Updated on 2024-05-24 GMT+08:00

Configuring Kafka Public Access

To access a Kafka instance over a public network, enable public access and configure EIPs for the instance.

If you no longer need public access to the instance, you can disable it as required.

On the Kafka console, the procedures for enabling and disabling public access vary depending on the content displayed in the Connection area on the Basic Information page.

If your instance is in one of the following regions, refer to Enabling Public Access (SASL Cannot Be Changed) and Disabling Public Access (SASL Cannot Be Changed). Otherwise, refer to Enabling Public Access (Plaintext or Ciphertext Access Can Be Changed) and Disabling Public Access (Plain- or Ciphertext Can Be Changed).

  • CN North-Beijing1
  • ME-Riyadh
  • LA-Sao Paulo1
  • LA-Santiago

Prerequisites

  • You can change the public access setting only when the Kafka instance is in the Running state.
  • Kafka instances only support IPv4 EIPs. IPv6 EIPs are not supported.

Enabling Public Access (SASL Cannot Be Changed)

  1. Log in to the console.
  2. Click the icon in the upper left corner to select a region.

    Select the region where your Kafka instance is located.

  3. Click the service list icon and choose Middleware > Distributed Message Service (for Kafka) to open the console of DMS for Kafka.
  4. Click a Kafka instance to go to the Basic Information page.
  5. Click the toggle next to Public Access to enable public access. For Elastic IP Address, select an EIP for each broker and then click the confirm icon.

    You can view the operation progress on the Background Tasks page. If the task status is Successful, the modification has succeeded.

    Figure 1 Enabling public access

    After public access is enabled, configure security group rules listed in Table 1 before attempting to access Kafka. For details about accessing Kafka, see Connecting to an Instance.

    Table 1 Security group rules (public network access)

    | Direction | Protocol | Port | Source | Description |
    |-----------|----------|------|-----------|-------------|
    | Inbound | TCP | 9094 | 0.0.0.0/0 | Access Kafka through the public network (without SSL encryption). |
    | Inbound | TCP | 9095 | 0.0.0.0/0 | Access Kafka through the public network (with SSL encryption). |

Disabling Public Access (SASL Cannot Be Changed)

  1. Log in to the console.
  2. Click the icon in the upper left corner to select a region.

    Select the region where your Kafka instance is located.

  3. Click the service list icon and choose Middleware > Distributed Message Service (for Kafka) to open the console of DMS for Kafka.
  4. Click a Kafka instance to go to the Basic Information page.
  5. Click the toggle next to Public Access.

    You can view the operation progress on the Background Tasks page. If the task status is Successful, the modification has succeeded.

    After public access is disabled, configure security group rules listed in Table 2 before attempting to access Kafka in a VPC. For details about accessing Kafka, see Connecting to an Instance.

    Table 2 Security group rules (private network access)

    | Direction | Protocol | Port | Source | Description |
    |-----------|----------|------|-----------|-------------|
    | Inbound | TCP | 9092 | 0.0.0.0/0 | Access a Kafka instance within a VPC (without SSL encryption). |
    | Inbound | TCP | 9093 | 0.0.0.0/0 | Access a Kafka instance within a VPC (with SSL encryption). |

    After a security group is created, its default inbound rule allows communication among ECSs within the security group and its default outbound rule allows all outbound traffic. In this case, you can access a Kafka instance within a VPC, and do not need to add rules according to Table 2.

Enabling Public Access (Plaintext or Ciphertext Access Can Be Changed)

  1. Log in to the console.
  2. Click the icon in the upper left corner to select a region.

    Select the region where your Kafka instance is located.

  3. Click the service list icon and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. Click a Kafka instance to go to the Basic Information page.
  5. Click the toggle next to Public Network Access to enable public access. For Elastic IP Address, select an EIP for each broker and then click the confirm icon to go to the Background Tasks page. If the task status changes to Successful, public access has been enabled.

    Figure 2 Enabling public access

    After public access is enabled, configure the access mode (plaintext or ciphertext) and security group rules listed in Table 3 before attempting to access Kafka. For details about accessing Kafka, see Connecting to an Instance.

    Table 3 Security group rules

    | Direction | Protocol | Port | Source | Description |
    |-----------|----------|------|-----------|-------------|
    | Inbound | TCP | 9094 | 0.0.0.0/0 | Access Kafka through the public network (without SSL encryption). |
    | Inbound | TCP | 9095 | 0.0.0.0/0 | Access Kafka through the public network (with SSL encryption). |

Disabling Public Access (Plain- or Ciphertext Can Be Changed)

  1. Log in to the console.
  2. Click the icon in the upper left corner to select a region.

    Select the region where your Kafka instance is located.

  3. Click the service list icon and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. Click a Kafka instance to go to the Basic Information page.
  5. Before disabling public access, disable Plaintext Access and Ciphertext Access next to Public Network Access. Then click the toggle next to Public Network Access. A confirmation dialog box is displayed.
  6. Click OK. The Background Tasks page is displayed. If the task status changes to Successful, public access has been disabled.

    After public access is disabled, configure security group rules listed in Table 4 before attempting to access Kafka in a VPC. For details about accessing Kafka, see Connecting to an Instance.

    Table 4 Security group rules (private network access)

    | Direction | Protocol | Port | Source | Description |
    |-----------|----------|------|-----------|-------------|
    | Inbound | TCP | 9092 | 0.0.0.0/0 | Access a Kafka instance within a VPC (without SSL encryption). |
    | Inbound | TCP | 9093 | 0.0.0.0/0 | Access a Kafka instance within a VPC (with SSL encryption). |

    After a security group is created, its default inbound rule allows communication among ECSs within the security group and its default outbound rule allows all outbound traffic. In this case, you can access a Kafka instance within a VPC, and do not need to add rules according to Table 4.
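
A check for the security group rules in Tables 1 to 4, as an added example that is not part of the original documentation: it flags inbound TCP rules that expose Kafka ports to sources outside an allowlist (plaintext ports 9092 and 9094 as HIGH, SSL ports as REVIEW) and public-port rules left in place after public access is disabled. The rule field names, the severity labels and the sample CIDRs are assumptions made for this example.

```python
import ipaddress

# Port roles as listed in Tables 1-4 of this page: (network, uses SSL).
KAFKA_PORTS = {9092: ("private", False), 9093: ("private", True),
               9094: ("public", False), 9095: ("public", True)}

def parse_ports(spec):
    """'9094' -> (9094, 9094); '9000-9100' -> (9000, 9100)."""
    low, _, high = str(spec).partition("-")
    return int(low), int(high or low)

def audit_rules(rules, trusted_cidrs, public_access_enabled):
    """Return sorted (severity, port, source) findings for inbound TCP rules."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = set()
    for rule in rules:
        if rule["direction"] != "inbound" or rule["protocol"].lower() != "tcp":
            continue
        low, high = parse_ports(rule["ports"])
        src = ipaddress.ip_network(rule["source"])
        # A source counts as trusted only if it lies wholly inside an allowlisted range.
        inside = any(src.version == t.version and src.subnet_of(t) for t in trusted)
        for port, (network, ssl) in KAFKA_PORTS.items():
            if not low <= port <= high:
                continue  # rule (single port or range) does not cover this port
            if network == "public" and not public_access_enabled:
                # Public port still open although public access is off.
                findings.add(("STALE", port, rule["source"]))
            elif not inside:
                findings.add(("REVIEW" if ssl else "HIGH", port, rule["source"]))
    return sorted(findings)

# Constructed sample rules; the field names are hypothetical, not a real API schema.
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "TCP", "ports": "9094", "source": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "TCP", "ports": "9095", "source": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "TCP", "ports": "9000-9093", "source": "10.0.0.0/16"},
    {"direction": "outbound", "protocol": "TCP", "ports": "1-65535", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    # Assumed allowlist: the VPC range plus one known client range (documentation CIDR).
    for finding in audit_rules(SAMPLE_RULES, ["10.0.0.0/8", "203.0.113.0/24"], True):
        print(finding)
```

Port ranges are expanded against the four Kafka ports, so a broad rule such as 9090-9100 is reported once per port it covers.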