ApsaraMQ for Kafka provides three endpoint types: default, Simple Authentication and Security Layer (SASL), and Secure Sockets Layer (SSL). Each endpoint maps to a specific port and Kafka security protocol. Choose an endpoint based on your network path (virtual private cloud (VPC) or Internet) and required level of encryption and authentication.
SASL mechanisms
SASL is the standard framework that Kafka uses for client authentication. ApsaraMQ for Kafka supports two SASL mechanisms:
| Mechanism | How it works | Dynamic user creation |
|---|---|---|
| PLAIN | Sends the username and password to the broker as-is. Over SASL_PLAINTEXT they cross the network in cleartext; paired with SSL they travel over an encrypted channel. | Yes, without an instance restart |
| SCRAM-SHA-256 | Uses a salted challenge-response exchange so the password is never sent over the wire. Provides stronger security than PLAIN. | Yes, without an instance restart |
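The following is an added example, not ApsaraMQ for Kafka code, that runs the SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) with both the client and the broker side in one process, so you can see exactly what crosses the wire: the password never does, and the broker only holds a salt, an iteration count, StoredKey and ServerKey. The salt, nonces and the `alikafka_post-xxx` credential are constructed for the demonstration.

```python
"""SCRAM-SHA-256 handshake, client and broker side (added example, not ApsaraMQ code)."""
import base64
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _attrs(msg: str) -> dict:
    # SCRAM messages are "k=v,k=v"; a value may itself contain "=" (base64).
    return dict(part.split("=", 1) for part in msg.split(","))


def scram_credential(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """What the broker stores per SASL user. The password itself is not kept."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(_hmac(salted, b"Client Key")),
            "server_key": _hmac(salted, b"Server Key")}


class ScramClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.cnonce = secrets.token_hex(16)  # constructed client nonce

    def first(self) -> str:
        self.bare = f"n={self.username},r={self.cnonce}"
        return "n,," + self.bare  # "n,," = GS2 header, no channel binding

    def final(self, server_first: str) -> str:
        a = _attrs(server_first)
        if not a["r"].startswith(self.cnonce):
            raise ValueError("server echoed a foreign nonce")
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(),
                                     base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c=biws,r={a['r']}"  # biws = base64("n,,")
        self.auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        client_sig = _hmac(_h(client_key), self.auth_message)
        self.server_key = _hmac(salted, b"Server Key")
        # Proof = ClientKey XOR ClientSignature: bound to this nonce pair, so it
        # reveals neither the password nor a replayable ClientKey.
        return f"{without_proof},p={_b64(_xor(client_key, client_sig))}"

    def verify_server(self, server_final: str) -> bool:
        """Mutual authentication: only a broker holding ServerKey can sign."""
        expected = "v=" + _b64(_hmac(self.server_key, self.auth_message))
        return hmac.compare_digest(server_final, expected)


class ScramServer:
    def __init__(self, credentials: dict):
        self.credentials = credentials

    def first(self, client_first: str) -> str:
        if not client_first.startswith("n,,"):
            raise ValueError("channel binding not supported here")
        self.client_bare = client_first[3:]
        self.cred = self.credentials.get(_attrs(self.client_bare)["n"])
        if self.cred is None:
            raise ValueError("unknown user")
        self.nonce = _attrs(self.client_bare)["r"] + secrets.token_hex(16)
        self.server_first = (f"r={self.nonce},s={_b64(self.cred['salt'])},"
                             f"i={self.cred['iterations']}")
        return self.server_first

    def final(self, client_final: str):
        """Return the server signature, or None if the proof does not verify."""
        without_proof, _, proof_b64 = client_final.rpartition(",p=")
        if _attrs(without_proof).get("r") != self.nonce:
            return None
        auth_message = f"{self.client_bare},{self.server_first},{without_proof}".encode()
        client_sig = _hmac(self.cred["stored_key"], auth_message)
        client_key = _xor(base64.b64decode(proof_b64), client_sig)  # recover ClientKey
        if not hmac.compare_digest(_h(client_key), self.cred["stored_key"]):
            return None
        return "v=" + _b64(_hmac(self.cred["server_key"], auth_message))


def run_handshake(username: str, password: str, credentials: dict) -> dict:
    """Drive one exchange; return the verdict and the four (or three) wire messages."""
    client, server = ScramClient(username, password), ScramServer(credentials)
    transcript = [client.first()]
    transcript.append(server.first(transcript[-1]))
    transcript.append(client.final(transcript[-1]))
    server_final = server.final(transcript[-1])
    if server_final is None:
        return {"authenticated": False, "transcript": transcript}
    transcript.append(server_final)
    return {"authenticated": client.verify_server(server_final), "transcript": transcript}


if __name__ == "__main__":
    # Constructed credential store with the Kafka default of 4096 iterations.
    store = {"alikafka_post-xxx": scram_credential("S3cret!", b"constructed-salt")}
    print(run_handshake("alikafka_post-xxx", "S3cret!", store))
```

This is why SCRAM-SHA-256 is the safer choice on the SASL_PLAINTEXT endpoint: an eavesdropper on port 9094 sees the transcript but not the password, and cannot replay the proof because it is bound to fresh nonces. The example omits the RFC's `=2C`/`=3D` escaping of usernames, so use usernames without commas or equals signs.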
SSL encryption
SSL encrypts data in transit between your Kafka client and the broker, preventing interception and eavesdropping on the network. The client also checks that the broker's certificate chains to a CA in the truststore you configure (ssl.truststore.location), so it does not hand its SASL credentials to an impostor broker.
Endpoint comparison
Each endpoint type maps to a fixed port number and Kafka security protocol. The available endpoints depend on your instance type.
Internet- and VPC-connected instances
These instances accept connections from both the Internet and a VPC.
| Network | Port | Endpoint | Protocol | Encryption | Authentication | SASL mechanisms |
|---|---|---|---|---|---|---|
| Internet | 9093 | SSL endpoint | SASL_SSL | Yes | Yes | PLAIN, SCRAM-SHA-256 |
| VPC | 9092 | Default endpoint | PLAINTEXT | No | No | -- |
| VPC | 9094 | SASL endpoint | SASL_PLAINTEXT | No | Yes | PLAIN, SCRAM-SHA-256 |
| VPC | 9095 | SSL endpoint | SASL_SSL | Yes | Yes | PLAIN, SCRAM-SHA-256 |
Enabling the access control list (ACL) feature during deployment activates the SASL endpoint on port 9094. Enabling VPC transmission encryption activates the SSL endpoint on port 9095. For details, see Deploy an instance.
Enabling ACL on a deployed instance activates both the SASL endpoint (port 9094) and the SSL endpoint (port 9095) at the same time. For details, see Enable ACL.
VPC-connected instances
These instances accept connections only from within a VPC.
| Network | Port | Endpoint | Protocol | Encryption | Authentication | SASL mechanisms |
|---|---|---|---|---|---|---|
| VPC | 9092 | Default endpoint | PLAINTEXT | No | No | -- |
| VPC | 9094 | SASL endpoint | SASL_PLAINTEXT | No | Yes | PLAIN, SCRAM-SHA-256 |
| VPC | 9095 | SSL endpoint | SASL_SSL | Yes | Yes | PLAIN, SCRAM-SHA-256 |
Enabling ACL during deployment activates the SASL endpoint on port 9094. Enabling VPC transmission encryption activates the SSL endpoint on port 9095. For details, see Deploy an instance.
Enabling ACL on a deployed instance activates both the SASL endpoint (port 9094) and the SSL endpoint (port 9095) at the same time. For details, see Enable ACL.
Choose an endpoint
| Scenario | Endpoint | Port | Protocol |
|---|---|---|---|
| Internet access | SSL endpoint | 9093 | SASL_SSL |
| VPC access, no security requirements | Default endpoint | 9092 | PLAINTEXT |
| VPC access, authentication only | SASL endpoint | 9094 | SASL_PLAINTEXT |
| VPC access, encryption and authentication | SSL endpoint | 9095 | SASL_SSL |
Internet access: All Internet traffic must be both encrypted and authenticated. Use the SSL endpoint on port 9093 with the SASL_SSL protocol.
VPC access without security requirements: Use the default endpoint on port 9092 with the PLAINTEXT protocol. No encryption or authentication is applied.
VPC access with authentication only: Use the SASL endpoint on port 9094 with the SASL_PLAINTEXT protocol. Clients are authenticated, but neither the handshake nor the messages are encrypted. With the PLAIN mechanism the password itself crosses the VPC in cleartext, so prefer SCRAM-SHA-256 unless a client library supports only PLAIN.
VPC access with encryption and authentication: Use the SSL endpoint on port 9095 with the SASL_SSL protocol. Both encryption and authentication are applied.
ACL and SASL user permissions
Every ApsaraMQ for Kafka instance has a default SASL user with read and write permissions on all topics and consumer groups. For fine-grained access control, enable ACL, create dedicated SASL users, and grant them specific permissions.
After ACL is enabled, the default SASL user's permissions become invalid. For details, see Grant permissions to SASL users.
Client configuration examples
Each example sets the bootstrap.servers, security.protocol, and SASL properties for a specific endpoint type. Replace <your-endpoint> with the endpoint value from the ApsaraMQ for Kafka console.
Default endpoint (PLAINTEXT, port 9092)

```properties
bootstrap.servers=<your-endpoint>:9092
security.protocol=PLAINTEXT
```

SASL endpoint (SASL_PLAINTEXT, port 9094)

With the PLAIN mechanism:

```properties
bootstrap.servers=<your-endpoint>:9094
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="<your-username>" \
  password="<your-password>";
```

With the SCRAM-SHA-256 mechanism:

```properties
bootstrap.servers=<your-endpoint>:9094
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="<your-username>" \
  password="<your-password>";
```

SSL endpoint (SASL_SSL, port 9093 or 9095)

With the PLAIN mechanism:

```properties
bootstrap.servers=<your-endpoint>:9093
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="<your-username>" \
  password="<your-password>";
ssl.truststore.location=<path-to-truststore>
ssl.truststore.password=<truststore-password>
```

With the SCRAM-SHA-256 mechanism:

```properties
bootstrap.servers=<your-endpoint>:9093
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="<your-username>" \
  password="<your-password>";
ssl.truststore.location=<path-to-truststore>
ssl.truststore.password=<truststore-password>
```

Placeholders
| Placeholder | Description | Example |
|---|---|---|
| <your-endpoint> | Bootstrap server address from the ApsaraMQ for Kafka console | alikafka-post-xxx-0-vpc.alikafka.aliyuncs.com |
| <your-username> | SASL username | alikafka_post-xxx |
| <your-password> | SASL password | -- |
| <path-to-truststore> | Path to the SSL truststore file | /home/user/kafka.client.truststore.jks |
| <truststore-password> | Truststore file password | -- |
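A wrong port/protocol pairing or a leftover placeholder usually surfaces only as a cryptic connection timeout or an SSL handshake error at runtime. The following added example, not ApsaraMQ tooling, reads a client properties file like the ones above and checks it against the endpoint tables on this page: port against security.protocol, mechanism against the JAAS login module, truststore presence for SASL_SSL, unreplaced `<...>` placeholders, and PLAIN over SASL_PLAINTEXT. The two sample configurations at the bottom are constructed for the demonstration.

```python
"""Lint a Kafka client properties file against the ApsaraMQ endpoint table
(added example, not ApsaraMQ tooling)."""
import re

# Port -> security.protocol, from the endpoint tables on this page.
PORT_PROTOCOL = {9092: "PLAINTEXT", 9093: "SASL_SSL",
                 9094: "SASL_PLAINTEXT", 9095: "SASL_SSL"}
# Mechanism -> JAAS login module the client must reference.
LOGIN_MODULE = {
    "PLAIN": "org.apache.kafka.common.security.plain.PlainLoginModule",
    "SCRAM-SHA-256": "org.apache.kafka.common.security.scram.ScramLoginModule",
}


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#' comments, key=value pairs and
    trailing-backslash continuation, which the multi-line sasl.jaas.config uses."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_client_config(props: dict) -> list:
    """Return (severity, message) findings; an empty list means the config
    is consistent with the endpoint it points at."""
    findings = []
    for key, value in props.items():
        for placeholder in re.findall(r"<[^>]+>", value):
            findings.append(("error", f"{key}: placeholder {placeholder} not replaced"))
    protocol = props.get("security.protocol", "PLAINTEXT")  # Kafka client default
    for server in props.get("bootstrap.servers", "").split(","):
        _, _, port = server.strip().rpartition(":")
        if not port.isdigit() or int(port) not in PORT_PROTOCOL:
            findings.append(("error", f"{server}: not an ApsaraMQ endpoint port"))
        elif PORT_PROTOCOL[int(port)] != protocol:
            findings.append(("error", f"port {port} serves {PORT_PROTOCOL[int(port)]}, "
                                      f"but security.protocol is {protocol}"))
    if protocol.startswith("SASL"):
        mechanism = props.get("sasl.mechanism")
        jaas = props.get("sasl.jaas.config", "")
        if mechanism not in LOGIN_MODULE:
            findings.append(("error", f"sasl.mechanism must be PLAIN or SCRAM-SHA-256, got {mechanism}"))
        elif LOGIN_MODULE[mechanism] not in jaas:
            findings.append(("error", f"sasl.jaas.config must use {LOGIN_MODULE[mechanism]}"))
        if protocol == "SASL_PLAINTEXT" and mechanism == "PLAIN":
            findings.append(("warning", "PLAIN over SASL_PLAINTEXT sends the password in "
                                        "cleartext; use SCRAM-SHA-256 or the SSL endpoint"))
    elif "sasl.mechanism" in props or "sasl.jaas.config" in props:
        findings.append(("warning", "SASL properties are ignored when security.protocol=PLAINTEXT"))
    if protocol.endswith("SSL") and not props.get("ssl.truststore.location"):
        findings.append(("error", "SASL_SSL requires ssl.truststore.location"))
    return findings


# Constructed sample configs (not from the console): one correct, one carrying
# the mistakes the check is meant to catch.
GOOD_CONFIG = r"""
bootstrap.servers=alikafka-post-xxx-0-vpc.alikafka.aliyuncs.com:9095
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="alikafka_post-xxx" \
  password="s3cret";
ssl.truststore.location=/home/user/kafka.client.truststore.jks
ssl.truststore.password=changeit
"""

BAD_CONFIG = r"""
bootstrap.servers=<your-endpoint>:9095
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="alikafka_post-xxx" \
  password="<your-password>";
"""

if __name__ == "__main__":
    for severity, message in check_client_config(parse_properties(BAD_CONFIG)):
        print(f"{severity}: {message}")
```

Run it against BAD_CONFIG and it reports the two unreplaced placeholders, the port 9095 / SASL_PLAINTEXT mismatch (9095 is the SASL_SSL endpoint) and the cleartext-password warning; GOOD_CONFIG produces no findings. Point it at your real properties file before the first deployment and keep it in CI so a copied snippet cannot silently downgrade a VPC client from port 9095 to 9092.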