
Connect to a Kafka cluster

You can connect to a Kafka cluster using:

  • the kcat console client. To avoid potential connection errors, we recommend using the librdkafka library version 2.6.1 or later;
  • program code.

For all methods, you can connect with SSL or without SSL.

When connecting, specify the port and address.

Connection ports

Use the following ports to connect to Kafka:

  • 9092 — port for connections without an SSL certificate;
  • 9093 — port for connections with an SSL certificate.

Connection addresses

You can choose a connection address based on one of the following scenarios:

It is not possible to connect to a cluster in a private subnet from the internet.

You can view the connection address in the Control Panel.

Connecting to a cluster in a public subnet

If the cluster is in a public subnet, you can connect to the nodes using a DNS address or an IP address from the public subnet.

We recommend connecting using a DNS address. A master discovery mechanism is used for DNS addresses in a cluster: the address is bound to a node role, not to the node itself. If the master becomes unavailable, one of the replicas becomes the new master, and the address moves to the new node along with the role.

When connecting using a public subnet IP address, the master discovery mechanism is not used. If one of the replicas becomes the new master, the master's IP address will change, and the connection via the old IP address will stop working.

Connecting from a private subnet to a cluster in a private subnet

If you are connecting from a private subnet to a cluster in a private subnet, you can use the DNS address or the private IP address.

We recommend connecting using a DNS address. A master discovery mechanism is used for DNS addresses in a cluster: the address is bound to a node role, not to the node itself. If the master becomes unavailable, one of the replicas becomes the new master, and the address moves to the new node along with the role.

When connecting using a private IP address, the master discovery mechanism is not used. If one of the replicas becomes the new master, the master's IP address will change, and the connection via the old IP address will stop working.

To connect from another private subnet, first connect both private subnets to the Cloud Router.

View the connection address

  1. In the Control Panel, click Products in the top menu and select Managed Databases.
  2. Open the Active tab.
  3. Open the database cluster page → Connection tab.
  4. In the Connection settings block, view the address.

Connect with SSL

Connecting with TLS (SSL) encryption ensures a secure connection between your server and the database cluster.

For your information

To avoid potential connection errors when using the kcat console client, we recommend using the librdkafka library version 2.6.1 or later.

  1. Download the root certificate and place it in the ~/.kafka/ directory:

    mkdir -p ~/.kafka/
    wget https://storage.dbaas.selcloud.ru/CA.pem -O ~/.kafka/root.crt
    chmod 0600 ~/.kafka/root.crt
  2. Use the following connection example for a consumer:

    kcat -C \
    -b <host>:<port> \
    -t <topic_name> \
    -X sasl.username=<user_name> \
    -X sasl.password=<password> \
    -X security.protocol=SASL_SSL \
    -X sasl.mechanisms=SCRAM-SHA-512 \
    -X ssl.ca.location=$HOME/.kafka/root.crt

    Specify:

    • <host> — node DNS address;
    • <port> — connection port;
    • <topic_name> — topic name;
    • <user_name> — user name with the consumer role who has access to the topic;
    • <password> — user password.
  3. Use the following connection example for a producer:

    kcat -P \
    -b <host>:<port> \
    -t <topic_name> \
    -X sasl.username=<user_name> \
    -X sasl.password=<password> \
    -X security.protocol=SASL_SSL \
    -X sasl.mechanisms=SCRAM-SHA-512 \
    -X ssl.ca.location=$HOME/.kafka/root.crt

    Specify:

    • <host> — node DNS address;
    • <port> — connection port;
    • <topic_name> — topic name;
    • <user_name> — user name with the producer role who has access to the topic;
    • <password> — user password.

Connect without SSL

For your information

To avoid potential connection errors when using the kcat console client, we recommend using the librdkafka library version 2.6.1 or later.

  1. Open the CLI.

  2. Use the following connection example for a consumer:

    kcat -C \
    -b <host>:<port> \
    -t <topic_name> \
    -X sasl.username=<user_name> \
    -X sasl.password=<password> \
    -X security.protocol=SASL_PLAINTEXT \
    -X sasl.mechanisms=SCRAM-SHA-512

    Specify:

    • <host> — node DNS address;
    • <port> — connection port;
    • <topic_name> — topic name;
    • <user_name> — user name with the consumer role who has access to the topic;
    • <password> — user password.
  3. Use the following connection example for a producer:

    kcat -P \
    -b <host>:<port> \
    -t <topic_name> \
    -X sasl.username=<user_name> \
    -X sasl.password=<password> \
    -X security.protocol=SASL_PLAINTEXT \
    -X sasl.mechanisms=SCRAM-SHA-512

    Specify:

    • <host> — node DNS address;
    • <port> — connection port;
    • <topic_name> — topic name;
    • <user_name> — user name with the producer role who has access to the topic;
    • <password> — user password.
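
The connection examples in both sections pass sasl.password as a -X argument, where it can be read from the process list and shell history. As an added example (not part of the original page), the helper below writes the same properties to a file for kcat's -F option, picks the protocol from the port as described under "Connection ports", and refuses to write a TLS configuration when the root certificate is missing. The names write_kcat_conf, KAFKA_PASSWORD and KAFKA_CA are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). write_kcat_conf is a hypothetical
# helper; the KAFKA_PASSWORD and KAFKA_CA variable names are assumptions.
# Usage: write_kcat_conf <out_file> <host> <port> <user_name>
write_kcat_conf() {
    out=$1; host=$2; port=$3; user=$4
    ca=${KAFKA_CA:-$HOME/.kafka/root.crt}

    # The port fixes the protocol (see "Connection ports"): 9093 is TLS, 9092 is not.
    case $port in
        9093) proto=SASL_SSL ;;
        9092) proto=SASL_PLAINTEXT ;;
        *) echo "unexpected port: $port" >&2; return 2 ;;
    esac
    if [ -z "${KAFKA_PASSWORD:-}" ]; then
        echo "KAFKA_PASSWORD is not set" >&2; return 3
    fi
    # Fail early when the root certificate from step 1 is missing or empty.
    if [ "$proto" = SASL_SSL ] && [ ! -s "$ca" ]; then
        echo "CA certificate not found: $ca" >&2; return 4
    fi

    # Recreate the file under umask 077 so it is 0600 before the secret lands in it.
    rm -f -- "$out"
    (
        umask 077
        {
            printf 'bootstrap.servers=%s:%s\n' "$host" "$port"
            printf 'security.protocol=%s\n' "$proto"
            printf 'sasl.mechanisms=SCRAM-SHA-512\n'
            printf 'sasl.username=%s\n' "$user"
            printf 'sasl.password=%s\n' "$KAFKA_PASSWORD"
            if [ "$proto" = SASL_SSL ]; then
                printf 'ssl.ca.location=%s\n' "$ca"
            fi
        } > "$out"
    ) || return 1
}
```

With the file written to, for example, ~/.kafka/kcat.conf, the consumer is started as `kcat -C -F ~/.kafka/kcat.conf -t <topic_name>` and the producer with -P in place of -C.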