From 5afac4b610fe0fcf8a583890612700cdd8b14c78 Mon Sep 17 00:00:00 2001 From: Katrina Van Meer Date: Tue, 19 May 2026 11:24:26 -0600 Subject: [PATCH] docs: PrivateLink troubleshooting for NLB security group enforcement --- .../layouts/shortcodes/network-security/privatelink-kafka.md | 4 +++- .../layouts/shortcodes/network-security/privatelink-mysql.md | 4 +++- .../shortcodes/network-security/privatelink-postgres.md | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/doc/user/layouts/shortcodes/network-security/privatelink-kafka.md b/doc/user/layouts/shortcodes/network-security/privatelink-kafka.md index 0d9bd1f8d2446..a209339b183d0 100644 --- a/doc/user/layouts/shortcodes/network-security/privatelink-kafka.md +++ b/doc/user/layouts/shortcodes/network-security/privatelink-kafka.md @@ -44,10 +44,12 @@ and retrieve the AWS principal needed to configure the AWS PrivateLink service. **Remarks**: - a. Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic. + a. Network Load Balancers do not have associated security groups by default. Therefore, the security groups for your targets must use IP addresses to allow traffic. b. You can't use the security groups for the clients as a source in the security groups for the targets. Therefore, the security groups for your targets must use the IP addresses of the clients to allow traffic. For more details, check the [AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html). + c. If you have associated a [security group with your Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html) and enabled **Enforce inbound rules on PrivateLink traffic**, the NLB's inbound rules will be applied to traffic arriving from Materialize's VPC endpoint. In that case, the source IPs are private IPs from Materialize's VPC — **not** the IPs of any client (e.g., `kcat` or a Kafka client running from a workstation or bastion host) that you might use to verify connectivity to the brokers directly. Inbound rules that only permit your own test traffic will silently block Materialize, even when your own connectivity tests succeed. To resolve this, either disable **Enforce inbound rules on PrivateLink traffic**, or add inbound rules to the NLB's security group that permit the relevant ports (each broker's listener port and the health check port) from a source that covers Materialize's VPC endpoint traffic. + 1. Create a VPC [endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) and associate it with the **Network Load Balancer** that you’ve just created. Note the **service name** that is generated for the endpoint service. diff --git a/doc/user/layouts/shortcodes/network-security/privatelink-mysql.md b/doc/user/layouts/shortcodes/network-security/privatelink-mysql.md index 65092eb18052e..e5e7cf0b716e3 100644 --- a/doc/user/layouts/shortcodes/network-security/privatelink-mysql.md +++ b/doc/user/layouts/shortcodes/network-security/privatelink-mysql.md @@ -19,10 +19,12 @@ **Remarks**: - a. Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic. + a. Network Load Balancers do not have associated security groups by default. Therefore, the security groups for your targets must use IP addresses to allow traffic. b. You can't use the security groups for the clients as a source in the security groups for the targets. Therefore, the security groups for your targets must use the IP addresses of the clients to allow traffic. For more details, check the [AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html). + c. If you have associated a [security group with your Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html) and enabled **Enforce inbound rules on PrivateLink traffic**, the NLB's inbound rules will be applied to traffic arriving from Materialize's VPC endpoint. In that case, the source IPs are private IPs from Materialize's VPC — **not** the IPs of any client (e.g., `mysql` running from a workstation or bastion host) that you might use to verify connectivity to the database directly. Inbound rules that only permit your own test traffic will silently block Materialize, even when your own connectivity tests succeed. To resolve this, either disable **Enforce inbound rules on PrivateLink traffic**, or add inbound rules to the NLB's security group that permit the relevant ports (the listener port and the health check port) from a source that covers Materialize's VPC endpoint traffic. + 1. #### Create a Network Load Balancer (NLB) Create a [Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html) that is **enabled for the same subnets** that the RDS instance is in. diff --git a/doc/user/layouts/shortcodes/network-security/privatelink-postgres.md b/doc/user/layouts/shortcodes/network-security/privatelink-postgres.md index d8d2afbc769f8..2f0b7a81ad8cd 100644 --- a/doc/user/layouts/shortcodes/network-security/privatelink-postgres.md +++ b/doc/user/layouts/shortcodes/network-security/privatelink-postgres.md @@ -19,10 +19,12 @@ **Remarks**: - a. Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic. + a. Network Load Balancers do not have associated security groups by default. Therefore, the security groups for your targets must use IP addresses to allow traffic. b. You can't use the security groups for the clients as a source in the security groups for the targets. Therefore, the security groups for your targets must use the IP addresses of the clients to allow traffic. For more details, check the [AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html). + c. If you have associated a [security group with your Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html) and enabled **Enforce inbound rules on PrivateLink traffic**, the NLB's inbound rules will be applied to traffic arriving from Materialize's VPC endpoint. In that case, the source IPs are private IPs from Materialize's VPC — **not** the IPs of any client (e.g., `psql` running from a workstation or bastion host) that you might use to verify connectivity to the database directly. Inbound rules that only permit your own test traffic will silently block Materialize, even when your own connectivity tests succeed. To resolve this, either disable **Enforce inbound rules on PrivateLink traffic**, or add inbound rules to the NLB's security group that permit the relevant ports (the listener port and the health check port) from a source that covers Materialize's VPC endpoint traffic. + 1. #### Create a Network Load Balancer (NLB) Create a [Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html) that is **enabled for the same subnets** that the RDS or Aurora instance is in.