
ApsaraMQ for Kafka:Configure network access and security settings

Last Updated:Apr 12, 2024

This topic describes how to configure network access and security settings for an ApsaraMQ for Confluent cluster.

Network access types

You can access ApsaraMQ for Confluent clusters from Alibaba Cloud virtual private clouds (VPCs) and the Internet.

  • VPC access

    ApsaraMQ for Confluent allows you to access an ApsaraMQ for Confluent cluster from the VPC in which the cluster is deployed or other VPCs. In this case, cluster components except for Control Center cannot be accessed from the Internet.

  • Internet access

    ApsaraMQ for Confluent allows you to access an ApsaraMQ for Confluent cluster from the Internet. In this case, the ApsaraMQ for Confluent cluster can still be accessed from VPCs.

Important

Classic Load Balancer (CLB) instances are used for the Internet access feature of ApsaraMQ for Confluent. You are charged Internet fees for the feature on a pay-as-you-go basis.

Configure network access

When you create an ApsaraMQ for Confluent instance, Internet access is automatically enabled only for Control Center. After the instance is created, you can enable Internet access for other cluster components by selecting Access Links and Interfaces in the left-side navigation pane of the Instance Details page.

Endpoints for ApsaraMQ for Confluent clusters

VPC endpoints

VPC endpoints are used to access cluster components from the VPC in which the cluster resides.

The VPC endpoint of a pod is in the vpc-{{service}}-{{partInstanceId}}.alikafka.aliyuncs.com format. partInstanceId specifies part of the instance ID. For example, if the instance ID is alikafka_confluent-cn-abcdef****, the value of partInstanceId is abcdef****.

| Component | VPC endpoint |
| --- | --- |
| Kafka broker | vpc-kafka-{{partInstanceId}}.alikafka.aliyuncs.com:9095 |
| Confluent MDS | vpc-kafka-{{partInstanceId}}.alikafka.aliyuncs.com:8090 |
| Schema Registry | vpc-schemaregistry-{{partInstanceId}}.alikafka.aliyuncs.com:8081 |
| Kafka Rest Proxy | vpc-kafkarestproxy-{{partInstanceId}}.alikafka.aliyuncs.com:8082 |
| Connect | vpc-connect-{{partInstanceId}}.alikafka.aliyuncs.com:8083 |
| Confluent KSQL | vpc-ksqldb-{{partInstanceId}}.alikafka.aliyuncs.com:8088 |
| Control Center | vpc-controlcenter-{{partInstanceId}}.alikafka.aliyuncs.com:9021 |

Public endpoints

Public endpoints are used to access cluster components from the VPC in which the cluster resides or across VPCs.

| Component | Public endpoint |
| --- | --- |
| Kafka broker | pub-kafka-{{partInstanceId}}.alikafka.aliyuncs.com:9092 |
| Confluent MDS | pub-kafka-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
| Schema Registry | pub-schemaregistry-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
| Kafka Rest Proxy | pub-kafkarestproxy-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
| Connect | pub-connect-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
| Confluent KSQL | pub-ksqldb-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
| Control Center | pub-controlcenter-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
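The endpoint pattern above, worked through as an added example that is not part of the original page: it derives partInstanceId from the instance ID, builds the VPC and public endpoint for any component in the two tables, checks a client's bootstrap.servers value against the documented broker endpoints (catching a typo, a wrong instance, or a port that is not the broker listener), and builds the TLS settings a client should use for the SSL-encrypted listener. The instance-ID prefix shape (generalised from the single example on the page) and the TLS 1.2 floor are assumptions.

```python
import re
import ssl

DOMAIN = "alikafka.aliyuncs.com"

# component -> (hostname service label, VPC port, public port), taken from the
# two endpoint tables. Confluent MDS is served on the Kafka broker hostname.
COMPONENTS = {
    "kafka":          ("kafka", 9095, 9092),
    "mds":            ("kafka", 8090, 443),
    "schemaregistry": ("schemaregistry", 8081, 443),
    "kafkarestproxy": ("kafkarestproxy", 8082, 443),
    "connect":        ("connect", 8083, 443),
    "ksqldb":         ("ksqldb", 8088, 443),
    "controlcenter":  ("controlcenter", 9021, 443),
}


def part_instance_id(instance_id: str) -> str:
    """alikafka_confluent-cn-abcdef**** -> abcdef****.
    Assumption: the head is always 'alikafka_confluent-<letters>-'."""
    m = re.fullmatch(r"alikafka_confluent-[a-z]+-(.+)", instance_id)
    if m is None:
        raise ValueError(f"unexpected instance ID format: {instance_id!r}")
    return m.group(1)


def endpoint(instance_id: str, component: str, public: bool = False) -> str:
    """Build the VPC or public endpoint of one component of the instance."""
    service, vpc_port, pub_port = COMPONENTS[component]
    prefix, port = ("pub", pub_port) if public else ("vpc", vpc_port)
    return f"{prefix}-{service}-{part_instance_id(instance_id)}.{DOMAIN}:{port}"


def classify_bootstrap(bootstrap: str, instance_id: str) -> str:
    """Return 'vpc' or 'public' if bootstrap is a documented broker endpoint of
    the instance; raise ValueError for any host or port the tables do not list."""
    if bootstrap == endpoint(instance_id, "kafka"):
        return "vpc"
    if bootstrap == endpoint(instance_id, "kafka", public=True):
        return "public"
    raise ValueError(f"{bootstrap!r} is not a documented broker endpoint of {instance_id}")


def client_ssl_context(ca_bundle=None) -> ssl.SSLContext:
    """Client TLS settings for the SSL listener: certificate and hostname
    verification on, TLS 1.2 floor (the floor is our choice, not the page's)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```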

Configure network security settings

Note

If you want to access an ApsaraMQ for Confluent cluster from an external network, you must configure network security settings.

ApsaraMQ for Confluent provides the encrypted data transmission feature and the access control feature. By default, Secure Sockets Layer (SSL) encryption is used for ApsaraMQ for Confluent clusters to prevent data from being eavesdropped on or leaked during network transmission. When you connect to an ApsaraMQ for Confluent cluster, the relevant certificate is automatically used. ApsaraMQ for Confluent provides the Alibaba Cloud-signed certificate to meet your encryption requirements in different scenarios.

| Certificate | Description |
| --- | --- |
| Alibaba Cloud-signed certificate | This certificate is used when you access Kafka brokers from the Internet or VPCs. |

If you use the certificate to access an ApsaraMQ for Confluent cluster from the Internet, CLB instances are automatically created in your Alibaba Cloud account after you create the ApsaraMQ for Confluent instance. Deletion protection is enabled for the CLB instances. Do not delete them unless otherwise required. By default, if you enable Internet access for an ApsaraMQ for Confluent cluster, all public IP addresses can be used to access the ApsaraMQ for Confluent cluster. You can use Cloud Firewall to specify a policy for public endpoints that are used to access an ApsaraMQ for Confluent cluster.

Important

To ensure that the ApsaraMQ for Confluent cluster can be accessed as expected, make sure that the settings of the access policy are valid.

Configure a NAT gateway

Note

If you want your ApsaraMQ for Confluent cluster to access an external network, you must configure a NAT gateway.

We recommend that you create and manage SNAT entries for the VPC in which the ApsaraMQ for Confluent cluster is deployed. This way, the ApsaraMQ for Confluent cluster can access the Internet.

Internet access is required for an ApsaraMQ for Confluent cluster in the following scenarios:

  • The email alert feature is enabled in Control Center.

  • The ApsaraMQ for Confluent cluster needs to access external systems, such as MySQL and Elasticsearch.

Important

If an ApsaraMQ for Confluent cluster needs to access an external system, you must add the elastic IP address (EIP) of the NAT gateway to the whitelist of the external system.