Home  /  Ingest-Data

AWS PrivateLink connections

Materialize can connect to a Kafka broker, a Confluent Schema Registry server, a PostgreSQL database, or a MySQL database through an AWS PrivateLink service.

In this guide, we’ll cover how to create AWS PRIVATELINK connections and retrieve the AWS principal needed to configure the AWS PrivateLink service.

    NOTE: Materialize provides a Terraform module that automates the creation and configuration of AWS resources for a PrivateLink connection. For more details, see the Terraform module repositories for Amazon MSK and self-managed Kafka clusters.

    This section covers how to create AWS PrivateLink connections and retrieve the AWS principal needed to configure the AWS PrivateLink service.

    1. Create target groups

      Create a dedicated target group for each broker with the following details:

      a. Target type as IP address.

      b. Protocol as TCP.

      c. Port as 9092, or the port that you are using in case it is not 9092 (e.g. 9094 for TLS or 9096 for SASL).

      d. Make sure that the target group is in the same VPC as the Kafka cluster.

      e. Click next, and register the respective Kafka broker to each target group using its IP address.

    2. Create a Network Load Balancer (NLB)

      Create a Network Load Balancer that is enabled for the same subnets that the Kafka brokers are in.

    3. Create TCP listeners

      Create a TCP listener for every Kafka broker that forwards to the corresponding target group you created (e.g. b-1, b-2, b-3).

      The listener port needs to be unique, and will be used later on in the CREATE CONNECTION statement.

      For example, you can create a listener for:

      a. Port 9001 → broker b-1....

      b. Port 9002 → broker b-2....

      c. Port 9003 → broker b-3....

    4. Verify security groups and health checks

      Once the TCP listeners have been created, make sure that the health checks for each target group are passing and that the targets are reported as healthy.

      If you have set up a security group for your Kafka cluster, you must ensure that it allows traffic on both the listener port and the health check port.

      Remarks:

      a. Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic.

      b. You can’t use the security groups for the clients as a source in the security groups for the targets. Therefore, the security groups for your targets must use the IP addresses of the clients to allow traffic. For more details, check the AWS documentation.

    5. Create a VPC endpoint service

      Create a VPC endpoint service and associate it with the Network Load Balancer that you’ve just created.

      Note the service name that is generated for the endpoint service.

    6. In Materialize, create an AWS PrivateLink connection that references the endpoint service that you created in the previous step.

      ↕️ In-region connections

      To connect to an AWS PrivateLink endpoint service in the same region as your Materialize environment:

      CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
  SERVICE NAME 'com.amazonaws.vpce.<region_id>.vpce-svc-<endpoint_service_id>',
  AVAILABILITY ZONES ('use1-az1', 'use1-az2', 'use1-az4')
);

      • Replace the SERVICE NAME value with the service name you noted earlier.

      • Replace the AVAILABILITY ZONES list with the IDs of the availability zones in your AWS account. For in-region connections the availability zones of the NLB and the consumer VPC must match.

        To find your availability zone IDs, select your database in the RDS Console and click the subnets under Connectivity & security. For each subnet, look for Availability Zone ID (e.g., use1-az6), not Availability Zone (e.g., us-east-1d).

      ↔️ Cross-region connections

      To connect to an AWS PrivateLink endpoint service in a different region to the one where your Materialize environment is deployed:

      CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
  SERVICE NAME 'com.amazonaws.vpce.us-west-1.vpce-svc-<endpoint_service_id>',
  -- For now, the AVAILABILITY ZONES clause **is** required, but will be
  -- made optional in a future release.
  AVAILABILITY ZONES ()
);

      • Replace the SERVICE NAME value with the service name you noted earlier.

      • The service name region refers to where the endpoint service was created. You do not need to specify AVAILABILITY ZONES manually — these will be optimally auto-assigned when none are provided.

