docs: note subnet NACL ephemeral ports for PrivateLink Kafka #37016
Open
materializekatrina wants to merge 1 commit into
Conversation
kay-kim requested changes on Jun 12, 2026
| b. You can't use the security groups for the clients as a source in the security groups for the targets. Therefore, the security groups for your targets must use the IP addresses of the clients to allow traffic. For more details, check the [AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html). | ||
| c. If the broker or NLB subnets have [network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html), they must allow inbound traffic on the ephemeral port range (1024–65535) from the VPC CIDR, not just the listener port. NACLs are stateless, so a listener-port-only rule drops the ephemeral return traffic on cross-AZ connections once [cross-zone load balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html) is enabled, causing intermittent per-broker timeouts. |
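Review bot: item c. prescribes an inbound ephemeral-port rule for "the broker or NLB subnets", but the two subnets need the range in different directions. The brokers' replies to the NLB node leave the broker subnet, so the rule that matters there is the outbound rule for 1024–65535 to the VPC CIDR; the inbound ephemeral rule is what the NLB subnet needs to accept those replies. Since the sentence already explains that NACLs are stateless, suggest spelling out both directions, e.g. "allow the ephemeral port range (1024–65535) to and from the VPC CIDR in both the inbound and outbound rules" (when brokers and NLB share a subnet, one NACL needs all four rules). It would also help to say that this widening belongs in the NACL only: the stateful security groups on the targets (item b.) still restrict the listener port, so readers should not mirror the ephemeral range into their security groups.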
Contributor
Just want to flag per Slack convo that this isn't limited to Kafka.
Some minor points:
- I would introduce the acronym here [network ACLs (NACLs)], since you reference it in the second sentence.
- the "they" is ambiguous.
More importantly, from the second sentence ... it's only when you enable cross-zone load balancing, and not just if using NACLs? If that is the case (?):
- We should probably incorporate that into the If ... condition.
- And maybe have the second sentence explain the NLB behavior with cross-zone load balancing, and then go into the stateless ...
- Additionally, Claude is saying that even in a single AZ, brokers and NLB can end up in different subnets. So, is it slightly broader?
Let me know which condition is the one we're trying to account for. Depending on the answer to that, I have some suggestions.
Contributor
Oh, also, just a friendly reminder about this other PR: https://github.com/MaterializeInc/materialize/pull/36623/changes
Motivation
Follow up to #incident-1060. A listener-port-only NACL on broker/NLB subnets silently drops the ephemeral-port return traffic of cross-AZ connections once cross-zone load balancing is enabled, causing intermittent, self-resolving, all-or-nothing per-broker timeouts. Document the requirement to allow the ephemeral port range (1024-65535) from the VPC CIDR in both the "Verify security groups and health checks" step and the source-creation troubleshooting list of the shared privatelink-kafka shortcode (covers the PrivateLink, Amazon MSK, and self-hosted Kafka pages).
Co-Authored-By: Claude Opus 4.8
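The failure mode in the Motivation (a listener-port-only NACL silently dropping stateless return traffic) is easy to check for before an incident. The following is an added example, not Materialize's code: it evaluates a subnet NACL the way AWS does (lowest rule number that matches wins, no match denies) against the flows a broker subnet and an NLB subnet each need. Entries use the field names of `aws ec2 describe-network-acls` output; the VPC CIDR, listener port, NLB node IP and the two sample ACLs are constructed assumptions.

```python
"""Audit a subnet NACL for the Kafka listener port plus the ephemeral return
traffic a stateless ACL must admit explicitly. Added example, not Materialize
code; the ACL entries and addresses below are constructed samples."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"   # assumed VPC CIDR
LISTENER_PORT = 9092       # assumed Kafka listener port
EPHEMERAL = (1024, 65535)  # range the doc change requires

# Flows each subnet role must pass for NLB -> broker traffic. Return traffic
# leaves the broker subnet (egress) and enters the NLB subnet (ingress).
FLOWS = {
    "broker": [("in_listener", False, LISTENER_PORT), ("out_ephemeral", True, EPHEMERAL)],
    "nlb":    [("out_listener", True, LISTENER_PORT), ("in_ephemeral", False, EPHEMERAL)],
}

def rule(number, action, egress, port_from, port_to, cidr=VPC_CIDR):
    """Build one TCP NACL entry in describe-network-acls shape."""
    return {"RuleNumber": number, "Protocol": "6", "RuleAction": action, "Egress": egress,
            "CidrBlock": cidr, "PortRange": {"From": port_from, "To": port_to}}

def nacl_allows(ordered, egress, ip, port):
    """Stateless evaluation: lowest-numbered matching rule wins; no match means deny."""
    for e, net in ordered:
        if e["Egress"] != egress or e["Protocol"] not in ("-1", "6") or ip not in net:
            continue
        pr = e.get("PortRange")  # entries with Protocol "-1" carry no port range
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False

def blocked_flows(entries, role, peer_ip):
    """Required flows this NACL drops, as 'flow:port' for the first port that fails."""
    ordered = [(e, ipaddress.ip_network(e["CidrBlock"]))
               for e in sorted(entries, key=lambda e: e["RuleNumber"])]
    ip = ipaddress.ip_address(peer_ip)
    blocked = []
    for name, egress, spec in FLOWS[role]:
        ports = range(spec[0], spec[1] + 1) if isinstance(spec, tuple) else [spec]
        bad = next((p for p in ports if not nacl_allows(ordered, egress, ip, p)), None)
        if bad is not None:
            blocked.append(f"{name}:{bad}")
    return blocked

# Constructed: listener-port-only NACL, the configuration behind the timeouts.
LISTENER_ONLY = [rule(100, "allow", False, LISTENER_PORT, LISTENER_PORT),
                 rule(100, "allow", True, LISTENER_PORT, LISTENER_PORT)]
# Constructed: the same NACL with the ephemeral range added in both directions.
WITH_EPHEMERAL = LISTENER_ONLY + [rule(110, "allow", False, *EPHEMERAL),
                                  rule(110, "allow", True, *EPHEMERAL)]
```

Run `blocked_flows(acl, "broker", "<nlb node ip>")` and `blocked_flows(acl, "nlb", "<broker ip>")` with the `Entries` list pulled from `describe-network-acls`; an empty list for both roles means the subnet passes the listener port and the full ephemeral range.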