docs: update Kafka connection examples for MATCHING broker rules

jubrad · claude · jubrad · commit df4288e0d284 · 2026-04-21T22:55:42.000-05:00
Updates user-facing documentation to show the new MATCHING broker rules
syntax for Kafka PrivateLink connections. Adds a PrivateLink tab to the
Confluent Cloud guide.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/doc/user/content/ingest-data/kafka/confluent-cloud.md b/doc/user/content/ingest-data/kafka/confluent-cloud.md
@@ -76,7 +76,7 @@ of the following steps:
 
     Otherwise, you can find more information about how to do that [here](https://docs.confluent.io/cloud/current/get-started/index.html#step-2-create-a-ak-topic).
 
-4. #### Create a source in Materialize
+4. #### Create a connection in Materialize
 
     a. Open the [Confluent Cloud dashboard](https://confluent.cloud/) and select your cluster.
 
@@ -87,39 +87,114 @@ of the following steps:
     d. Connect to Materialize using the [SQL Shell](/console/),
        or your preferred SQL client.
 
-    e. Run the following command. Replace `<confluent_cloud>` with whatever you
-    want to name your source. The broker URL is what you copied in step c of
-    this subsection. The `<topic-name>` is the name of the topic you created in
-    Step 4. The `<your-api-key>` and `<your-api-secret>` are from the _Create
-    an API Key_ step.
+    e. Create the connection. The exact steps depend on your networking
+    configuration, so start by selecting the relevant option.
+
+    {{< tabs >}}
+    {{< tab "Public cluster">}}
 
     ```mzsql
-      CREATE SECRET confluent_username AS '<your-api-key>';
-      CREATE SECRET confluent_password AS '<your-api-secret>';
+    CREATE SECRET confluent_username AS '<your-api-key>';
+    CREATE SECRET confluent_password AS '<your-api-secret>';
 
-      CREATE CONNECTION <confluent_cloud> TO KAFKA (
+    CREATE CONNECTION confluent_cloud TO KAFKA (
         BROKER '<confluent-broker-url>',
         SASL MECHANISMS = 'PLAIN',
         SASL USERNAME = SECRET confluent_username,
         SASL PASSWORD = SECRET confluent_password
-      );
+    );
+    ```
+
+    {{< /tab >}}
+
+    {{< tab "Use AWS PrivateLink (Cloud-only)" >}}
+
+    [AWS PrivateLink](https://aws.amazon.com/privatelink/) lets you connect
+    Materialize to your Confluent Cloud cluster without exposing traffic to the
+    public internet.
+
+    1. In the [Confluent Cloud console](https://confluent.cloud/), navigate to
+    your cluster's **Networking** settings and set up a PrivateLink endpoint.
+    Record the **VPC Endpoint Service Name** and the **DNS domain**.
+
+    1. In the Materialize [SQL shell](/console/), create a
+    [PrivateLink connection](/ingest-data/network-security/privatelink/) using
+    the service name from the previous step. Be sure to specify **all
+    availability zones** of your Confluent Cloud cluster.
+
+        ```mzsql
+        CREATE CONNECTION confluent_privatelink TO AWS PRIVATELINK (
+            SERVICE NAME 'com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc',
+            AVAILABILITY ZONES ('use1-az1', 'use1-az4', 'use1-az6')
+        );
+        ```
+
+    1. Retrieve the AWS principal for the PrivateLink connection:
+
+        ```mzsql
+        SELECT principal
+        FROM mz_aws_privatelink_connections plc
+        JOIN mz_connections c ON plc.id = c.id
+        WHERE c.name = 'confluent_privatelink';
+        ```
+
+    1. In the Confluent Cloud console, add the AWS principal to the PrivateLink
+    access list.
 
-      CREATE SOURCE <source-name>
+    1. In Materialize, validate the PrivateLink connection:
+
+        ```mzsql
+        VALIDATE CONNECTION confluent_privatelink;
+        ```
+
+        If no validation error is returned, move to the next step.
+
+    1. Create the Kafka connection. The static broker (used for bootstrapping)
+    does not need an `AVAILABILITY ZONE` — Materialize will find it across
+    availability zones. The `MATCHING` rules should specify `AVAILABILITY ZONE`
+    to route discovered brokers through their specific AZ endpoint.
+
+        ```mzsql
+        CREATE SECRET confluent_username AS '<your-api-key>';
+        CREATE SECRET confluent_password AS '<your-api-secret>';
+
+        CREATE CONNECTION confluent_cloud TO KAFKA (
+            BROKERS (
+                '<confluent-broker-url>' USING AWS PRIVATELINK confluent_privatelink,
+                MATCHING '*.use1-az1.*' USING AWS PRIVATELINK confluent_privatelink (AVAILABILITY ZONE = 'use1-az1'),
+                MATCHING '*.use1-az4.*' USING AWS PRIVATELINK confluent_privatelink (AVAILABILITY ZONE = 'use1-az4'),
+                MATCHING '*.use1-az6.*' USING AWS PRIVATELINK confluent_privatelink (AVAILABILITY ZONE = 'use1-az6')
+            ),
+            SASL MECHANISMS = 'PLAIN',
+            SASL USERNAME = SECRET confluent_username,
+            SASL PASSWORD = SECRET confluent_password
+        );
+        ```
+
+        The `MATCHING` patterns correspond to the AZ-specific DNS subdomains
+        from your Confluent Cloud networking settings. Adjust the patterns and
+        availability zones to match your cluster's configuration.
+
+    {{< /tab >}}
+    {{< /tabs >}}
+
+5. #### Start ingesting data
+
+    Once you have created the connection, create a source and start ingesting
+    data from your topic. By default, the source will be created in the active
+    cluster; to use a different cluster, use the `IN CLUSTER` clause.
+
+    ```mzsql
+    CREATE SOURCE confluent_source
         FROM KAFKA CONNECTION confluent_cloud (TOPIC '<topic-name>')
         FORMAT JSON;
     ```
-    By default, the source will be created in the active cluster; to use a different
-    cluster, use the `IN CLUSTER` clause.
 
