Use PrivateLink / VPC endpoints to connect to serverless MSK?

0

I'm looking to connect a service that will send messages to a Kafka, MSK serverless cluster. The service itself is in another account and in a different region from the MSK cluster.

I followed this guide to set up Route 53 private zone for route resolving: https://aws.amazon.com/blogs/big-data/secure-connectivity-patterns-for-amazon-msk-serverless-cross-account-access/, but I'm a bit stumped on how to set up PrivateLink.

It's mentioned as an option, but not described anywhere specifically for MSK (I see a lot of documentation for API Gateway though). First of all, is it possible to set up PrivateLink for serverless MSK, or use the auto-generated VPCE to connect our producer service? If so, could I get some pointers?

And if not, what other options do I have? I know of VPC peering and Transit Gateway, but I'm looking for options that will make it less difficult for the producer service team.

Thank you.

1 Answer
0

To achieve what you want, you'll need to utilize Multi-VPC private connectivity.

ℹ️ Multi-VPC private connectivity offers a managed solution that streamlines networking infrastructure for multi-VPC and cross-account connectivity. It allows clients to securely connect to Amazon MSK clusters via PrivateLink, ensuring that all traffic remains within the AWS network. This feature is available in all AWS Regions where Amazon MSK is offered.

💡 For further details, refer to the Amazon MSK multi-VPC private connectivity documentation.

Expert
answered a month ago
  • I think the link you provided may be for private connectivity in the same region. For me, my case is in different accounts in different regions. Will it still work?
