How Do I Select and Configure a Security Group?
Kafka instances can be accessed within a VPC, across VPCs, through DNAT, or over public networks. Before accessing a Kafka instance, configure a security group.
Intra-VPC Access
- Check whether the client and instance use the same security group.
- If they use the same security group, check whether the security group has the default inbound rule that allows communication among ECSs within the security group and the default outbound rule that allows all outbound traffic. If these rules are available, you do not need to add more rules. If these rules are not available, add rules according to Table 1.
Table 1 Security group rules Direction
Protocol
Type
Port
Source
Description
Inbound
TCP
IPv4
9092
IP address or IP address group of the Kafka client
Accessing a Kafka instance over a private network within a VPC (without SSL)
Inbound
TCP
IPv4
9093
IP address or IP address group of the Kafka client
Accessing a Kafka instance over a private network within a VPC (with SSL)
- If they use different security groups, go to 2.
- If they use the same security group, check whether the security group has the default inbound rule that allows communication among ECSs within the security group and the default outbound rule that allows all outbound traffic. If these rules are available, you do not need to add more rules. If these rules are not available, add rules according to Table 1.
- Configure security group rules as follows.
Assume that the security groups of the client and Kafka instance are sg-53d4 and Default_All, respectively. You can specify a security group or IP address as the destination in the following rule. A security group is used as an example.
To ensure that your client can access the Kafka instance, add the following rule to the security group configured for the client:
Table 2 Security group rule Direction
Action
Protocol & Port
Destination
Outbound
Allow
All
Default_All
Figure 1 Configuring a security group for the client
To ensure that your client can access the Kafka instance, add the following rule to the security group configured for the instance.
Table 3 Security group rule Direction
Action
Protocol & Port
Source
Inbound
Allow
All
sg-53d4
Figure 2 Configuring the security group for the Kafka instance
Cross-VPC and DNAT-based Instance Access
Configure security group rules according to Table 4.
Direction |
Protocol |
Port |
Source |
Description |
---|---|---|---|---|
Inbound |
TCP |
9011 |
198.19.128.0/17 |
Accessing a Kafka instance using a VPC endpoint across VPCs (with or without SSL) |
Inbound |
TCP |
9011 |
IP address or IP address group of the Kafka client |
Accessing a Kafka instance using DNAT (with or without SSL) |
Inbound |
TCP |
9092 |
IP address or IP address group of the Kafka client |
Accessing a Kafka instance using a peering connection across VPCs (without SSL) |
Inbound |
TCP |
9093 |
IP address or IP address group of the Kafka client |
Accessing a Kafka instance using a peering connection across VPCs (with SSL) |
Public Access
Configure security group rules according to Table 5.
Direction |
Protocol |
Type |
Port |
Source |
Description |
---|---|---|---|---|---|
Inbound |
TCP |
IPv4 |
9094 |
IP address or IP address group of the Kafka client |
Accessing a Kafka instance over a public network (without SSL) |
Inbound |
TCP |
IPv4 |
9095 |
IP address or IP address group of the Kafka client |
Accessing a Kafka instance over a public network (with SSL) |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.