This topic describes how to configure network access and security settings for an ApsaraMQ for Confluent cluster. It covers network access types, endpoint formats, security settings, and outbound access through a NAT gateway.
VPC access vs. Internet access
ApsaraMQ for Confluent supports two network access types. Choose the type that matches your workload.
| | VPC access | Internet access |
|---|---|---|
| Connectivity | Access from the cluster's virtual private cloud (VPC) or other VPCs. Cluster components except Control Center cannot be accessed from the Internet. | Access from the Internet. VPC access remains available. |
| Default scope | All components | Control Center only. Enable other components after instance creation. |
| Security | SSL encryption (enabled by default) | SSL encryption (enabled by default) + Classic Load Balancer (CLB) |
Internet access uses CLB instances, which incur data transfer fees on a pay-as-you-go basis.
Enable Internet access for cluster components
When you create an ApsaraMQ for Confluent instance, Internet access is automatically enabled only for Control Center. To enable Internet access for other components:
Open the Instance Details page of your ApsaraMQ for Confluent instance.
In the left-side navigation pane, select Access Links and Interfaces.
Enable Internet access for the components you need.
Endpoint reference
Each ApsaraMQ for Confluent cluster provides VPC and public endpoints. Hostnames follow this format:
{prefix}-{service}-{partInstanceId}.alikafka.aliyuncs.com:{port}

| Segment | Description | Example |
|---|---|---|
| {prefix} | vpc for VPC endpoints, pub for public endpoints | vpc, pub |
| {service} | Component identifier | kafka, schemaregistry, connect |
| {partInstanceId} | Suffix of the instance ID | If the instance ID is alikafka_confluent-cn-abcdef****, the value is abcdef**** |
VPC endpoints
Use VPC endpoints to access cluster components from the VPC in which the cluster resides.
| Component | VPC endpoint |
|---|---|
| Kafka broker | vpc-kafka-{partInstanceId}.alikafka.aliyuncs.com:9095 |
| Confluent MDS | vpc-kafka-{partInstanceId}.alikafka.aliyuncs.com:8090 |
| Schema Registry | vpc-schemaregistry-{partInstanceId}.alikafka.aliyuncs.com:8081 |
| Kafka Rest Proxy | vpc-kafkarestproxy-{partInstanceId}.alikafka.aliyuncs.com:8082 |
| Connect | vpc-connect-{partInstanceId}.alikafka.aliyuncs.com:8083 |
| Confluent KSQL | vpc-ksqldb-{partInstanceId}.alikafka.aliyuncs.com:8088 |
| Control Center | vpc-controlcenter-{partInstanceId}.alikafka.aliyuncs.com:9021 |
Public endpoints
Use public endpoints to access cluster components from the Internet, after Internet access has been enabled for those components.
| Component | Public endpoint |
|---|---|
| Kafka broker | pub-kafka-{partInstanceId}.alikafka.aliyuncs.com:9092 |
| Confluent MDS | pub-kafka-{partInstanceId}.alikafka.aliyuncs.com:443 |
| Schema Registry | pub-schemaregistry-{partInstanceId}.alikafka.aliyuncs.com:443 |
| Kafka Rest Proxy | pub-kafkarestproxy-{partInstanceId}.alikafka.aliyuncs.com:443 |
| Connect | pub-connect-{partInstanceId}.alikafka.aliyuncs.com:443 |
| Confluent KSQL | pub-ksqldb-{partInstanceId}.alikafka.aliyuncs.com:443 |
| Control Center | pub-controlcenter-{partInstanceId}.alikafka.aliyuncs.com:443 |
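As an added example that is not part of the original documentation, the following Python code derives VPC and public endpoints from an instance ID using the format above, and checks a configured endpoint against the documented port for its service and access type. It is useful when auditing client configurations for bootstrap servers that unintentionally point at an Internet-facing (pub) endpoint. It assumes instance IDs have the form alikafka_confluent-cn-{partInstanceId}, as in the page's example.

```python
import re

# Endpoint format documented above:
#   {prefix}-{service}-{partInstanceId}.alikafka.aliyuncs.com:{port}
ENDPOINT_RE = re.compile(
    r"^(?P<prefix>vpc|pub)-(?P<service>[a-z]+)-(?P<part>[^.]+)"
    r"\.alikafka\.aliyuncs\.com:(?P<port>\d+)$"
)

# Ports per component, taken from the VPC and public endpoint tables.
PORTS = {
    "kafka":          {"vpc": 9095, "pub": 9092},  # Kafka broker
    "mds":            {"vpc": 8090, "pub": 443},   # Confluent MDS
    "schemaregistry": {"vpc": 8081, "pub": 443},
    "kafkarestproxy": {"vpc": 8082, "pub": 443},
    "connect":        {"vpc": 8083, "pub": 443},
    "ksqldb":         {"vpc": 8088, "pub": 443},
    "controlcenter":  {"vpc": 9021, "pub": 443},
}
# MDS is reached through the kafka hostname, so its service segment is "kafka".
HOST_SERVICE = {"mds": "kafka"}


def part_instance_id(instance_id: str) -> str:
    """Return the {partInstanceId} suffix, e.g. alikafka_confluent-cn-abcdef**** -> abcdef****.
    Assumption: instance IDs start with 'alikafka_confluent-cn-' as in the page's example."""
    m = re.fullmatch(r"alikafka_confluent-cn-(.+)", instance_id)
    if not m:
        raise ValueError(f"unexpected instance ID format: {instance_id}")
    return m.group(1)


def endpoint(component: str, prefix: str, instance_id: str) -> str:
    """Build the VPC ('vpc') or public ('pub') endpoint for a component."""
    port = PORTS[component][prefix]
    service = HOST_SERVICE.get(component, component)
    return f"{prefix}-{service}-{part_instance_id(instance_id)}.alikafka.aliyuncs.com:{port}"


def classify(endpoint_str: str) -> dict:
    """Parse an endpoint and report whether it is Internet-facing and whether its
    port matches a documented port for that service and access type."""
    m = ENDPOINT_RE.match(endpoint_str)
    if not m:
        raise ValueError(f"not an ApsaraMQ for Confluent endpoint: {endpoint_str}")
    prefix, service, port = m["prefix"], m["service"], int(m["port"])
    # Several components (kafka, mds) can share one hostname; accept any of their ports.
    expected = {PORTS[c][prefix] for c in PORTS if HOST_SERVICE.get(c, c) == service}
    return {"internet_facing": prefix == "pub", "service": service,
            "port": port, "port_ok": port in expected}
```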
SSL encryption and access control
If you want to access an ApsaraMQ for Confluent cluster from an external network, you must configure network security settings.
SSL encryption
ApsaraMQ for Confluent provides encrypted data transmission and access control. SSL encryption is enabled by default for all ApsaraMQ for Confluent clusters to prevent data from being eavesdropped on or leaked in transit. The Alibaba Cloud-signed certificate is applied automatically.
| Certificate | Scope |
|---|---|
| Alibaba Cloud-signed certificate | Kafka broker access from the Internet and VPCs |
Control Internet access with Cloud Firewall
When you enable Internet access, CLB instances are created in your Alibaba Cloud account with deletion protection enabled.
Do not delete the CLB instances unless specifically required.
By default, all public IP addresses can access the cluster. To restrict access, configure a policy for public endpoints through Cloud Firewall.
Make sure that your access policy is valid. An incorrect policy may block expected connections to the cluster.
Set up a NAT gateway for outbound access
If your ApsaraMQ for Confluent cluster needs to reach external services, set up a NAT gateway with SNAT entries for the cluster's VPC.
Common scenarios that require outbound access:
Sending email alerts from Control Center
Connecting to external systems such as MySQL or Elasticsearch
To set up outbound access:
Create and manage SNAT entries for the VPC in which your ApsaraMQ for Confluent cluster is deployed.
Add the NAT gateway's elastic IP address (EIP) to the whitelist of each external system the cluster needs to access.
Without the NAT gateway's EIP in the external system's whitelist, the cluster cannot connect to that system.