This topic describes how to configure network access and security settings for an ApsaraMQ for Confluent cluster.
Network access types
You can access ApsaraMQ for Confluent clusters from Alibaba Cloud virtual private clouds (VPCs) and the Internet.
VPC access
ApsaraMQ for Confluent allows you to access an ApsaraMQ for Confluent cluster from the VPC in which the cluster is deployed or other VPCs. In this case, cluster components except for Control Center cannot be accessed from the Internet.
Internet access
ApsaraMQ for Confluent allows you to access an ApsaraMQ for Confluent cluster from the Internet. In this case, the ApsaraMQ for Confluent cluster can still be accessed from VPCs.
Classic Load Balancer (CLB) instances are used for the Internet access feature of ApsaraMQ for Confluent. You are charged Internet fees for the feature on a pay-as-you-go basis.
Configure network access
When you create an ApsaraMQ for Confluent instance, Internet access is automatically enabled only for Control Center. After the instance is created, you can enable Internet access for other cluster components by selecting Access Links and Interfaces in the left-side navigation pane of the Instance Details page.
Endpoints for ApsaraMQ for Confluent clusters
VPC endpoints
VPC endpoints are used to access cluster components from the VPC in which the cluster resides.
The VPC endpoint of a pod is in the vpc-{{service}}-{{partInstanceId}}.alikafka.aliyuncs.com format. partInstanceId specifies part of the instance ID. For example, if the instance ID is alikafka_confluent-cn-abcdef****, the value of partInstanceId is abcdef****.
Component | VPC endpoint |
Kafka broker | vpc-kafka-{{partInstanceId}}.alikafka.aliyuncs.com:9095 |
Confluent MDS | vpc-kafka-{{partInstanceId}}.alikafka.aliyuncs.com:8090 |
Schema Registry | vpc-schemaregistry-{{partInstanceId}}.alikafka.aliyuncs.com:8081 |
Kafka Rest Proxy | vpc-kafkarestproxy-{{partInstanceId}}.alikafka.aliyuncs.com:8082 |
Connect | vpc-connect-{{partInstanceId}}.alikafka.aliyuncs.com:8083 |
Confluent KSQL | vpc-ksqldb-{{partInstanceId}}.alikafka.aliyuncs.com:8088 |
Control Center | vpc-controlcenter-{{partInstanceId}}.alikafka.aliyuncs.com:9021 |
Public endpoints
Public endpoints are used to access cluster components from the VPC in which the cluster resides or across VPCs.
Component | Public endpoint |
Kafka broker | pub-kafka-{{partInstanceId}}.alikafka.aliyuncs.com:9092 |
Confluent MDS | pub-kafka-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
Schema Registry | pub-schemaregistry-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
Kafka Rest Proxy | pub-kafkarestproxy-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
Connect | pub-connect-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
Confluent KSQL | pub-ksqldb-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
Control Center | pub-controlcenter-{{partInstanceId}}.alikafka.aliyuncs.com:443 |
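The following helper, added here as an illustration and not part of the ApsaraMQ for Confluent documentation, builds the VPC and public endpoints from the two tables above and sanity-checks a broker address before it is handed to a client. It assumes that partInstanceId is the label after the last hyphen of the instance ID (as in the alikafka_confluent-cn-abcdef**** example) and uses librdkafka-style configuration keys; both are assumptions, not statements from the page.

```python
import re

# Per-component DNS label and ports taken from the VPC and public endpoint tables above.
# Tuple: (DNS label, VPC port, public port). MDS shares the kafka label.
COMPONENTS = {
    "kafka":          ("kafka",          9095, 9092),
    "mds":            ("kafka",          8090, 443),
    "schemaregistry": ("schemaregistry", 8081, 443),
    "kafkarestproxy": ("kafkarestproxy", 8082, 443),
    "connect":        ("connect",        8083, 443),
    "ksqldb":         ("ksqldb",         8088, 443),
    "controlcenter":  ("controlcenter",  9021, 443),
}
DOMAIN = "alikafka.aliyuncs.com"


def part_instance_id(instance_id: str) -> str:
    """Assumption: partInstanceId is the label after the last '-' of the instance ID,
    e.g. 'alikafka_confluent-cn-abcdef****' -> 'abcdef****'."""
    if "-" not in instance_id:
        raise ValueError("unexpected instance ID format")
    return instance_id.rsplit("-", 1)[1]


def endpoint(instance_id: str, component: str, public: bool = False) -> str:
    """Compose the vpc-/pub- endpoint for a component, with the matching port."""
    label, vpc_port, pub_port = COMPONENTS[component]
    prefix, port = ("pub", pub_port) if public else ("vpc", vpc_port)
    return f"{prefix}-{label}-{part_instance_id(instance_id)}.{DOMAIN}:{port}"


# Broker endpoints only: vpc- prefix must pair with 9095, pub- prefix with 9092.
_BOOTSTRAP = re.compile(r"^(vpc|pub)-kafka-[A-Za-z0-9*]+\.alikafka\.aliyuncs\.com:(9095|9092)$")


def check_bootstrap(server: str) -> bool:
    """True only for a broker address in the documented shape; rejects a foreign
    domain or a VPC/public prefix combined with the other side's port."""
    m = _BOOTSTRAP.match(server)
    if not m:
        return False
    prefix, port = m.groups()
    return (prefix, port) in {("vpc", "9095"), ("pub", "9092")}


def client_config(instance_id: str, public: bool = False) -> dict:
    """Minimal client settings (librdkafka key style is an assumption). security.protocol
    is pinned to SSL because the page states SSL is used for clusters by default."""
    server = endpoint(instance_id, "kafka", public)
    if not check_bootstrap(server):
        raise ValueError(f"refusing unexpected bootstrap server {server}")
    return {"bootstrap.servers": server, "security.protocol": "SSL"}
```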
Configure network security settings
If you want to access an ApsaraMQ for Confluent cluster from an external network, you must configure network security settings.
ApsaraMQ for Confluent provides the encrypted data transmission feature and the access control feature. By default, Secure Sockets Layer (SSL) encryption is used for ApsaraMQ for Confluent clusters to prevent data from being eavesdropped on or leaked during network transmission. When you connect to an ApsaraMQ for Confluent cluster, the relevant certificate is automatically used. ApsaraMQ for Confluent provides the Alibaba Cloud-signed certificate to meet your encryption requirements in different scenarios.
Certificate | Description |
Alibaba Cloud-signed certificate | This certificate is used when you access Kafka brokers from the Internet or VPCs. |
If you use the certificate to access an ApsaraMQ for Confluent cluster from the Internet, CLB instances are automatically created in your Alibaba Cloud account after you create the ApsaraMQ for Confluent instance. Deletion protection is enabled for the CLB instances. Do not delete them unless otherwise required. By default, if you enable Internet access for an ApsaraMQ for Confluent cluster, all public IP addresses can be used to access the ApsaraMQ for Confluent cluster. You can use Cloud Firewall to specify a policy for public endpoints that are used to access an ApsaraMQ for Confluent cluster.
To ensure that the ApsaraMQ for Confluent cluster can be accessed as expected, make sure that the settings of the access policy are valid.
Configure a NAT gateway
If you want your ApsaraMQ for Confluent cluster to access an external network, you must configure a NAT gateway.
We recommend that you create and manage SNAT entries for the VPC in which the ApsaraMQ for Confluent cluster is deployed. This way, the ApsaraMQ for Confluent cluster can access the Internet.
Internet access is required for an ApsaraMQ for Confluent cluster in the following scenarios:
The email alert feature is enabled in Control Center.
The ApsaraMQ for Confluent cluster needs to access external systems, such as MySQL and Elasticsearch.
If an ApsaraMQ for Confluent cluster needs to access an external system, you must add the elastic IP address (EIP) of the NAT gateway to the whitelist of the external system.