Public MSK Proxy

Available in Zilla Plus⁺

Estimated time to complete 20-30 minutes.

The Zilla Plus (Public MSK Proxy) lets authorized Kafka clients connect, publish messages and subscribe to topics in your Amazon MSK cluster via the internet.

By automating the configuration of an internet-facing network load balancer and auto-scaling group of stateless proxies to access your MSK cluster via the public internet, Kafka clients can connect, publish messages and subscribe to topics in your Amazon MSK cluster from outside AWS.

You will need to choose a wildcard DNS pattern to use for public internet access to the brokers in your MSK cluster. These wildcard DNS names must resolve to the public IP address(es) where the Public MSK Proxy is deployed. The Public MSK Proxy must also be configured with a TLS server certificate representing the same wildcard DNS pattern.

Both Development and Production deployment options are available.

Development

Follow the Development guide to setup connectivity to your MSK cluster from your local development environment via the internet using a locally trusted TLS server certificate for the example wildcard DNS pattern *.aklivity.example.com.

Production

Follow the Production guide to setup connectivity to your MSK cluster from anywhere on the internet using a globally trusted TLS server certificate for a wildcard DNS pattern under your control. We use *.example.aklivity.io to illustrate the steps.

Follow the Production (Mutual TLS) guide instead if your MSK cluster is configured for TLS client authorization.

Monitoring the Public MSK Proxy

The CloudFormation template used to deploy the Public MSK Proxy includes a Network Load Balancer that can be monitored via CloudWatch to verify continuous health.

Network Load Balancers have many available metrics, including the following.

Metric	Description
TCP_Target_Reset_Count	The total number of reset (RST) packets sent from a target to a client. These resets are generated by the target and forwarded by the load balancer.
UnHealthyHostCount	The number of targets that are considered unhealthy.

You can use CloudWatch to create a dashboard to monitor these metrics and set alarms to alert you when specific metric thresholds are reached.

Upgrading the Public MSK Proxy

Navigate to your AWS Marketplace subscriptions and select Zilla Plus (Public MSK Proxy) to show the manage subscription page.

• From the Agreement section > Actions menu > select Launch CloudFormation stack
• Select the Public MSK Proxy fulfillment option
• Make sure you have selected the desired region selected, such as us-east-1
• Click Continue to Launch
  • Choose the action Launch CloudFormation
• Click Launch to show the URL of the CloudFormation template
  • Copy the CloudFormation template Amazon S3 URL
• Select your existing CloudFormation Stack from a previous deployment of Zilla Plus (Public MSK Proxy)
• Click Update and Replace current template with the copied Amazon S3 URL
• Complete the wizard to deploy the updated stack.

CloudFormation will incrementally deploy the MSK Proxy instances for the new version behind the same Network Load Balancer, checking for successful deployment before terminating the MSK Proxy instances for the previous version.

Connected clients will see their connections drop, and when they reconnect automatically, the Network Load Balancer will direct them to the new MSK Proxy instances. If the stack update is unsuccessful, then CloudFormation will rollback to use the previous stack deployment.