Taming of the Queue | Cisco Tech Blog

Constructing Dynamic Knowledge Pipes Utilizing AWS DocumentDB, MSK and Lambda


There are lots of knowledge pushed functions that require on-line processing of knowledge in addition to storing the uncooked knowledge. Some examples embrace suggestion engines, IoT processors, event-driven companies and extra. In case you’ve ever wanted to construct some type of knowledge processing pipeline or workflow, you’re in all probability aware of the challenges of dealing with a number of knowledge varieties whereas accounting for the potential for new knowledge varieties coming in through the lifetime of your system.

On this article I’ll focus on an answer I got here up with for a current undertaking utilizing AWS DocumentDB, MSK and Lambda features, and can present directions for deploying a easy pipeline together with helpful Go code snippets.

The Design

When constructing a knowledge processing pipeline, one usually wants two parts: knowledge transmission and processing blocks. Processing blocks are manipulations utilized to the incoming knowledge in a given sequence which will change relying on the kind of knowledge, whereas the info transmission is the means by which knowledge is moved between the varied processing blocks. You possibly can consider this as a manufacturing line the place the conveyor belt strikes the merchandise of their varied levels between the varied stations till the ultimate product comes out the top of the road. The conveyor belt is our knowledge transmission, and the stations are the processing blocks.

As a rule, you additionally need a technique of storage for the uncooked knowledge since you by no means know what it’s possible you’ll need to do with it afterward, or if some error would power you to run your knowledge by way of the pipeline once more.

My design necessities have been easy:

  1. Construct a completely managed system
  2. Make a copy of all of the uncooked knowledge
  3. Course of knowledge in close to real-time and in low-latency
  4. Account for the potential for new knowledge varieties coming in over time with out requiring system downtime

After trying into a number of choices, I settled on the next design for my pipeline:


Structure Diagram

Allow us to begin by going over the constructing blocks we are going to use to grasp what they’re and the way we are able to use them:

AWS DocumentDB is Amazon’s managed MongoDB service primarily based on MongoDB 3.6 or 4.0. As such, it may well retailer, question and index JSON and BSON knowledge. MongoDB is a source-available NoSQL JSON database that makes use of JavaScript as the idea for its question language thus permitting you to additionally run JavaScript features server-side. Inside a MongoDB deployment, one can outline a number of DBs with a number of collections in each. One helpful function launched in Mongo 3.6 are Change Streams. Change Streams enable functions to entry real-time knowledge adjustments by registering for occasions on particular collections. The occasion notifications may be configured to incorporate the deltas or full paperwork and seize “insert”, “change” and “delete” occasions.

AWS MSK (Managed Streaming for Apache Kafka) is Amazon’s managed Kafka service. Apache Kafka is a extensively used open-source distributed occasion retailer and stream-processing platform. Kafka is designed for high-throughput low-latency real-time knowledge processing. With Kafka you’ll be able to outline “subjects” to which you’ll publish key/worth messages. A number of publishers can publish to a subject and a number of customers can eat it. Kafka subjects are managed utilizing a ZooKeeper cluster whereas publishing and consuming is completed by way of Kafka brokers.

AWS Lambda is a serverless, event-driven compute service that allows you to run code in response to varied occasions and triggers whereas mechanically managing the underlying compute sources required by your code. Lambda helps many programming languages together with Node.js, Python, Java, Ruby, C# and Go. A really helpful function of Lambda is the flexibility to set off features on Kafka subjects, which makes it ultimate for utilization as a part of a knowledge processing pipeline.

AWS VPC is a strategy to create Digital Personal Networks inside AWS. This lets you include companies in a safer atmosphere and offers you complete management over who and what has entry to the community and the sources inside.

AWS EC2 is Amazon’s Elastic Compute Cloud the place you’ll be able to deploy digital or bodily cases (computer systems) and handle their safety and networking properties.

AWS S3 is a Easy Storage Service. With the S3 object storage you’ll be able to create buckets after which retailer information and folders inside them. S3 offers you full entry management and safety.

AWS IAM is Amazon’s Id and Entry Administration system. IAM permits you to handle customers, roles, and insurance policies so you’ll be able to obtain high-quality grained entry management over your sources and grant entry to different customers and AWS accounts in a safe manner.

AWS CloudWatch is Amazon’s observability platform the place you’ll be able to combination logs from AWS companies and simply filter and search by way of them.

Placing Issues Collectively

The concept is that DocumentDB is used because the entry level into the pipeline whereas MSK acts as the info transmission. Every path between processing blocks is applied utilizing a Kafka matter. One processing block publishes its output to the subject whereas the following block in line consumes the subject to get its enter. The primary processing block will act as a “router” that analyses the brand new knowledge and decides what sort it’s. It the printed the info to a devoted matter for that knowledge sort so the correct processing blocks can be utilized on that knowledge.

I begin by inserting a brand new piece of uncooked knowledge into DocumentDB. Subsequent, I exploit an MSK connector to register to a change stream for my DocumentDB assortment and push the newly inserted paperwork into an preliminary MSK matter, which is the enter to the “router”. Then, I configure a Lambda-based “router” operate to eat the preliminary MSK matter, analyze the messages and publish each to a devoted MSK matter. Lastly, for every data-type devoted matter, I’d have a particular Lambda operate that is aware of the best way to course of that knowledge. I can then proceed constructing extra processing components on the pipeline as required.

As soon as all of the items are in place, all I’ve to do to run new knowledge by way of the pipeline is just insert it into my DocumentDB assortment. From that time on, every thing occurs mechanically. Furthermore, through the use of the mix of Kafka subjects and Lambda features, I can dynamically create subjects for brand new forms of knowledge messages after which outline handlers to course of them. The messages would wait within the matter till I construct a processor that may deal with them, and as quickly as I deploy the brand new processor, it may well begin processing the messages, which suggests messages are by no means misplaced. This design additionally permits me to dynamically change the structure of my processing pipeline over time.