    1. Retrieve the AWS principal for the AWS PrivateLink connection you just created:

      SELECT principal
FROM mz_aws_privatelink_connections plc
JOIN mz_connections c ON plc.id = c.id
WHERE c.name = 'privatelink_svc';

                                       principal
---------------------------------------------------------------------------
 arn:aws:iam::664411391173:role/mz_20273b7c-2bbe-42b8-8c36-8cc179e9bbc3_u1

      Follow the instructions in the AWS PrivateLink documentation to configure your VPC endpoint service to accept connections from the provided AWS principal.

    2. If your AWS PrivateLink service is configured to require acceptance of connection requests, you must manually approve the connection request from Materialize after executing CREATE CONNECTION. For more details, check the AWS PrivateLink documentation.

      Note: It might take some time for the endpoint service connection to show up, so you would need to wait for the endpoint service connection to be ready before you create a source.

    Validate the AWS PrivateLink connection you created using the VALIDATE CONNECTION command:

    VALIDATE CONNECTION privatelink_svc;

    If no validation error is returned, move to the next step.

    Create a source connection

    In Materialize, create a source connection that uses the AWS PrivateLink connection you just configured:

    CREATE CONNECTION kafka_connection TO KAFKA (
    BROKERS (
        -- The port **must exactly match** the port assigned to the broker in
        -- the TCP listerner of the NLB.
        'b-1.hostname-1:9096' USING AWS PRIVATELINK privatelink_svc (PORT 9001, AVAILABILITY ZONE 'use1-az2'),
        'b-2.hostname-2:9096' USING AWS PRIVATELINK privatelink_svc (PORT 9002, AVAILABILITY ZONE 'use1-az1'),
        'b-3.hostname-3:9096' USING AWS PRIVATELINK privatelink_svc (PORT 9003, AVAILABILITY ZONE 'use1-az4')
    ),
    -- Authentication details
    -- Depending on the authentication method the Kafka cluster is using
    SASL MECHANISMS = 'SCRAM-SHA-512',
    SASL USERNAME = 'foo',
    SASL PASSWORD = SECRET kafka_password
);

    Troubleshooting

    If you run into connectivity issues during source creation, make sure that:

    • The (PORT <port_number>) value exactly matches the port assigned to the corresponding broker in the TCP listener of the Network Load Balancer. Misalignment between ports and broker addresses is the most common cause for connectivity issues.

    • For in-region connections, the correct availability zone is specified for each broker.

    NOTE: Materialize provides a Terraform module that automates the creation and configuration of AWS resources for a PrivateLink connection. For more details, see the Terraform module repository.

    1. Create target groups

      Create a dedicated target group for your RDS or Aurora or Aurora instance with the following details:

      a. Target type as IP address.

      b. Protocol as TCP.

      c. Port as 5432, or the port that you are using in case it is not 5432.

      d. Make sure that the target group is in the same VPC as the RDS or Aurora instance.

      e. Click next, and register the respective RDS or Aurora instance to the target group using its IP address.

    2. Verify security groups and health checks

      Once the target groups have been created, make sure that the health checks are passing and that the targets are reported as healthy.

      If you have set up a security group for your RDS or Aurora instance, you must ensure that it allows traffic on the health check port.

      Remarks:

      a. Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic.

      b. You can’t use the security groups for the clients as a source in the security groups for the targets. Therefore, the security groups for your targets must use the IP addresses of the clients to allow traffic. For more details, check the AWS documentation.

    3. Create a Network Load Balancer (NLB)

      Create a Network Load Balancer that is enabled for the same subnets that the RDS or Aurora instance is in.

    4. Create TCP listeners

      Create a TCP listener for your RDS or Aurora instance that forwards to the corresponding target group you created.

    5. Create a VPC endpoint service

      Create a VPC endpoint service and associate it with the Network Load Balancer that you’ve just created.

      Note the service name that is generated for the endpoint service.

    6. In Materialize, create an AWS PrivateLink connection that references the endpoint service that you created in the previous step.

