Updated on 2024-10-25 GMT+08:00

Kafka Network Connection Conditions

A client can connect to a Kafka instance over a public or private network. Note the following before using a private network:

  • By default, a client and a Kafka instance can communicate with each other when they are deployed in the same VPC.
  • If they are in different VPCs, you need to interconnect them, because VPCs are isolated from each other.

Table 1 lists the ways a client can access a Kafka instance.

Table 1 Access modes

| Mode | How To Do | Reference |
|---|---|---|
| Public access | • To access a Kafka instance on a client using IPv4 addresses: Enable public access on the Kafka console and configure elastic IPs (EIPs). A client can connect to the Kafka instance through the EIPs.<br>• To access a Kafka instance on a client using IPv6 addresses: Enable IPv6 on the Kafka console and add the IPv6 addresses into the shared bandwidth. A client can connect to the Kafka instance over a public network. | Configuring Kafka Public Access |
| Public access | Configure port mapping using DNAT. The client can connect to the Kafka instance in a public network. | Accessing Kafka in a Public Network Using DNAT |
| Private access | A client and a Kafka instance are interconnected when they are deployed in a VPC. | - |
| Private access | When a client and a Kafka instance are deployed in different VPCs of the same region, connect the client and the Kafka instance across VPCs using a VPC endpoint. | Accessing Kafka Using a VPC Endpoint Across VPCs |
| Private access | When a client and a Kafka instance are deployed in different VPCs of the same region, interconnect two VPCs using a VPC peering connection. | VPC Peering Connection |

Before accessing a Kafka instance from a client, configure the following rules in the security group of the instance.

After a security group is created, its default inbound rule allows communication among ECSs within the security group and its default outbound rule allows all outbound traffic. In this case, you can access a Kafka instance within a VPC, and do not need to add rules according to Table 2.

Table 2 Security group rules

| Direction | Protocol | Type | Port | Source | Description |
|---|---|---|---|---|---|
| Inbound | TCP | IPv4 | 9094 | IP address or IP address group of the Kafka client | Accessing a Kafka instance over a public network (in plaintext) |
| Inbound | TCP | IPv4 | 9092 | IP address or IP address group of the Kafka client | • Accessing a Kafka instance over a private network within a VPC (in plaintext)<br>• Accessing a Kafka instance using a peering connection across VPCs (in plaintext) |
| Inbound | TCP | IPv6 | 9192 | IP address or IP address group of the Kafka client | Accessing a Kafka instance using IPv6 addresses (without SSL) (private or public network) |
| Inbound | TCP | IPv4 | 9095 | IP address or IP address group of the Kafka client | Accessing a Kafka instance over a public network (in ciphertext) |
| Inbound | TCP | IPv4 | 9093 | IP address or IP address group of the Kafka client | • Accessing a Kafka instance over a private network within a VPC (in ciphertext)<br>• Accessing a Kafka instance using a peering connection across VPCs (in ciphertext) |
| Inbound | TCP | IPv6 | 9193 | IP address or IP address group of the Kafka client | Accessing a Kafka instance using IPv6 addresses (with SSL) (private or public network) |
| Inbound | TCP | IPv4 | 9011 | 198.19.128.0/17 | Accessing a Kafka instance using a VPC endpoint across VPCs (in cipher- or plaintext) |
| Inbound | TCP | IPv4 | 9011 | IP address or IP address group of the Kafka client | Accessing a Kafka instance using DNAT (in cipher- or plaintext) |
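
The following Python check is an added example, not part of the original documentation or any vendor tooling. It audits inbound rules against the ports and sources in Table 2, flagging Kafka ports opened to any address and rules whose address family differs from the Type column. The rule dictionary schema, the finding codes, and the sample rules are assumptions made for illustration.

```python
import ipaddress

# Transcribed from Table 2: port -> (address family, transport)
KAFKA_PORTS = {
    9092: (4, "plaintext"),             # private network or VPC peering
    9093: (4, "ciphertext"),            # private network or VPC peering
    9094: (4, "plaintext"),             # public network
    9095: (4, "ciphertext"),            # public network
    9192: (6, "plaintext"),             # IPv6, private or public network
    9193: (6, "ciphertext"),            # IPv6, private or public network
    9011: (4, "cipher- or plaintext"),  # VPC endpoint or DNAT
}


def audit_rule(rule):
    """Check one inbound rule (hypothetical dict schema) against Table 2.

    Returns a sorted list of (port, finding_code) tuples; an empty list
    means the rule does not deviate from the table.
    """
    if rule["direction"] != "inbound" or rule["protocol"] != "tcp":
        return []
    src = ipaddress.ip_network(rule["source"], strict=False)
    findings = []
    for port, (family, transport) in KAFKA_PORTS.items():
        if not rule["port_min"] <= port <= rule["port_max"]:
            continue  # rule does not cover this Kafka port
        if src.prefixlen == 0:
            # Table 2 expects the Kafka client's address or address group, not "any".
            code = "PLAINTEXT_ANY_SOURCE" if transport == "plaintext" else "ANY_SOURCE"
            findings.append((port, code))
        if src.version != family:
            # Source address family differs from the Type column for this port.
            findings.append((port, "FAMILY_MISMATCH"))
    return sorted(findings)


# Constructed sample rules, not taken from any real security group.
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "port_min": 9093, "port_max": 9093, "source": "192.0.2.10/32"},
    {"direction": "inbound", "protocol": "tcp", "port_min": 9094, "port_max": 9095, "source": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "port_min": 9011, "port_max": 9011, "source": "198.19.128.0/17"},
    {"direction": "inbound", "protocol": "tcp", "port_min": 1, "port_max": 65535, "source": "::/0"},
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r["source"], r["port_min"], r["port_max"], audit_rule(r) or "matches Table 2")
```

A wide port range such as 1-65535 is evaluated against every Kafka port it covers, so an overly broad rule shows up once per exposed listener.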