Using DNAT to Access a Kafka Instance

Scenario

You can use destination NAT (DNAT) to access a Kafka instance so that the instance can provide services on the public network through port mapping.

Prerequisites

You have created EIPs. The number of EIPs is the same as the number of brokers in the Kafka instance.

Step 1: Obtain Information About the Kafka Instance

  1. Log in to the management console.

  2. Click the region icon in the upper left corner to select a region.

    Note

    Select the region where your Kafka instance is located.

  3. Click Service List and choose Application > Distributed Message Service. The Kafka instance list is displayed.

  4. Click the desired Kafka instance to view the instance details.

  5. In the Connection area on the Basic Information tab page, view and record the private network access addresses of the Kafka instance. In the Network area, view and record the VPC and subnet where the Kafka instance is located.

Step 2: Create a Public NAT Gateway

  1. Click Service List and choose Network > NAT Gateway.

  2. Click Create Public NAT Gateway.

  3. Set the following parameters:

    • Region: Select the region that the Kafka instance is in.

    • Name: Enter a name for the public NAT gateway.

    • VPC: Select the VPC recorded in step 5 of Step 1.

    • Subnet: Select the subnet recorded in step 5 of Step 1.

    Set other parameters as required. For details, see Creating a NAT Gateway.

  4. Click Create Now.

  5. Confirm the specifications and click Submit.

Step 3: Add a DNAT Rule

  1. On the Public NAT Gateways page, locate the row that contains the newly created public NAT gateway and click Add Rule in the Operation column.

  2. On the DNAT Rules tab page, click Add DNAT Rule.

  3. Set the following parameters:

    • Scenario: Select VPC.

    • Port Type: Select Specific port.

    • Protocol: Select TCP.

    • EIP: Select an EIP.

    • Outside Port: Enter 9011.

    • Private IP Address: Enter one of the private network addresses of the Kafka instance recorded in step 5 of Step 1.

    • Inside Port: Enter 9011.

    For details about more parameters, see Adding a DNAT Rule.

    **Figure 1** Adding a DNAT rule

  4. Click OK.

    View the DNAT rule status in the DNAT rule list. If Status is Running, the rule has been added successfully.

  5. Repeat steps 2 to 4 to create DNAT rules for the other private network addresses of the Kafka instance recorded in step 5 of Step 1. Each private network address corresponds to a separate EIP.

  6. After all DNAT rules are created, click the DNAT Rules tab to view the created DNAT rules and record the EIPs corresponding to the private IP addresses.

Step 4: Bind EIPs on the Kafka Console

  1. Click Service List and choose Application > Distributed Message Service. The Kafka instance list is displayed.

  2. Click the desired Kafka instance to view the instance details.

  3. In the Advanced Settings section on the Basic Information tab page, click Modify next to Cross-VPC Access.

  4. Change the values of advertised.listeners IP Address/Domain Name to the EIPs in the DNAT rules. Ensure that the mapping between the private network addresses and the EIPs is consistent with that recorded in step 6 of Step 3. Then click Save.

    **Figure 2** Changing the advertised.listeners IP addresses

Step 5: Verify Connectivity

Check whether messages can be created and retrieved by referring to Accessing a Kafka Instance Without SASL or Accessing a Kafka Instance with SASL.

Notes:

  • The address for connecting to a Kafka instance is in the format of "advertised.listeners IP:9011". For example, the addresses for connecting to the Kafka instance shown in Figure 2 are 100.xxx.xxx.20:9011,100.xxx.xxx.21:9011,100.xxx.xxx.23:9011.

  • Configure security group rules for the Kafka instance to allow inbound access over port 9011.

  • Public access must be enabled on the client connected to the Kafka instance.
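
The consistency requirement between the DNAT rules (Step 3) and the advertised.listeners values (Step 4) can be checked before running the connectivity test in Step 5. The following Python script is an added example, not part of the original procedure or of any product tooling. The record layout, the function names, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import socket

PORT = 9011  # outside and inside port used by every DNAT rule on this page

def check_mapping(dnat_rules, advertised):
    """Return a list of problems; an empty list means the mapping is consistent.

    dnat_rules: list of dicts with keys protocol, eip, outside_port,
                private_ip, inside_port (hypothetical record layout).
    advertised: dict of broker private_ip -> advertised.listeners address.
    """
    problems, eip_by_private, seen_eips = [], {}, set()
    for r in dnat_rules:
        if r["protocol"].upper() != "TCP":
            problems.append(f"{r['private_ip']}: protocol is not TCP")
        if (r["outside_port"], r["inside_port"]) != (PORT, PORT):
            problems.append(f"{r['private_ip']}: ports must both be {PORT}")
        if r["private_ip"] in eip_by_private:
            problems.append(f"{r['private_ip']}: more than one DNAT rule")
        if r["eip"] in seen_eips:
            problems.append(f"{r['eip']}: EIP shared by several brokers")
        seen_eips.add(r["eip"])
        eip_by_private[r["private_ip"]] = r["eip"]
    for private_ip, addr in advertised.items():
        expected = eip_by_private.get(private_ip)
        if expected is None:
            problems.append(f"{private_ip}: no DNAT rule")
        elif addr != expected:
            problems.append(f"{private_ip}: advertises {addr}, rule maps to {expected}")
    for private_ip in sorted(eip_by_private.keys() - advertised.keys()):
        problems.append(f"{private_ip}: DNAT rule but no advertised.listeners entry")
    return problems

def bootstrap_servers(advertised):
    """Connection string in the 'advertised.listeners IP:9011' format."""
    return ",".join(f"{addr}:{PORT}" for addr in advertised.values())

def reachable(host, port=PORT, timeout=3.0):
    """TCP connect test, run from the client on the public side of the NAT gateway."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample data (documentation-range addresses, not from the page).
RULES = [{"protocol": "TCP", "eip": f"203.0.113.{n}", "outside_port": 9011,
          "private_ip": f"192.168.0.{n}", "inside_port": 9011} for n in (20, 21, 23)]
ADVERTISED = {r["private_ip"]: r["eip"] for r in RULES}
```

A broker whose advertised address is still its private IP, or whose EIP is swapped with another broker's, passes a plain port check on the bootstrap address but fails once the client follows the broker list, which is why the mapping is checked separately from reachability.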