      ↕️ In-region connections

      To connect to an AWS PrivateLink endpoint service in the same region as your Materialize environment:

      CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
  SERVICE NAME 'com.amazonaws.vpce.<region_id>.vpce-svc-<endpoint_service_id>',
  AVAILABILITY ZONES ('use1-az1', 'use1-az2', 'use1-az4')
);

      • Replace the SERVICE NAME value with the service name you noted earlier.

      • Replace the AVAILABILITY ZONES list with the IDs of the availability zones in your AWS account. For in-region connections the availability zones of the NLB and the consumer VPC must match.

        To find your availability zone IDs, select your database in the RDS Console and click the subnets under Connectivity & security. For each subnet, look for Availability Zone ID (e.g., use1-az6), not Availability Zone (e.g., us-east-1d).

      ↔️ Cross-region connections

      To connect to an AWS PrivateLink endpoint service in a different region to the one where your Materialize environment is deployed:

      CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
  SERVICE NAME 'com.amazonaws.vpce.us-west-1.vpce-svc-<endpoint_service_id>',
  -- For now, the AVAILABILITY ZONES clause **is** required, but will be
  -- made optional in a future release.
  AVAILABILITY ZONES ()
);

      • Replace the SERVICE NAME value with the service name you noted earlier.

      • The service name region refers to where the endpoint service was created. You do not need to specify AVAILABILITY ZONES manually — these will be optimally auto-assigned when none are provided.

    1. Retrieve the AWS principal for the AWS PrivateLink connection you just created:

      SELECT principal
FROM mz_aws_privatelink_connections plc
JOIN mz_connections c ON plc.id = c.id
WHERE c.name = 'privatelink_svc';

                                       principal
---------------------------------------------------------------------------
 arn:aws:iam::664411391173:role/mz_20273b7c-2bbe-42b8-8c36-8cc179e9bbc3_u1

      Follow the instructions in the AWS PrivateLink documentation to configure your VPC endpoint service to accept connections from the provided AWS principal.

    2. If your AWS PrivateLink service is configured to require acceptance of connection requests, you must manually approve the connection request from Materialize after executing CREATE CONNECTION. For more details, check the AWS PrivateLink documentation.

      Note: It might take some time for the endpoint service connection to show up, so you would need to wait for the endpoint service connection to be ready before you create a source.

    Validate the AWS PrivateLink connection you created using the VALIDATE CONNECTION command:

    VALIDATE CONNECTION privatelink_svc;

    If no validation error is returned, move to the next step.

    Create a source connection

    In Materialize, create a source connection that uses the AWS PrivateLink connection you just configured:

    CREATE CONNECTION pg_connection TO POSTGRES (
    HOST 'instance.foo000.us-west-1.rds.amazonaws.com',
    PORT 5432,
    DATABASE postgres,
    USER postgres,
    PASSWORD SECRET pgpass,
    AWS PRIVATELINK privatelink_svc
);

    This PostgreSQL connection can then be reused across multiple CREATE SOURCE statements:

    CREATE SOURCE mz_source
  FROM POSTGRES CONNECTION pg_connection (PUBLICATION 'mz_source')
  FOR ALL TABLES;
    NOTE: Materialize provides a Terraform module that automates the creation and configuration of AWS resources for a PrivateLink connection. For more details, see the Terraform module repository.

    1. Create target groups

      Create a dedicated target group for your RDS instance with the following details:

      a. Target type as IP address.

      b. Protocol as TCP.

      c. Port as 3306, or the port that you are using in case it is not 3306.

      d. Make sure that the target group is in the same VPC as the RDS instance.

      e. Click next, and register the respective RDS instance to the target group using its IP address.

    2. Verify security groups and health checks

      Once the target groups have been created, make sure that the health checks are passing and that the targets are reported as healthy.

      If you have set up a security group for your RDS instance, you must ensure that it allows traffic on the health check port.

