MSK PrivateLink - Managed VPC connection shows alternative availability zones

Question

A client is trying to connect to our MSK provisioned cluster that's in a different account, using PrivateLink.
Under managed VPC connections, our client has tried adding our cluster as a connection via IAM, but the only zones that are showing up for them are us-east-1c/d, even though they have up to us-east-1a/b and have subnets in those zones. Our subnets for the cluster are in us-east-1a/b as well.

I'm not an expert in networking and availability zones, especially - does anyone know why this might be happening? There isn't any special with their VPC setup, and the only thing different is that it's in a different account.

Alternatively, does it matter that these subnets match?

Accepted Answer

Yes, AWS randomizes which zone is A, B, or C, etc in each account to help evenly spread usage across all Availability Zones in a region.  To determine which AZ-ID matches your AZ-A please see the following documentation.
https://docs.aws.amazon.com/ram/latest/userguide/working-with-az-ids.html

Answer

In reply to your comment:

> So should the client team be able to connect to our MSK cluster, even if they choose different lettered subnets?

Yes, if they choose the subnets that match the AZ-ID (regardless of letter) it will work.  Ideally, when you are publishing a service over PrivateLink, provide the remote/subscribing account the AZ-IDs in which you have published the service as opposed to the letter-based AZs from the publishing account.

MSK PrivateLink - Managed VPC connection shows alternative availability zones

Relevanter Inhalt