
If I have to integrate an external service, I have 3 options to make it accessible from a Kubernetes cluster.

  1. Use ExternalName in a Kubernetes Service object
  2. Use ExternalIP in a Kubernetes Service object
  3. Set up an Endpoint object and map the endpoint to a Service object

The third one is the recommended one as per Kubernetes best practices. In case there are multiple nodes mapped to a service, the Endpoint object provides an option to list multiple IP addresses. But unfortunately the Endpoint object does not accept hostnames.

So in my scenario, I need to access an MSK cluster from a service deployed in an AWS EKS cluster. If I consider MSK as an external service, I have only one option (set up an endpoint and a service), since my MSK cluster has multiple nodes. But unfortunately the Endpoint schema accepts only IP addresses. And I am assuming the IP addresses under the hood of the MSK cluster are elastic IPs, and I am not supposed to use those for my configuration.

My questions:

  1. Do I need to consider MSK as an external service when I try to deploy my application in the AWS EKS service? If the answer is yes, what are the options available to me to resolve this scenario?

  2. In case, MKS is also deployed on top of EKS, by setting up security groups properly in between VPC's along with VPC peering, can I access MSK from services deployed on EKS?

Did the solution below help? – Malgorzata

1 Answer


You can create an AWS EKS ExternalName Service pointing to the DNS name of an AWS Network Load Balancer on Kafka broker port 9094, which in turn points to the DNS names of the Kafka brokers provided by MSK on Kafka broker port 9094. https://www.reddit.com/r/aws/comments/cge9nx/suggestions_dns_for_msk_endpoints/

So when the Kafka client running inside the AWS EKS pod calls the AWS EKS ExternalName Service, it will receive a DNS record with the DNS name of the AWS Network Load Balancer, and it can use that to resolve the IP address of the AWS Network Load Balancer and send requests to port 9094.

You can also configure the Kafka client running inside the AWS EKS pod to use the comma-separated DNS names of the Kafka brokers provided by MSK and Kafka broker port 9094. https://docs.spring.io/spring-cloud-stream/docs/Brooklyn.RELEASE/reference/html/_apache_kafka_binder.html

EDIT :

My first option, ExternalName + NLB, is the better approach because you don't need to change the client configuration if the AWS DNS names of the MSK Kafka brokers change, if you want to add new brokers to the MSK cluster, or if you need to point the Kafka clients to a new list of MSK brokers or a new MSK cluster.

My second option is easier to implement but harder to manage.

From https://kubernetes.io/docs/concepts/services-networking/service/#externalname you can see that, should you later decide to move your MSK inside your EKS, you just need to change the ExternalName Service to a ClusterIP Service.

I also recommend going over the https://aws.amazon.com/blogs/big-data/how-goldman-sachs-builds-cross-account-connectivity-to-their-amazon-msk-clusters-with-aws-privatelink/ case study, where they explain how to use a single MSK cluster from multiple AWS accounts/VPCs using AWS PrivateLink. You don't need it for your MSK cluster if your AWS EKS is in the same VPC as the AWS MSK cluster. But it allows you to share a single AWS MSK cluster across different AWS EKS clusters, thus saving the cost of having one AWS MSK cluster for each AWS EKS cluster.
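The two options from the answer above, written out as Kubernetes manifests. This is an added example and not code from the original question or answer: the NLB DNS name, the `b-1`/`b-2`/`b-3` broker names, the Service and ConfigMap names, and the namespace are placeholders to be replaced with your own. Two details are worth checking before relying on it: an ExternalName Service only returns a CNAME, so the `ports` entry is documentation and the client must dial 9094 itself; and MSK's port 9094 listener is TLS, so the client should keep Kafka's default hostname verification (`ssl.endpoint.identification.algorithm=https`) rather than switching it off, and you should confirm the bootstrap handshake succeeds against the name the client actually dials (the cluster-local Service name for option 1, the broker names for option 2) before going to production.

```yaml
# Added example, not from the original answer. All hostnames below are placeholders.
#
# Option 1: ExternalName Service -> NLB DNS name -> MSK brokers on 9094.
# Clients resolve kafka-brokers.messaging.svc.cluster.local and get a CNAME
# to the NLB; the port in this spec is informational only for ExternalName.
apiVersion: v1
kind: Service
metadata:
  name: kafka-brokers
  namespace: messaging
spec:
  type: ExternalName
  # Placeholder: the DNS name of your Network Load Balancer fronting MSK.
  externalName: msk-nlb-0123456789abcdef.elb.us-east-1.amazonaws.com
  ports:
    - name: kafka-tls
      port: 9094
      targetPort: 9094
---
# Kafka client properties mounted into the pod. Two variants are kept side by
# side so the difference between the options is visible; mount only one.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kafka-client-config
  namespace: messaging
data:
  # Option 1: bootstrap through the ExternalName Service. Broker renames or
  # additions only require retargeting the NLB, not a client change.
  client-via-nlb.properties: |
    bootstrap.servers=kafka-brokers.messaging.svc.cluster.local:9094
    security.protocol=SSL
    # Truststore that contains the Amazon Trust Services roots MSK's broker
    # certificates chain to (e.g. a copy of the JDK cacerts file).
    ssl.truststore.location=/etc/kafka/kafka.client.truststore.jks
    ssl.truststore.password=changeit
    # Deliberately NOT set to empty: keep hostname verification on.
    ssl.endpoint.identification.algorithm=https
  # Option 2: comma-separated MSK broker DNS names. Simpler, but every broker
  # change means editing and redeploying this ConfigMap.
  client-direct.properties: |
    bootstrap.servers=b-1.example-cluster.abcd12.c3.kafka.us-east-1.amazonaws.com:9094,b-2.example-cluster.abcd12.c3.kafka.us-east-1.amazonaws.com:9094,b-3.example-cluster.abcd12.c3.kafka.us-east-1.amazonaws.com:9094
    security.protocol=SSL
    ssl.truststore.location=/etc/kafka/kafka.client.truststore.jks
    ssl.truststore.password=changeit
    ssl.endpoint.identification.algorithm=https
```

Whichever variant you mount, the network path still has to be opened explicitly: the MSK cluster's security group (or, with an NLB in front, the NLB's targets) must allow TCP 9094 from the EKS node or pod CIDR, and if the clusters sit in different VPCs the peering route tables must cover both sides. Keep the truststore password out of the ConfigMap in real deployments and source it from a Secret instead; it is inline here only so the file is self-contained.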