As a way to configure DocumentDB and MSK, I make use of a bastion occasion that I deploy on EC2. This occasion permits me to hook up with my VPC utilizing a safe SSH connection in addition to use port forwarding to present my native atmosphere entry to the VPC.

I exploit an S3 bucket to retailer the Kafka connector bundle in addition to my Lambda features’ code bundle. As well as, I exploit IAM to create the required execution roles for the Kafka connector and the Lambda features.

Lastly, I exploit CloudWatch to realize visibility to what the Lambda features are doing by funneling the Lambda logs into CloudWatch log teams.

Allow us to now go over every of the parts and see the best way to provision and/or deploy them.

VPC Gateway

DocumentDB in addition to MSK are each deployed solely in a VPC. Thus, with a view to hook up with them out of your native machine for improvement, testing and debugging, you could create a gateway into your VPC. We’ll use the default VPC, however any VPC can be utilized as a substitute. Please check with the AWS documentation for info on the best way to create a brand new VPC in case the default one isn’t acceptable.

We begin by creating an EC2 occasion that we are going to use as our gateway. Merely launch a brand new EC2 occasion within the default VPC and select Ubuntu 20.04 because the OS picture (there is no such thing as a assist for the mongo CLI in Ubuntu 22.04 on the time of writing this text):


Launch New EC2 Occasion

Subsequent, create an SSH key-pair you’ll use to entry the brand new occasion out of your native machine. Click on on “Create new key pair” to create a brand new key pair and obtain the general public key, or select an current one:


New EC2 Occasion SSH Key Pair

Subsequent, we have a look at the “Community Settings” part. Ensure you choose the VPC you want to use and the safety group:


New EC2 Occasion Community Settings

Lastly, launch your new occasion. As soon as your occasion is up, you’ll be able to SSH into the brand new occasion:


SSH Into the New Occasion


Now that now we have a VPC, we are able to begin trying into deploying DocumentDB

TamingQueue7Structure — DocumentDB

Begin by going into the Amazon DocumentDB dashboard and click on on “Create Cluster”. Give your cluster a reputation, make certain the chosen engine model (MongoDB model) is “4.0.0” and choose the specified occasion class.

The connectors we are going to use to let MSK register to the DocumentDB change stream require that the MongoDB deployment be a part of a replica-set so make certain the variety of cases is larger than 1:


DocumentDB — Launch New Occasion

Subsequent, below the authentication part, fill within the admin username and password you want to use in your cluster.

Now, click on on the “Present superior settings” toggle on the backside to open the community settings and be sure that the chosen VPC is similar because the one during which you deployed your EC2 occasion:


DocumentDB — New Occasion Community Settings

Tweak every other settings after which click on on the “Create cluster” button on the backside to launch the brand new cluster. The method takes a couple of minutes after which you will note the next or related in line with your decisions:


AWS Doc DB Cluster

To check our new cluster, we have to set up the mongo shopper in our EC2 gateway occasion. Comply with these directions to take action: https://www.mongodb.com/docs/mongodb-shell/set up/

Subsequent, go into the cluster particulars within the AWS console and observe the instruction to obtain the CA certificates to your EC2 occasion after which run the newly put in mongo shopper to hook up with your new cluster:


Connecting to DocumentDB utilizing mongo shell

If the connection fails, it’s possible you’ll must handle the DocumentDB cluster’s safety group to permit entry to your EC2 occasion’s safety group. To take action, go into the cluster’s particulars and scroll right down to the “Safety Teams” part:


AWS Safety Teams

Choose the safety group after which go into the “Inbound guidelines” tab:


AWS Safety Group Inbound Guidelines

Click on on the “Edit inbound guidelines” button to edit the inbound guidelines after which add a rule that permits the site visitors sort you want (if you could specify a port, use 27017) from a “Customized” supply. Within the search field, seek for and choose the safety group you used for the EC2 occasion:


Including Inbound Rule to AWS Safety Group

Lastly, save the principles. You must now have entry out of your occasion to DocumentDB.

To make improvement and debugging simpler, it’s possible you’ll need to use a software comparable to Robo 3T,that allows you to entry MongoDB utilizing a pleasant GUI that’s intuitive and straightforward to make use of and that allows you to view and handle knowledge conveniently. You have to to ahead port 27017 out of your native machine to DocumentDB by way of the EC2 occasion utilizing SSH:


SSH to the Gateway with Port Forwarding to DocumentDB

Now you’ll be able to configure your native Robo 3T or mongo shopper to entry port 27017 in your native machine:


Robo 3T — New Connection

For Robo 3T, make certain to permit invalid hostnames as a result of your native hostname is completely different than the one within the CA certificates:


Robo 3T — setting CA Certificates

Now, we are able to create a brand new Database referred to as “pipeline” and in it a set referred to as “consumption”. We additionally create a brand new consumer referred to as “puser” that has learn permissions for the “pipeline” database:


Robo 3T — After Creating A Assortment and A Person

The very last thing we have to do is allow change streams on our new assortment. To try this we have to hook up with DocumentDB as we did above after which run the next command:

db.adminCommand({modifyChangeStreams: 1,
                 database: "pipeline",
                 assortment: "consumption", 
                 allow: true});

In case you are utilizing Robo 3T as I do, proper click on on the “pipeline” database within the tree on the left after which choose “Open Shell”. Now you’ll be able to enter the above command and use CTRL+ENTER to execute it.


