Accessing Kafka in a Public Network Using DNAT
Enable public access in either of the following ways:
- On the Kafka console, access Kafka instances using EIPs. For details, see Configuring Kafka Public Access.
- Configure port mapping from EIPs to specified instance ports using destination NAT (DNAT).
This section describes how to access Kafka over a public network using DNAT.
Prerequisites
You have purchased EIPs of a quantity equal to the number of brokers in the Kafka instance. For details about how to purchase an EIP, see Assigning an EIP.
Step 1: Obtain Information About the Kafka Instance
- Log in to the Kafka console.
- Click the icon in the upper left corner to select the region where your instance is located.
- Click the desired instance to go to the instance details page.
- In the Connection area on the Overview page, view and record the private network access addresses of the Kafka instance. In the Network area, view and record the VPC and subnet where the Kafka instance is located.
Figure 1 Kafka instance information
Step 2: Buy a Public NAT Gateway
- Click the icon in the upper left corner of the management console and choose Network > NAT Gateway. The Public NAT Gateways page is displayed.
- Click Buy Public NAT Gateway.
- Set parameters by referring to Table 1 and other parameters as required. For details, see Buying a Public NAT Gateway.
Figure 2 Buying a public NAT gateway
Table 1 Public NAT gateway creation parameters

| Parameter | Description |
| --- | --- |
| Region | Region where the public NAT gateway is located. Select the region that the Kafka instance is in. |
| Name | Enter a name for the public NAT gateway. Enter up to 64 characters. Only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed. |
| VPC | VPC where the public NAT gateway resides. Select the VPC recorded in Step 1. |
| Subnet | Subnet in the VPC where the public NAT gateway resides. Select the subnet recorded in Step 1. |
| Enterprise Project | Enterprise project that the public NAT gateway belongs to. Select as required. |
- Click Next.
- Confirm the specifications. If you have selected the yearly/monthly billing mode, click Pay Now and make the payment as prompted. If you have selected the pay-per-use mode, click Submit.
Step 3: Add a DNAT Rule
- On the Public NAT Gateways page, locate the row containing the newly purchased public NAT gateway and click Configure Rules in the Operation column.
- On the DNAT Rules tab page, click Add DNAT Rule.
Figure 3 Public NAT gateway details
- Set parameters by referring to Table 2. For details about more parameters, see Adding a DNAT Rule.
Figure 4 Adding a DNAT rule
Table 2 Adding a DNAT rule

| Parameter | Description |
| --- | --- |
| Scenario | Select VPC. The servers in a VPC will share an EIP to provide services accessible from the Internet through the DNAT rule. |
| Port Type | Select Specific port. The public NAT gateway forwards requests to your servers only from the outside port and to the inside port configured here, and only if they use the right protocol. |
| Protocol | Select TCP. |
| Public IP Address Type | The type of the public IP address used for accessing the Internet. Select EIP and select the purchased EIP from the drop-down list. |
| Outside Port | Enter 9011. |
| Instance Type | Instance type for providing services over external public networks. Select Custom. |
| Private IP Address | Enter one of the private network addresses of the Kafka instance recorded in Step 1. |
| Inside Port | Enter 9011. |
- Click OK.
View the DNAT rule status in the DNAT rule list. If Status is Running, the rule has been added successfully.
- Create DNAT rules for the other private network addresses of the Kafka instance recorded in Step 1. Configure a unique EIP for each DNAT rule.
- After all DNAT rules are created, click the DNAT Rules tab to view the created DNAT rules and record the EIPs corresponding to the private IP addresses.
Figure 5 DNAT rule list
Step 4: Map EIPs to Port 9011 of Private IP Addresses
- Click the icon in the upper left corner and choose Middleware > Distributed Message Service (for Kafka) to open the Kafka overview page.
- In the navigation pane, choose Kafka Instances.
- Click the desired Kafka instance to view its details.
- In the Advanced Settings area on the Overview page, click Modify.
- Change the values of advertised.listeners IP Address/Domain Name to the EIPs in the DNAT rules. Ensure that the mapping between the private network addresses and the EIPs is consistent with that recorded in Step 3. Then click Save.
Step 5: Verify Connectivity
Check whether messages can be created and retrieved by referring to Connecting to Kafka Using the Client (Plaintext Access) or Connecting to Kafka Using the Client (Ciphertext Access).
Notes:
- The address for connecting to a Kafka instance is in the format of "advertised.listeners IP:9011". For example, the addresses for connecting to the Kafka instance shown in Figure 6 are 124.xxx.xxx.167:9011,124.xxx.xxx.174:9011,124.xxx.xxx.57:9011.
- Configure security group rules for the Kafka instance to allow inbound access over port 9011.
- Public access must be enabled on the client connected to the Kafka instance.
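The following check is an added example, not part of the original procedure or the service's tooling. It validates a recorded set of DNAT rules against Steps 3 and 4 (one rule per broker, a unique EIP per rule, TCP, port 9011 on both sides), compares them with the advertised.listeners values, and builds the client connection address. The function names, the rule dictionary layout, and all IP addresses are constructed for illustration.

```python
KAFKA_PORT = 9011  # the page uses 9011 for both Outside Port and Inside Port


def check_dnat_plan(brokers, rules):
    """Return (problems, mapping); mapping is broker private IP -> EIP."""
    problems, mapping, eip_owner = [], {}, {}
    for r in rules:
        priv, eip = r["private_ip"], r["eip"]
        if priv not in brokers:
            problems.append(f"{eip}: forwards to {priv}, not a broker address")
            continue
        if r["protocol"].upper() != "TCP":
            problems.append(f"{eip}: protocol must be TCP")
        if (r["outside_port"], r["inside_port"]) != (KAFKA_PORT, KAFKA_PORT):
            problems.append(f"{eip}: outside and inside port must be {KAFKA_PORT}")
        if eip in eip_owner:
            problems.append(f"{eip}: already used for {eip_owner[eip]}; one EIP per rule")
        if priv in mapping:
            problems.append(f"{priv}: more than one DNAT rule")
        eip_owner.setdefault(eip, priv)
        mapping.setdefault(priv, eip)
    problems += [f"{b}: no DNAT rule" for b in brokers if b not in mapping]
    return problems, mapping


def check_advertised(mapping, advertised):
    """Compare advertised.listeners (private IP -> advertised IP) with the rules."""
    return [f"{priv}: advertised {advertised.get(priv)}, DNAT rule uses {eip}"
            for priv, eip in mapping.items() if advertised.get(priv) != eip]


def bootstrap_servers(brokers, mapping):
    """Client address list in the "advertised.listeners IP:9011" format."""
    return ",".join(f"{mapping[b]}:{KAFKA_PORT}" for b in brokers)


# Constructed sample values: RFC 1918 broker addresses, RFC 5737 stand-ins for EIPs.
BROKERS = ["192.168.0.11", "192.168.0.12", "192.168.0.13"]
EIPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
RULES = [{"eip": e, "protocol": "TCP", "outside_port": 9011,
          "private_ip": b, "inside_port": 9011} for b, e in zip(BROKERS, EIPS)]

if __name__ == "__main__":
    problems, mapping = check_dnat_plan(BROKERS, RULES)
    print(problems or "DNAT plan OK")
    print(bootstrap_servers(BROKERS, mapping))
```

A mismatch reported by check_advertised means a client would be redirected to an address that does not forward to the broker that advertised it.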