The phrase traffic costs Amazon MSK usually appears after the platform team has already done the obvious work. The brokers are managed, topics are stable, consumer groups run on Amazon EKS, and the bill still contains network charges that no single application team wants to own. The question changes from "what does MSK cost?" to "which paths around MSK are we paying for, and which teams control them?"
EKS makes this question sharper because Kubernetes hides placement behind a scheduler while Kafka still cares about topology. A pod can move to another node, a node belongs to a subnet, and a consumer may connect through a broker endpoint, a VPC boundary, or an interface endpoint. Each hop can be correct from an availability or security perspective and still be expensive when multiplied by steady reads, replay jobs, and incident recovery.
Why EKS-Based Consumers Make MSK Traffic Costs Harder To Read
Amazon MSK removes a large amount of broker administration, but it does not erase the network topology around a Kafka workload. AWS documents that in-cluster replication data transfer is included for MSK provisioned clusters, while data transferred in and out of a cluster follows the relevant AWS data transfer rules. That distinction gets lost when application teams call every line item near the workload "Kafka traffic," even if the bill is describing an EC2, VPC, PrivateLink, or cross-zone path.
Kubernetes adds one more layer of indirection. A Deployment that looks zone-neutral in YAML may run most pods in one Availability Zone after a scale event, node replacement, or capacity shortage. Kafka consumers are often treated as stateless application pods and left to the default scheduler, so a healthy group can be physically scattered in ways the cost model never captured.
The runbook therefore has to connect three maps that are often maintained by different teams:
- Kafka map. Topics, partitions, leaders, replicas, consumer groups, and replay jobs decide which bytes a client wants to read.
- Kubernetes map. Pods, nodes, node groups, topology spread rules, and subnet selection decide where the client actually runs.
- AWS network map. Broker endpoints, VPC routes, security appliances, PrivateLink endpoints, peering, and downstream sinks decide where the bytes travel.
Only the combined map explains the bill. A Kafka dashboard can show lag without pod locality, a Kubernetes dashboard can show placement without partition leadership, and a network diagram can show connectivity without showing which paths are hot.
Runbook 1: Separate Steady Reads From Recovery Reads
The first mistake is averaging all consumer traffic into one number. Steady reads are the normal tail of a topic: payment services, fraud detectors, feature pipelines, search indexing jobs, and operational consumers reading near the end of the log. Recovery reads are the large backfills and replays that happen after a deployment issue, data correction, downstream outage, or analytics request.
Those two modes behave differently in EKS. Steady consumers usually come from long-running Deployments with predictable labels. Recovery consumers may come from batch Jobs, temporary namespaces, notebooks, CI tasks, or manually scaled replicas. A platform team can tune the steady path and still see a cost spike because the recovery path bypassed the intended rules.
Start by classifying the top consumer groups, not the top topics. For each group, record the normal read rate, expected replay window, pod owner, namespace, node group, subnet, and downstream system. Then mark whether the workload can run during incidents, whether it can be throttled, and whether it has a documented placement policy.
| Traffic mode | Typical EKS origin | Cost question | Runbook owner |
|---|---|---|---|
| Steady tailing | Deployment or StatefulSet | Are pods reading from local-zone paths when possible? | Platform and app team |
| Planned replay | Batch Job or scheduled workflow | Is replay capacity placed and throttled deliberately? | Data platform |
| Incident recovery | Temporary scale-out or manual job | Does the emergency path follow the same network rules? | SRE and platform |
| Cross-boundary export | Connector or sink workload | Which VPC, account, or endpoint boundary is crossed? | Cloud networking |
The table keeps the conversation factual. If a data science replay is the largest driver, tuning the payment service Deployment will not help. If a sink connector uses a centralized inspection VPC, Kafka client settings will not remove that boundary.
Runbook 2: Prove Pod, Broker, And Endpoint Locality
Once the traffic modes are separated, locality becomes the next test. Kafka has topology-aware mechanisms, including broker rack metadata and the consumer client.rack configuration used with replica selection features. EKS has topology labels on nodes and scheduling controls such as node affinity and topology spread constraints. The goal is to prove that Kafka, Kubernetes, and AWS labels describe the same physical reality.
A practical locality check starts from one consumer group and follows it downward. List the pods, nodes, node Availability Zones, broker endpoints, and partition leaders. If client.rack is set, verify that the value comes from the node or zone where the pod is running, not from a hard-coded environment variable copied across zones. If it is not set, document whether the team accepts leader-based reads or plans nearest-replica fetching.