Now that now we have DocumentDB arrange, we are able to transfer on to MSK.


Structure — MSK

We might be deploying our MSK cluster utilizing the “Fast create” possibility. For this little demo we are going to use the “kafka.t3.small” taste and allocate solely 1GB of house. If you could change the community settings to decide on a unique VPC, zones and subnets, you’ll have to swap from “Fast create” to “Customized create”.

In any case, be sure that your MSK cluster is in the identical VPC and subnets because the gateway EC2 occasion. In any other case, you would need to begin configuring routing between the VPC or subnets, which we are going to NOT cowl on this article.

When carried out, click on on the “Create cluster” button and wait till your cluster is up:


MSK Cluster

To check our cluster, we have to get the brokers’ addresses. Click on on the cluster, choose the “properties” tab and scroll right down to the “Brokers” part. There, you’ll discover an inventory of the brokers which were deployed as a part of the cluster:


MSK Cluster Brokers

Managing a Kafka cluster is completed utilizing the Kafka CLI instruments. The CLI instruments require the Java runtime as Kafka is written in Scala which runs on a JVM (Java Digital Machine). We’re utilizing openjdk-8-jre. Now, obtain the Kafka bundle from https://kafka.apache.org/downloads to the EC2 occasion and extract it. For this doc, we’re utilizing Kafka 2.13–3.1.0 .

Subsequent, use the “kafka-topics” command to get the listing of current subjects. You should present a bootstrap server, which may be any of the brokers within the cluster (we use the primary one):


Checklist Kafka Subjects

Please be aware that port 9092 does NOT use TLS. In case you want to use a safe TLS connection, it is best to observe these steps:

  1. Create a shopper profile:
  2. Create the preliminary belief retailer:

Notice that the situation of the “cacerts” file will change in line with the JRE you put in in your machine.

  1. Lastly run the command as follows:

Now that now we have our MSK cluster deployed and accessible, we are able to create our preliminary matter:


Allow us to publish a take a look at message to our new matter:


We will see that our new message was, certainly, printed and may be consumed as effectively.

However how can we filter a subject? There is no such thing as a strategy to immediately delete messages from a subject. As a substitute, now we have to alter the retention coverage and look ahead to Kafka to delete all of the expired messages for us earlier than we are able to restore our unique retention coverage.

First, we get the present settings and see that there is no such thing as a coverage set:


Thus, the default coverage applies which is 7 days (https://docs.confluent.io/platform/present/set up/configuration/topic-configs.html). We now change that coverage to at least one second:


It takes a short time for the brand new coverage to take impact, however as soon as it does, we are able to run our client and see that there’s nothing within the matter:


Lastly, we are able to restore the default coverage:



If order to create a Kafka MongoDB connector and to make reusing Lambda code simpler, we have to create an S3 bucket the place the code packages can be saved.

To try this, begin by going to the S3 dashboard and create a brand new bucket by clicking the “Create bucket” button. Fill within the identify in your new bucket, choose the requested area after which scroll down and click on on the “Create bucket” button. We maintain all of the default choices for now, however you’ll be able to play with them later should you want to change something.

IAM Execution Position

Our subsequent problem is tying DocumentDB to Kafka in order that inserting new paperwork into DocumentDB would mechanically put notifications with the total doc knowledge right into a given Kafka matter. For this we’re going to use a Kafka connector that can register for a Mongo change stream for our assortment after which publish the brand new paperwork to the chosen Kafka matter.

We’ll begin by creating an IAM execution function for our new connector. Notice, that when making a connector, AWS offers you the choice to create an execution function. Nevertheless, it seems that because of some adjustments made by AWS to how execution roles work, utilizing this feature ends in a Service Linked function that’s not usable by MSK Join. AWS is conscious of this difficulty however has not fastened it as of the date of writing this text. So, we have to create our personal function manually…

Go to the IAM console, choose the “Roles” part on the left after which click on on “Create function” on the highest proper:


IAM — Create New Position

Subsequent, choose the “AWS account” possibility after which click on on “Subsequent”. At this level you’ll be able to choose a coverage to make use of. None of those insurance policies are good for us so simply click on on “Subsequent” once more. Now give your function a reputation and outline after which scroll to the underside and click on on “Create function”.

Now that now we have a job, we have to configure the correct permissions so discover your function within the listing of roles and click on on it. Underneath the “Permissions” tab click on on the “Add permissions” button to open the drop-down menu and choose “Create inline coverage”:


IAM — Making a New Coverage For MSK Join

We’d now wish to manually enter a coverage so choose the “JSON” tab after which exchange the present empty coverage with the next one:

	"Model": "2012-10-17",
	"Assertion": [{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "ec2:CreateNetworkInterface",
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"StringEquals": {
					"aws:RequestTag/AmazonMSKConnectManaged": "true"
				"ForAllValues:StringEquals": {
					"aws:TagKeys": "AmazonMSKConnectManaged"
			"Sid": "VisualEditor1",
			"Effect": "Allow",
			"Action": "ec2:CreateTags",
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": "CreateNetworkInterface"
			"Sid": "VisualEditor2",
			"Effect": "Allow",
			"Action": [
			"Useful resource": "arn:aws:ec2:*:*:network-interface/*",
			"Situation": {
				"StringEquals": {
					"ec2:ResourceTag/AmazonMSKConnectManaged": "true"
			"Sid": "VisualEditor3",
			"Impact": "Enable",
			"Motion": "ec2:CreateNetworkInterface",
			"Useful resource": [
			"Sid": "VisualEditor4",
			"Impact": "Enable",
			"Motion": "sts:*",
			"Useful resource": "*"
			"Sid": "VisualEditor5",
			"Impact": "Enable",
			"Motion": "ec2:DescribeNetworkInterfaces",
			"Useful resource": "arn:aws:ec2:*:*:network-interface/*",
			"Situation": {
				"StringEquals": {
					"ec2:ResourceTag/AmazonMSKConnectManaged": "true"

Now click on on “Evaluation coverage” after which give your new coverage a reputation:


IAM — Evaluation Coverage

Notice that this coverage grants many permissions. We do that for simplicity, however it’s possible you’ll need to experiment and restrict the permissions you grant for higher safety.

