Configuring Kafka Public Access¶
To access a Kafka instance over a public network, enable public access and configure EIPs for the instance.
If you no longer need public access to the instance, you can disable it as required.
Prerequisites¶
You can change the public access setting only when the Kafka instance is in the Running state.
Kafka instances only support IPv4 EIPs. IPv6 EIPs are not supported.
Enabling Public Access¶
Log in to the console.
Click
in the upper left corner to select a region.Note
Select the region where your Kafka instance is located.
Click Service List and choose Application > Distributed Message Service. The Kafka instance list is displayed.
Click a Kafka instance to go to the Basic Information page.
Click
next to Public Access to enable public access. For Elastic IP Address, select an EIP for each broker. If the number of EIPs is insufficient, click Create Elastic IP to go to the Create EIP page and create EIPs. For details, see Assigning an EIP. After the creation is complete, return to the page for enabling the public access. Click 
next to Elastic IP Address, select EIPs from the drop-down list. The number of EIPs must be the same as the number of brokers. Then click 
and the Background Tasks page is displayed.If the status of the task turns to Successful, public access is successfully enabled.
Figure 1 Enabling public access¶
After public access is enabled, configure the access mode (plaintext or ciphertext) and security group rules listed in Table 1 before attempting to access Kafka. For details about accessing Kafka, see Connecting to an Instance.
Table 1 Security group rules¶ Direction
Protocol
Port
Source
Description
Inbound
TCP
9094
0.0.0.0/0
Accessing Kafka over a public network (in plaintext)
Inbound
TCP
9095
0.0.0.0/0
Accessing Kafka over a public network (in ciphertext)
Disabling Public Access¶
Log in to the console.
Click
in the upper left corner to select a region.Note
Select the region where your Kafka instance is located.
Click Service List and choose Application > Distributed Message Service. The Kafka instance list is displayed.
Click a Kafka instance to go to the Basic Information page.
Before disabling public access, disable Plaintext Access and Ciphertext Access next to Public Network Access. Then click
next to Public Access.Click OK. The Background Tasks page is displayed. If the status of the task turns to Successful, public access is successfully disabled.
After public access is disabled, configure security group rules listed in Table 2 before attempting to access Kafka in a VPC. For details about accessing Kafka, see Connecting to an Instance.
Table 2 Security group rules (private network access)¶ Direction
Protocol
Port
Source
Description
Inbound
TCP
9092
0.0.0.0/0
Accessing a Kafka instance over a private network within a VPC (in plaintext)
Inbound
TCP
9093
0.0.0.0/0
Accessing a Kafka instance over a private network within a VPC (in ciphertext)
Note
After a security group is created, its default inbound rule allows communication among ECSs within the security group and its default outbound rule allows all outbound traffic. In this case, you can access a Kafka instance within a VPC, and do not need to add rules according to Table 2.