ApsaraMQ for Kafka does not support proxy-based access. This is a protocol-level limitation, not a configuration issue.
How Kafka client-broker connections work
A Kafka client connects to brokers in two stages:
The client connects to a broker through the
bootstrap.serverslist and gets the cluster metadata.The client uses the broker IP addresses from that metadata to send and receive messages.
When a proxy sits between the client and the brokers, the first stage succeeds: the client reaches a broker and gets metadata. However, the metadata contains the brokers' IP addresses. The client then tries to connect directly to those IPs for message traffic, bypassing the proxy. Because the client cannot reach those IPs, the connection fails.
In short, a proxy can forward the initial metadata request but cannot maintain end-to-end connectivity for message traffic.
Alternative: use Express Connect for on-premises access
To access an ApsaraMQ for Kafka instance from an on-premises data center, use an Express Connect circuit instead of a proxy. Express Connect provides a dedicated physical connection between your data center and Alibaba Cloud, giving full network connectivity to the brokers' IP addresses.
For setup instructions, see What is a connection over an Express Connect circuit?.