-    f. If the command executes without an error and outputs _CREATE SOURCE_, it
+    If the command executes without an error and outputs _CREATE SOURCE_, it
     means that you have successfully connected Materialize to your Confluent
     Cloud Kafka cluster.
 
-    **Note:** The example above walked through creating a source, which is a way
-    of connecting Materialize to an external data source. We created a
-    connection to Confluent Cloud Kafka using SASL authentication and credentials
-    securely stored as secrets in Materialize's secret management system. For
-    input formats, we used `JSON`, but you can also ingest Kafka messages
+    **Note:** The example above used `JSON`, but you can also ingest Kafka messages
     formatted in other supported formats; e.g., [Avro and CSV](/sql/create-source/kafka/#syntax).
     You can find more details about the various different supported formats and
     possible configurations in the [reference documentation](/sql/create-source/kafka/).
diff --git a/doc/user/content/sql/create-connection.md b/doc/user/content/sql/create-connection.md
@@ -320,8 +320,42 @@ SSH bastion host.
 {{< include-md file="shared-content/aws-privatelink-cloud-only-note.md" >}}
 
 Depending on the hosted service you are connecting to, you might need to specify
-a PrivateLink connection [per advertised broker](#kafka-privatelink-syntax)
-(e.g. Amazon MSK), or a single [default PrivateLink connection](#kafka-privatelink-default) (e.g. Redpanda Cloud).
+a PrivateLink connection and [per-availability-zone routing rules for brokers](#kafka-privatelinks) (e.g. Confluent Cloud),
+a PrivateLink connection [per advertised broker](#kafka-privatelink-syntax) (e.g. Amazon MSK),
+or a single [default PrivateLink connection](#kafka-privatelink-default) (e.g. Redpanda Cloud).
+
+##### Dynamic broker discovery {#kafka-privatelinks}
+
+Confluent Cloud does not require listing every broker individually.
+Instead, include a static broker address for the initial connection
+alongside wildcard `MATCHING` rules for routing dynamically discovered
+brokers through PrivateLink.
+
+{{% include-syntax file="examples/create_connection" example="syntax-kafka-aws-privatelinks" %}}
+
+When your Confluent cluster is deployed across multiple AZs and your
+PrivateLink connection is configured with matching AZs, you should only
+specify `AWS PRIVATELINK` on the static broker, not `AVAILABILITY ZONE`.
+This will allow Materialize to attempt to find the bootstrap broker
+across availability zones. The `MATCHING` rules should specify
+`AVAILABILITY ZONE` to route discovered brokers through their specific
+AZ endpoint.
+
+```mzsql
+CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
+    SERVICE NAME 'com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc',
+    AVAILABILITY ZONES ('use1-az1', 'use1-az4')
+);
+
+CREATE CONNECTION kafka_connection TO KAFKA (
+    BROKERS (
+        'lkc-xxx.domyyy.us-east-1.aws.confluent.cloud:9092'
+            USING AWS PRIVATELINK privatelink_svc,
+        MATCHING '*.use1-az1.*' USING AWS PRIVATELINK privatelink_svc (AVAILABILITY ZONE = 'use1-az1'),
+        MATCHING '*.use1-az4.*' USING AWS PRIVATELINK privatelink_svc (AVAILABILITY ZONE = 'use1-az4')
+    )
+);
+```
 