Kubernetes scheduling deserves the same rigor. Topology spread constraints can keep replicas distributed, but they do not guarantee that each pod reads from a same-zone broker path. Node selectors can keep a workload in a known node group, but they can also concentrate traffic in one zone if the node group is not balanced. Repeat this check after node group changes, EKS upgrades, and major deployment template revisions.
The most useful evidence is concrete and boring:
- Pod name, namespace, node, node Availability Zone, and subnet.
- Consumer group, assigned partitions, broker endpoint used by the client, and
client.rackvalue when configured. - Broker rack or zone metadata, leader distribution, and whether follower fetching is part of the design.
- CloudWatch or VPC flow evidence that shows whether bytes stay local or cross a billed boundary.
Do not skip the endpoint. Private connectivity is often introduced for security, cross-account access, SaaS access, or centralized governance. AWS PrivateLink pricing includes hourly endpoint charges and data processing dimensions for interface endpoints, so a design can be operationally correct and still create a measurable per-byte path. The runbook asks whether the endpoint is necessary for that group, whether it sits in the same zones as the pods, and whether moving the workload would reduce traffic more safely than changing Kafka.
Runbook 3: Put PrivateLink In The Architecture Review, Not The Kafka Tuning Queue
PrivateLink is not a Kafka feature, and treating it like one causes bad troubleshooting. It is an AWS networking construct for private access across service and VPC boundaries. When EKS-based consumers use interface endpoints, model endpoint hourly charges, data processing, subnet placement, and the path to downstream systems before asking whether Kafka is misconfigured.
The important distinction is ownership. A Kafka platform team can usually change consumer configuration, topic policy, quota, and broker-side settings. It may not own the VPC topology, inspection route, endpoint service, or account boundary. PrivateLink-related traffic belongs in a joint review with cloud networking and security teams, not only a Kafka backlog.
That joint review needs a small decision tree:
- Is the endpoint required by account, VPC, or service ownership?
- Are consumers and endpoints deployed in matching Availability Zones?
- Does the traffic path cross a centralized VPC, transit gateway, or inspection layer after the endpoint?
- Are replay and backfill jobs using the same endpoint path as steady consumers?
- Would moving the consumer runtime reduce traffic more safely than changing connectivity?
This decision tree prevents two common mistakes: blaming MSK for every byte near Kafka workloads, and optimizing the steady path while recovery jobs use whatever route is available during an incident. Both produce a cost review that looks complete on paper and fails under real load.
Runbook 4: Convert Cost Findings Into Operating Controls
Cost analysis is not finished when the team identifies a path. It is finished when the path becomes an operating control that survives the next deployment. For EKS-based consumers, that means templates, alerts, and exception rules rather than another spreadsheet.
Start with deployment templates. Zone-aware consumer workloads should inherit node labels, topology spread constraints, environment variables, and observability tags from a platform-maintained base. The template should make the desired path visible: zone, subnet, broker bootstrap method, endpoint class, and owner.
Then add drift checks. A weekly job can compare pod placement with intended zones. A dashboard can show read throughput by namespace and node group. A cost anomaly alert should route to the team that controls the boundary; otherwise it becomes background noise.
Finally, define exceptions. Some workloads deserve a higher network bill because they protect recovery time, security isolation, or regulatory boundaries. A fraud replay job may need fast cross-zone capacity during an incident, while a regulated export may need a centralized inspection path. The runbook should separate accepted cost from accidental cost.
When Architecture Becomes The Bigger Lever
The first answer to MSK traffic costs is usually configuration and placement, and that is appropriate. MSK remains a strong AWS-native managed Kafka option for many teams, especially when workloads fit traditional Kafka operations and the organization values managed broker lifecycle. Rack-aware reads, careful EKS scheduling, and endpoint hygiene can remove a lot of avoidable traffic without changing the platform.
The warning sign is repetition. If every consumer group needs a topology review, every replay requires manual placement, and every networking change reopens the same Kafka cost debate, the team may be operating around a structural constraint. Traditional Kafka ties durable log storage to broker-local disks and uses brokers as part of the replication and recovery model. That design can work well, but storage placement, broker lifecycle, and network paths remain tightly connected.
At that point, the evaluation should widen from tuning to architecture. A useful review asks whether the platform can keep Kafka protocol compatibility while reducing the operational burden caused by local broker storage, cross-zone placement, and recovery traffic. The question is valid once network cost becomes a recurring platform tax rather than a one-time misconfiguration.
How AutoMQ Fits The Evaluation
AutoMQ is a Kafka-compatible cloud-native streaming platform that separates compute from storage and uses object storage for durable stream data. Its architecture changes what brokers are responsible for: brokers can behave more like stateless compute, while durable data lives in shared storage rather than being anchored to broker-local disks. AutoMQ also documents a Zero Cross-AZ Traffic design for applicable deployment patterns, giving MSK teams a concrete architecture to compare against current cross-zone paths.
