Secure Public Access for Amazon MSK with Zilla+

Secure, flexible access to MSK clusters across the internet

Seamlessly connect on-premise and cross-cloud Apache Kafka® clients to your MSK cluster without exposing it directly to the public internet. Deploy partner access, hybrid IT and other data streaming integration initiatives — securely and with ease.

Zilla Plus is a certified AWS Solution

Unleash Your Amazon MSK Cluster

By default, MSK clusters are not designed to be reached over the public internet. As a result, accessing MSK in a secure and flexible manner from a local, on-premise or external cloud environment is difficult. This holds back deploying MSK in a hybrid or multi-cloud setup and complicates partner integration initiatives. Overcome these limits with Zilla Plus.

Enable external partners to subscribe to your MSK topics over a custom DNS domain. Enterprise-grade security is guaranteed through integrations with AWS Secrets Manager for public server certificates, and AWS Certificate Manager for private client ones. TLS client identity propagation is also supported.

Deploy a custom DNS name for MSK in a primary and a secondary AWS region, then seamlessly reroute Kafka clients in a DR scenario by simply updating a DNS record in the secondary region. This works because the bootstrap server names are consistent between the two regions.

When migrating a Kafka deployment running outside of AWS to MSK, Zilla Plus can relieve forklift efforts. With it, your existing Kafka clients can reach MSK from their native environment, allowing them to continue running as-is. Once ready, they can be incrementally carried over into the AWS cloud.

Leverage your favorite Kafka tools directly from your local environment to streamline MSK development and testing efforts.

MSK public access use cases
Cross-Cloud Replication

By combining the Public Proxy with Kafka MirrorMaker, you can replicate MSK clusters to on-premise or external cloud environments. The reverse also applies: combine the Public Proxy with MirrorMaker to replicate clusters running inside your datacenter or Azure/GCP/etc. to MSK. Cluster replication can help aggregate data from multiple streaming pipelines, isolate production workloads, support disaster recovery efforts, and align with legal and compliance security requirements.

Partner Access

The Public Proxy enables external partners to subscribe to your MSK topics over a custom DNS domain. Security is guaranteed through integrations with AWS Secrets Manager for public server certificates, and ACM PCA for private client ones. TLS client identity propagation is also supported. The Proxy is stateless, so it is easy to scale out, and it is built on a high-performance runtime that can reliably support a large number of connections.

Incremental Migration

If you are migrating a Kafka deployment running outside of AWS to MSK, the Public Proxy relieves forklift efforts. With the Proxy, your existing Kafka clients will be able to reach MSK from their native environment, allowing you to keep them running as-is. When ready, you can incrementally migrate them into the AWS cloud.

Local Access

With the Proxy, Kafka clients running on your local machine can easily reach your MSK cluster, in turn simplifying and accelerating your development and testing efforts.

Secure, Scalable, Flexible

Zilla Plus is a Kafka-native proxy that simplifies secure connectivity to your Amazon MSK cluster. Deployed at the edge of your VPC, it enables publicly accessible Kafka endpoints, allowing external clients to connect, publish, and subscribe—without exposing your MSK brokers. Delivered as an AMI and deployable via CDK or Terraform, Zilla Plus runs as an auto-scaling proxy group behind a single Network Load Balancer. Your MSK cluster stays untouched, protected, and unexposed.

While Public Access is a feature of MSK, it exposes brokers directly to the public internet and lacks support for custom domain names.

Static Custom Domain Names

Using a custom domain for your public MSK endpoints keeps them aligned with your organization's domain and provides a stable DNS name—even if the underlying MSK cluster changes. It also lets you expose the cluster through a single Elastic IP, simplifying firewall rules and client integrations. With Zilla Plus, you can support multiple custom domains and front multiple MSK clusters—all within a single deployment.

AWS Secrets Manager and AWS Certificate Manager Integrations

Zilla Plus integrates with AWS Secrets Manager and AWS Certificate Manager to retrieve the private keys and certificate chains used to support both wildcard DNS bootstrap server names and trusted client identity for mutual authentication.

AWS Shield and AWS WAF Ready

AWS Shield and AWS WAF can be activated on the Network Load Balancer that is deployed alongside Zilla Plus proxies, protecting its endpoints against DDoS and network layer (layer 3), transport layer (layer 4), and application layer (layer 7) attacks.

Stateless Design

Zilla proxies are stateless and only require a single Network Load Balancer. This reduces both the complexity and costs of scaling out.

N Brown

“Zilla Plus reduced our lead time for integration development and rollout. We can now dedicate more time to designing our Kafka topics and schema, which would have been otherwise spent building a middleware layer for integrating 3rd party external networks into our AWS VPCs.”

Zilla Plus vs Native MSK Public Access

The Aklivity Public MSK Proxy is an AWS Qualified solution.

| Features | Zilla Plus | Native Public Access |
| --- | --- | --- |
| Configuration | CloudFormation Templates | Manual |
| Does not expose brokers to the public internet | | - |
| No broker configuration changes required | | - |
| Supports custom domain names | | - |
| Requires only one EIP address (simplified firewall policies and client integrations) | | - |
| AWS Shield and AWS WAF Ready | | - |
| Virtual Clusters & Topics | | - |
| Supports a multi-cluster deployment | | - |
| Integration with AWS Secrets Manager for public server certificates | | |
| Integration with ACM PCA for client certificates | | |
| TLS client identity propagation | | |
| Support for IAM authentication | | |

Ready to Get Started?

Free trial available!
Available on
AWS Marketplace ➔
Deployment Guide
Get up and running in minutes.
Docs ➔
Solution Brief
Seamless cross-internet MSK access.
Download ➔