Lastly, click on on the “Create coverage” button on the backside. You’ll now have the ability to see your new coverage listed in your function:


IAM — New Inline Coverage

Subsequent, we have to add the correct belief coverage so click on on the “Belief relationships” tab after which on “Edit belief coverage”. Within the editor that opened, exchange all of the textual content with the next:

	"Model": "2012-10-17",
	"Assertion": [{
		"Effect": "Allow",
		"Principal": {
			"Service": "kafkaconnect.amazonaws.com"
		"Action": "sts:AssumeRole"

Lastly, click on on “Replace coverage” to finalize the brand new function.


As a way to maintain monitor of what’s going on with our connector and Lambda features, we’d like a spot to maintain our logs. We’ll use CloudWatch and so we have to create a log group.

Go to the CloudWatch dashboard, choose “Logs” on the left after which “Log teams”. Click on on “Create log group” on the suitable, give your log group a reputation and a retention setting, after which click on on “Create” on the underside and you’re carried out.

That was easy!

MSK Safety Group

One other factor to sort out earlier than we are able to create a Kafka connector is configuring our safety group to permit inner communications.

Go to your MSK cluster’s configurations, click on on the “Properties” tab, after which click on on the safety group that’s utilized. In case you adopted this text, it is best to solely have a single safety group utilized.

When you get to the EC2 dashboard and to the safety group settings, you could click on on the “Edit inbound guidelines” button so as to add the required rule.

Now, click on on the “Add rule” button on the underside left, choose “All site visitors” for the rule sort after which discover your safety group within the customized “Supply” search field. Be sure to pick out the identical safety group because the one you’re presently modifying. Notice that the identify of the safety group seems within the navigation bar on the highest left of the web page.

Lastly, click on on “Save guidelines” and you ought to be set.

MSK and DocumentDB Safety

Now I need to level out a slight downside with the DocumentDB connection. We used the default DocumentDB configurations that allows TLS. Which means that with a view to hook up with DocumentDB, we would have liked to produce the shopper with the CA file we downloaded from the DocumentDB dashboard. Nevertheless, since MSK is a managed service, now we have no manner of putting in these certificates within the new plugin. Moreover, whereas there’s a strategy to specify the CA file throughout the MongoDB URI, the present MongoDB driver used inside each the Confluent and Debezium connectors merely ignores this feature and/or the CA file if we attempt to embrace it within the JAR file or in a ZIP file that holds each. If any readers are conscious of a manner to do that, please let me know so I can replace this doc. The one different possibility can be to implement our personal connector that will include the certificates and use them with out counting on exterior information or certificates registries, however that is out of scope for this text.

Thus, we first want to show off TLS in our DocumentDB. For this, return to the DocumentDB dashboard, choose “Parameter teams” from the left facet menu after which click on on the “Create” button on the suitable.


DocumentDB — Making a New Parameter Group

Fill in a reputation for the brand new parameter group, add an outline and click on on “Create”.

Subsequent, click on on the brand new group from the listing, then choose “tls” from the brand new listing that opens, click on on the “Edit” button on the highest proper of the display:


DocumentDB — Modify the “tls” Parameter

Set the choice to “disabled” and click on on “Modify cluster parameter”.

Now, click on on “Clusters” from the left facet menu after which click on in your cluster. Go to the “Configuration” tab and click on on the “Modify” button inside that tab:


DocumentDB — Modify Cluster Choices

Underneath the “Cluster choices” part, choose the brand new parameter group that we simply created after which scroll down, click on on the “Proceed” button and at last click on on the “Modify cluster” button. This can modify the settings and take you again to the cluster listing.

Nevertheless, the brand new settings is not going to take impact till you reboot the cluster. In case you click on on the cluster once more, you will note that the abstract part signifies “pending-reboot”:


DocumentDB — Cluster Pending Reboot

Return to the cluster listing, choose the cluster by clicking on the checkbox subsequent to it, then click on on the “Actions” button to open the menu and choose “Reboot”. The cluster will now reboot and in a couple of minutes might be prepared for work.

Kafka MongoDB Connector


Structure — Kafka MongoDB Supply Connector

There are two choices we are able to use, the Confluence connector and the Debezium connector. Each are Java primarily based however the Confluence connector is simpler to make use of so we are going to concentrate on that one and point out the variations within the Debezium connector briefly.

Do NOT go to https://www.confluent.io/hub/mongodb/kafka-connect-mongodb/ to obtain the connector from there. Though we ARE going to make use of this connector, the model you’ll discover there may be designed particularly for the confluence cloud and so lacking some dependencies required by MSK which are offered by the Confluence cloud.

As a substitute, go to the Maven repo at https://search.maven.org/search?q=a:mongo-kafka-connect, click on on the “Obtain” icon on the suitable and choose “all”. This can obtain a JAR file that features all of the required dependencies. Add this JAR file to your S3 bucket.

In MSK, you first must create a plugin, after which a connector which is an occasion of the plugin. In our case, MSK doesn’t have a built-in MongoDB plugin and so we have to create a customized plugin. Thankfully for us, MSK can wrap the method of making each plugin and connector right into a single sequence.

