This topic compares different Message Queue for Apache Kafka endpoints to help you choose an appropriate access method.

Basic concepts

  • SASL stands for Simple Authentication and Security Layer. SASL mechanisms are used by Message Queue for Apache Kafka for identity authentication. The following two SASL mechanisms are used:
    • PLAIN: a simple username and password verification mechanism. The PLAIN mechanism provided by Message Queue for Apache Kafka allows you to dynamically create SASL users without restarting your instance.
    • SCRAM: a hash-based username and password verification mechanism used on both clients and brokers. Message Queue for Apache Kafka implements the SCRAM-SHA-256 mechanism, which provides better security protection than PLAIN. SCRAM-SHA-256 also allows you to dynamically create SASL users without restarting your instance.
  • SSL stands for Secure Sockets Layer. Message Queue for Apache Kafka implements SSL encryption to protect data security during data transfers. This prevents data interception and eavesdropping when data is being transferred over the network.

Background information

  • Internet: If you use the Internet, messages must be authenticated and encrypted. The PLAIN mechanism of SASL must be used together with SSL to ensure that messages are not transferred in the form of plaintext without being encrypted.
  • VPC: If you use a VPC, which is an isolated network environment, messages can be transferred in a secure channel by using the PLAINTEXT protocol without being encrypted. If you require a higher level of security protection, SASL identity authentication can be performed on messages. Then, the messages are transferred in a secure channel. You can select the PLAIN or SCRAM mechanism for identity authentication based on your business requirements for security protection.
Note The default SASL user of a Message Queue for Apache Kafka instance is used for identity authentication. The default SASL user has the permissions to read data from and write data to all topics and consumer groups created in the instance. If you want to implement fine-grained permission control, you must enable the ACL feature, create an SASL user, and then grant permissions on specific resources to the SASL user as required.Message Queue for Apache Kafka After you enable the ACL feature, the permissions of the default SASL user become invalid. For more information, see Grant permissions to SASL users.

Endpoints for Internet- and VPC-connected instances

Internet- and VPC-connected Message Queue for Apache Kafka instances allow connections over the Internet and VPCs. You can use the SSL endpoint, default endpoint, or SASL endpoint of your instance to connect to Message Queue for Apache Kafka on a client. For more information, see Comparison among endpoints for Internet- and VPC-connected instances.

Table 1. Comparison among endpoints for Internet- and VPC-connected instances
Network typePortEndpointProtocolScenario
Internet9093SSL endpointSASL_SSLEncryption is required during message transfers and identity authentication is required during message production and consumption. The following two mechanisms are supported for identity authentication:
  • PLAIN
  • SCRAM-SHA-256
VPC9092Default endpointPLAINTEXTNo encryption is required during message transfers and no identity authentication is required during message production and consumption.
9094SASL endpointSASL_PLAINTEXTEncryption is not required during message transfers but identity authentication is required during message production and consumption. The following two mechanisms are supported for identity authentication:
  • PLAIN
  • SCRAM-SHA-256

Endpoints for VPC-connected instances

VPC-connected Message Queue for Apache Kafka instances allow connections over VPCs. You can use the default endpoint or SASL endpoint of your instance to connect to Message Queue for Apache Kafka on a client. For more information, see Comparison between endpoints for VPC-connected instances.

Table 2. Comparison between endpoints for VPC-connected instances
Network typePortEndpointProtocolScenario
VPC9092Default endpointPLAINTEXTNo encryption is required during message transfers and no identity authentication is required during message production and consumption.
9094SASL endpointSASL_PLAINTEXTEncryption is not required during message transfers but identity authentication is required during message production and consumption. The following two mechanisms are supported for identity authentication:
  • PLAIN
  • SCRAM-SHA-256