Creating a Private Link from DeltaStream to Amazon MSK
PreviousEnabling Private Link Connectivity to Confluent Enterprise Cluster and Schema RegistryNextCreating a Private Link for RDS Databases
Last updated
Last updated
Below is the procedure for creating private links for the data you’re streaming via DeltaStream. It includes the configuration needed within AWS MSK.
Review .
You must have signed up with DeltaStream and created at least one organization. Private links function within the context of an organization; from a logical perspective, you enable your private links within a specific DeltaStream organization.
if you don’t already use it. Currently you cannot create private links via the DeltaStream UI.
Request DeltaStream Ops to enable private link connectivity feature for your account.
Optionally, work with DeltaStream Operations if you wish to run all your queries (that is, stream processing) within a dedicated AWS dataplane. By default all DeltaStream customer queries run in a shared multi-tenant dataplane; network policies isolate all traffic among multiple customers. This dedicated data plane completely isolates your workload from other DeltaStream customers by using fully-isolated compute and VPC networking resources.
This procedure involves building a SQL statement. When you run the statement, DeltaStream processes the link request automatically. Note that the private link is not established until it is accepted or approved by administrators from your organization who are responsible for maintaining Kafka stores.
The entire statement resembles the below; we’ll go through it segment by segment, showing how and where to find the information you need to complete the statement.
The private link created using the above SQL command is an inbound private link connection to your dedicated Kafka cluster within your Confluent cloud account.
Follow the below guide to enable multi-VPC for your AWS cluster.
When you have enabled the private link for the MSK cluster, follow the below procedure to capture the details you need to configure the private link to MSK in the DeltaStream CLI.
Go to your Amazon MSK console page and navigate to Clusters > $$yourclustername to open the cluster details page.
In the Cluster summary section, locate and copy the MSK Cluster ARN.
Save the Cluster ARN to a Notepad or other text-based application. You will need to refer back to it again.
Note down the cluster ARN as $$yourclusterarn
Indicate the MSK auth type you must use for the connection. This varies, depending on your AWS MSK cluster setup and configuration; it could be SASL/SCRAM authentication or IAM role-based authentication. For the below example we use IAM-based authentication.
Capture the broker host URIs. To do this, return to the Amazon MSK Cluster details page, and toward the top right of the page click View client information.
In the Private endpoint (multi-VPC) column, multiple broker IAM endpoints display. Capture the bootstrap URIs next to the private endpoint column.
You must copy each of these endpoints into the SQL command you’re building in the DeltaStream UI.
Capture the availability zone associated with each broker in the MSK cluster. To do this, return to your Cluster details page. Below the Cluster summary section click Properties and then scroll down to the Broker details section.
Although there is an Availability Zone tab in this section, that is the virtual zone name, and it is not what you need. Instead, you must locate and copy the physical zone ID. To get the physical zone ID, click the corresponding link in the Client subnets column. (Each broker endpoint has an associated subnet.)
When the Client subnet details page displays, locate and copy the Availability Zone ID value for each broker subnet.
Launch the DeltaStream CLI. The prompt opens to your default organization.
If you’re uncertain which organization this is, type list ORGANIZATIONS, and in the list that displays, scan down the is Current column and find the organization with a value of true.
Return to the prompt and specify the organization:
Use ORGANIZATION [$$yourorganization]
The private link connection you’re creating will be in this specific DeltaStream organization. No other DeltaStream organization has access to this private link.
Create the private link. To do this, update the SQL with the variables captured in Section 1 above.
Your SQL statement in the DeltaStream CLI is now ready. When you run the statement, DeltaStream displays a confirmation and begins creating the private link.
To complete the private link connection you must edit your MSK cluster policy to add the Discovery IAM Role ARN that the DeltaStream platform uses. To do this:
In the DeltaStream CLI, list your available private links by typing
LIST AWS PRIVATE LINKS;
Locate your newly-created msktest private link entry, and copy the Discovery IAM role ARN.
Navigate back to your MSK Cluster details page and under the Properties tab scroll down to the Security settings section and click Edit cluster policy. The Edit cluster policy page displays.
Replace the code following “AWS”: with the ARN you just copied.
Click Save changes.
Return to the DeltaStream CLI and again list the status of the private link by typing list AWS private links. In a few moments you should see the private link transition from in progress to ready.
The cluster is ready to use as a Kafka store from within the DeltaStream platform.
To verify connectivity you can use the DeltaStream console UI to add a Kafka topic.
To do this you must set the number of partitions to 1 and the number of replicas to 3.
From DeltaStream you should get an alert that the operation was successful. You should also be able to see the newly-created topic in DeltaStream.
Note There are separate but related instructions for creating private links for , , and .
.
Launch the DeltaStream UI and create a new data store. , if you need. Within about a minute, topics begin to populate your data store. This indicates the private connection is successful and working.
