AWS MSK Public Access with Zilla Plus+

Secure, flexible access to MSK clusters across the public internet

Establish connectivity between on-premise or cross-cloud Kafka® clients and MSK clusters. Zilla Plus+ can be configured as a Public MSK Proxy that enables secure access to your MSK clusters from the public internet using a custom DNS domain. This one-time setup continues to work even after your cluster scales out with new Kafka® brokers.

Unlock new possibilities

By default, MSK clusters are not designed to be reached over the public internet. As a result, accessing MSK in a secure and flexible manner from a local, on-premise or external cloud environment is difficult. This holds back deploying MSK in a hybrid or multi-cloud setup and complicates partner integration initiatives.

MSK public access use cases
Cross-Cloud Replication

By combining the Public Proxy with Kafka MirrorMaker you can replicate MSK clusters to on-premise or external cloud environments. The reverse also applies: combine the Public Proxy with MirrorMaker to replicate clusters running inside your datacenter or Azure/GCP/etc. to MSK. Cluster replication can help aggregate data from multiple streaming pipelines, isolate production workloads, support disaster recovery efforts, and align with legal and compliance security requirements.

Partner Access

The Public Proxy enables external partners to subscribe to your MSK topics over a custom DNS domain. Security is guaranteed through integrations with AWS Secrets Manager for public server certificates, and ACM PCA for private client ones. TLS client identity propagation is also supported. The Proxy is stateless, so it is easy to scale out, and it is built on a high-performance runtime that can reliably support a large number of connections.

Incremental Migration

If you are migrating a Kafka deployment running outside of AWS to MSK, the Public Proxy relieves forklift efforts. With the Proxy, your existing Kafka clients will be able to reach MSK from their native environment, allowing you to keep them running as-is. When ready, you can incrementally migrate them into the AWS cloud.

Local Access

With the Proxy, Kafka clients running on your local machine can easily reach your MSK cluster, in turn simplifying and accelerating your development and testing efforts.

Combining the Public Proxy with Kafka MirrorMaker allows you to replicate MSK clusters to on-premise or external cloud environments. The reverse also applies: clusters running inside your datacenter or Azure/GCP/etc. can be replicated to MSK. Cluster replication can help aggregate data from multiple streaming pipelines, isolate production workloads, support disaster recovery efforts, and align with legal/compliance security requirements.

The Public Proxy enables external partners to subscribe to your MSK topics over a custom DNS domain. Enterprise-grade security is guaranteed through integrations with AWS Secrets Manager for public server certificates, and ACM PCA for private client ones. TLS client identity propagation is also supported.

When migrating a Kafka deployment running outside of AWS to MSK, the Public Proxy relieves forklift efforts. With the Proxy, your existing Kafka clients can reach MSK from their native environment, allowing them to continue running as-is. Once ready, they can be incrementally carried over into the AWS cloud.

Leverage your favorite Kafka tools directly from your local environment to streamline MSK development and testing efforts.

A secure, decoupled approach

Aklivity enables connectivity between public Kafka® clients and scaled-out MSK clusters.

The Aklivity Public MSK Proxy enables secure public internet connectivity to Amazon MSK clusters from authorized Kafka® clients. It automates the configuration of an internet-facing network load balancer and auto-scaling group of stateless proxies to access your MSK cluster via the public internet. Kafka® clients can connect, publish messages and subscribe to topics in your Amazon MSK cluster from outside AWS.

The Proxy integrates with AWS Secrets Manager and AWS Certificate Manager to retrieve the private keys and certificate chains used to support both wildcard DNS bootstrap server names and trusted client identity for mutual authentication.

Secure
Scalable
Streamlined

An uncompromised solution

While Public Access is a feature of MSK, it exposes brokers directly to the public internet and lacks support for custom domain names.

Public MSK Proxying with Zilla enables Kafka® clients to connect, publish messages and subscribe to topics in your Amazon MSK cluster from outside AWS. It automates the configuration of an internet-facing Network Load Balancer and an auto-scaling group of stateless proxies. These proxies route traffic to and from MSK brokers, which remain unaltered and unexposed.

Custom domain name support

A custom domain name not only helps align your public MSK endpoints with your own domain, it provides a stable DNS name should it become necessary to recreate the MSK cluster behind the scenes. It also allows you to expose a cluster using only a single Elastic IP address — this simplifies local firewall policies and eases client integrations. A single Proxy with different custom domains can be deployed in front of multiple MSK clusters.

ACM and Secrets Manager integrations

Zilla Plus integrates with AWS Secrets Manager and AWS Certificate Manager to retrieve the private keys and certificate chains used to support both wildcard DNS bootstrap server names and trusted client identity for mutual authentication.

Comparing connectivity patterns

The Aklivity Public MSK Proxy is an AWS Qualified solution.

| Features | Public MSK Proxy | Native Public Access |
| --- | --- | --- |
| Configuration | CloudFormation Templates | Manual |
| Does not expose brokers to the public internet | Yes | No |
| No broker configuration changes required | Yes | No |
| Supports custom domain names | Yes | No |
| Requires only one EIP address (simplified firewall policies and client integrations) | Yes | No |
| Supports a multi-cluster deployment | Yes | No |
| Integration with AWS Secrets Manager for public server certificates | Yes | Yes |
| Integration with ACM PCA for client certificates | Yes | Yes |
| TLS client identity propagation | Yes | Yes |
| Support for IAM authentication | No | Yes |
| Cost | $$ | $ |