Summary:
To allow Redpanda to fully and completely manage your Private Link enabled cluster on AWS you will need to review and potentially make the following changes in the Security Group rules listed in the documentation link or procedure below.
Severity:
Med
Redpanda Products Affected:
Private Link enabled clusters on AWS running with
- Dedicated
- BYOC
- BYOVPC
Release Affected:
All Releases
Identification:
Any Redpanda Cluster on AWS that uses the Private Link connectivity feature. You can check each cluster by going to the Cluster Settings Page in Cloud UI, which is only visible on private network clusters, to see if it is enabled.
Impact:
If these additional port ranges are not open your clients will be unable to connect to your Redpanda cluster after upcoming cluster maintenance events; Tier Migration, Scaling, Kubernetes upgrades, VM refreshes
Action required:
Target Date: Please complete the following by April 11th, 2025. Please see updated documentation here: https://docs.redpanda.com/redpanda-cloud/networking/aws-privatelink/#add-security-group-rules
Standardized Port Ranges: Redpanda now uses broader port pools to ensure connectivity across all brokers.
Bootstrap Port: For correct bootstrapping, you must use the fixed bootstrap/seed port 30292 for Kafka, 30282 for HTTP Proxy, and 30081 for Schema Registry. Do not use individual broker ports for client seeding.
Idle Timeout: Ensure Kafka clients have
connections.max.idle.msset to less than 350 seconds.Performing the actions in this TSB will not cause an outage or downtime.
Find your existing Private Link Endpoint Security Group
- Get the name of the clusters private link endpoint service:
- Set he service name to find the correct endpoint using the command below, OR navigate to your clusters settings page where it will be displayed under the AWS PrivateLink Section.
# curl
PL_SERVICE_NAME=`curl -X GET \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $AUTH_TOKEN" \
$PUBLIC_API_ENDPOINT/v1beta2/clusters/$CLUSTER_ID | jq -r .cluster.aws_private_link.status.service_name`
# Use Service name to find the correct private link endpoint
aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=$PL_SERVICE_NAME 3. Identify the GroupId (e.g., {cluster id}-sg) and export it as your SECURITY_GROUP_ID. There should be only 1 item. The group name should be of the form {cluster id}-sg , e.g.,
Output Example:
"Groups": [
{
"GroupId": "sg-0fc66a2687fd13ddd",
"GroupName": "xxxxxxxxxxxxxx-sg"
}
],
Updating port ranges
These ports allow initial discovery and management of cluster services
aws ec2 authorize-security-group-ingress --region $REGION --group-id $SECURITY_GROUP_ID --protocol tcp --port 30292 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --region $REGION --group-id $SECURITY_GROUP_ID --protocol tcp --port 30282 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --region $REGION --group-id $SECURITY_GROUP_ID --protocol tcp --port 30081 --cidr 0.0.0.0/0Allow Redpanda Cloud Data Plane API / Prometheus (if needed)
aws ec2 authorize-security-group-ingress --region $REGION --group-id $SECURITY_GROUP_ID --protocol tcp --port 443 --cidr 0.0.0.0/0Private Service Connectivity broker port Pools.
aws ec2 authorize-security-group-ingress --region $REGION --group-id $SECURITY_GROUP_ID \
--ip-permissions 'IpProtocol=tcp,FromPort=32000,ToPort=32500,IpRanges=[{CidrIp=0.0.0.0/0}]'HTTP Proxy per-broker ports
aws ec2 authorize-security-group-ingress --region $REGION --group-id $SECURITY_GROUP_ID \
--ip-permissions 'IpProtocol=tcp,FromPort=35000,ToPort=35500,IpRanges=[{CidrIp=0.0.0.0/0}]'
Questions? If you have any questions on this TSB, or need further guidance, please contact support@redpanda.com