Go to the MSK dashboard, choose “Connectors” from the left facet menu after which click on on the “Create connector” button. You possibly can see that MSK takes you to the “Customized plugin” display to first create the brand new customized plugin. Choose the “Create customized plugin” possibility, after which click on on the “Browse S3” button to seek out your S3 bucket and choose the JAR you simply uploaded. Subsequent, give your plugin a reputation and add an outline, after which click on on “Subsequent” to start out creating the connector.


MSK — Create a Customized Plugin

To create a connector, begin by selecting a reputation and add an outline. Then select you MSK cluster from the “Apache Kafka Cluster” listing and the “None” authentication technique as our plugin doesn’t assist the IAM authentication.


MSK — Create a New Connector

Now we have to configure our connector. You could find detailed configuration info within the MongoDB connectors documentation web site and extra details about MongoDB and alter stream settings within the MongoDB documentation.

We need to monitor the “consumption” assortment within the “pipeline” database and publish new paperwork to the pipeline.consumption.inserts matter. We additionally need to ballot the change stream each second (this may be excessive so take into account lowering the polling frequency in line with your software) and get the ends in JSON format. The next configurations specify these decisions:

pipeline=[{"$match": {"operationType": "insert"}}]

Notice that for <YOUR_CONNECTOR_NAME> you need to use the very same identify you selected in your connector. Additionally make certain to make use of your precise password as a substitute of <YOUR_PASSWORD> within the URI.

We depart the remainder of the settings within the web page on the defaults, however you’ll be able to try to change them in line with your wants. We have to give our connector entry permissions utilizing an AWS IAM function, so we select the IAM execution function we created earlier than after which click on on the “Subsequent” button.

The following part offers with safety and the defaults listed here are good for us, so we contact nothing and easily click on on the “Subsequent” button once more.

Now we have to select the place to ship logging info. We beforehand created a CloudWatch log group and now’s the time to make use of it. So, select “Ship to Amazon CloudWatch Logs” after which choose the log group utilizing the “Browse” button.


MSK — Sending Connector Logs to AWS CloudWatch

Click on “Subsequent” yet one more time to get to the “Evaluation and create” display. This display exhibits you a abstract of your decisions and configurations and offers you the flexibility to edit belongings you missed. After ensuring every thing is accurately, click on the “Create connector” button to complete the method. Your new connector will now be created. This course of can take a couple of minutes.

You possibly can go to the CloudWatch console and choose your log group to look at for progress. First you will note a brand new log stream titled “log_stream_created_by_aws_to_validate_log_delivery_subscriptions” showing to point that the connector has permissions to log to CloudWatch. In case you by no means see this, you could return and verify the execution function settings to be sure to bought them proper.

After a few extra minutes, it is best to see a log stream titled one thing like “medium-connector-33190fb9-ae60–471b-8a8f-412186b023ce-3”. In case you click on on this log stream it is possible for you to to see all of the output out of your new connector because it initializes. In case you see any errors throughout initialization, which can be within the type of Java exceptions and stack traces, you in all probability missed a number of the steps above so return and be sure to configured every thing appropriately. Notice that you would be able to NOT modify an current connector so that you would wish to delete it as soon as it reaches a “failed” state and create a brand new one as a substitute.

If every thing works and the connector was in a position to hook up with DocumentDB and initialize the change stream, you will note messages like these showing:


MSK COnnector Logs in CloudWatch

Your plugin is now prepared for work!

We will run the CLI Kafka client as earlier than after which use our MongoDB shopper to insert some paperwork:


Inserting New Paperwork to DocumentDB utilizing Robo 3T

The buyer will then present us that the connector picked up the paperwork and printed them to our chosen matter:


Kafka CLI Client Displaying the New Paperwork within the Matter

The connector is working as anticipated!

As for the Debezium connector, the documentation and obtain hyperlink may be discovered right here. As soon as downloaded, extract the archive, and add the JAR to S3 so it may be utilized in MSK as with the Confluence connector.

The configurations are a bit completely different for the Debezium connector:


In contrast to the Confluence connector, the Debezium one doesn’t allow you to set a suffix for the subject identify however fairly makes use of the “mongodb.identify” logical identify as a prefix. Thus, we can not use a subject like pipeline.consumption.inserts. These configs will truly trigger the connector to try to publish to a subject named inserts.pipeline.consumption so make certain to call your matter appropriately should you want to use this connector. In any other case testing ought to be carried out in the identical manner as earlier than.


That is the place we begin constructing our precise processing pipeline/graph. We have to create a brand new Lambda operate and set an MSK primarily based set off for it.


Begin by going to the Lambda dashboard and click on on the “Create operate” button on the highest proper. Be sure to decide on “Writer from scratch” and fill in a reputation in your operate. We’re going to use Go code so choose “Go 1.x” from the “Runtime” listing.


Lambda — Create a New Perform

Subsequent, broaden the “Change default execution function” part, choose “Create a brand new function from AWS coverage templates” and provides the function a reputation. This can create a brand new “service-role” for use because the execution function for the Lambda operate. As soon as created, we might want to tweak the permissions.

Increase the “Superior settings” part and tick the “Allow VPC” field. We’d like our Lambda operate to have entry to the MSK cluster so the set off can learn from a subject and so we are able to publish to the following matter in line. Select your VPC from the listing, ALL the subnets the place the MSK brokers are deployed and at last the safety group as we outlined beforehand:


Lambda — Perform VPC Settings

Create the operate by clicking on “Create operate”.

