Hi Chris, adding to what @dwittekind said, you’ll also want to understand how PrivateLink endpoints work with DNS. You need to know that PrivateLink clusters will need access to some public DNS resolver to work. Let’s start with the current naming scheme for clusters accessed over PrivateLink:
The bootstrap returns metadata about brokers, which have their own naming scheme:
When resolving these endpoints, you’ll need access to Confluent’s global DNS resolvers, which tell us these are actually CNAMEs: the returned names have glb removed, and the dash between the $nid is converted into a dot for the bootstrap, and converts the dash between the
Bootstrap Example: lkc-n02w6.43860.us-east-1.aws.confluent.cloud:9092
Broker Example: e-0013.az1.43860.us-east-1.aws.confluent.cloud:9092
(notice the removed glb, and now the network id is its own subdomain)
You’re then expected to host SOA records for *.$nid.$region.$cloud.confluent.cloud and each of the zonal endpoints.
Here’s an example of the most common approach:
After the initial DNS request from the client:
- Resolve glb name which is forwarded from our local DNS resolver to the global Confluent Public DNS, which returns the CNAME without glb.
- Resolve the CNAME with the local SOA records in the local DNS server for the PL endpoints.
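The two-step resolution described in the post above, modelled as an added Python example (this is not code from the post, from Confluent, or from any Confluent tool). It assumes the glb-form hostname looks like `lkc-<id>-<nid>.<region>.<cloud>.glb.confluent.cloud` (the post only shows the rewritten names, so that input format is an assumption), and the VPC endpoint addresses are constructed sample values. It also shows the failure mode the post warns about: if the local resolver does not host the `$nid` zone, the CNAME target returned by public DNS cannot be resolved.

```python
"""Model of the two-step DNS resolution a PrivateLink Kafka client performs.

Added example, not from the original forum post. The glb-style input names
are an assumption based on the post's description of the rewrite; the
endpoint IPs below are constructed sample data.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# Constructed sample data: one VPC endpoint ENI address per availability zone.
ZONAL_ENDPOINT_IPS: Dict[str, str] = {
    "az1": "10.0.1.10",
    "az2": "10.0.2.10",
    "az3": "10.0.3.10",
}
NETWORK_ID = "43860"            # $nid from the post's examples
REGION_CLOUD = "us-east-1.aws"  # $region.$cloud


def public_dns_cname(glb_name: str) -> Optional[str]:
    """Simulate Confluent's public resolver: answer a glb name with its CNAME.

    Assumed glb form (not shown in the post):
    ``<host>-<nid>.<region>.<cloud>.glb.confluent.cloud`` where ``<host>`` is
    ``lkc-<id>`` (bootstrap) or ``e-<n>-<az>`` (broker). Per the post, the
    CNAME drops the ``glb`` label and turns the dashes joining host, zone and
    network id into dots. Returns None for names that are not glb names.
    """
    labels = glb_name.rstrip(".").lower().split(".")
    if "glb" not in labels:
        return None
    host, rest = labels[0], [lbl for lbl in labels[1:] if lbl != "glb"]
    parts = host.split("-")
    if parts[0] == "lkc" and len(parts) == 3:      # lkc-<id>-<nid>
        target = f"lkc-{parts[1]}.{parts[2]}"
    elif parts[0] == "e" and len(parts) == 4:      # e-<n>-<az>-<nid>
        target = f"e-{parts[1]}.{parts[2]}.{parts[3]}"
    else:
        return None
    return ".".join([target, *rest])


def build_local_zone() -> Dict[str, List[str]]:
    """Records the local (VPC) resolver serves authoritatively.

    ``*.<nid>.<region>.<cloud>.confluent.cloud`` answers the bootstrap name
    with every endpoint address; ``*.<az>.<nid>...`` pins each broker to the
    endpoint in its own zone (the zonal endpoints the post mentions).
    """
    suffix = f"{NETWORK_ID}.{REGION_CLOUD}.confluent.cloud"
    zone: Dict[str, List[str]] = {f"*.{suffix}": sorted(ZONAL_ENDPOINT_IPS.values())}
    for az, ip in ZONAL_ENDPOINT_IPS.items():
        zone[f"*.{az}.{suffix}"] = [ip]
    return zone


def local_lookup(zone: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Wildcard lookup: exact owner first, then the most specific wildcard.

    ``*.az1.<nid>...`` is longer than ``*.<nid>...`` and therefore wins for a
    broker name, so each broker resolves to its own zone's endpoint.
    """
    name = name.rstrip(".").lower()
    if name in zone:
        return zone[name]
    best: Optional[Tuple[str, List[str]]] = None
    for owner, rrs in zone.items():
        if not owner.startswith("*."):
            continue
        parent = owner[2:]
        if name.endswith("." + parent) and (best is None or len(parent) > len(best[0])):
            best = (parent, rrs)
    return best[1] if best else None


def resolve(name: str, zone: Dict[str, List[str]]) -> Tuple[Optional[str], List[str]]:
    """What the client's local resolver does for a PrivateLink hostname.

    Step 1: the glb name is forwarded to public DNS, which returns a CNAME.
    Step 2: the CNAME target is answered from the locally hosted zone.
    Raises LookupError when the target has no local record, i.e. the
    ``*.<nid>`` zone is not hosted on the VPC resolver.
    """
    cname = public_dns_cname(name)
    final = cname or name
    ips = local_lookup(zone, final)
    if ips is None:
        raise LookupError(f"no local record for {final}; is the {NETWORK_ID} zone hosted locally?")
    return cname, ips


if __name__ == "__main__":
    zone = build_local_zone()
    for host in ("lkc-n02w6-43860.us-east-1.aws.glb.confluent.cloud",
                 "e-0013-az1-43860.us-east-1.aws.glb.confluent.cloud"):
        cname, ips = resolve(host, zone)
        print(f"{host}\n  CNAME {cname}\n  A     {', '.join(ips)}")
```

Running the module prints the CNAME chain for the post's bootstrap and broker examples; passing an empty dict as the zone reproduces the "public DNS works but the private name never resolves" symptom.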