docs: secure private access (aklivity#285)

Author: ankitk-me

src/.vuepress/public/many_to_one.png

@@ -143,6 +143,26 @@ export const enSidebar = sidebar({
         },
       ],
     },
+    {
+      text: "Secure Private Access",
+      icon: "aky-zilla-plus",
+      children: [
+        {
+          text: "Deployment Options",
+          link: "concepts/kafka-proxies/secure-private-access.md",
+          children: [],
+        },
+        {
+          text: "Amazon MSK",
+          children: [
+            {
+              text: "CDK",
+              link: "https://github.com/aklivity/zilla-plus-aws-templates/tree/main/amazon-msk/cdk/secure-private-access",
+            },
+          ],
+        },
+      ],
+    },
     {
       text: "IoT Ingest and Control",
       icon: "aky-zilla-plus",
@@ -401,6 +421,12 @@ export const enSidebar = sidebar({
           link: "solutions/concepts/kafka-proxies/secure-public-access.md",
           children: [],
         },
+        {
+          text: "Secure Private Access on AWS",
+          icon: "aky-zilla-plus",
+          link: "solutions/concepts/kafka-proxies/secure-private-access.md",
+          children: [],
+        },
         {
           text: "IoT Ingest and Control on AWS",
           icon: "aky-zilla-plus",

src/.vuepress/public/one_to_many.png

@@ -0,0 +1,48 @@
+---
+icon: aky-zilla-plus
+description: Securely access your Kafka cluster via the intranet.
+---
+
+# Secure Private Access
+
+[Available in <ZillaPlus/>](https://www.aklivity.io/products/zilla-plus)
+{.zilla-plus-badge .hint-container .info}
+
+The [<ZillaPlus/> Secure Private Access for Amazon MSK](https://aws.amazon.com/marketplace/pp/prodview-jshnzslazfm44) enables authorized Kafka clients deployed across **cross-account VPCs** to securely connect, publish messages, and subscribe to topics in your Amazon MSK Serverless cluster.
+
+This setup establishes a fully private, secure, and scalable communication channel between Kafka clients and the Amazon MSK cluster by leveraging **<ZillaPlus/>** proxy.
+
+**<ZillaPlus/>:** An auto-scaling, stateless proxy layer deployed in a private VPC that handles authentication and routing of Kafka requests.
+
+![Secure Private Access Overview](/secure_private_access.png)
+
+## Key Features
+
+- Seamless MSK Serverless Connectivity across **Cross-Account VPCs**.
+- **Custom Wildcard DNS** & Route 53 Hosted Zone Integration.
+- **Unified Domain Name** for Kafka clients, streamlining configuration.
+- **Eliminates** the need to **manually whitelist** each bootstrap endpoint to enable access.
+- Seamless end-to-end **TLS** handshake.
+- **Auto-Scaling** <ZillaPlus/> Instances.
+- Deployed behind a **Network Load Balancer** for high availability and efficient request routing.
+- Integrates with **AWS Nitro Enclaves**, enabling automated certificate renewal.
+
+### Many-to-One Private Access
+
+Multiple Kafka clients from different cross-account VPCs securely connect to a single Amazon MSK Serverless cluster. This approach simplifies multi-tenant access and ensures a unified, private connectivity model.
+
+![Many to One Private Access Overview](/many_to_one.png)
+
+### One-to-Many Private Access
+
+Enables Kafka clients to securely access multiple Amazon MSK Serverless clusters deployed across different VPCs.
+
+![One to Many Private Access Overview](/one_to_many.png)
+
+You will need to choose a wildcard DNS pattern to use for intranet access to the brokers in your Kafka cluster. These wildcard DNS names must resolve to the IP address of the VPC Endpoint in the client VPC, which then routes traffic via the VPC Endpoint Service to the ZillaPlus Network Load Balancer (NLB).
+
+Additionally, the <ZillaPlus/> proxy must also be configured with a TLS server certificate representing the same wildcard DNS pattern.
+
+## Deploy with CDK
+
+Follow the [Secure Private Access with CDK](https://github.com/aklivity/zilla-plus-aws-templates/tree/main/amazon-msk/cdk/secure-private-access) guide to generate or deploy a custom AWS CDK stack.