This does not mean every EKS consumer cost issue requires migration. If the problem is a missing topology label or a misrouted replay job, fix the label or job first. AutoMQ enters the conversation when the organization wants to test whether a Kafka-compatible shared-storage design can reduce the repeated coordination work between Kafka operators, Kubernetes owners, cloud networking teams, and FinOps.
Evaluate it with the same runbook, not a separate vendor checklist:
- Can existing Kafka producers, consumers, connectors, and stream processors run with acceptable compatibility changes?
- Which paths remain inside one Availability Zone, which paths use object storage, and which paths still depend on EKS placement?
- How does the platform behave during broker replacement, scale-out, replay, and downstream outages?
- Can the team keep its current AWS account, IAM, encryption, observability, and governance controls in the deployment model it chooses?
The value of this comparison is discipline. It keeps AutoMQ from being evaluated as a slogan and keeps MSK from being judged by a single bill line. Both platforms should be tested against the actual paths that move bytes in your environment.
A Decision Record Your FinOps Team Can Reuse
The final artifact should be a decision record, not a one-off investigation note. A good record names the workload, traffic mode, current path, owner, accepted cost, avoidable cost, next action, and evidence used: pod placement, broker endpoint, endpoint route, read throughput, replay behavior, and relevant AWS pricing page.
That record gives procurement and FinOps teams a better model than a generic $/GB estimate. Kafka platform cost is a composition of broker capacity, storage retention, client placement, endpoint design, replay policy, operational labor, and migration risk. A single number hides the mechanism. A runbook shows whether the team should tune EKS scheduling, redesign a VPC boundary, throttle replay, or evaluate a different streaming architecture.
Return to the bill that triggered the search. The useful question is no longer whether "MSK traffic" is high. The useful question is which runbook owns the path: locality, PrivateLink, replay control, operating template, or architecture review. If your team wants to compare those paths against a Kafka-compatible shared-storage design, use AutoMQ's documented Zero Cross-AZ Traffic architecture as a technical checklist and trace the same EKS consumer workflows end to end.
References
- Amazon MSK pricing: https://aws.amazon.com/msk/pricing/
- Amazon VPC pricing: https://aws.amazon.com/vpc/pricing/
- AWS PrivateLink pricing: https://aws.amazon.com/privatelink/pricing/
- Amazon EC2 On-Demand Pricing, Data Transfer section: https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer
- Amazon EKS documentation, assign pods to nodes: https://docs.aws.amazon.com/eks/latest/userguide/assign-pods.html
- Apache Kafka consumer configuration
client.rack: https://kafka.apache.org/documentation/#consumerconfigs_client.rack - Apache Kafka KIP-392, Allow consumers to fetch from closest replica: https://cwiki.apache.org/confluence/display/KAFKA/KIP-392%3A+Allow+consumers+to+fetch+from+closest+replica
- AutoMQ Zero Cross-AZ Traffic overview: https://docs.automq.com/automq-cloud/eliminate-inter-zone-traffics/overview?utm_source=blog&utm_medium=reference&utm_campaign=gs100-0097
FAQ
Does Amazon MSK charge for broker replication traffic inside an MSK cluster?
AWS states that in-cluster broker replication data transfer is included for MSK provisioned clusters. Consumer reads, cross-VPC paths, PrivateLink endpoints, downstream exports, and cross-region movement can still follow the relevant AWS pricing rules.
Why do EKS consumers make MSK network cost analysis more complicated?
EKS separates application intent from physical placement. A healthy consumer Deployment may still run in zones or subnets that create cross-zone or endpoint-heavy traffic. Cost analysis has to connect Kafka group behavior, pod placement, node topology, broker endpoints, and AWS network boundaries.
Is PrivateLink a good or bad choice for MSK-related workloads?
PrivateLink is useful when teams need private access across VPC, account, or service boundaries. The runbook question is whether the endpoint path is necessary, correctly placed, and included in the cost model for steady reads and replay jobs.
Should we tune MSK before evaluating another architecture?
Yes, when the issue is clearly a placement, configuration, or endpoint hygiene problem. Tune the current deployment first. Evaluate a different architecture when the same network-cost work keeps recurring across consumer groups, replays, broker lifecycle events, and cloud networking changes.
How is AutoMQ relevant to EKS-based MSK consumer costs?
AutoMQ is relevant when the cost pattern points to structural coupling between Kafka storage, broker placement, and network paths. Its Kafka-compatible shared-storage architecture and documented Zero Cross-AZ Traffic design give teams a concrete alternative to test against the same EKS consumer runbooks.