As soon as the operate is created, click on on it after which go to the “Configuration” tab and choose “Permissions” from the left menu:


Lambda — Execution Position

This exhibits you the execution function created for you, and you’ll browse the listing of permissions it offers your Lambda operate. Click on on the function to open it within the IAM dashboard, take away the present coverage after which create a brand new one which has the next permissions:

    "Model": "2012-10-17",
    "Assertion": [
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:<REGION>:<ACCOUNT_ID>:*"
            "Effect": "Allow",
            "Action": [
            "Useful resource": [
            "Impact": "Enable",
            "Motion": [
            "Useful resource": "*"

Notice to interchange the <REGION> along with your chosen area and <ACCOUNT_ID> along with your AWS account ID.

Return to the Lambda operate’s configurations, click on on the “Monitor” tab after which click on on “View logs in CloudWatch”. This could take you to the log group that was created for you Lambda features. If, for some purpose, this group was not mechanically created, you’re going to get an error message like this one:


CloudWatch — Log Group Lacking Error

You have to to manually create the log group. To do that, be aware the group’s required identify within the error message, which on this case is /aws/lambda/medium-pipline-router. Now click on on “Log teams” from the navigation bar below the error message or by increasing the left sidebar and clicking on “Log teams” there.


CloudWatch — Displaying Log Teams

Now click on on “Create log group”, fill within the required identify after which click on on the “Create” button:


CloudEWatch — Making a New Log Group

VPC Revisited

One other factor we have to maintain at this level is ensuring now we have community connectivity to some required AWS companies for our set off. Relying in your VPC of alternative, it’s possible you’ll not have connectivity to the STS, Lambda and/or Secrets and techniques Supervisor companies. We will repair this by including VPC endpoints for every of those to our VPC. In case you get an error message about this when organising the MSK set off for the Lambda operate, observe these directions:

Go to the VPC dashboard and choose “Endpoints” from the left facet menu. Then click on on “Create Endpoint” on the highest proper. Fill in a descriptive identify in your endpoint after which search and choose the com.amazonaws.<REGION>.sts service from the “Providers” listing. Bear in mind to interchange <REGION> along with your area.

Now choose your VPC from the VPC listing, choose ALL the subnets the place MSK brokers are deployed, and for every, Choose the subnet ID from the combobox. Choose the “IPv4” IP tackle sort after which choose the safety group we arrange for our VPC:


Creating VPC Endpoints

Depart the remaining as is and click on on “Create Endpoint” on the backside. Repeat the method for the lambda and secretsmanager companies as effectively.

Lambda Router

Now that you’ve got a Lambda operate, we are able to write code for it and configure a set off. Right here is an instance Go code that can maintain every thing our Lambda’s will do:

bundle predominant

import (
	b64 "encoding/base64"

	runtime "github.com/aws/aws-lambda-go/lambda"

const (
	// kafkaBrokersEnvVar is the subject to publish to when calling PublishToKafka
	kafkaTopicEnvVar = "KAFKATOPIC"

	// kafkaBrokersEnvVar is a comma-separated listing of TLS supporting Kafka brokers to make use of
	kafkaBrokersEnvVar = "KAFKABROKERS"

	// An atmosphere varilable to point the function of the node in throughout the pipeline
	nodeRoleEnvVar = "NODE_ROLE"

	// The router function
	nodeRoleRouter = "ROUTER"

	// The employee function
	nodeRoleWorker = "WORKER"

	// The tester function
	nodeRoleTester = "TESTER"

// IsTerminator checks is each the subject and brokers are set
func (m *MediumPipeline) IsTerminator() bool 

// PublishToKafka publishes the given knowledge to the subject and brokers set utilizing the atmosphere variables
func (m *MediumPipeline) PublishToKafka(ctx context.Context, knowledge interface{}) error {
	return m.PublishToKafkaTopic(ctx, m.subjects, knowledge)

// PublishToKafkaTopic publishes the given knowledge to the given matter (overriding the KAFKATOPIC atmosphere variable if given)
func (m *MediumPipeline) PublishToKafkaTopic(ctx context.Context, subjects []string, knowledge interface{}) error {

	if subjects == nil || m.brokers == nil {
		return fmt.Errorf("kafka matter or brokers not set")

	// prep the message knowledge
	bytes, err := json.Marshal(knowledge)
	if err != nil {
		log.Println("Error changing knowledge right into a JSON: " + err.Error())
		return err

	dialer := &kafka.Dialer{
		Timeout:   10 * time.Second,
		DualStack: true,
		TLS:       &tls.Config{},

	w := kafka.NewWriter(kafka.WriterConfig{
		Brokers:  m.brokers,
		Matter:    "",
		Balancer: &kafka.Hash{},
		Dialer:   dialer,

	for matter := vary subjects {

		err = w.WriteMessages(ctx, kafka.Message{
			Matter: subjects[topic],
			Key:   nil,
			Worth: bytes,
		if err != nil {
			log.Printf("Error writing message(s) to matter '%s': %s", subjects[topic],

		// log a affirmation as soon as the message is written
		fmt.Println("Printed to kafka matter: " + subjects[topic])


	return nil

// handlerFunc is the kind of an user-supplied occasion handler
sort handlerFunc func(pipeline *MediumPipeline, knowledge interface{}) error

// MediumPipeline is a Medium Pipeline object
sort MediumPipeline struct {
	handler  handlerFunc
	datatype interface{}
	subjects   []string
	brokers  []string

