Setting up CDC with AWS MSK in Dgraph Cloud

Ashish_Gupta · July 14, 2021, 5:28pm

This document covers the steps to set up AWS MSK in your own AWS account to receive change data capture (CDC) events from your dedicated Dgraph Cloud backend.

This document is a tailored and abridged version of the AWS blog post How Goldman Sachs builds cross-account connectivity to their Amazon MSK clusters with AWS PrivateLink | AWS Big Data Blog.

MSK setup in your AWS account

With MSK set up in your AWS account, the steps in this section are done by you.

High-level steps

These steps set up MSK and Endpoints in your AWS account:

Setup MSK
Setup NLB with VPC Endpoint Service
Share details with Dgraph
Accept PrivateLink connection request from Dgraph Cloud

Setup MSK

AWS PrivateLink requires that Service Consumer and Service Provider VPCs should be in the same region.
Set up MSK in the same AWS region where you Dgraph set up with SASL/SCRAM authentication enabled via AWS secrets. To work with MSK, AWS documents require that the secret name must start with ‘AmazonMSK_’.
For this document we will assume username and password are:
```
{
  "username": "kafkauser",
  "password": "kafka-secret-password"
}
```
Create a topic named dgraph-cdc. Dgraph CDC will push to this topic.
In MSK security group allow traffic from the entire VPC CIDR range. This will allow any NLB IP to access MSK.

Setup NLB with VPC Endpoint Service

Create NLB listening on 9096 with the IP address of the brokers as target nodes. Note: Adding a listener at least on port 9096 is very important. We have seen issues when NLB doesn’t have the 9096 listener port opened.
In NLB go to the Integrated Services tab and click create on VPC Endpoint Services (AWS PrivateLink). Select Acceptance required as Yes.
Using kafka-console-consumer.sh and kafka-console-producer.sh, verify that we can produce and consume from NLB. To set up kafka env refer Set up Kafka env.
In EC2, go to Endpoint Services and select the endpoint service we just created. Go to Allow-listed principals and click Add principal to allow list. Add the following principal for Dgraph Cloud:

arn:aws:iam::636790907320:root

Share details with Dgraph

Please share the following details with Dgraph:

Service Endpoint name
Kafka username and password SASL credentials
AWS region where MSK is set up
Broker DNS names. You can fetch this from View client information from the MSK service in AWS Console.

Once these are shared Dgraph Cloud can proceed with the next steps.

Initial Setup for VPC Endpoint

Dgraph will set up VPC Endpoint and initiate a connection. Once we confirm, go to VPC Service Endpoint which is integrated NLB. Go to Endpoint Connections and click on Accept endpoint connection request for the pending connection.

Once this is done, CDC can be configured on your Dgraph Cloud backend.

Topic		Replies	Views
Change data capture with Kafka: Setting SASL Mechanism Dgraph enterprise , dgraph , kind:enhancement , status:accepted , ticket:created	0	553	April 22, 2021
Dgraph on EKS Connectivity Dgraph	1	418	August 4, 2021
Support logical replication / change data capture (CDC) with Kafka Dgraph dgraph , priority:p2 , status:accepted , area:integrations , kind:feature	7	1701	February 1, 2021
Deploy Dgraph cluster on AWS, non-containerized Dgraph	2	2227	January 20, 2019
Can Dgraph helm chart support AWS Network Load Balancer? Dgraph area:kubernetes	11	973	March 5, 2024