
I have set up AWS MSK (Kafka) inside one VPC in AWS. I am able to connect to MSK using the bootstrap URL, but when I try to connect from an Azure VM I am not able to connect.

I have created a site-to-site VPN connection between AWS and Azure, and in Azure I have also set up a transit gateway.

I am able to connect to other AWS services like RDS and EC2 machines (using the site-to-site VPN) from the Azure VM, but not AWS MSK.

Public access is disabled in AWS MSK and RDS (I can still connect to RDS).

All the AWS services are inside one VPC only and inside two security groups. I have already whitelisted the Azure IP range in the AWS site-to-site VPN.

How can I connect to AWS MSK from the Azure VM?

Thanks

OneCricketeer
ankitbeohar90
  • What about whitelisting the ports? https://docs.aws.amazon.com/msk/latest/developerguide/port-info.html – bradib0y Jan 29 '22 at 01:29
  • Also, I would look into DNS. For example, can you resolve the MSK cluster hostnames from outside, or are they only scoped to the VPC? Maybe there is a setting for that. Try using the IP instead as a quick test to validate the concept. – bradib0y Jan 29 '22 at 01:34
  • Your advertised listeners are incorrect if the bootstrap ports are able to connect. – OneCricketeer Jan 29 '22 at 15:25
  • @bradib0y yes, in the Network ACL all ports are enabled. – ankitbeohar90 Jan 31 '22 at 06:45
  • @bradib0y there is already VPN peering set up, and AWS MSK does not give any setting regarding IP mapping and does not give an IP; there are only hostname connection strings. – ankitbeohar90 Jan 31 '22 at 06:51
  • @OneCricketeer could you please describe more? – ankitbeohar90 Jan 31 '22 at 06:51
  • The bootstrap protocol returns a set of addresses to external clients. MSK has a set of these automatically configured for different connection types internal to AWS (e.g. using IAM). These addresses would need to be changed such that clients in other networks can resolve them. https://www.confluent.io/blog/kafka-listeners-explained/ – OneCricketeer Jan 31 '22 at 15:48

1 Answer

Investigate the problem

Try running nslookup your.kafka.host from inside your AWS VPC and from your Azure VNET. (Copy the Kafka host from your connection string to use in the nslookup command.)

Then

  1. validate that you can resolve the hostname from the Azure VNET, not only from the AWS VPC
  2. validate that your Azure network reaches the IP addresses that those hostnames resolve to

At this point, you have a lot of information on what is/are your problem(s).

Solution possibilities:

If #1 failed, but #2 succeeded directly to the IP addresses

If the #1 validation failed, try to come up with a distribution scheme for your DNS entries. It might be tricky to update them if they are dynamic and managed by AWS. You can use public DNS to enable name resolution in your remote network, or, for better safety, you can use two private DNS zones, one in each of your networks. The underlying IP addresses may also change dynamically, so if you are going with a DNS-based resolution of the problem, it's best to use an automated solution which adapts to changes made by AWS.

If #2 failed

  • Either try to make the MSK IP addresses reachable by configuring your Azure VNET and the VPN gateways on both sides
  • Or build a Kafka proxy. You will have the best adaptability to the AWS platform-provided features in this case, but it may introduce overhead in terms of building and maintaining the solution.
bradib0y
  • Thanks for the detailed steps. We did try nslookup and it gets resolved (non-authoritative), but when we perform telnet it does not connect. We have already set up a site-to-site VPN between AWS and Azure and added the IP range in its route table; the ports are obviously open in the Kafka security groups, as other AWS services are able to connect. As per the AWS docs or FAQs, you can connect to MSK using VPC peering, a site-to-site VPN or a proxy. We already have a site-to-site VPN, and we cannot implement a proxy because it will require the overhead of code changes. Public DNS is not enabled for MSK because of security concerns. – ankitbeohar90 Feb 21 '22 at 04:58
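The two checks in the answer (can the remote network resolve the broker hostnames, and can it reach the resolved IPs on the Kafka port) and the advertised-listener point raised in the comments can be run as one script, because a Kafka client makes two hops: it connects to a bootstrap host, asks it for cluster metadata, and then connects to whatever host:port pairs the metadata advertises. The following is an added example written for this page, not code from the question, the answer, or AWS. It assumes a listener that answers a Metadata request without SASL (MSK's TLS listener on 9094, or plaintext on 9092 if enabled), brokers that still accept Metadata API version 0 (Kafka 3.x and earlier), and a hypothetical script name msk_diag.py; the embedded sample response is constructed, not captured from a real cluster.

```python
#!/usr/bin/env python3
"""Trace both hops a Kafka client makes so you can see which one fails from a
remote network: (1) bootstrap host -> resolve + TCP connect, (2) the advertised
broker endpoints returned by the Metadata API -> resolve + TCP connect.
Assumptions: listener answers Metadata without SASL; brokers accept Metadata v0."""
import socket
import ssl
import struct
import sys


def parse_bootstrap(bootstrap):
    """'h1:9094,h2:9094' -> [('h1', 9094), ('h2', 9094)]; blank entries are skipped."""
    pairs = []
    for item in bootstrap.split(","):
        host, _, port = item.strip().rpartition(":")
        if host:
            pairs.append((host, int(port)))
    return pairs


def resolve(host):
    """IPv4 addresses the local resolver returns for host ([] if it cannot resolve)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes (routing, VPN, SG and NACL all allow it)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_metadata_request(correlation_id=1, client_id="msk-diag"):
    """Kafka Metadata request (API key 3, version 0): size prefix, header, empty topics array (= all topics)."""
    cid = client_id.encode()
    body = struct.pack(">hhih", 3, 0, correlation_id, len(cid)) + cid + struct.pack(">i", 0)
    return struct.pack(">i", len(body)) + body


def parse_metadata_brokers(payload):
    """Brokers array of a Metadata v0 response (size prefix already removed) -> [(node_id, host, port), ...].
    These are the advertised listeners; every client connects to them after bootstrap."""
    off = 0
    _correlation_id, count = struct.unpack_from(">ii", payload, off)
    off += 8
    brokers = []
    for _ in range(count):
        node_id, host_len = struct.unpack_from(">ih", payload, off)
        off += 6
        host = payload[off:off + host_len].decode()
        off += host_len
        (port,) = struct.unpack_from(">i", payload, off)
        off += 4
        brokers.append((node_id, host, port))
    return brokers


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-response")
        buf += chunk
    return buf


def fetch_advertised_brokers(host, port, tls=True, timeout=5.0):
    """Connect to one bootstrap broker (TLS by default, as on MSK port 9094) and return its advertised brokers."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_metadata_request())
        (size,) = struct.unpack(">i", recv_exact(sock, 4))
        return parse_metadata_brokers(recv_exact(sock, size))


def _sample_response():
    """Constructed Metadata v0 response (not from a real cluster) so the parser can be exercised offline."""
    hosts = [(1, b"b-1.example.internal"), (2, b"b-2.example.internal")]
    out = struct.pack(">ii", 7, len(hosts))  # correlation id 7, two brokers
    for node_id, h in hosts:
        out += struct.pack(">ih", node_id, len(h)) + h + struct.pack(">i", 9094)
    return out + struct.pack(">i", 0)  # empty topics array


SAMPLE_METADATA_RESPONSE = _sample_response()


def diagnose(bootstrap, tls=True):
    """Run both hops; returns rows of (hop, host, port, resolved_ips, result)."""
    rows = []
    for host, port in parse_bootstrap(bootstrap):
        ips = resolve(host)
        ok = bool(ips) and tcp_open(host, port)
        rows.append(("bootstrap", host, port, ips, ok))
        if not ok:
            continue
        try:
            advertised = fetch_advertised_brokers(host, port, tls)
        except (OSError, ValueError, struct.error) as exc:
            rows.append(("metadata", host, port, ips, "failed: %s" % exc))
            continue
        for _node, ahost, aport in advertised:
            aips = resolve(ahost)
            rows.append(("advertised", ahost, aport, aips, bool(aips) and tcp_open(ahost, aport)))
    return rows


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: msk_diag.py 'b-1.xxx.kafka.region.amazonaws.com:9094,...' [--plaintext]")
    for hop, host, port, ips, result in diagnose(sys.argv[1], tls="--plaintext" not in sys.argv):
        print("%-10s %-55s %5d %-32s %s" % (hop, host, port, ",".join(ips) or "UNRESOLVED", result))
```

Run it once from inside the AWS VPC and once from the Azure VM and compare the rows. A bootstrap row that resolves and connects while the advertised rows come back UNRESOLVED or False is the advertised-listener problem described in the comments: the VPN carries traffic to the bootstrap address, but the client is then redirected to names or addresses the Azure side cannot resolve or route to. If the bootstrap row itself fails, the problem is DNS or routing (the answer's #1 and #2) before Kafka is even involved.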