vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/dms/umn/kafka-faq-180604024.html
Chen, Junjie dd8a3a658b DMS UMN Initial Version 
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Chen, Junjie <chenjunjie@huawei.com>
Co-committed-by: Chen, Junjie <chenjunjie@huawei.com>
2022-12-08 00:33:11 +00:00

176 lines
15 KiB
HTML
Raw Permalink Blame History

<a name="kafka-faq-180604024"></a><a name="kafka-faq-180604024"></a>
<h1 class="topictitle1">How Do I Select and Configure a Security Group?</h1>
<div id="body1544148145630"><p id="kafka-faq-180604024__p97741462155">Kafka instances can be accessed within a VPC, across VPCs, through DNAT, or over public networks. Before accessing a Kafka instance, configure a security group.</p>
<div class="section" id="kafka-faq-180604024__section5894512196"><h4 class="sectiontitle">Intra-VPC Access</h4><ol id="kafka-faq-180604024__ol3384101972015"><li id="kafka-faq-180604024__li1638421972015"><span>Check whether the client and instance use the same security group.</span><p><ul id="kafka-faq-180604024__ul11159131519211"><li id="kafka-faq-180604024__li1159181518212">If they use the same security group, check whether the security group has the default inbound rule that allows communication among ECSs within the security group and the default outbound rule that allows all outbound traffic. If these rules are available, you do not need to add more rules. If these rules are not available, add rules according to <a href="#kafka-faq-180604024__table1665584042410">Table 1</a>.
<div class="tablenoborder"><a name="kafka-faq-180604024__table1665584042410"></a><a name="table1665584042410"></a><table cellpadding="4" cellspacing="0" summary="" id="kafka-faq-180604024__table1665584042410" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Security group rules</caption><thead align="left"><tr id="kafka-faq-180604024__row1265554020244"><th align="left" class="cellrowborder" valign="top" width="13.211321132113211%" id="mcps1.3.2.2.1.2.1.1.2.2.6.1.1"><p id="kafka-faq-180604024__p186552040152410">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15.151515151515152%" id="mcps1.3.2.2.1.2.1.1.2.2.6.1.2"><p id="kafka-faq-180604024__p20655194018240">Protocol</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15.151515151515152%" id="mcps1.3.2.2.1.2.1.1.2.2.6.1.3"><p id="kafka-faq-180604024__p11371386014">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="18.02180218021802%" id="mcps1.3.2.2.1.2.1.1.2.2.6.1.4"><p id="kafka-faq-180604024__p1065511403241">Source</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="38.46384638463846%" id="mcps1.3.2.2.1.2.1.1.2.2.6.1.5"><p id="kafka-faq-180604024__p3655174062413">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="kafka-faq-180604024__row1913814381509"><td class="cellrowborder" valign="top" width="13.211321132113211%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.1 "><p id="kafka-faq-180604024__p151381638708">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.2 "><p id="kafka-faq-180604024__p181380381504">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.3 "><p id="kafka-faq-180604024__p1613812384012">9092</p>
</td>
<td class="cellrowborder" valign="top" width="18.02180218021802%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.4 "><p id="kafka-faq-180604024__p1313813810020">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="38.46384638463846%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.5 "><p id="kafka-faq-180604024__p14138113816018">Accessing an instance within a VPC (with SSL encryption disabled)</p>
</td>
</tr>
<tr id="kafka-faq-180604024__row1513814387016"><td class="cellrowborder" valign="top" width="13.211321132113211%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.1 "><p id="kafka-faq-180604024__p1013814384011">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.2 "><p id="kafka-faq-180604024__p413883810013">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.3 "><p id="kafka-faq-180604024__p1513818381009">9093</p>
</td>
<td class="cellrowborder" valign="top" width="18.02180218021802%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.4 "><p id="kafka-faq-180604024__p161387382010">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="38.46384638463846%" headers="mcps1.3.2.2.1.2.1.1.2.2.6.1.5 "><p id="kafka-faq-180604024__p73451549155214">Accessing an instance within a VPC (with SSL encryption enabled)</p>
</td>
</tr>
</tbody>
</table>
</div>
</li><li id="kafka-faq-180604024__li8813117192110">If they use different security groups, go to <a href="#kafka-faq-180604024__li128055103219">2</a>.</li></ul>
