Connect SingleStore Helios to AWS MSK using AWS PrivateLink

Overview

You can connect your AWS MSK (Amazon Managed Streaming for Apache Kafka) service to SingleStore Helios using AWS PrivateLink. To configure the connection, use either of the following approaches:

  1. Create a separate AWS PrivateLink service for each Kafka broker.

  2. Use a single PrivateLink service with a single Network Load Balancer (NLB) that forwards traffic to each Kafka broker via custom ports.

Refer to Connect to Kafka Pipelines using an Outbound Endpoint for more information on setting up a separate AWS PrivateLink service per Kafka broker.

To configure the connection using a single PrivateLink service and NLB, perform the following steps:

  1. Set up a Kafka cluster in AWS MSK.

  2. Configure an Endpoint service using a single NLB.

  3. Set up an outbound private connection in SingleStore Helios.

  4. Create a pipeline in SingleStore.

Set Up a Kafka Cluster in AWS MSK

To set up a Kafka cluster in AWS MSK, perform the following steps:

  1. Create a Kafka cluster in AWS MSK with the Provisioned cluster type.

  2. When configuring your AWS MSK cluster, select Availability Zones (AZs) that overlap with the AZs used by your SingleStore Helios deployment.

  3. Attach a security group that allows traffic from the internal IP range of the NLB that you will create later. Alternatively, you can allow traffic from all internal IP ranges.

  4. During cluster creation, enable SASL/SCRAM authentication.

  5. After the cluster is created:

    1. Add your SASL username and password as a secret in AWS Secrets Manager. The secret name must begin with the AmazonMSK_ prefix.

    2. Encrypt the secret using a Customer Managed Key (CMK).

    3. Attach the secret to the AWS MSK cluster to enable authentication for SingleStore.
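
For reference, the Secrets Manager steps above can also be scripted. The following is a minimal sketch using Python and boto3; the secret name, KMS key ARN, cluster ARN, region, and credentials are placeholder assumptions that you must replace with your own values.

# Minimal sketch: store SASL/SCRAM credentials in AWS Secrets Manager and
# attach them to the MSK cluster. All names, ARNs, and credentials below
# are placeholders.
import json

import boto3

secretsmanager = boto3.client("secretsmanager", region_name="us-east-1")
kafka = boto3.client("kafka", region_name="us-east-1")

# MSK requires SASL/SCRAM secret names to start with "AmazonMSK_", and the
# secret must be encrypted with a Customer Managed Key (CMK), not the
# default AWS managed key.
secret = secretsmanager.create_secret(
    Name="AmazonMSK_singlestore_user",  # hypothetical secret name
    KmsKeyId="arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",  # your CMK
    SecretString=json.dumps({"username": "<REDACTED>", "password": "<REDACTED>"}),
)

# Associate the secret with the cluster to enable SASL/SCRAM authentication.
kafka.batch_associate_scram_secret(
    ClusterArn="arn:aws:kafka:us-east-1:123456789012:cluster/example/EXAMPLE-UUID",
    SecretArnList=[secret["ARN"]],
)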

Configure an Endpoint Service Using a Single NLB

To configure an endpoint service that uses a single NLB to manage connectivity to the Kafka brokers, perform the following steps:

  1. Create target groups for the Kafka brokers.

    Note

    Create one target group per broker.

    1. Get the SASL/SCRAM endpoints from the Kafka cluster summary in View Client Information.

    2. Retrieve the IP addresses of the Kafka brokers by selecting the gear icon in the AWS MSK console and enabling the Show IP addresses option.

  2. Create a Network Load Balancer.

    1. Create a single NLB to handle traffic for all Kafka brokers using separate listener ports.

      Note

      Only a single NLB is required for this private endpoint service setup, regardless of the number of brokers.

      (Figure: the AWS console showing an internal IPv4 NLB named "mlsk-test" with private IPs assigned across three subnets, the default security group selected, and a TCP listener forwarding to a target group.)
    2. Create a separate listener for each target group. Assign a unique port to each listener. For example, use ports 6001, 6002, and 6003 for the three Kafka brokers.

    3. Create an endpoint service that points to the load balancer created in the previous steps.

    4. After creating the endpoint service, add the AWS account ID provided by SingleStore to the Allow principals list. This enables SingleStore to find and access the private endpoint service.

    5. Use the endpoint service created above to set up an outbound endpoint, which allows SingleStore to connect to your Kafka service. For more information, refer to Set Up an Outbound Connection in SingleStore.
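
The load balancer and endpoint service steps above can also be scripted. The following is a minimal sketch using Python and boto3, assuming three brokers and the example listener ports 6001-6003; the broker hostnames come from the earlier example, and all subnet, VPC, account, and resource names are placeholders that you must replace with your own values.

import socket

import boto3

elbv2 = boto3.client("elbv2", region_name="us-east-1")
ec2 = boto3.client("ec2", region_name="us-east-1")

# SASL/SCRAM broker hostnames from View Client Information (placeholders).
brokers = [
    "b-1.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com",
    "b-2.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com",
    "b-3.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com",
]
listener_ports = [6001, 6002, 6003]  # one unique NLB listener port per broker

# A single internal NLB in the subnets whose AZs overlap with Helios.
nlb = elbv2.create_load_balancer(
    Name="msk-privatelink-nlb",  # hypothetical name
    Type="network",
    Scheme="internal",
    Subnets=["subnet-aaaa", "subnet-bbbb", "subnet-cccc"],  # your subnet IDs
)["LoadBalancers"][0]

for i, (broker, port) in enumerate(zip(brokers, listener_ports), start=1):
    # One target group per broker, targeting the broker's IP on the SASL port.
    tg = elbv2.create_target_group(
        Name=f"msk-broker-{i}",  # hypothetical name
        Protocol="TCP",
        Port=9096,
        VpcId="vpc-0123456789abcdef0",  # your VPC ID
        TargetType="ip",
    )["TargetGroups"][0]

    # Broker IPs are also visible in the MSK console via Show IP addresses.
    elbv2.register_targets(
        TargetGroupArn=tg["TargetGroupArn"],
        Targets=[{"Id": socket.gethostbyname(broker), "Port": 9096}],
    )

    # One listener per broker on its unique port, forwarding to its target group.
    elbv2.create_listener(
        LoadBalancerArn=nlb["LoadBalancerArn"],
        Protocol="TCP",
        Port=port,
        DefaultActions=[{"Type": "forward", "TargetGroupArn": tg["TargetGroupArn"]}],
    )

# Expose the NLB as a PrivateLink endpoint service, then allow the AWS
# account ID provided by SingleStore to connect to it.
svc = ec2.create_vpc_endpoint_service_configuration(
    NetworkLoadBalancerArns=[nlb["LoadBalancerArn"]],
    AcceptanceRequired=False,
)["ServiceConfiguration"]

ec2.modify_vpc_endpoint_service_permissions(
    ServiceId=svc["ServiceId"],
    AddAllowedPrincipals=["arn:aws:iam::<SINGLESTORE_ACCOUNT_ID>:root"],
)

Because each listener forwards to exactly one broker, the listener port uniquely identifies that broker, which is what the spoof.dns mapping in the pipeline configuration relies on.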

Set Up an Outbound Connection in SingleStore

Refer to Connect to SingleStore Helios using AWS PrivateLink for more information on configuring the outbound private connection in SingleStore Helios.

Create a Pipeline in SingleStore

Using the outbound private connection created earlier, you can create a pipeline in SingleStore. The following template shows the required configuration, with placeholders for the VPC endpoint and NLB listener ports:

CREATE OR REPLACE PIPELINE KAFKA_MUNIS_POC_PIPELINE AS
LOAD DATA KAFKA 'b-2.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096,b-3.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096,b-1.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096/test'
CONFIG '{
  "spoof.dns": {
    "b-1.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096": "<VPC ENDPOINT>:<NLB LISTENER PORT1>",
    "b-2.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096": "<VPC ENDPOINT>:<NLB LISTENER PORT2>",
    "b-3.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096": "<VPC ENDPOINT>:<NLB LISTENER PORT3>"
  },
  "sasl.username": "<REDACTED>",
  "sasl.mechanism": "SCRAM-SHA-512",
  "security.protocol": "SASL_SSL",
  "ssl.ca.location": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
}'
CREDENTIALS '{"sasl.password": "<REDACTED>"}'
DISABLE OUT_OF_ORDER OPTIMIZATION
SKIP DUPLICATE KEY ERRORS
INTO TABLE kafkatest;

Ensure the following configuration details are applied:

  1. In the LOAD DATA section, use the appropriate Kafka port for your connection method; in this case, 9096 for SASL/SCRAM.

  2. In the spoof.dns section, define mappings that connect each Kafka broker to the corresponding outbound PrivateLink endpoint.

  3. Map each broker's hostname to the correct NLB listener port (for example, 6001, 6002, or 6003).

Example

The following example shows how a pipeline securely ingests data from Kafka brokers over AWS PrivateLink into a kafkatest table in SingleStore using SASL/SCRAM authentication, spoof.dns mapping, and SSL encryption.

CREATE OR REPLACE PIPELINE KAFKA_MUNIS_POC_PIPELINE AS
LOAD DATA KAFKA 'b-2.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096,b-3.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096,b-1.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096/test'
CONFIG '{
  "spoof.dns": {
    "b-1.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096": "vpce-0af45e49ab211df13-67n9i1aw-us-east-1c.vpce-svc-02e49c31898768e9c.us-east-1.vpce.amazonaws.com:6003",
    "b-2.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096": "vpce-0af45e49ab211df13-67n9i1aw-us-east-1a.vpce-svc-02e49c31898768e9c.us-east-1.vpce.amazonaws.com:6001",
    "b-3.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096": "vpce-0af45e49ab211df13-67n9i1aw-us-east-1b.vpce-svc-02e49c31898768e9c.us-east-1.vpce.amazonaws.com:6002"
  },
  "sasl.username": "<REDACTED>",
  "sasl.mechanism": "SCRAM-SHA-512",
  "security.protocol": "SASL_SSL",
  "ssl.ca.location": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
}'
CREDENTIALS '{"sasl.password": "<REDACTED>"}'
DISABLE OUT_OF_ORDER OPTIMIZATION
SKIP DUPLICATE KEY ERRORS
INTO TABLE kafkatest;

Note

The broker hostnames and ports used in the Kafka URI must exactly match those specified in the spoof.dns mapping. You can choose any port numbers, but they must be consistent in both places.
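
Because these values must match exactly, it can help to check them before creating the pipeline. The following illustrative Python snippet, using the placeholder values from the template above, verifies that every broker in the Kafka URI has a corresponding spoof.dns entry:

# Quick consistency check: every broker host:port in the LOAD DATA KAFKA
# list must appear verbatim as a key in the spoof.dns mapping, and vice versa.
kafka_uri = ("b-2.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096,"
             "b-3.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096,"
             "b-1.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096/test")

spoof_dns = {
    "b-1.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096": "<VPC ENDPOINT>:6003",
    "b-2.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096": "<VPC ENDPOINT>:6001",
    "b-3.testvibhor3.c7wkh8.c10.kafka.us-east-1.amazonaws.com:9096": "<VPC ENDPOINT>:6002",
}

# Strip the trailing "/<topic>" from the last broker entry before comparing.
brokers = {b.split("/")[0] for b in kafka_uri.split(",")}
missing = brokers - spoof_dns.keys()
extra = spoof_dns.keys() - brokers
assert not missing and not extra, f"mismatch: missing={missing}, extra={extra}"
print("spoof.dns mapping is consistent with the Kafka broker list")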
