Help Center/ Distributed Message Service for Kafka/ FAQs/ Connections/ How Do I Select and Configure a Security Group?
Updated on 2024-11-27 GMT+08:00

How Do I Select and Configure a Security Group?

Kafka instances can be accessed within a VPC, across VPCs, through DNAT, or over public networks. Before accessing a Kafka instance, configure a security group.

Intra-VPC Access

  1. Check whether the client and instance use the same security group.

    • If they use the same security group, check whether the security group has the default inbound rule that allows communication among ECSs within the security group and the default outbound rule that allows all outbound traffic. If these rules are available, you do not need to add more rules. If these rules are not available, add rules according to Table 1.
      Table 1 Security group rules

      Direction

      Protocol

      Type

      Port

      Source

      Description

      Inbound

      TCP

      IPv4

      9092

      IP address or IP address group of the Kafka client

      Accessing a Kafka instance over a private network within a VPC (without SSL)

      Inbound

      TCP

      IPv4

      9093

      IP address or IP address group of the Kafka client

      Accessing a Kafka instance over a private network within a VPC (with SSL)

    • If they use different security groups, go to 2.

  2. Configure security group rules as follows.

    Assume that the security groups of the client and Kafka instance are sg-53d4 and Default_All, respectively. You can specify a security group or IP address as the destination in the following rule. A security group is used as an example.

    To ensure that your client can access the Kafka instance, add the following rule to the security group configured for the client:

    Table 2 Security group rule

    Direction

    Action

    Protocol & Port

    Destination

    Outbound

    Allow

    All

    Default_All

    Figure 1 Configuring a security group for the client

    To ensure that your client can access the Kafka instance, add the following rule to the security group configured for the instance.

    Table 3 Security group rule

    Direction

    Action

    Protocol & Port

    Source

    Inbound

    Allow

    All

    sg-53d4

    Figure 2 Configuring the security group for the Kafka instance

Cross-VPC and DNAT-based Instance Access

Configure security group rules according to Table 4.

Table 4 Security group rules

Direction

Protocol

Port

Source

Description

Inbound

TCP

9011

198.19.128.0/17

Accessing a Kafka instance using a VPC endpoint across VPCs (with or without SSL)

Inbound

TCP

9011

IP address or IP address group of the Kafka client

Accessing a Kafka instance using DNAT (with or without SSL)

Inbound

TCP

9092

IP address or IP address group of the Kafka client

Accessing a Kafka instance using a peering connection across VPCs (without SSL)

Inbound

TCP

9093

IP address or IP address group of the Kafka client

Accessing a Kafka instance using a peering connection across VPCs (with SSL)

Public Access

Configure security group rules according to Table 5.

Table 5 Security group rules

Direction

Protocol

Type

Port

Source

Description

Inbound

TCP

IPv4

9094

IP address or IP address group of the Kafka client

Accessing a Kafka instance over a public network (without SSL)

Inbound

TCP

IPv4

9095

IP address or IP address group of the Kafka client

Accessing a Kafka instance over a public network (with SSL)