A client can connect to a Kafka instance in public or private networks. Notes before using a private network:
Table 1 lists how a client can connect to a Kafka instance.
| Mode | How To Do | Reference |
|---|---|---|
| Public access | Enable public access on the Kafka console and configure elastic IPs (EIPs). The client can connect to the Kafka instance through EIPs. | |
| | Configure port mapping using DNAT. The client can connect to the Kafka instance in a public network. | |
| Private access | A client and a Kafka instance are interconnected when they are deployed in a VPC. | - |
| | When a client and a Kafka instance are deployed in different VPCs of the same region, connect the client and the Kafka instance across VPCs using a VPC endpoint. | |
| | When a client and a Kafka instance are deployed in different VPCs of the same region, interconnect two VPCs using a VPC peering connection. | |
Before connecting a client to a Kafka instance, configure the following security group rules to allow access.
After a security group is created, its default inbound rule allows communication among ECSs within the security group and its default outbound rule allows all outbound traffic. In this case, you can access a Kafka instance within a VPC, and do not need to add rules according to Table 2.
| Direction | Protocol | Port | Source | Description |
|---|---|---|---|---|
| Inbound | TCP | 9094 | 0.0.0.0/0 | Accessing a Kafka instance over a public network (in plaintext) |
| Inbound | TCP | 9092 | 0.0.0.0/0 | |
| Inbound | TCP | 9095 | 0.0.0.0/0 | Accessing a Kafka instance over a public network (in ciphertext) |
| Inbound | TCP | 9093 | 0.0.0.0/0 | |
| Inbound | TCP | 9011 | 198.19.128.0/17 | Accessing a Kafka instance using a VPC endpoint across VPCs (in cipher- or plaintext) |
| Inbound | TCP | 9011 | 0.0.0.0/0 | Accessing a Kafka instance using DNAT (in cipher- or plaintext) |
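
Table 2 uses 0.0.0.0/0 as the source for most ports. The following is an added example, not part of the original documentation, that checks a security group rule set against the ports in Table 2: it reports which Kafka listener ports a given client address can reach and which plaintext-capable ports accept any source. The rule format, `SAMPLE_RULES` and the `audit` function are assumptions made for illustration.

```python
import ipaddress

# Listener ports as described in Table 2 of this page. 9092 and 9093 appear in
# the table without a description, so they are tracked but left unlabelled.
TABLE2 = {
    9094: ("public network", True),        # plaintext
    9095: ("public network", False),       # ciphertext
    9011: ("VPC endpoint or DNAT", True),  # cipher- or plaintext
    9092: (None, None),
    9093: (None, None),
}
ANY_SOURCE = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample rule set (assumption, not taken from the page).
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "port": 9094, "source": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "port": 9095, "source": "203.0.113.0/24"},
    {"direction": "inbound", "protocol": "tcp", "port": 9011, "source": "198.19.128.0/17"},
    {"direction": "inbound", "protocol": "tcp", "port": 22, "source": "0.0.0.0/0"},
]

def audit(rules, client_ip):
    """Return (ports this client can reach, plaintext-capable ports open to any source)."""
    client = ipaddress.ip_address(client_ip)
    reachable, open_plaintext = set(), set()
    for rule in rules:
        if rule["direction"] != "inbound" or rule["protocol"] != "tcp":
            continue
        port = rule["port"]
        if port not in TABLE2:
            continue  # not a Kafka listener port from Table 2
        source = ipaddress.ip_network(rule["source"])
        if client in source:
            reachable.add(port)
        _, may_be_plaintext = TABLE2[port]
        if source == ANY_SOURCE and may_be_plaintext:
            open_plaintext.add(port)
    return sorted(reachable), sorted(open_plaintext)

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.19.130.5"):
        reachable, exposed = audit(SAMPLE_RULES, ip)
        print(ip, "can reach", reachable,
              "| plaintext-capable ports open to any source:", exposed)
```

Replacing a 0.0.0.0/0 source with the CIDR block of the actual clients removes the port from the second list while keeping it reachable for those clients.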