How Do I Select and Configure a Security Group?

Kafka instances can be accessed within a VPC, across VPCs, through DNAT, or over public networks. Before accessing a Kafka instance, configure a security group.

Intra-VPC Access

Check whether the client and instance use the same security group.

If they use the same security group, check whether the security group has the default inbound rule that allows communication among ECSs within the security group and the default outbound rule that allows all outbound traffic. If these rules are available, you do not need to add more rules. If these rules are not available, add rules according to Table 1.

**Table 1** Security group rules
Direction	Protocol	Type	Port	Source	Description
Inbound	TCP	IPv4	9092	0.0.0.0/0	Accessing a Kafka instance over a private network within a VPC (in plaintext)
Inbound	TCP	IPv6	9192	::/0	Accessing a Kafka instance within a VPC (with SSL encryption disabled)
Inbound	TCP	IPv4	9093	0.0.0.0/0	Accessing a Kafka instance over a private network within a VPC (in ciphertext)
Inbound	TCP	IPv6	9193	::/0	Accessing a Kafka instance within a VPC (with SSL encryption enabled)

If they use different security groups, go to 2.

Configure security group rules as follows.

Assume that the security groups of the client and Kafka instance are sg-53d4 and Default_All, respectively. You can specify a security group or IP address as the destination in the following rule. A security group is used as an example.

To ensure that your client can access the Kafka instance, add the following rule to the security group configured for the client:

**Table 2** Security group rule
Direction	Action	Protocol & Port	Destination
Outbound	Allow	All	Default_All

Figure 1 Configuring a security group for the client
Click to enlarge

To ensure that your client can access the Kafka instance, add the following rule to the security group configured for the instance.

**Table 3** Security group rule
Direction	Action	Protocol & Port	Source
Inbound	Allow	All	sg-53d4

Figure 2 Configuring the security group for the Kafka instance
Click to enlarge

Cross-VPC and DNAT-based Instance Access

Configure security group rules according to Table 4.

**Table 4** Security group rules
Direction	Protocol	Port	Source	Description
Inbound	TCP	9011	198.19.128.0/17	Accessing a Kafka instance using a VPC endpoint across VPCs (in cipher- or plaintext)
Inbound	TCP	9011	0.0.0.0/0	Accessing a Kafka instance using DNAT (in cipher- or plaintext)
Inbound	TCP	9092	0.0.0.0/0	Accessing a Kafka instance using a peering connection across VPCs (in plaintext)
Inbound	TCP	9093	0.0.0.0/0	Accessing a Kafka instance using a peering connection across VPCs (in ciphertext)

Public Access

Configure security group rules according to Table 5.

**Table 5** Security group rules
Direction	Protocol	Type	Port	Source	Description
Inbound	TCP	IPv4	9094	0.0.0.0/0	Accessing a Kafka instance over a public network (in plaintext)
Inbound	TCP	IPv4	9095	0.0.0.0/0	Accessing a Kafka instance over a public network (in ciphertext)
Inbound	TCP	IPv6	9192	::/0	Accessing a Kafka instance over a public network (without SSL)
Inbound	TCP	IPv6	9193	::/0	Accessing a Kafka instance over a public network (with SSL)

Parent topic: Connections

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot