Configuring Kafka Public Access

Updated on 2025-02-14 GMT+08:00

Clients can use IPv4 or IPv6 addresses to access a Kafka instance over a public network.

  • By IPv4: On the Kafka console, enable public access and configure EIPs for the instance.
  • By IPv6: Enable IPv6 during Kafka instance creation and add IPv6 addresses to the shared bandwidth to support both private and public IPv6 access.

On the Kafka console, the procedures for configuring public IPv4 access vary depending on the content displayed in the Connection area on the Basic Information page.

Notes and Constraints

Kafka instances only support IPv4 EIPs. IPv6 EIPs are not supported.

Prerequisites

  • You can change the public access setting only when the Kafka instance is in the Running state.
  • (Optional) To access a Kafka instance using IPv6 addresses, ensure that IPv6 is enabled for the Kafka instance.

Enabling Public IPv4 Access (SASL Cannot Be Changed)

  1. Log in to the console.
  2. Click in the upper left corner to select the region where your instance is located.
  3. Click and choose Middleware > Distributed Message Service (for Kafka) to open the console of DMS for Kafka.
  4. In the navigation pane, choose Kafka Instances.
  5. Click a Kafka instance to go to the Basic Information page.
  6. Click next to Public Access to enable public access. For Elastic IP Address, select an EIP for each broker.

    If there are not enough EIPs, do the following:

    1. Click Create Elastic IP to go to the Buy EIP page and purchase EIPs. For details, see Assigning an EIP.
    2. After the purchase is complete, return to the public access enabling page.
    3. Click after Elastic IP Address, select an EIP for each broker and then click .
    4. You can view the operation progress on the Background Tasks page. If the task status is Successful, the modification has succeeded.
    Figure 1 Enabling public access

    After public access is enabled, configure security group rules listed in Table 1 before attempting to access Kafka. For details about accessing Kafka, see Connecting to an Instance.

    Table 1 Kafka instance security group rules (public IPv4 access)

    | Direction | Protocol | Type | Port | Source | Description |
    |---|---|---|---|---|---|
    | Inbound | TCP | IPv4 | 9094 | IP address or IP address group of the Kafka client | Accessing Kafka over a public network (without SSL) |
    | Inbound | TCP | IPv4 | 9095 | IP address or IP address group of the Kafka client | Accessing Kafka over a public network (with SSL) |

Disabling Public IPv4 Access (SASL Cannot Be Changed)

  1. Log in to the console.
  2. Click in the upper left corner to select the region where your instance is located.
  3. Click and choose Middleware > Distributed Message Service (for Kafka) to open the console of DMS for Kafka.
  4. In the navigation pane, choose Kafka Instances.
  5. Click a Kafka instance to go to the Basic Information page.
  6. Click next to Public Access.

    You can view the operation progress on the Background Tasks page. If the task status is Successful, the modification has succeeded.

    After public access is disabled, configure security group rules listed in Table 2 before attempting to access Kafka in a VPC. For details about accessing Kafka, see Connecting to an Instance.

    Table 2 Kafka instance security group rules (private access)

    | Direction | Protocol | Type | Port | Source | Description |
    |---|---|---|---|---|---|
    | Inbound | TCP | IPv4 | 9092 | IP address or IP address group of the Kafka client | Accessing a Kafka instance over a private network within a VPC (without SSL) |
    | Inbound | TCP | IPv4 | 9093 | IP address or IP address group of the Kafka client | Accessing a Kafka instance over a private network within a VPC (with SSL) |

    NOTE:

    After a security group is created, its default inbound rule allows communication among ECSs within the security group and its default outbound rule allows all outbound traffic. In this case, you can access a Kafka instance within a VPC, and do not need to add rules according to Table 2.

Enabling Public IPv4 Access (Plaintext or Ciphertext Access Can Be Changed)

  1. Log in to the console.
  2. Click in the upper left corner to select the region where your instance is located.
  3. Click and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. In the navigation pane, choose Kafka Instances.
  5. Click a Kafka instance to go to the Basic Information page.
  6. Click next to Public Access to enable public access. For Elastic IP Address, select an EIP for each broker.

    If there are not enough EIPs, do the following:

    1. Click Create Elastic IP to go to the Buy EIP page and purchase EIPs. For details, see Assigning an EIP.
    2. After the purchase is complete, return to the public access enabling page.
    3. Click after Elastic IP Address, select an EIP for each broker and then click . The Background Tasks page is displayed.
    4. If the status of the task turns to Successful, public access is successfully enabled.
    Figure 2 Enabling public access

    After public access is enabled, configure the access mode (plaintext or ciphertext) and security group rules listed in Table 3 before attempting to access Kafka. For details about accessing Kafka, see Connecting to an Instance.

    Table 3 Kafka instance security group rules (public IPv4 access)

    | Direction | Protocol | Type | Port | Source | Description |
    |---|---|---|---|---|---|
    | Inbound | TCP | IPv4 | 9094 | IP address or IP address group of the Kafka client | Public plaintext access to Kafka |
    | Inbound | TCP | IPv4 | 9095 | IP address or IP address group of the Kafka client | Public ciphertext access to Kafka |

Disabling Public IPv4 Access (Plaintext or Ciphertext Access Can Be Changed)

  1. Log in to the console.
  2. Click in the upper left corner to select the region where your instance is located.
  3. Click and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. In the navigation pane, choose Kafka Instances.
  5. Click a Kafka instance to go to the Basic Information page.
  6. Before disabling public access, disable Plaintext Access and Ciphertext Access next to Public Network Access. Then click next to Public Access.
  7. Click OK. The Background Tasks page is displayed. If the status of the task turns to Successful, public access is successfully disabled.

    After public access is disabled, configure security group rules listed in Table 4 before attempting to access Kafka in a VPC. For details about accessing Kafka, see Connecting to an Instance.
    NOTE:

    After a security group is created, its default inbound rule allows communication among ECSs within the security group and its default outbound rule allows all outbound traffic. In this case, you can access a Kafka instance within a VPC, and do not need to add rules according to Table 4.

    Table 4 Kafka instance security group rules (private access)

    | Direction | Protocol | Type | Port | Source | Description |
    |---|---|---|---|---|---|
    | Inbound | TCP | IPv4 | 9092 | IP address or IP address group of the Kafka client | Accessing a Kafka instance over a private network within a VPC (in plaintext) |
    | Inbound | TCP | IPv4 | 9093 | IP address or IP address group of the Kafka client | Accessing a Kafka instance over a private network within a VPC (in ciphertext) |

Enabling IPv6 Public Network Access

  1. Log in to the console.
  2. Click in the upper left corner to select the region where your instance is located.
  3. Click and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. In the navigation pane, choose Kafka Instances.
  5. Click a Kafka instance to go to the Basic Information page.
  6. In the Connection area, obtain IPv6 Instance Address (Private Network). In the Network area, view and record the VPC and subnet.

    Figure 3 Instance details page

  7. Click in the upper left corner of the management console and choose Network > Elastic IP. The EIPs page is displayed.
  8. Choose Shared Bandwidths in the navigation pane.
  9. Apply for a shared bandwidth. For details, see Assigning a Shared Bandwidth.

    If a shared bandwidth already exists, you do not need to apply for one again.

  10. In the row containing the shared bandwidth, click Add Public IP Address.
  11. Set the parameters as described in Table 5 and click OK.

    Table 5 Adding public IP parameters

    | Parameter | Description |
    |---|---|
    | Public IP Address | Select IPv6 Address. |
    | VPC | Select the VPC in step 6 from the drop-down list. |
    | Subnet | Select the subnet in step 6 from the drop-down list. Select all IPv6 addresses in step 6. |

    Figure 4 Adding public IPs

  12. After the shared bandwidth is configured, set a Kafka instance security group with the rules described in Table 6.

    Table 6 Kafka instance security group rules (IPv6 access)

    | Direction | Protocol | Type | Port | Source | Description |
    |---|---|---|---|---|---|
    | Inbound | TCP | IPv6 | 9192 | ::/0 | Accessing a Kafka instance using IPv6 addresses (without SSL encryption) |
    | Inbound | TCP | IPv6 | 9193 | ::/0 | Accessing a Kafka instance using IPv6 addresses (with SSL encryption) |

    When a client is connected to a Kafka instance over an IPv6 public network:

    • The Kafka connection addresses are the IPv6 addresses in Instance Address (Private Network).
    • The client NIC must be added to a shared bandwidth. A shared bandwidth uses a connected network. The shared bandwidth of the client NIC and that of the Kafka instance can be different.

Disabling IPv6 Public Access

Remove the IPv6 addresses of a Kafka instance from the shared bandwidth. For details, see Removing EIPs from a Shared Bandwidth.
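
The port tables above can be turned into a review check on a security group's inbound rules, reporting Kafka ports whose source is wider than the client addresses and plaintext ports allowed on a public path. This is an added example, not Huawei Cloud code: the rule field names, the `audit_rules` helper and the 256-address threshold are assumptions, and the sample rules are constructed.

```python
import ipaddress

# Port roles from Tables 1-6 on this page: port -> (IP version, public path, encrypted).
KAFKA_PORTS = {
    9092: (4, False, False), 9093: (4, False, True),   # private access in a VPC
    9094: (4, True, False),  9095: (4, True, True),    # public IPv4 access via EIPs
    9192: (6, True, False),  9193: (6, True, True),    # IPv6 access (Table 6)
}

def parse_ports(spec):
    """'9094', '9092-9095' or '' (all ports) -> inclusive (low, high)."""
    if not spec:
        return 1, 65535
    low, _, high = str(spec).partition("-")
    return int(low), int(high or low)

def audit_rules(rules, max_addresses=256):
    """Return sorted (port, issue) findings for inbound rules that reach Kafka ports."""
    findings = set()
    for rule in rules:
        if rule["direction"] != "inbound" or rule["protocol"] not in ("tcp", "all"):
            continue
        low, high = parse_ports(rule.get("ports", ""))
        source = ipaddress.ip_network(rule["source"], strict=False)
        for port, (version, public, encrypted) in KAFKA_PORTS.items():
            # Skip ports outside the rule's range or of the other address family.
            if not low <= port <= high or source.version != version:
                continue
            if source.prefixlen == 0:
                findings.add((port, "open to any source"))
            elif source.num_addresses > max_addresses:
                findings.add((port, "source wider than a client address group"))
            if public and not encrypted:
                findings.add((port, "plaintext port allowed on a public path"))
    return sorted(findings)

# Constructed sample rules; the field names are hypothetical, not a Huawei Cloud schema.
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "ports": "9095", "source": "203.0.113.10/32"},
    {"direction": "inbound", "protocol": "tcp", "ports": "9092-9095", "source": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "ports": "9192", "source": "::/0"},
    {"direction": "outbound", "protocol": "tcp", "ports": "", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for port, issue in audit_rules(SAMPLE_RULES):
        print(f"port {port}: {issue}")
```

Table 6 lists ::/0 as the source for ports 9192 and 9193, so rules copied from it are reported as open to any source and can be reviewed against the actual client addresses.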