</p></li><li id="kafka-faq-180604024__li128055103219"><a name="kafka-faq-180604024__li128055103219"></a><a name="li128055103219"></a><span>Configure security group rules as follows.</span><p><p id="kafka-faq-180604024__p61151243202719">Assume that the security groups of the client and Kafka instance are <strong id="kafka-faq-180604024__b0361181519413">sg-53d4</strong> and <strong id="kafka-faq-180604024__b1934131784116">Default_All</strong>, respectively. You can specify a security group or IP address as the destination in the following rule. A security group is used as an example.</p>
<p id="kafka-faq-180604024__p18985121912151">To ensure that your client can access the Kafka instance, add the following rule to the security group configured for the client:</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="kafka-faq-180604024__table161395381402" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Security group rule</caption><thead align="left"><tr id="kafka-faq-180604024__row17137538605"><th align="left" class="cellrowborder" valign="top" width="28.48%" id="mcps1.3.2.2.2.2.3.2.4.1.1"><p id="kafka-faq-180604024__p6137163812018">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="32.66%" id="mcps1.3.2.2.2.2.3.2.4.1.2"><p id="kafka-faq-180604024__p013711381001">Protocol &amp; Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="38.86%" id="mcps1.3.2.2.2.2.3.2.4.1.3"><p id="kafka-faq-180604024__p213793815012">Destination</p>
</th>
</tr>
</thead>
<tbody><tr id="kafka-faq-180604024__row1313811381103"><td class="cellrowborder" valign="top" width="28.48%" headers="mcps1.3.2.2.2.2.3.2.4.1.1 "><p id="kafka-faq-180604024__p111381838904">Outbound</p>
</td>
<td class="cellrowborder" valign="top" width="32.66%" headers="mcps1.3.2.2.2.2.3.2.4.1.2 "><p id="kafka-faq-180604024__p17138438408">All</p>
</td>
<td class="cellrowborder" valign="top" width="38.86%" headers="mcps1.3.2.2.2.2.3.2.4.1.3 "><p id="kafka-faq-180604024__p1713814385015">Default_All</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="kafka-faq-180604024__p898671911157">To ensure that your client can access the Kafka instance, add the following rule to the security group configured for the instance.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="kafka-faq-180604024__table6419122553" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Security group rule</caption><thead align="left"><tr id="kafka-faq-180604024__row142017210513"><th align="left" class="cellrowborder" valign="top" width="28.48%" id="mcps1.3.2.2.2.2.5.2.4.1.1"><p id="kafka-faq-180604024__p12420132258">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="32.66%" id="mcps1.3.2.2.2.2.5.2.4.1.2"><p id="kafka-faq-180604024__p34201621513">Protocol &amp; Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="38.86%" id="mcps1.3.2.2.2.2.5.2.4.1.3"><p id="kafka-faq-180604024__p11420142154">Source</p>
</th>
</tr>
</thead>
<tbody><tr id="kafka-faq-180604024__row1420021514"><td class="cellrowborder" valign="top" width="28.48%" headers="mcps1.3.2.2.2.2.5.2.4.1.1 "><p id="kafka-faq-180604024__p5420224519">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="32.66%" headers="mcps1.3.2.2.2.2.5.2.4.1.2 "><p id="kafka-faq-180604024__p10420162158">All</p>
</td>
<td class="cellrowborder" valign="top" width="38.86%" headers="mcps1.3.2.2.2.2.5.2.4.1.3 "><p id="kafka-faq-180604024__p194201217511">sg-53d4</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li></ol>
</div>
<div class="section" id="kafka-faq-180604024__section147170137196"><h4 class="sectiontitle">Cross-VPC and DNAT-based Instance Access</h4><p id="kafka-faq-180604024__p12499458321">Configure security group rules according to <a href="#kafka-faq-180604024__table221215285815">Table 5</a>.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="kafka-faq-180604024__table11349192018326" frame="border" border="1" rules="all"><caption><b>Table 4 </b>Security group rules</caption><thead align="left"><tr id="kafka-faq-180604024__row83491620143213"><th align="left" class="cellrowborder" valign="top" width="13.211321132113211%" id="mcps1.3.3.3.2.6.1.1"><p id="kafka-faq-180604024__p8349162053216">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15.151515151515152%" id="mcps1.3.3.3.2.6.1.2"><p id="kafka-faq-180604024__p183491120183216">Protocol</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15.151515151515152%" id="mcps1.3.3.3.2.6.1.3"><p id="kafka-faq-180604024__p17349420153215">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="18.02180218021802%" id="mcps1.3.3.3.2.6.1.4"><p id="kafka-faq-180604024__p18349122015325">Source</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="38.46384638463846%" id="mcps1.3.3.3.2.6.1.5"><p id="kafka-faq-180604024__p334915202325">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="kafka-faq-180604024__row345165713715"><td class="cellrowborder" valign="top" width="13.211321132113211%" headers="mcps1.3.3.3.2.6.1.1 "><p id="kafka-faq-180604024__p14455573720">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.3.3.2.6.1.2 "><p id="kafka-faq-180604024__p64515573712">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.3.3.2.6.1.3 "><p id="kafka-faq-180604024__p154565712720">9011</p>
