Skip to main content

Public MSK Proxy

Public MSK Proxy

Available in Zilla Plus+open in new window

Estimated time to complete 20-30 minutes.

The Zilla Plus (Public MSK Proxy)open in new window lets authorized Kafka clients connect, publish messages and subscribe to topics in your Amazon MSK cluster via the internet.

By automating the configuration of an internet-facing network load balancer and auto-scaling group of stateless proxies to access your MSK cluster via the public internet, Kafka clients can connect, publish messages and subscribe to topics in your Amazon MSK cluster from outside AWS.

You will need to choose a wildcard DNS pattern to use for public internet access to the brokers in your MSK cluster. These wildcard DNS names must resolve to the public IP address(es) where the Public MSK Proxy is deployed. The Public MSK Proxy must also be configured with a TLS server certificate representing the same wildcard DNS pattern.

Both Development and Production deployment options are available.


Follow the Development guide to setup connectivity to your MSK cluster from your local development environment via the internet using a locally trusted TLS server certificate for the example wildcard DNS pattern *


Follow the Production guide to setup connectivity to your MSK cluster from anywhere on the internet using a globally trusted TLS server certificate for a wildcard DNS pattern under your control. We use * to illustrate the steps.

Follow the Production (Mutual TLS) guide instead if your MSK cluster is configured for TLS client authorization.

Monitoring the Public MSK Proxy

The CloudFormation template used to deploy the Public MSK Proxy includes a Network Load Balancer that can be monitored via CloudWatchopen in new window to verify continuous health.

Network Load Balancers have many available metricsopen in new window, including the following.

TCP_Target_Reset_CountThe total number of reset (RST) packets sent from a target to a client. These resets are generated by the target and forwarded by the load balancer.
UnHealthyHostCountThe number of targets that are considered unhealthy.

You can use CloudWatchopen in new window to create a dashboard to monitor these metrics and set alarms to alert you when specific metric thresholds are reached.

Upgrading the Public MSK Proxy

Navigate to your AWS Marketplaceopen in new window subscriptions and select Zilla Plus (Public MSK Proxy) to show the manage subscription page.

  • From the Agreement section > Actions menu > select Launch CloudFormation stack
  • Select the Public MSK Proxy fulfillment option
  • Make sure you have selected the desired region selected, such as us-east-1
  • Click Continue to Launch
    • Choose the action Launch CloudFormation
  • Click Launch to show the URL of the CloudFormation template
    • Copy the CloudFormation template Amazon S3 URL
  • Select your existing CloudFormation Stack from a previous deployment of Zilla Plus (Public MSK Proxy)
  • Click Update and Replace current template with the copied Amazon S3 URL
  • Complete the wizard to deploy the updated stack.

CloudFormation will incrementally deploy the MSK Proxy instances for the new version behind the same Network Load Balancer, checking for successful deployment before terminating the MSK Proxy instances for the previous version.

Connected clients will see their connections drop, and when they reconnect automatically, the Network Load Balancer will direct them to the new MSK Proxy instances. If the stack update is unsuccessful, then CloudFormation will rollback to use the previous stack deployment.