Network in Managed Service for Apache Kafka®
When creating a cluster, you can:
- Set the network for cluster hosts.
- Specify the availability zones where the cluster hosts should reside.
- Set subnets in all availability zones.
- Turn on public access to the cluster from outside Yandex.Cloud.
If the cluster has ZooKeeper hosts, each of the three ZooKeeper hosts is placed in its own availability zone and in the subnet selected for that zone.
Hostname and FQDN
Managed Service for Apache Kafka® generates the name of each cluster host when the cluster is created. This name is also the host's fully qualified domain name (FQDN). Neither the hostname nor the FQDN can be changed afterwards.
You can use the FQDN to connect to the host from within the same cloud network. Read more in the Yandex Virtual Private Cloud documentation.
Public access to clusters
All broker hosts in the cluster are reachable from outside Yandex.Cloud if you request public access when creating the cluster. To connect to such a cluster, use the FQDNs of one or more of its broker hosts.
Public access can only be requested at cluster creation; it can't be enabled for an existing cluster.
When you delete a cluster with public access enabled, all public IP addresses assigned to that cluster are revoked.
Security groups are default-deny: all traffic that is not explicitly allowed is prohibited. If one or more security groups are assigned to the cluster, their rules may therefore block connections to it.
For example, suppose a VM in Yandex.Cloud is used to access the cluster. If the security group's incoming traffic rules allow only the 10.133.0.0/24 subnet, but the VM is in the 10.128.0.0/16 subnet, the VM won't be able to connect to the cluster. A VM in the 10.133.0.0/24 subnet also won't be able to connect if it uses a port that none of the security group rules allows.
When connecting to a cluster from within its cloud network, be sure to configure the security groups of both the cluster and the connecting host: the cluster's ingress rules and the host's egress rules must both permit the traffic.
Specifics of working with security groups:
Security group settings only affect the ability to connect to the cluster. They do not affect the cluster's internal operation: replication of topic partitions between broker hosts, connections between brokers and ZooKeeper hosts, and so on.
Even if the cluster and the connecting host are in the same security group, the connection is not possible unless that group contains rules that allow traffic between the host and the cluster.
By default, such rules are present in the security group that is created automatically with a cloud network: its Self rules allow unrestricted traffic between members of the group.
For more information, see the Virtual Private Cloud documentation.
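The following is an added example, not Yandex.Cloud or yc CLI code, that models the default-deny evaluation described above for both the subnet/port scenario (a rule allowing only 10.133.0.0/24 versus a VM in 10.128.0.0/16, and a port no rule covers) and the same-group case that works only with Self rules. It checks the connecting host's egress rules and the cluster's ingress rules together, since both must allow the traffic. The group IDs, host addresses and broker port 9091 are constructed assumptions for illustration.

```python
"""Default-deny model of VPC security groups in front of a Kafka cluster.

Added example, not Yandex.Cloud or yc CLI code. Group ids, addresses and the
broker port 9091 below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str            # "ingress" (to this host) or "egress" (from this host)
    protocol: str             # "tcp", "udp" or "any"
    from_port: int            # inclusive port range; 0..65535 means all ports
    to_port: int
    cidrs: tuple = ()         # CIDRs the peer address must fall into
    self_group: bool = False  # Self rule: matches any member of the same group


@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    rules: tuple              # tuple of Rule


@dataclass(frozen=True)
class Endpoint:
    """A VM or a broker host: its address and the groups assigned to it."""
    ip: str
    groups: tuple             # tuple of SecurityGroup; hosts with none are not modeled


def _rule_matches(rule, owner_id, peer, protocol, port):
    """Does rule (owned by group owner_id) cover traffic with peer on protocol/port?"""
    if rule.protocol not in ("any", protocol):
        return False
    if not rule.from_port <= port <= rule.to_port:
        return False
    if rule.self_group and any(g.group_id == owner_id for g in peer.groups):
        return True
    addr = ip_address(peer.ip)
    return any(addr in ip_network(cidr) for cidr in rule.cidrs)


def _direction_allowed(local, peer, direction, protocol, port):
    """Default deny: traffic passes only if a rule of some assigned group allows it."""
    return any(
        rule.direction == direction
        and _rule_matches(rule, group.group_id, peer, protocol, port)
        for group in local.groups
        for rule in group.rules
    )


def can_connect(client, broker, port, protocol="tcp"):
    """A connection needs the client's egress AND the broker's ingress to allow it."""
    return (_direction_allowed(client, broker, "egress", protocol, port)
            and _direction_allowed(broker, client, "ingress", protocol, port))


# Constructed scenario from the text: only 10.133.0.0/24 may reach the brokers.
KAFKA_PORT = 9091  # assumed broker port for this example
CLUSTER_SG = SecurityGroup("sg-kafka", (
    Rule("ingress", "tcp", KAFKA_PORT, KAFKA_PORT, cidrs=("10.133.0.0/24",)),
))
VM_SG = SecurityGroup("sg-clients", (
    Rule("egress", "tcp", 0, 65535, cidrs=("0.0.0.0/0",)),
))
BROKER = Endpoint("10.129.0.9", (CLUSTER_SG,))
VM_ALLOWED = Endpoint("10.133.0.15", (VM_SG,))  # inside 10.133.0.0/24
VM_OTHER = Endpoint("10.128.3.44", (VM_SG,))    # inside 10.128.0.0/16

# Client and broker in one shared group: allowed only if the group has Self rules.
SELF_SG = SecurityGroup("sg-default", (
    Rule("ingress", "any", 0, 65535, self_group=True),
    Rule("egress", "any", 0, 65535, self_group=True),
))
EMPTY_SG = SecurityGroup("sg-empty", ())


def run_scenarios():
    """Evaluate the cases the text describes; results keyed by scenario name."""
    return {
        "allowed_subnet": can_connect(VM_ALLOWED, BROKER, KAFKA_PORT),  # True
        "other_subnet": can_connect(VM_OTHER, BROKER, KAFKA_PORT),      # False
        "wrong_port": can_connect(VM_ALLOWED, BROKER, 9092),            # False
        "same_group_self_rules": can_connect(                           # True
            Endpoint("10.129.0.30", (SELF_SG,)), Endpoint("10.129.0.9", (SELF_SG,)), KAFKA_PORT),
        "same_group_no_rules": can_connect(                             # False
            Endpoint("10.129.0.30", (EMPTY_SG,)), Endpoint("10.129.0.9", (EMPTY_SG,)), KAFKA_PORT),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY'}")
```

The model deliberately has no implicit allow: an Endpoint whose groups contain no matching rule is denied in both directions, which is why the empty shared group fails while the Self-rule group passes, and why fixing only the cluster's ingress rules is not enough when the client's own group has no egress rule for the broker port.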