      Remarks:

      a. Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic.

      b. You can’t use the security groups for the clients as a source in the security groups for the targets. Therefore, the security groups for your targets must use the IP addresses of the clients to allow traffic. For more details, check the AWS documentation.

    3. Create a Network Load Balancer (NLB)

      Create a Network Load Balancer that is enabled for the same subnets that the RDS instance is in.

    4. Create TCP listeners

      Create a TCP listener for your RDS instance that forwards to the corresponding target group you created.

    5. Create a VPC endpoint service

      Create a VPC endpoint service and associate it with the Network Load Balancer that you’ve just created.

      Note the service name that is generated for the endpoint service.

    6. In Materialize, create an AWS PrivateLink connection that references the endpoint service that you created in the previous step.

      ↕️ In-region connections

      To connect to an AWS PrivateLink endpoint service in the same region as your Materialize environment:

      CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
  SERVICE NAME 'com.amazonaws.vpce.<region_id>.vpce-svc-<endpoint_service_id>',
  AVAILABILITY ZONES ('use1-az1', 'use1-az2', 'use1-az4')
);

      • Replace the SERVICE NAME value with the service name you noted earlier.

      • Replace the AVAILABILITY ZONES list with the IDs of the availability zones in your AWS account. For in-region connections the availability zones of the NLB and the consumer VPC must match.

        To find your availability zone IDs, select your database in the RDS Console and click the subnets under Connectivity & security. For each subnet, look for Availability Zone ID (e.g., use1-az6), not Availability Zone (e.g., us-east-1d).

      ↔️ Cross-region connections

      To connect to an AWS PrivateLink endpoint service in a different region to the one where your Materialize environment is deployed:

      CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
  SERVICE NAME 'com.amazonaws.vpce.us-west-1.vpce-svc-<endpoint_service_id>',
  -- For now, the AVAILABILITY ZONES clause **is** required, but will be
  -- made optional in a future release.
  AVAILABILITY ZONES ()
);

      • Replace the SERVICE NAME value with the service name you noted earlier.

      • The service name region refers to where the endpoint service was created. You do not need to specify AVAILABILITY ZONES manually — these will be optimally auto-assigned when none are provided.

    1. Retrieve the AWS principal for the AWS PrivateLink connection you just created:

      SELECT principal
FROM mz_aws_privatelink_connections plc
JOIN mz_connections c ON plc.id = c.id
WHERE c.name = 'privatelink_svc';

                                       principal
---------------------------------------------------------------------------
 arn:aws:iam::664411391173:role/mz_20273b7c-2bbe-42b8-8c36-8cc179e9bbc3_u1

      Follow the instructions in the AWS PrivateLink documentation to configure your VPC endpoint service to accept connections from the provided AWS principal.

    2. If your AWS PrivateLink service is configured to require acceptance of connection requests, you must manually approve the connection request from Materialize after executing CREATE CONNECTION. For more details, check the AWS PrivateLink documentation.

      Note: It might take some time for the endpoint service connection to show up, so you would need to wait for the endpoint service connection to be ready before you create a source.

    Validate the AWS PrivateLink connection you created using the VALIDATE CONNECTION command:

    VALIDATE CONNECTION privatelink_svc;

    If no validation error is returned, move to the next step.

    Create a source connection

    In Materialize, create a source connection that uses the AWS PrivateLink connection you just configured:

    CREATE CONNECTION mysql_connection TO MYSQL (
      HOST <host>,
      PORT 3306,
      USER 'materialize',
      PASSWORD SECRET mysqlpass,
      SSL MODE REQUIRED,
      AWS PRIVATELINK privatelink_svc
);

    This MySQL connection can then be reused across multiple CREATE SOURCE statements:

    CREATE SOURCE mz_source
  FROM mysql CONNECTION mysql_connection
  FOR ALL TABLES;
    Back to top ↑