// NewPipeline creates a brand new Medium Pipeline object with the given handler and datatype
func NewPipeline(handler handlerFunc, datatype interface{}) *MediumPipeline {
	occasion := &MediumPipeline{
		handler:  handler,
		datatype: datatype,

	if env := os.Getenv(kafkaTopicEnvVar); env != "" {
		occasion.subjects = strings.Cut up(env, ",")
	if env := os.Getenv(kafkaBrokersEnvVar); env != "" {
		occasion.brokers = strings.Cut up(env, ",")

	return occasion

// Begin runs the pipeline operate
func (m *MediumPipeline) Begin() {

// getRequest returns the encapsulated request within the consumer given datatype
func (m *MediumPipeline) getRequest(document *occasions.KafkaRecord) (interface{}, error) {

	// decode the worth
	worth, err := b64.StdEncoding.DecodeString(document.Worth)
	if err != nil {
		return nil, err

	// convert to a map
	// Get a mirrored image of the given object so we are able to extract its sort
	val := mirror.ValueOf(m.datatype)

	// create new occasion of given sort
	doc := mirror.New(val.Kind()).Interface()

	err = json.Unmarshal(worth, &doc)
	if err != nil {
		return nil, err

	return doc, nil

// handleRequest is the inner handler that's truly run by the Lambda mechanism
func (m *MediumPipeline) handleRequest(ctx context.Context, occasion occasions.KafkaEvent) error {

	// begin by parsing the incoming occasion
	eventstr, err := json.Marshal(occasion)
	if err != nil {
		log.Printf("Error parsing incoming occasion: %sn", err.Error())
		return err

	log.Printf("EVENT:npercentsn", eventstr)

	// atmosphere variables
	log.Printf("REGION: %s", os.Getenv("AWS_REGION"))
	log.Println("ALL ENV VARS:")
	for _, aspect := vary os.Environ() {
	// request context
	lc, _ := lambdacontext.FromContext(ctx)
	log.Printf("REQUEST ID: %s", lc.AwsRequestID)

	// world variable
	log.Printf("FUNCTION NAME: %s", lambdacontext.FunctionName)

	// context technique
	deadline, _ := ctx.Deadline()

	log.Printf("DEADLINE: %s", deadline)

	for okay, s := vary occasion.Information {
		log.Printf("Processing recordset '%s'", okay)

		for _, v := vary s {
			request, err := m.getRequest(&v)

			if err != nil {
				log.Printf("Acquired error: %s", err.Error())

			if err = m.handler(m, request); err != nil {
				return err


	return nil

sort MyRequest struct {
	Title  string `json:"identify"`
	Age   int    `json:"age"`
	Colour string `json:"coloration"`

func MediumWorkerHandler(pipeline *MediumPipeline, knowledge interface{}) error {
	request := knowledge.(*MyRequest)

	log.Printf("Hi there %s, you're %d years outdated and your coloration is %s!",
		request.Title, request.Age, request.Colour)

	if !pipeline.IsTerminator() {
		return pipeline.PublishToKafka(context.TODO(), knowledge)
	} else {
		return nil

func MediumRouterHandler(pipeline *MediumPipeline, knowledge interface{}) error {
	request := knowledge.(*MyRequest)

	log.Printf("Hi there %s, you're %d years outdated and your coloration is %s!",
		request.Title, request.Age, request.Colour)

	return pipeline.PublishToKafkaTopic(context.TODO(),
		[]string{"pipeline.sort." + request.Colour}, knowledge)

func MediumTestHandler(pipeline *MediumPipeline, knowledge interface{}) error {
	request := MyRequest{
		Title:  "Tester",
		Age:   100,
		Colour: "blue",

	log.Printf("Hi there %s, you're %d years outdated and your coloration is %s!",
		request.Title, request.Age, request.Colour)

	return pipeline.PublishToKafkaTopic(context.TODO(),
		[]string{"pipeline.sort." + request.Colour}, request)

func predominant() {
	var pipeline *MediumPipeline

	swap os.Getenv(nodeRoleEnvVar) {
	case nodeRoleRouter:
		pipeline = NewPipeline(MediumRouterHandler, MyRequest{})
	case nodeRoleWorker:
		pipeline = NewPipeline(MediumWorkerHandler, MyRequest{})
	case nodeRoleTester:
		pipeline = NewPipeline(MediumTestHandler, MyRequest{})
		MediumTestHandler(pipeline, nil)


As may be seen, this code encapsulates the Lambda Go SDK performance required to run the correct handler operate when the Lambda operate is activated. The handlers particularly count on a Kafka knowledge construction (that is being deserialized by the AWS Lambda SDK for us) and we then take the JSON objects contained inside and convert to our personal Go knowledge construction. Lastly, if specified utilizing the KAFKATOPIC and KAFKABROKERS atmosphere variables, we additionally publish to a Kafka matter.

This code accommodates handlers for each a router and a employee, and chooses the right one primarily based on the NODE_ROL Eenvironment variable.

Please be aware that whereas the Confluence MSK connector we used publishes the info to Kafka in JSON format, the Debezium connector makes use of the Rust Serde serialization as a substitute. The ensuing construction seems to be like this:

        "_id": {
            "$oid": "61c39e264f43cf91d9708d23"
        "identify": "Alice",
        "age": 30

This implies we might want to exchange the JSON deserialization code with one thing like serde-go, which we is not going to cowl on this article.

As a way to construct you code for Lambda, you could specify some Go construct parameters like this:

GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go construct -o medium-lambda-node

after which zip the ensuing binary. In case you which to simply reuse your code, it is strongly recommended to add the zip file to S3 at this level.

Now go to your Lambda operate’s settings and choose the “Code” tab. Click on on “Add from”, choose “.zip file”, click on “Add” within the dialog that popped up and choose your zip file. In case you uploaded to S3, choose “Amazon S3 location” as a substitute then paste the S3 hyperlink URL to your zip file.

Subsequent, below the “Runtime settings” part, click on the “Edit” button and enter your compiled binary’s filename within the “Handler” field:


Lambda — Importing Code to the operate

Click on on “Save” and provides your lambda a couple of minutes to load the brand new code.

