Kafka migration to VPC networks
Virtual Private Cloud (VPC) peering is a method of connecting separate cloud(AWS, Google Cloud, or Azure) private networks with each other. It allows virtual machines in different private networks to talk to each other directly without going through the public Internet.
Aiven's VPC peering allows only private networks in the same cloud provider to talk to each other without going through the public internet. Which means that our Azure cloud users can only access Kafka services that are migrated to Google VPC network via only public URLs
Kafka platform changes
-
Team Data Platform and Team Platform have created the necessary VPC resources to migrate existing internal Kafka clusters to VPC networks.
-
Kafka clusters serving external Kafka users are NOT migrated and their usage remains same as before
entur-kafka-test-extentur-kafka-prod-ext
-
This migration has no impact on all Entur applications running in GKE clusters in
dev,stagingandproductionenvironments -
Following are the clusters that will be migrated.
entur-kafka-test-intentur-kafka-prod-int
-
Following are the Kafka users affected by this migration. Public URLs are created with a
public-prefix to the existing bootstrap and schema registry server URLs for these users.- Entur applications running in other cloud networks like Azure Cloud etc
- CI/CD applications
- Entur developers
➡️ Switching to public URLs is mandatory after switching to VPC networks for the above users as the old/existing URLs are assigned to the private networks
-
The same Kafka user credentials should work as before
Kafka services URL lookup�
| Cluster ID | Bootstrap Server URL | Schema Registry Server URL | Access | VPC |
|---|---|---|---|---|
entur-kafka-test-ext | entur-kafka-test-ext-entur-test.aivencloud.com:11877 | https://entur-kafka-test-ext-entur-test.aivencloud.com:11867 | public | no |
entur-kafka-prod-ext | entur-kafka-prod-ext-entur-prod.aivencloud.com:14019 | https://entur-kafka-prod-ext-entur-prod.aivencloud.com:14009 | public | no |
entur-kafka-test-int | entur-kafka-test-int-entur-test.aivencloud.com:11877 | https://entur-kafka-test-int-entur-test.aivencloud.com:11867 | private | yes |
entur-kafka-test-int | public-entur-kafka-test-int-entur-test.aivencloud.com:11878 | https://public-entur-kafka-test-int-entur-test.aivencloud.com:11867 | public | yes |
entur-kafka-prod-int | entur-kafka-prod-int-entur-prod.aivencloud.com:14019 | https://entur-kafka-prod-int-entur-prod.aivencloud.com:14009 | private | yes |
entur-kafka-prod-int | public-entur-kafka-prod-int-entur-prod.aivencloud.com:14020 | https://public-entur-kafka-prod-int-entur-prod.aivencloud.com:14009 | public | yes |
Changes in usage with entur-kafka-spring-starter library
There is no change in default configuration as long as your application is accessing
- External Kafka clusters that are not migrated to VPC networks
- Internal Kafka clusters accessing from Entur's GKE clusters
Here is an example configuration change for accessing entur-kafka-test-int cluster where one has to use public URLs
with entur-kafka-spring-starter library.
entur:
kafka:
bootstrapServer: "public-entur-kafka-test-int-entur-test.aivencloud.com:11878"
schemaRegistryUrl: "https://public-entur-kafka-test-int-entur-test.aivencloud.com:11867"
schemaRegistryBasicAuth: "${KAFKA_USER_NAME}:${KAFKA_USER_PASSWORD}"
sasl:
username: "${KAFKA_USER_NAME}"
password: "${KAFKA_USER_PASSWORD}"
Migration strategy
- All Kafka applications accessing from outside Entur's GKE clusters can start using public URLs
- Azure Cloud users
- CI/CD pipeline users
- Entur developers
entur-kafka-test-intcluster will be migrated to VPC networkentur-kafka-prod-intcluster will be migrated to VPC network in the end.