
Custom DNS for MSK

0

Hi, how can I "mask" an MSK endpoint with a custom domain? I'm trying to find a solution that won't cause SSL issues. Thanks!

3 Answers
1

[Updated as this answer was incorrect]

AWS
answered 3 years ago
  • Can you elaborate, at which point this provides connectivity with MSK/Kafka?

0
Accepted Answer

==== 2026 UPDATE: see below ====

Custom domain names are not supported at this point. The only workaround possible involves non-data PLAINTEXT access for bootstrapping (the fetch-metadata request) and regular SSL for data-in-transfer encryption.

  1. Update advertised listeners to have port 9094 for the PLAINTEXT protocol.
  2. Define an R53 A-record with the custom domain name resolving to an NLB whose targets are all brokers on port 9092 (PLAINTEXT):
     a. create certificates in ACM and deploy them on the NLB listeners
     b. define the NLB listeners as TLS to terminate the TLS connection at the NLB

This will let you use a custom domain name with TLS traffic. A limitation of this approach is that it won't work with SASL (SCRAM, IAM), because the listeners don't implement SASL mechanisms.

==== 2026 UPDATE ====

Answer above was provided before this solution became available.

Please follow this blog post to implement custom domain names for MSK. Even though the blog covers only SASL/SCRAM, the solution will work for IAM authentication in a very similar manner.

https://aws.amazon.com/blogs/big-data/configure-a-custom-domain-name-for-your-amazon-msk-cluster/

Spoiler: It still requires R53 and Load Balancers!

AWS
answered 3 years ago
0

Could you describe with an image how the architecture looks? It is not clear how this will work with the DNS names generated for each Kafka broker. Let's say that I can use the domain my-kafka-cluster.com in my Hosted Zone. I create a Kafka cluster, then the broker DNS names will look like ZZZ.kafka-cluster-name.rrrrr.yy.kafka.region.amazonaws.com, for example b1.my-kafka-cluster.rrrrr.yy.kafka.region.amazonaws.com. Then, how can I use my custom DNS name my-kafka-cluster.com?

What I understand from your solution is that Route 53 (my-kafka-cluster.com) -> NLB -> TLS listener (has the certificate for my DNS name my-kafka-cluster.com) -> Kafka brokers, but the response from the brokers to the client will be ZZZ.kafka-cluster-name.rrrrr.yy.kafka.region.amazonaws.com, which does not match my-kafka-cluster.com, so I get "certificate name does not match input".

Shouldn't advertised.listeners be changed to match my custom DNS name?

Thanks

answered 11 days ago
  • let me update my 3-year-old comment, as there is a working solution now for custom domain names
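The certificate-mismatch problem raised in the last answer, and the TLS-at-the-NLB procedure in the accepted answer, both come down to one fact: a Kafka client uses bootstrap.servers only to fetch metadata, then opens a fresh connection to each broker's advertised host:port and verifies the certificate against that host (ssl.endpoint.identification.algorithm defaults to "https" since Kafka 2.0; setting it to an empty string disables hostname verification and is the insecure shortcut to avoid). The script below is an added offline pre-flight check, not code from this thread or from the AWS blog: it parses each broker's advertised.listeners, applies TLS hostname matching against the SANs of the certificate the NLB would present, and flags brokers that advertise the same host:port (an NLB routes on port, not hostname, so each broker needs its own). The domain kafka.example.com, the broker names, the SAN list and the one-port-per-broker layout are constructed assumptions for the example.

```python
"""
Offline pre-flight check for the "custom domain in front of MSK" pattern.
Added example with constructed inputs; it never contacts a cluster or an NLB.

A Kafka client uses bootstrap.servers once, to fetch metadata. The metadata
carries each broker's advertised.listeners host:port; the client then connects
to THAT host and verifies the certificate against it. So the NLB certificate
must cover every advertised hostname, and each broker must advertise a distinct
host:port so a layer-4 NLB can forward to exactly one broker.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    name: str   # listener name / security protocol, e.g. SSL, SASL_SSL, PLAINTEXT
    host: str
    port: int


def parse_advertised_listeners(value: str) -> list[Listener]:
    """Parse a Kafka advertised.listeners value such as
    'SSL://b-1.example.com:9094,SASL_SSL://b-1.example.com:9096'."""
    listeners = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, sep, hostport = entry.partition("://")
        if not sep:
            raise ValueError(f"malformed listener entry: {entry!r}")
        host, _, port = hostport.rpartition(":")
        listeners.append(Listener(name.upper(), host.lower().rstrip("."), int(port)))
    return listeners


def san_matches(san: str, hostname: str) -> bool:
    """dNSName matching as TLS clients apply it: case-insensitive exact match,
    or a wildcard standing for the whole leftmost label only (the conservative
    subset every TLS stack accepts). '*.kafka.example.com' covers
    'b-1.kafka.example.com' but neither 'kafka.example.com' nor
    'b-1.eu.kafka.example.com'."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels, host_labels = san.split("."), hostname.split(".")
    # Only a bare '*' as the leftmost label, with at least two labels after it.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def check_custom_domain(bootstrap_host: str, brokers: dict[str, str],
                        cert_sans: list[str]) -> list[str]:
    """Return findings for the setup (an empty list means it is consistent).

    bootstrap_host: the name clients put in bootstrap.servers.
    brokers:        broker id -> advertised.listeners string for that broker.
    cert_sans:      dNSName SANs on the certificate the NLB presents.
    """
    findings = []
    if not any(san_matches(s, bootstrap_host) for s in cert_sans):
        findings.append(f"bootstrap {bootstrap_host}: no SAN covers it")
    seen: dict[tuple[str, int], str] = {}   # (host, port) -> first broker seen
    for broker_id, value in brokers.items():
        for lst in parse_advertised_listeners(value):
            if not any(san_matches(s, lst.host) for s in cert_sans):
                findings.append(
                    f"broker {broker_id}: clients reconnect to {lst.host}:{lst.port} "
                    f"after metadata, but no SAN covers it (hostname verification fails)")
            key = (lst.host, lst.port)
            if key in seen and seen[key] != broker_id:
                findings.append(
                    f"broker {broker_id}: advertises {lst.host}:{lst.port}, already "
                    f"advertised by broker {seen[key]}; the NLB cannot route to one broker")
            seen.setdefault(key, broker_id)
    return findings


# Constructed inputs (assumed domain kafka.example.com, assumed broker names).
CERT_SANS = ["kafka.example.com", "*.kafka.example.com"]
# Brokers still advertise the AWS-generated names: the mismatch the comment describes.
MISCONFIGURED = {
    "1": "SASL_SSL://b-1.my-cluster.abc123.c4.kafka.eu-west-1.amazonaws.com:9096",
    "2": "SASL_SSL://b-2.my-cluster.abc123.c4.kafka.eu-west-1.amazonaws.com:9096",
}
# Names match the certificate, but both brokers share one NLB host:port.
COLLIDING = {
    "1": "SASL_SSL://kafka.example.com:9096",
    "2": "SASL_SSL://kafka.example.com:9096",
}
# One NLB listener per broker (9001 -> broker 1, 9002 -> broker 2), all under the custom name.
FIXED = {
    "1": "SASL_SSL://kafka.example.com:9001",
    "2": "SASL_SSL://kafka.example.com:9002",
}

if __name__ == "__main__":
    for label, brokers in (("misconfigured", MISCONFIGURED), ("colliding", COLLIDING), ("fixed", FIXED)):
        print(label, check_custom_domain("kafka.example.com", brokers, CERT_SANS) or "OK")
```

Running it prints two hostname-verification findings for the misconfigured layout, one routing collision for the colliding one, and OK for the fixed one. The same SAN check can be fed from a live NLB with `openssl s_client -connect <name>:<port> -servername <name>` followed by `openssl x509 -noout -ext subjectAltName`, which is the quickest way to confirm what certificate the load balancer actually presents for a given port.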
