Summary:
To allow Redpanda to fully manage your Private Link enabled cluster on AWS, you will need to review, and potentially change, the Security Group rules as described in the documentation link or the procedure below.
Severity:
Med
Redpanda Products Affected:
Private Link enabled clusters on AWS running with
- Dedicated
- BYOC
- BYOVPC
Release Affected:
All Releases
Identification:
Any Redpanda Cluster on AWS that uses the Private Link connectivity feature. You can check each cluster by going to the Cluster Settings Page in Cloud UI, which is only visible on private network clusters, to see if it is enabled.
Impact:
If these additional port ranges are not open, your clients will be unable to connect to your Redpanda cluster after upcoming cluster maintenance events: Tier Migration, Scaling, Kubernetes upgrades and VM refreshes.
Action required:
Target Date: Please complete the following by April 11th, 2025
Please see updated documentation here: https://docs.redpanda.com/redpanda-cloud/networking/aws-privatelink/#add-security-group-rules
Please ensure you extend the end ports if your cluster is larger than three nodes.
Please ensure you are not using broker ports for any client seeding/bootstrapping. For correct bootstrapping with Private Link you must use the fixed bootstrap/seed port, 30292.
Performing the actions in this TSB will not cause an outage or downtime.
Determining your cluster size
Use RPK to show how many brokers you have:
> rpk cluster info --tls-enabled --brokers seed.cv7gaef0l8af8uete2ag.byoc.prd.cloud.redpanda.com:30292
CLUSTER
=======
redpanda.rp-cv7gaef0l8af8uete2ag
BROKERS
=======
ID  HOST                                                                   PORT   RACK
0*  0-1e5e5611-ebb856c.cv7gaef0l8af8uete2ag.byoc.prd.cloud.redpanda.com  32092  apse2-az1
1   1-1e5e5611-fcc0e34.cv7gaef0l8af8uete2ag.byoc.prd.cloud.redpanda.com  32093  apse2-az1
2   2-1e5e5611-d87f871.cv7gaef0l8af8uete2ag.byoc.prd.cloud.redpanda.com  32094  apse2-az1
The output shows 3 brokers. If you have more than 3 brokers (Tiers 3, 4, 6, 7, 8 and 9) then you must adjust the end port in the ranges below so that each range is equal to or greater than the number of brokers. Failure to do this will result in clients being unable to access partitions on brokers that use ports outside of the ranges.
Find your existing Private Link Endpoint Security Group
Get the name of the cluster's Private Link endpoint service:
PL_SERVICE_NAME=$(curl -X GET \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $AUTH_TOKEN" \
  "$PUBLIC_API_ENDPOINT/v1beta2/clusters/$CLUSTER_ID" | jq -r .cluster.aws_private_link.status.service_name)
Or navigate to your cluster's settings page, where it is displayed under the AWS PrivateLink section.
Use the service name to find the correct private link endpoint to check:
aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=$PL_SERVICE_NAME
There should be only 1 item.
Find the security group that the endpoint uses in the Groups list in the output of describe-vpc-endpoints above; the group name should be of the form {cluster id}-sg, e.g.,
"Groups": [
{
"GroupId": "sg-0fc66a2687fd13ddd",
"GroupName": "xxxxxxxxxxxxxx-sg"
}
],
Export that GroupId as your SECURITY_GROUP_ID environment variable for use in the commands below.
Updating Redpanda Kafka broker port ranges
There are three broker port ranges that alternate during normal system maintenance, and all three must be open.
Adjust the end port number if the Redpanda broker count is greater than three.
aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \
--group-id $SECURITY_GROUP_ID \
--protocol "tcp" \
--port 32092-32094 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \
--group-id $SECURITY_GROUP_ID \
--protocol "tcp" \
--port 32192-32194 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \
--group-id $SECURITY_GROUP_ID \
--protocol "tcp" \
--port 32292-32294 \
--cidr 0.0.0.0/0
Updating Redpanda Panda Proxy port ranges
There are three port ranges that alternate during normal system maintenance, and all three must be open.
Adjust the end port number if the Redpanda broker count is greater than three.
aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \
--group-id $SECURITY_GROUP_ID \
--protocol "tcp" \
--port 35082-35084 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \
--group-id $SECURITY_GROUP_ID \
--protocol "tcp" \
--port 35182-35184 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --region $REGION --profile $PROFILE \
--group-id $SECURITY_GROUP_ID \
--protocol "tcp" \
--port 35282-35284 \
--cidr 0.0.0.0/0
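The steps above (count brokers, locate the endpoint security group, open six port ranges sized to the broker count) are easy to get subtly wrong by hand, in particular the end-port adjustment for clusters larger than three brokers. The script below is an added example, not Redpanda's own tooling: it derives the broker count from `rpk cluster info` output, checks that exactly one VPC endpoint matches the service name, and generates the six `authorize-security-group-ingress` commands with correctly sized ranges. It assumes the same environment variables the TSB uses (REGION, PROFILE, SECURITY_GROUP_ID, PL_SERVICE_NAME) plus the aws CLI and jq for the endpoint lookup; SAMPLE_RPK_OUTPUT is a constructed six-broker sample, and INGRESS_CIDR is a hypothetical override that defaults to the documented 0.0.0.0/0.

```shell
#!/bin/sh
# Added example, not Redpanda's own tooling: size the six Private Link
# security-group ingress ranges from this TSB to the actual broker count.
# Assumes the TSB's environment variables (REGION, PROFILE, SECURITY_GROUP_ID,
# PL_SERVICE_NAME), the aws CLI and jq. SAMPLE_RPK_OUTPUT is constructed.

# Start ports from the TSB: three Kafka broker ranges and three Panda Proxy
# ranges that rotate during maintenance. All six must be open.
BROKER_BASES="32092 32192 32292"
PROXY_BASES="35082 35182 35282"

# Constructed stand-in for `rpk cluster info` output on a six-broker cluster.
SAMPLE_RPK_OUTPUT='CLUSTER
=======
redpanda.rp-example
BROKERS
=======
ID HOST PORT RACK
0* 0-example.cloud.redpanda.com 32092 az1
1 1-example.cloud.redpanda.com 32093 az1
2 2-example.cloud.redpanda.com 32094 az2
3 3-example.cloud.redpanda.com 32095 az2
4 4-example.cloud.redpanda.com 32096 az3
5 5-example.cloud.redpanda.com 32097 az3'

# count_brokers: read `rpk cluster info` output on stdin and print the number
# of rows in the BROKERS table (first field is a numeric ID, optionally
# suffixed with '*' for the current controller).
count_brokers() {
    awk '
        /^BROKERS/ { in_brokers = 1; next }
        in_brokers && $1 ~ /^[0-9]+\*?$/ { n++ }
        END { print n + 0 }
    '
}

# port_range START COUNT: print "START-END" for a range of COUNT ports, never
# smaller than the three-port ranges listed in the TSB.
port_range() {
    start=$1
    count=$2
    [ "$count" -gt 3 ] || count=3
    echo "$start-$((start + count - 1))"
}

# endpoint_sg_id: print the GroupId of the single VPC endpoint backing
# $PL_SERVICE_NAME, failing if there is not exactly one. Needs aws and jq.
endpoint_sg_id() {
    json=$(aws ec2 describe-vpc-endpoints --region "$REGION" --profile "$PROFILE" \
        --filters "Name=service-name,Values=$PL_SERVICE_NAME")
    n=$(printf '%s' "$json" | jq '.VpcEndpoints | length')
    [ "$n" -eq 1 ] || { echo "expected 1 endpoint, found $n" >&2; return 1; }
    printf '%s' "$json" | jq -r '.VpcEndpoints[0].Groups[0].GroupId'
}

# ingress_commands COUNT: print one authorize-security-group-ingress command
# per range, sized for COUNT brokers. The CIDR defaults to 0.0.0.0/0 as in the
# TSB; INGRESS_CIDR (hypothetical override, e.g. your VPC CIDR) narrows it.
# The rule is evaluated only on traffic that reaches the endpoint ENI in your VPC.
ingress_commands() {
    count=$1
    cidr=${INGRESS_CIDR:-0.0.0.0/0}
    for base in $BROKER_BASES $PROXY_BASES; do
        range=$(port_range "$base" "$count")
        printf 'aws ec2 authorize-security-group-ingress --region %s --profile %s --group-id %s --protocol tcp --port %s --cidr %s\n' \
            "$REGION" "$PROFILE" "$SECURITY_GROUP_ID" "$range" "$cidr"
    done
}

# Usage against a real cluster: inspect the generated commands, then apply.
#   BROKERS=$(rpk cluster info --tls-enabled --brokers "$SEED_HOST:30292" | count_brokers)
#   SECURITY_GROUP_ID=$(endpoint_sg_id)
#   ingress_commands "$BROKERS"          # review
#   ingress_commands "$BROKERS" | sh     # apply
if [ "${1:-}" = "--demo" ]; then
    n=$(printf '%s\n' "$SAMPLE_RPK_OUTPUT" | count_brokers)
    echo "brokers: $n"
    ingress_commands "$n"
fi
```

Running the file with `--demo` prints the six commands for the constructed six-broker sample, with every range widened to six ports (for example 32092-32097 instead of 32092-32094). Generating the commands rather than executing them directly lets you diff them against the ranges already present in the security group before anything changes, and the one-endpoint check mirrors the "There should be only 1 item" expectation above.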
Questions? If you have any questions on this TSB, or need further guidance, please contact support@redpanda.com