Updated on 2024-12-02 GMT+08:00

Kafka Network Connection Conditions

A client can connect to a Kafka instance over a public or private network. Notes before using a private network:

  • By default, a client and a Kafka instance are interconnected when they are deployed in a VPC.
  • If they are not, you need to interconnect them because of isolation among VPCs.

Table 1 lists how to access a Kafka instance on a client.

Table 1 Access modes

Mode

How To Do

Reference

Public access

Enable public access on the Kafka console and configure elastic IPs (EIPs). A client can connect to the Kafka instance through the EIPs.

Configuring Kafka Public Access

Configure port mapping using DNAT. The client can connect to the Kafka instance in a public network.

Accessing Kafka in a Public Network Using DNAT

Private access

A client and a Kafka instance are interconnected when they are deployed in a VPC.

-

When a client and a Kafka instance are deployed in different VPCs of the same region, connect the client and the Kafka instance across VPCs using a VPC endpoint.

Accessing Kafka Using a VPC Endpoint Across VPCs

When a client and a Kafka instance are deployed in different VPCs of the same region, interconnect two VPCs using a VPC peering connection.

VPC Peering Connection

Before accessing a Kafka instance on a client, configure the following rules in the security group of the instance.

After a security group is created, its default inbound rule allows communication among ECSs within the security group and its default outbound rule allows all outbound traffic. In this case, you can access a Kafka instance within a VPC, and do not need to add rules according to Table 2.

Table 2 Security group rules

Direction

Protocol

Type

Port

Source

Description

Inbound

TCP

IPv4

9094

IP address or IP address group of the Kafka client

Accessing a Kafka instance over a public network (without SSL)

Inbound

TCP

IPv4

9092

IP address or IP address group of the Kafka client

  • Accessing a Kafka instance over a private network within a VPC (without SSL)
  • Accessing a Kafka instance using a peering connection across VPCs (without SSL)

Inbound

TCP

IPv4

9095

IP address or IP address group of the Kafka client

Accessing a Kafka instance over a public network (with SSL)

Inbound

TCP

IPv4

9093

IP address or IP address group of the Kafka client

  • Accessing a Kafka instance over a private network within a VPC (with SSL)
  • Accessing a Kafka instance using a peering connection across VPCs (with SSL)

Inbound

TCP

IPv4

9011

198.19.128.0/17

Accessing a Kafka instance using a VPC endpoint across VPCs (with or without SSL)

Inbound

TCP

IPv4

9011

IP address or IP address group of the Kafka client

Accessing a Kafka instance using DNAT (with or without SSL)