Merge pull request #3672 from ClickHouse/kk/rpe-msk-kb

Knowledge base for MSK multi-VPC setup for RPE

Author: Blargian

docs/integrations/data-ingestion/clickpipes/aws-privatelink.md

@@ -63,6 +63,8 @@ Update your MSK cluster policy and add `072088201116` to the allowed principals
 See AWS guide for [attaching a cluster policy](https://docs.aws.amazon.com/msk/latest/developerguide/mvpc-cluster-owner-action-policy.html) for more details.
 :::
 
+Follow our [MSK setup guide for ClickPipes](/knowledgebase/aws-privatelink-setup-for-msk-clickpipes) to learn how to set up the connection.
+
 ### VPC endpoint service {#vpc-endpoint-service}
 
 VPC service is another approach to share your data source with ClickPipes.

knowledgebase/aws-privatelink-setup-for-msk-clickpipes.mdx

@@ -0,0 +1,57 @@
+---
+title: AWS PrivateLink setup to expose MSK for ClickPipes
+description: Setup steps to expose a private MSK via MSK multi-VPC connectivity to ClickPipes.
+date: 2025-4-15
+tags: ['Security and Authentication', 'Managing Cloud']
+keywords: ['AWS PrivateLink', 'MSK', 'ClickPipes']
+---
+
+{frontMatter.description}
+{/* truncate */}
+
+## Overview {#overview}
+
+This guide will get you started with setting up a **MSK multi-VPC** to be used with [ClickPipes reverse private endpoint](/integrations/clickpipes/aws-privatelink#msk-multi-vpc).
+
+## Requirements {#requirements}
+
+Your MSK cluster VPC must be located in one of our ClickPipes regions. See [ClickPipes regions](/integrations/clickpipes/aws-privatelink#aws-privatelink-regions) for the list of supported regions.
+
+## Enabling multi-VPC connectivity {#enabling-multi-vpc-connectivity}
+
+1. Navigate to the MSK cluster.
+    - Choose "Clusters" from the left navigation pane in the Amazon MSK console.
+    - Select the specific MSK cluster you want to configure for multi-VPC connectivity.
+2. Enable MSK multi-VPC connectivity
+    - In the **Connectivity** tab, find the **Multi-VPC connectivity** section.
+    - Click on **Edit**.
+    - Enable the **Turn-on MSK multi-VPC connectivity** option.
+    - Follow the instructions
+3. Add ClickPipes account principal into a cluster’s policy
+    - Navigate to the **Configuration** tab.
+    - Click on **Edit** in the **Cluster policy** section.
+    - Include `arn:aws:iam::072088201116:root` in the **IAM policy**. Example:
+        ```json
+        {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "AWS": [
+                            "arn:aws:iam::072088201116:root"
+                        ]
+                    },
+                    "Action": [
+                        "kafka-cluster:Connect",
+                        "kafka-cluster:DescribeCluster",
+                        "kafka-cluster:ListClusters"
+                    ]
+                }
+            ]
+        }
+        ```
+
+## Creating reverse private endpoint {#creating-reverse-private-endpoint}
+
+Follow reverse private endpoint creation steps in the [ClickPipes documentation](/integrations/clickpipes/aws-privatelink#creating-clickpipe).

static/knowledgebase_toc.json

@@ -1133,6 +1133,20 @@
             "ClickPipes"
         ]
     },
+    {
+        "title": "AWS PrivateLink setup to expose MSK for ClickPipes",
+        "description": "Setup steps to expose a private MSK via MSK multi-VPC connectivity to ClickPipes.",
+        "date": "2025-4-15",
+        "tags": [
+            "Security and Authentication",
+            "Managing Cloud"
+        ],
+        "keywords": [
+            "AWS PrivateLink",
+            "MSK",
+            "ClickPipes"
+        ]
+    },
     {
         "title": "How to use the exchange command to switch tables",
         "description": "How to use the exchange command to switch tables",
@@ -1262,4 +1276,4 @@
             "system.custom_metrics"
         ]
     }
-]
+]