</td>
<td class="cellrowborder" valign="top" width="18.02180218021802%" headers="mcps1.3.3.3.2.6.1.4 "><p id="kafka-faq-180604024__p11451857871">198.19.128.0/17</p>
</td>
<td class="cellrowborder" valign="top" width="38.46384638463846%" headers="mcps1.3.3.3.2.6.1.5 "><p id="kafka-faq-180604024__p124511571971">Accessing a Kafka instance using VPC Endpoint (VPCEP)</p>
</td>
</tr>
<tr id="kafka-faq-180604024__row428119416531"><td class="cellrowborder" valign="top" width="13.211321132113211%" headers="mcps1.3.3.3.2.6.1.1 "><p id="kafka-faq-180604024__p16281184175320">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.3.3.2.6.1.2 "><p id="kafka-faq-180604024__p11281194115316">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.3.3.2.6.1.3 "><p id="kafka-faq-180604024__p128124125311">9011</p>
</td>
<td class="cellrowborder" valign="top" width="18.02180218021802%" headers="mcps1.3.3.3.2.6.1.4 "><p id="kafka-faq-180604024__p13281114185318">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="38.46384638463846%" headers="mcps1.3.3.3.2.6.1.5 "><p id="kafka-faq-180604024__p82817475319">Accessing a Kafka instance using DNAT</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="kafka-faq-180604024__p2533152671915"></p>
</div>
<div class="section" id="kafka-faq-180604024__section8684102819199"><h4 class="sectiontitle">Public Access</h4><p id="kafka-faq-180604024__p1678104418199">Configure security group rules according to <a href="#kafka-faq-180604024__table221215285815">Table 5</a>.</p>
<div class="tablenoborder"><a name="kafka-faq-180604024__table221215285815"></a><a name="table221215285815"></a><table cellpadding="4" cellspacing="0" summary="" id="kafka-faq-180604024__table221215285815" frame="border" border="1" rules="all"><caption><b>Table 5 </b>Security group rules</caption><thead align="left"><tr id="kafka-faq-180604024__row12120281784"><th align="left" class="cellrowborder" valign="top" width="13.211321132113211%" id="mcps1.3.4.3.2.6.1.1"><p id="kafka-faq-180604024__p82125284818">Direction</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15.151515151515152%" id="mcps1.3.4.3.2.6.1.2"><p id="kafka-faq-180604024__p521314281811">Protocol</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15.151515151515152%" id="mcps1.3.4.3.2.6.1.3"><p id="kafka-faq-180604024__p1121312289817">Port</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="18.02180218021802%" id="mcps1.3.4.3.2.6.1.4"><p id="kafka-faq-180604024__p1421310286815">Source</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="38.46384638463846%" id="mcps1.3.4.3.2.6.1.5"><p id="kafka-faq-180604024__p81371838802">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="kafka-faq-180604024__row1421316282820"><td class="cellrowborder" valign="top" width="13.211321132113211%" headers="mcps1.3.4.3.2.6.1.1 "><p id="kafka-faq-180604024__p2021319281816">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.4.3.2.6.1.2 "><p id="kafka-faq-180604024__p1021352815816">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.4.3.2.6.1.3 "><p id="kafka-faq-180604024__p1921320288819">9094</p>
</td>
<td class="cellrowborder" valign="top" width="18.02180218021802%" headers="mcps1.3.4.3.2.6.1.4 "><p id="kafka-faq-180604024__p1121316281483">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="38.46384638463846%" headers="mcps1.3.4.3.2.6.1.5 "><p id="kafka-faq-180604024__p151381038801">Access Kafka through the public network (without SSL encryption).</p>
</td>
</tr>
<tr id="kafka-faq-180604024__row131381384015"><td class="cellrowborder" valign="top" width="13.211321132113211%" headers="mcps1.3.4.3.2.6.1.1 "><p id="kafka-faq-180604024__p2138123810010">Inbound</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.4.3.2.6.1.2 "><p id="kafka-faq-180604024__p3138538509">TCP</p>
</td>
<td class="cellrowborder" valign="top" width="15.151515151515152%" headers="mcps1.3.4.3.2.6.1.3 "><p id="kafka-faq-180604024__p21387381002">9095</p>
</td>
<td class="cellrowborder" valign="top" width="18.02180218021802%" headers="mcps1.3.4.3.2.6.1.4 "><p id="kafka-faq-180604024__p151384381409">0.0.0.0/0</p>
</td>
<td class="cellrowborder" valign="top" width="38.46384638463846%" headers="mcps1.3.4.3.2.6.1.5 "><p id="kafka-faq-180604024__p1345124955213">Access Kafka through the public network (with SSL encryption).</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="kafka-faq-180604024__p13271331193018"></p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="kafka-faq-191030001.html">Connections</a></div>
</div>
</div>
View Git Blame Copy Permalink