Updated on 2024-10-10 GMT+08:00

Accessing Kafka in a Public Network Using DNAT

Enable public access in either of the following ways:

  • On the Kafka console, access Kafka instances using EIPs. For details, see Configuring Kafka Public Access.
  • Configure port mapping from EIPs to specified instance ports using destination NAT (DNAT).

This section describes how to access Kafka over a public network using DNAT.

Prerequisites

You have purchased as many EIPs as there are brokers in the Kafka instance. For details about how to purchase an EIP, see Assigning an EIP.

Step 1: Obtain Information About the Kafka Instance

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    Select the region where your Kafka instance is located.

  3. Click in the upper left corner and choose Middleware > Distributed Message Service (for Kafka) to open the console of DMS for Kafka.
  4. Click the desired Kafka instance to view its details.
  5. In the Connection area on the Basic Information tab page, view and record the private network access addresses of the Kafka instance. In the Network area, view and record the VPC and subnet where the Kafka instance is located.

    Figure 1 Kafka instance information

Step 2: Buy a Public NAT Gateway

  1. Click in the upper left corner of the management console and choose Network > NAT Gateway. The Public NAT Gateways page is displayed.
  2. Click Buy Public NAT Gateway.
  3. Set the following parameters:

    • Region: Select the region that the Kafka instance is in.
    • Name: Enter a name for the public NAT gateway.
    • VPC: Select the VPC recorded in substep 5 of Step 1.
    • Subnet: Select the subnet recorded in substep 5 of Step 1.
    • Enterprise Project: Select an enterprise project as required.

    Set other parameters as required. For details, see Buying a Public NAT Gateway.

    Figure 2 Buying a public NAT gateway

  4. Click Next.
  5. Confirm the specifications and click Submit.

Step 3: Add a DNAT Rule

  1. On the Public NAT Gateways page, locate the row containing the newly purchased public NAT gateway and click Configure Rules in the Operation column.
  2. On the DNAT Rules tab page, click Add DNAT Rule.

    Figure 3 Public NAT gateway details

  3. Set the following parameters:

    • Scenario: Select VPC.
    • Port Type: Select Specific port.
    • Protocol: Select TCP.
    • Public IP Address Type: Select EIP and select an EIP.
    • Outside Port: Enter 9011.
    • Instance Type: Select Custom.
    • Private IP Address: Enter one of the private network addresses of the Kafka instance recorded in substep 5 of Step 1.
    • Inside Port: Enter 9011.

    For details about more parameters, see Adding a DNAT Rule.

    Figure 4 Adding a DNAT rule

  4. Click OK.

    View the DNAT rule status in the DNAT rule list. If Status is Running, the rule has been added successfully.

  5. Create DNAT rules for the other private network addresses of the Kafka instance recorded in substep 5 of Step 1. Configure a unique EIP for each DNAT rule.

    For details about how to create a DNAT rule, see substeps 2 to 4 of this step.

  6. After all DNAT rules are created, click the DNAT Rules tab to view the created DNAT rules and record the EIPs corresponding to the private IP addresses.

    Figure 5 DNAT rule list

Step 4: Map EIPs to Port 9011 of Private IP Addresses

  1. Click in the upper left corner and choose Middleware > Distributed Message Service (for Kafka) to open the console of DMS for Kafka.
  2. Click the desired Kafka instance to view its details.
  3. In the Advanced Settings section on the Basic Information tab page, click Modify next to Cross-VPC Access.
  4. Change the values of advertised.listeners IP Address/Domain Name to the EIPs in the DNAT rules. Ensure that the mapping between the private network addresses and the EIPs is consistent with that recorded in substep 6 of Step 3. Then click Save.

    Figure 6 Changing the advertised.listeners IP address (for DNAT access)

Step 5: Verify Connectivity

Check whether messages can be created and retrieved by referring to Connecting to Kafka Using the Client (SASL Disabled) or Connecting to Kafka Using the Client (SASL Enabled).

Notes:

  • The address for connecting to a Kafka instance is in the format of "advertised.listeners IP:9011". For example, the addresses for connecting to the Kafka instance shown in Figure 6 are 124.xxx.xxx.167:9011,124.xxx.xxx.174:9011,124.xxx.xxx.57:9011.
  • Configure security group rules for the Kafka instance to allow inbound access over port 9011.
  • Public access must be enabled on the client connected to the Kafka instance.
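
The consistency requirement in Step 4 and the address format in the notes above can be checked offline before the connection string is handed to clients. The following Python script is an added example, not part of the original documentation; the function names and the sample addresses (RFC 1918 and documentation-range values) are constructed for illustration.

```python
KAFKA_PORT = 9011  # Outside Port and Inside Port used in Step 3

def check_dnat_mapping(brokers, dnat_rules, advertised):
    """Return a list of problems; an empty list means the records agree.
    brokers    -- private addresses recorded in Step 1
    dnat_rules -- dicts with eip, protocol, outside_port, private_ip, inside_port
    advertised -- private address -> advertised.listeners value set in Step 4
    """
    problems = []
    eip_for = {}        # private address -> EIP taken from the DNAT rules
    used_eips = set()
    for rule in dnat_rules:
        eip, priv = rule["eip"], rule["private_ip"]
        if rule["protocol"].upper() != "TCP":
            problems.append(f"{eip}: protocol is {rule['protocol']}, expected TCP")
        if (rule["outside_port"], rule["inside_port"]) != (KAFKA_PORT, KAFKA_PORT):
            problems.append(f"{eip}: ports must both be {KAFKA_PORT}")
        if priv not in brokers:
            problems.append(f"{eip}: {priv} is not a broker address")
        if eip in used_eips:
            problems.append(f"{eip}: EIP reused; each rule needs a unique EIP")
        if priv in eip_for:
            problems.append(f"{priv}: more than one DNAT rule")
        used_eips.add(eip)
        eip_for.setdefault(priv, eip)
    for priv in brokers:
        if priv not in eip_for:
            problems.append(f"{priv}: no DNAT rule")
        elif advertised.get(priv) != eip_for[priv]:
            problems.append(f"{priv}: advertised.listeners is {advertised.get(priv)}, "
                            f"DNAT rule maps it to {eip_for[priv]}")
    return problems

def bootstrap_servers(brokers, advertised):
    """Client connection string in the 'advertised.listeners IP:9011' format."""
    return ",".join(f"{advertised[b]}:{KAFKA_PORT}" for b in brokers)

# Constructed sample values (RFC 1918 and documentation-range addresses).
BROKERS = ["192.168.0.10", "192.168.0.11", "192.168.0.12"]
RULES = [{"eip": f"203.0.113.{n}", "protocol": "TCP", "outside_port": 9011,
          "private_ip": f"192.168.0.{n}", "inside_port": 9011} for n in (10, 11, 12)]
GOOD = {r["private_ip"]: r["eip"] for r in RULES}
# Failure mode: two advertised.listeners values entered in swapped order.
SWAPPED = {**GOOD, "192.168.0.10": "203.0.113.11", "192.168.0.11": "203.0.113.10"}

if __name__ == "__main__":
    print(check_dnat_mapping(BROKERS, RULES, GOOD) or "mapping consistent")
    print(bootstrap_servers(BROKERS, GOOD))
    print(check_dnat_mapping(BROKERS, RULES, SWAPPED))
```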