Lambda MSK Set off

Subsequent, we are going to arrange the MSK set off. This set off will hook up with the MSK cluster, pay attention on our preliminary matter, after which set off the Lambda on new incoming messages.


You possibly can both click on on “+ Add Set off” from the “Perform overview” part, or go to the “Configuration” tab, choose the “Triggers” part on the left after which click on on “Add set off” on the suitable.

Within the new dialog, choose the “MSK” set off sort. This can open the set off’s settings. Choose the MSK cluster, set the specified batch dimension, your “Batch Window” (the max polling time in seconds for the subject) after which fill within the matter identify.

By default, the set off will deal with new incoming messages. If you’d like it to course of ALL the messages within the matter, choose “Trim horizon” from the “Beginning place” field. That is the specified motion for us as one in all our necessities was that we don’t need to lose messages so we are able to dynamically plug in parts into our pipeline to start out dealing with beforehand unknown message varieties.

On this article we’re not caring for Authentication. Nevertheless, there’s a high-quality level to notice right here. We created the MSK cluster with the default Authentication settings, which implies that each “Unauthenticated” and “IAM role-based authentication” are enabled. The set off will default to utilizing “IAM role-based authentication” for which we earlier added the “kafka-cluster” actions to our Lambda execution function’s coverage. If these permissions are lacking, you’re going to get a “SASL authentication failed” error message from the set off. We did NOT allow SASL authentication in our MSK cluster, so why are we getting this error? Effectively, it is because behind the scenes, AWS implements the “IAM role-based authentication” mechanism utilizing SASL.

As we’re not tackling authentication right here, simply go forward and click on the “Add” button to create the brand new set off:


Lambda — Creating an MSK Set off

Deploying the set off can take a couple of minutes, and as soon as deployed we are able to configure and take a look at our router.

Underneath the “Configuration” part, choose “Surroundings variables” on the left after which click on the “Edit” button and add the NODE_ROLE variable with ROUTER as the worth.

If we now add this new doc to our DocumentDB, will probably be printed to the pipeline.consumption.inserts matter by the MSK connector as we noticed earlier than. The set off will then choose it up and set off the Lambda. Our pattern code will output the knowledge learn within the message to CloudWatch so should you go to the log group we created above, you will note a brand new log entry showing and inside one thing like this:


Lambda — Profitable RunCloudWatch Output

As a way to finalize the router’s work, we need to display that it may well truly route messages to completely different subjects primarily based on their sort. The Lambda code will use the colour discipline as a sort for the message and can route the message to a Kafka matter named pipeline.sort.<COLOR>. So, create two new subjects: pipeline.sort.blue and pipeline.sort.inexperienced.

Subsequent, we should always inform our Lambda the place MSK is so it may well truly publish the messages to the varied subjects so return to the atmosphere variables and add a variable referred to as KAFKABROKERS and set its worth to be a comma-separated listing of the brokers in you MSK cluster. For instance


You might be aware that we’re utilizing port 9094 right here as our nodes are connecting to MSK securely utilizing TLS. This can inform our instance code to publish the info to the correct queue in MSK along with printing to the log.

Now, if we add a brand new doc with the identical message as earlier than, we will use the console client as we did earlier than to pay attention on the pipeline.sort.blue matter and we are going to see the message seem below that matter with a number of seconds from creation:


Kafka CLI Client

Our router picked up the brand new doc, decided that the message sort is blue and printed the info to the pipeline.sort.blue queue as desired.

Lambda Processor

The ultimate piece of the puzzle is the processor node, which is simply one other Lambda operate that makes use of the identical code as earlier than. Go forward and replicate the method we used for the router Lambda to create a brand new Lambda with an MSK set off listening on the pipeline.sort.blue matter. This time, set the NODE_ROLE atmosphere variable to WORKER so the employee handler operate is used.

Lastly, we are able to take a look at the total E2E mechanism by including a brand new doc as earlier than, and we are going to see a brand new log entry in CloudWatch for the brand new Lambda operate with the content material of the doc.

If we create one other doc with inexperienced as the colour, we are going to see the brand new message showing below the pipeline.sort.inexperienced matter, however no Lambda operate might be activated as we don’t have a set off listening on this matter. The messages will accumulate on this matter till we create a brand new Lambda operate able to processing “inexperienced” messages and add a set off for it that listens on the pipeline.sort.inexperienced matter.

Our pattern pipeline is now full!


On this article we demonstrated the best way to configure varied AWS parts (VPC, EC2, DocumentDB, S3, IAM, CloudWatch, MSK and Lambda) and tie them collectively to create an E2E processing pipeline that triggers mechanically when new paperwork are inserted into the DB. For this text, we selected the smallest accessible occasion sizes for the varied service so our EC2 occasion and our DocumentDB are operating free of charge whereas our Lambda features are solely billed when operating (i.e., when triggered by a brand new doc printed into the correct matter till they end processing it).

Our pipeline may be dynamically configured to accommodate any processing construction by creating Kafka subjects as edges in our graph and Lambda features as nodes with triggers for the particular Kafka subjects. Restructuring may be carried out whereas the system is operating with out dropping any knowledge.

We additionally lined varied CLI, shell and GUI instruments for working with MongoDB and Kafka in addition to remotely connecting to our sources by way of SSH port forwarding.

Hopefully, this doc supplies a great place to begin for anybody enthusiastic about constructing totally managed cloud-based processing pipelines utilizing AWS companies.


I want to thank Julia Valenti for her wonderful help in reviewing and modifying this text ❤️

Supply hyperlink

By admin

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *