept: application/vnd.atlas.2023-02-01+json' \ --header 'Content-Type: application/json' \ -d '{"requesterVpcId": "vpc-0d13eb6a2f0377854", "requesterAccountId":"417601102659"}' \ --request POST \ "https://cloud.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/vpcPeeringConnections/pcx-09277e1e81d0751c1:accept"
Note the following example parameter values:
Parameter values | Description |
|---|---|
{"requesterVpcId": "vpc-0d13eb6a2f0377854", "requesterAccountId":"417601102659"} | The POST payload containing the request's VPC ID and AWS Account ID |
671a86f4cfc9da7d7c31b14f | The Atlas project Id |
pcx-09277e1e81d0751c1 | The incoming VPC connection name obtained from listing inbound VPC peering connections |
Reject an Inbound VPC Peering Connection
To reject an inbound VPC peering connection to your stream processing workspace using the Atlas Administration API, see Requests the rejection of an incoming VPC Peering connection
Delete an Inbound VPC Peering Connection
To delete an inbound VPC peering connection to your stream processing workspace using the Atlas Administration API, see Deletes an incoming VPC Peering connection