Cboe Titanium Cboe Global Cloud Setup Guide

Introduction

The information contained in this document can be used as a technical reference guide to facilitate customer connectivity to the Cboe Global Cloud (CGC). This document also provides external links to Amazon Web Services (AWS) resources.

The following connectivity services are outlined in this document:

  • AWS PrivateLink
  • VPN
  • Internet Gateway

Cboe Global Cloud services are deployed across multiple availability zones in each of the available geographic regions. For customers requiring geographic redundancy, connectivity can be established in an additional region.

AWS Network Connectivity

The table below outlines the items Cboe NOC will provide during the onboarding process. The Connectivity Method is selected when submitting a connectivity request via the Customer Web Portal.

Table 1. Cboe Global Cloud Broker Details Matrix
Required Item Provided by Cboe | Connectivity Method: VPN | PrivateLink | Internet Gateway
mTLS Certificate Key Pair
Kafka Broker Topic
Requesting firm's group.id (case sensitive)
Broker FQDN:Port
Broker Bootstrap
Broker Private IP
Broker Public IP
Endpoint Service Name

Refer to the Cboe Titanium Cboe Global Cloud Feed Specification for details on Cboe Data Feed Kafka Topics (by Region) availability.

VPN

Cboe Global Cloud utilizes the AWS Client VPN, which is a fully managed, elastic VPN service that automatically scales up or down based on user demand. Customers utilizing a VPN client will establish a secure connection to the Cboe Global Cloud.

For additional resources, see here: How AWS Site-to-Site VPN works

VPN Provisioning

Upon receiving a Cboe Customer Web Portal request ticket for a Cboe Global Cloud services VPN connection, Cboe NOC will confirm requested feeds and region provided by the requesting firm. Cboe NOC will then provide a VPN request form to be completed by the requesting firm. After all necessary VPN details have been provided by the requesting firm, configuration deployment will be scheduled and Cboe NOC will provide information regarding the next steps within the request ticket’s email communication. Refer to AWS Network Connectivity for Broker information to be provided by Cboe for an AWS VPN connectivity method request.

Cboe Global Cloud VPN connection details to consider:

  • VPN Type: Site-to-Site

Details required by Cboe:

  • Requesting firm’s VPN Endpoint (gateway) IP address
  • Requesting firm's public source IP network (interesting traffic)
  • Phase 1 settings
  • Phase 2 settings
  • Pre-shared Key: (verbal exchange - Cboe can generate)
  • Make/Model/Software version (optional) - to assist Cboe with providing configuration file (if necessary)

Note: Cboe Broker details will be provided by Cboe NOC following VPN configuration deployment.

PrivateLink

Cboe Global Cloud leverages AWS PrivateLink, which is a highly available, scalable technology that enables you to privately connect your VPC to services as if they were in your VPC. You do not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to allow communication with the service from your private subnets.

For additional resources, see here: What is AWS PrivateLink?

PrivateLink Provisioning

Upon receiving a Cboe Customer Web Portal request ticket for a Cboe Global Cloud services PrivateLink connection, Cboe NOC will confirm requested feeds, region, and the AWS account number provided by the requesting firm. Following confirmation of necessary details, configuration deployment will be scheduled and Cboe NOC will provide information regarding the next steps within the request ticket’s email communication. Refer to AWS Network Connectivity for Broker information to be provided by Cboe for an AWS PrivateLink connectivity method request.

Details required by Cboe:

  • Requesting firm’s 12-digit AWS account number

Note: Cboe Broker details will be provided by Cboe NOC following PrivateLink configuration deployment.

Internet Gateway

Cboe Global Cloud leverages the AWS Internet Gateway, which is a service that allows for global internet traffic. Connectivity to the AWS Internet Gateway does not require AWS virtual infrastructure or VPN client services.

Internet Gateway Provisioning

Upon receiving a Cboe customer web portal request ticket for a Cboe Global Cloud services Internet Gateway connection, Cboe NOC will confirm requested feeds, region, and source IP addressing with the requesting firm. Following confirmation of necessary details, configuration deployment will be scheduled and Cboe NOC will provide information regarding the next steps within the request ticket’s email communication. Refer to AWS Network Connectivity for Broker information to be provided by Cboe for an AWS Internet Gateway connectivity method request.

Details required by Cboe:

  • Requesting firm’s source IP network details

Note: Cboe Broker details will be provided by Cboe NOC following Internet Gateway configuration deployment.

Kafka Broker Name Resolution

Any systems consuming data from the Kafka clusters will need to resolve each broker FQDN to a specific IP address which varies based on the connectivity method used. Customer systems (consumers) can, for example, add host file entries or create a DNS zone with records containing the broker FQDNs that point to the respective broker load-balancer IP addresses as outlined in the following sections.

VPN Connectivity Method

For VPN connections, customers will be provided the broker FQDNs and private IP addresses of the respective broker load balancers. A local DNS zone can be created for the cluster (x.y.z.kafka.<region>.amazonaws.com) and A records created for each of the broker nodes in the zone.

  • x.y.z.kafka.<region>.amazonaws.com - DNS Zone
    • b-2 IN A <IP>
    • b-3 IN A <IP>
    • b-4 IN A <IP>
    • b-5 IN A <IP>
    • b-6 IN A <IP>

PrivateLink Connectivity Method

PrivateLink-based customers will be provided the broker FQDNs, which will need to be resolved to the private IP addresses from the customer's AWS subnet where each of the PrivateLink Endpoints is created. A local DNS zone can be created for the cluster (x.y.z.kafka.<region>.amazonaws.com) and, for each broker, either an A record pointing to each Endpoint IP or a CNAME pointing to each Endpoint DNS name.

  • x.y.z.kafka.<region>.amazonaws.com - DNS Zone
    • b-2 IN A <Endpoint IP>
    • b-3 IN A <Endpoint IP>
    • b-4 IN A <Endpoint IP>
    • b-5 IN A <Endpoint IP>
    • b-6 IN A <Endpoint IP>

      OR

  • x.y.z.kafka.<region>.amazonaws.com - DNS Zone
    • b-1 IN CNAME vpce-<random id>.vpce-svc.<region>.vpce.amazonaws.com
    • b-2 IN CNAME vpce-<random id>.vpce-svc.<region>.vpce.amazonaws.com
    • b-3 IN CNAME vpce-<random id>.vpce-svc.<region>.vpce.amazonaws.com
    • b-4 IN CNAME vpce-<random id>.vpce-svc.<region>.vpce.amazonaws.com
    • b-5 IN CNAME vpce-<random id>.vpce-svc.<region>.vpce.amazonaws.com
    • b-6 IN CNAME vpce-<random id>.vpce-svc.<region>.vpce.amazonaws.com

Internet Connectivity Method

Internet connection customers will be provided the broker FQDNs and public IP addresses of the respective broker load balancers. A local DNS zone can be created for the cluster (x.y.z.kafka.<region>.amazonaws.com) and A records created for each of the broker nodes in the zone.

  • x.y.z.kafka.<region>.amazonaws.com - DNS Zone
    • b-2 IN A <IP>
    • b-3 IN A <IP>
    • b-4 IN A <IP>
    • b-5 IN A <IP>
    • b-6 IN A <IP>
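
The three record sets above differ only in the class of address each connectivity method expects. The following is an added example, not part of the Cboe guide: a POSIX shell helper that renders hosts-file lines for the brokers and refuses an address of the wrong class for the chosen method. The function names, the sample addresses in the usage comment, and the simplification that "private" means RFC 1918 and "public" means anything else are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the Cboe guide). Addresses shown are constructed.

# Returns 0 for an RFC 1918 address, 1 for any other valid IPv4, 2 if malformed.
is_private_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 2 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 2
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 2; done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# Prints "IP FQDN" lines; prints nothing and fails if any address is the
# wrong class for the method, so a partial mapping is never emitted.
emit_hosts() {  # $1 = vpn|privatelink|internet, $2 = DNS zone, rest = broker=IP
    method=$1; zone=$2; shift 2; lines=""
    case "$method" in
        vpn|privatelink) want=0 ;;  # guide: private / Endpoint IPs
        internet)        want=1 ;;  # guide: public load-balancer IPs
        *) echo "unknown method: $method" >&2; return 2 ;;
    esac
    for pair in "$@"; do
        host=${pair%%=*}; ip=${pair#*=}
        rc=0; is_private_ipv4 "$ip" || rc=$?
        if [ "$rc" -ne "$want" ]; then
            echo "refusing $host.$zone -> $ip for method $method" >&2
            return 1
        fi
        lines="${lines}${ip} ${host}.${zone}
"
    done
    printf '%s' "$lines"
}

# Usage (constructed values):
#   emit_hosts vpn x.y.z.kafka.region.amazonaws.com b-2=10.20.1.12 b-3=10.20.2.12
```

Review the output before appending it to the hosts file; a broker name that resolves through public DNS instead of these entries will not reach the address Cboe NOC provided.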

Consumer Connectivity

mTLS

mTLS authentication is required for connectivity to Cboe Global Cloud services regardless of connectivity method. Upon receipt of a CGC connectivity request ticket, Cboe will generate mTLS certificates and share them within an email conversation, sourced from the @cboe.com domain, that includes a Kiteworks file share. Cboe NOC will work with the requesting firm to identify appropriate email recipients for access to mTLS certificate files. Refer to Mutual TLS Authentication as necessary.

Kafka Consumer Test Example

Example consumer configuration using the Kafka client tools. Update the identified <variables> accordingly.

Prerequisites:

  • Valid client certificate with private key
  • Private key password/passphrase

Example configuration steps:

  1. Create certfile with client cert: cert.pem
  2. Create key file: key.pem
  3. Create PKCS12 from pem files: openssl pkcs12 -export -in cert.pem -inkey key.pem -name <cert DN> -out <filename>.p12
  4. Create keystore using PKCS12 file: keytool -importkeystore -deststorepass <store password> -destkeystore kafka.client.keystore.jks -srckeystore <filename>.p12 -srcstoretype PKCS12
  5. Copy Java truststore file to same dir as keystore: cp /usr/lib/jvm/java-<version>/jre/lib/security/cacerts kafka.client.truststore.jks
  6. Copy and edit Kafka consumer.properties file:
    1. group.id=<consumer group>
    2. security.protocol=SSL
    3. ssl.truststore.location=kafka.client.truststore.jks
    4. ssl.keystore.location=kafka.client.keystore.jks
    5. ssl.keystore.password=<store password>
    6. ssl.key.password=<key password>
  7. Update the local hosts file with all broker FQDNs and IP addresses for correct name resolution (if external)

  8. Run Kafka consumer command to confirm connectivity: bin/kafka-console-consumer.sh --bootstrap-server <broker FQDN>:9094 --consumer.config config/consumer.properties --topic <topic> --max-messages 10

Completion of the above steps will enable streaming of the requested data feed from the Cboe Global Cloud.
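
The keystore built in steps 1-4 is only usable if the private key belongs to the certificate and the certificate is still valid. The following is an added example, not part of the Cboe guide: a pre-flight check for those two conditions, followed by step 3 run with an owner-only output file. The function names and the KEY_PASS and STORE_PASS environment variables are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the Cboe guide): pre-flight checks for steps 1-3.
# Passphrases are read from the environment (KEY_PASS, STORE_PASS) rather
# than the command line; both variable names are this example's own.

# SHA-256 of the PEM public key taken from a certificate or a private key.
pubkey_digest() {  # $1 = cert|key, $2 = PEM file
    if [ "$1" = cert ]; then
        pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    else
        pub=$(KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$2" \
              -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    fi
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 = usable; 2 = unreadable input; 3 = key/cert mismatch; 4 = expiring soon.
preflight() {  # $1 = cert.pem, $2 = key.pem, $3 = minimum days left (default 7)
    c=$(pubkey_digest cert "$1") ||
        { echo "cannot read certificate $1" >&2; return 2; }
    k=$(pubkey_digest key "$2") ||
        { echo "cannot read key $2 (wrong passphrase?)" >&2; return 2; }
    [ "$c" = "$k" ] || { echo "key does not match certificate" >&2; return 3; }
    openssl x509 -in "$1" -noout -checkend $(( ${3:-7} * 86400 )) >/dev/null ||
        { echo "certificate expires within ${3:-7} days" >&2; return 4; }
}

# Step 3 with an owner-only output file and no passwords on the command line.
build_p12() {  # $1 = cert.pem, $2 = key.pem, $3 = alias, $4 = output .p12
    ( umask 077
      KEY_PASS="${KEY_PASS:-}" STORE_PASS="${STORE_PASS:?set STORE_PASS}" \
      openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" \
          -passin env:KEY_PASS -passout env:STORE_PASS )
}

# Stand-alone use: sh preflight.sh cert.pem key.pem <alias> client.p12
if [ "$#" -eq 4 ]; then
    preflight "$1" "$2" && build_p12 "$1" "$2" "$3" "$4"
fi
```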

Support

Client | Cboe
Client Application Monitoring | Cboe Feed Monitoring

Please direct questions and comments related to the Cboe Global Cloud to Cboe NOC (+1 913.815.7005).

Core phone support hours are 7:00 a.m. - 11:00 p.m. ET, Monday - Friday.

Revision History

Document Version | Date | Description
1.0.0 | 07/05/22 | Initial version.
1.0.1 | 01/22/25 |
  • Updated mTLS.
  • Updated with Cboe Titanium branding.