Updated on 2023-05-31 GMT+08:00

Preparing Required Resources

Overview

Before creating a Kafka instance, ensure the availability of resources, including a virtual private cloud (VPC), subnet, security group, and security group rules. Each Kafka instance is deployed in a VPC and bound to a specific subnet and security group. In this way, Kafka provides an isolated virtual network environment and security protection policies that you can easily configure and manage.

To access a Kafka instance over a public network, prepare an elastic IP address (EIP) in advance.

Required Resources

Table 1 lists the resources required by a Kafka instance.

Table 1 Kafka resources

Resource: VPC and subnet

Requirement: Different Kafka instances can use the same or different VPCs and subnets based on site requirements. Note the following when creating a VPC and a subnet:

  • The VPC must be created in the same region as the Kafka instance.
  • Use the default settings when creating a VPC and subnet.

Operations: For details on how to create a VPC and subnet, see Creating a VPC. If you need to create and use a new subnet in an existing VPC, see Creating a Subnet for the VPC.

Resource: Security group

Requirement: Different Kafka instances can use the same or different security groups. Note the following when creating a security group:

  • Set Template to Custom.
  • To use Kafka instances, add the security group rules described in Table 2. Other rules can be added based on site requirements.
    NOTE:

    After a security group is created, its default inbound rule allows communication among ECSs within the security group and its default outbound rule allows all outbound traffic. In this case, you can access a Kafka instance within a VPC, and do not need to add rules according to Table 2.

Operations: For details on how to create a security group, see Creating a Security Group. For details on how to add rules to a security group, see Adding a Security Group Rule.

Resource: EIP

Requirement: Note the following when creating EIPs:

  • The EIPs must be created in the same region as the Kafka instance.
  • The number of EIPs must be the same as the number of Kafka instance brokers.

Operations: For details about how to create an EIP, see Assigning an EIP.

Table 2 Security group rules

| Direction | Protocol | Port | Source | Description |
|---|---|---|---|---|
| Inbound | TCP | 9094 | 0.0.0.0/0 | Access a Kafka instance through the public network (without SSL encryption). |
| Inbound | TCP | 9092 | 0.0.0.0/0 | Access a Kafka instance within a VPC (without SSL encryption). |
| Inbound | TCP | 9095 | 0.0.0.0/0 | Access a Kafka instance through the public network (with SSL encryption). |
| Inbound | TCP | 9093 | 0.0.0.0/0 | Access a Kafka instance within a VPC (with SSL encryption). |
| Inbound | TCP | 9999 | 0.0.0.0/0 | Access Kafka Manager. |
| Inbound | TCP | 9011 | 198.19.128.0/17 | Access a Kafka instance across VPCs using a VPC endpoint (with or without SSL). |
| Inbound | TCP | 9011 | 0.0.0.0/0 | Access a Kafka instance using DNAT (with or without SSL). |
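
The source 0.0.0.0/0 in Table 2 matches every IPv4 address, so a review of the finished security group is worth doing once the rules are in place. The following audit script is an added example, not code from this documentation or the service: it checks a rule list against the Table 2 ports and flags rules that are open to any address. The rule dictionary layout, the sample rules and the severity labels are assumptions made for this example.

```python
import ipaddress

# Port roles copied from Table 2; the severity labels are this example's own.
PORT_ROLE = {
    9092: "VPC access without SSL",
    9093: "VPC access with SSL",
    9094: "public access without SSL",
    9095: "public access with SSL",
    9999: "Kafka Manager",
    9011: "VPC endpoint or DNAT access",
}

def audit(rules):
    """Return (severity, port, source, reason) for inbound TCP rules on Table 2 ports."""
    findings = []
    for rule in rules:
        if rule["direction"].lower() != "inbound" or rule["protocol"].lower() != "tcp":
            continue
        port = rule["port"]
        if port not in PORT_ROLE:
            continue  # not a Kafka port from Table 2
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source.prefixlen > 0:
            severity, reason = "ok", f"{PORT_ROLE[port]} limited to {source}"
        elif port == 9094:
            severity, reason = "high", "unencrypted public listener open to any address"
        else:
            severity, reason = "review", f"{PORT_ROLE[port]} open to any address"
        findings.append((severity, port, str(source), reason))
    return findings

# Constructed sample rules (hypothetical dict layout, not a provider API format).
SAMPLE_RULES = [
    {"direction": "Inbound", "protocol": "TCP", "port": 9094, "source": "0.0.0.0/0"},
    {"direction": "Inbound", "protocol": "TCP", "port": 9095, "source": "203.0.113.0/24"},
    {"direction": "Inbound", "protocol": "TCP", "port": 9011, "source": "198.19.128.0/17"},
    {"direction": "Inbound", "protocol": "TCP", "port": 9999, "source": "0.0.0.0/0"},
    {"direction": "Inbound", "protocol": "TCP", "port": 22, "source": "0.0.0.0/0"},
    {"direction": "Outbound", "protocol": "TCP", "port": 9092, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(*finding, sep="\t")
```

Rules reported as "high" or "review" are candidates for replacing 0.0.0.0/0 with the CIDR blocks of the clients that actually connect, or for moving clients to the SSL ports (9093 and 9095).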