 ##### Broker connection syntax {#kafka-privatelink-syntax}
 
@@ -347,7 +381,7 @@ broker that you want to connect to via the tunnel.
 Field                                   | Value            | Required | Description
 ----------------------------------------|------------------|:--------:|-------------------------------
 `AWS PRIVATELINK`                       | object name      | ✓        | The name of an [AWS PrivateLink connection](#aws-privatelink) through which network traffic for this broker should be routed.
-`AVAILABILITY ZONE`                     | `text`           |          | The ID of the availability zone of the AWS PrivateLink service in which the broker is accessible. If unspecified, traffic will be routed to each availability zone declared in the [AWS PrivateLink connection](#aws-privatelink) in sequence until the correct availability zone for the broker is discovered. If specified, Materialize will always route connections via the specified availability zone.
+`AVAILABILITY ZONE`                     | `text`           |          | The ID of the availability zone of the AWS PrivateLink service in which the broker is accessible.
 `PORT`                                  | `integer`        |          | The port of the AWS PrivateLink service to connect to. Defaults to the broker's port.
 
 ##### Example {#kafka-privatelink-example}
@@ -388,13 +422,6 @@ PrivateLink connection and the port of the bootstrap server instead.
 
 {{% include-syntax file="examples/create_connection" example="syntax-kafka-default-aws-privatelink" %}}
 
-##### Default connection options {#kafka-privatelink-default-options}
-
-Field                                   | Value            | Required | Description
-----------------------------------------|------------------|:--------:|-------------------------------
-`AWS PRIVATELINK`                       | object name      | ✓        | The name of an [AWS PrivateLink connection](#aws-privatelink) through which network traffic for this broker should be routed.
-`PORT`                                  | `integer`        |          | The port of the AWS PrivateLink service to connect to. Defaults to the broker's port.
-
 ##### Example {#kafka-privatelink-default-example}
 
 ```mzsql
diff --git a/doc/user/data/examples/create_connection.yml b/doc/user/data/examples/create_connection.yml
@@ -242,11 +242,57 @@
   syntax_elements:
     - name: "`AWS PRIVATELINK <privatelink_connection_name>`"
       description: |
+        *Value:* object name. Required.
+
         The name of an AWS PrivateLink connection through which network traffic
         should be routed.
     - name: "`PORT`"
       description: |
-        The port of the AWS PrivateLink service to connect to.
+        *Value:* `integer`
+
+        The port of the AWS PrivateLink service to connect to. Defaults to the broker's port.
+
+- name: "syntax-kafka-aws-privatelinks"
+  code: |
+    CREATE CONNECTION <connection_name> TO KAFKA (
+        BROKERS (
+            '<broker_address>' USING AWS PRIVATELINK <privatelink_connection>,
+            MATCHING '<pattern1>' USING AWS PRIVATELINK <privatelink_connection1> (
+                PORT <port1>,
+                AVAILABILITY ZONE = '<az_id1>'
+            ),
+            MATCHING '<pattern2>' USING AWS PRIVATELINK <privatelink_connection2>
+        ),
+        ...
+    );
+  syntax_elements:
+    - name: "`'<broker_address>' USING AWS PRIVATELINK ...`"
+      description: |
+        A static broker address used for bootstrapping the initial connection
+        to the Kafka cluster. At least one static broker is required when
+        using `MATCHING` rules. The broker is routed through the specified
+        AWS PrivateLink connection.
+    - name: "`MATCHING '<pattern>' USING AWS PRIVATELINK <connection_name>`"
+      description: |
+        Routes brokers whose advertised `host:port` matches `<pattern>` through
+        the named AWS PrivateLink connection.
+        A pattern may begin with `*` to match any prefix. A pattern may end with `*` to match any suffix.
+        All other characters in the pattern are matched literally.
+        Rules are evaluated in order. The first matching rule wins.
+        If no rule matches, Materialize will attempt to connect to the broker directly, without tunneling.
+    - name: "`AVAILABILITY ZONE`"
+      description: |
+        *Value:* `text`. Optional.
+
+        The ID of the availability zone of the AWS PrivateLink service in which
+        the broker is accessible. If omitted, traffic routes through the default
+        PrivateLink endpoint, which distributes across all configured availability
+        zones. Specify this only when you need to pin brokers to specific AZs.
+    - name: "`PORT`"
+      description: |
+        *Value:* `integer`. Optional.
+
+        The port of the AWS PrivateLink service to connect to. Defaults to the broker's port.
 
 - name: "syntax-csr"
   code: |
