
Network Connection Description
Last updated: 2025-09-18 17:31:51
TDMQ CKafka supports two connection methods: intranet access and public network access. The requirements vary for different network types.

Connection Method Description

| Connection method | Connection instructions | Reference documentation |
| --- | --- | --- |
| Private network connection | If the client and the CKafka instance are deployed in the same VPC, they are interconnected by default and no additional configuration is required. If they are deployed in different VPCs, they cannot communicate directly, because VPCs are logically isolated; to communicate across VPCs, use CCN to interconnect VPCs in different regions under the same account. | CCN |
| Public network connection | A separate public network route must be enabled; clients then access the CKafka instance over the public network. Because a public endpoint is reachable from any network environment, configure an ACL policy to control user access and keep the connection secure. | |
We recommend private network access whenever possible: it gives lower network latency, higher transmission bandwidth and better security isolation, which matters most for core production workloads. If the business must serve clients over the public network, or for development and debugging, you can enable public network access and configure an ACL policy to control user access and protect the data.

Security Protocol Type Description

To ensure security, CKafka provides multiple authentication mechanisms. When adding a network routing policy, choose an appropriate authentication method based on the required security level of message transmission.

Basic Concept

SASL (Simple Authentication and Security Layer): A security protocol for identity verification. CKafka supports two SASL mechanisms:
PLAIN mechanism: Simple username and password verification; the credentials are sent in plain text.
SCRAM mechanism: The server and client authenticate with a username and password using a hash algorithm, so the plaintext password is never sent. TDMQ for CKafka supports two hash algorithms of different strengths: SCRAM-SHA-256 and SCRAM-SHA-512.
SSL (Secure Sockets Layer): A transport security protocol that encrypts data in transit so it cannot be read or tampered with, substantially improving communication security.

Protocol Comparison

| Protocol type | Protocol description | Supported on VPC network | Supported on public network |
| --- | --- | --- | --- |
| PLAINTEXT | No authentication when sending or receiving messages; data is transmitted in plain text. | | × |
| SASL_PLAINTEXT | Sending and receiving are authenticated with SASL; data is transmitted in plain text, which gives better performance. | | |
| SASL_SSL | Sending and receiving are authenticated with SASL; data is encrypted with SSL certificates in transit to prevent eavesdropping or interception, giving higher security. | ✓ (Pro Edition only; not supported in version 3.2.3) | ✓ (Pro Edition only; not currently supported in version 3.2.3) |
| SASL_SCRAM_SHA_256 | Sending and receiving are authenticated with SASL. Passwords are stored as SHA-256 hashes and plaintext passwords are never transmitted. Data is transmitted in plain text. | ✓ (Only for instances on versions 1.1.1, 2.4.1 and 2.8.1. Existing instances must upgrade the broker minor version or submit a ticket to apply.) | × |
| SASL_SCRAM_SHA_512 | Sending and receiving are authenticated with SASL. Passwords are stored as SHA-512 hashes and plaintext passwords are never transmitted. Data is transmitted in plain text. SHA-512 is stronger than SHA-256 but has a larger compute overhead. | ✓ (Only for instances on versions 1.1.1, 2.4.1 and 2.8.1. Existing instances must upgrade the broker minor version or submit a ticket to apply.) | × |

Security Group Requirements

After a cluster configuration adjustment or migration, the port range may change. If you restrict access on your servers (for example with a security group), open the following port ranges on those servers so that message reads and writes do not fail after the adjustment or migration.
Port range to open for VPC routing: 9092 - 60000.
Port range to open for public network route: 50000 - 53000.
Port range to open for support routing: 6000 - 12000.
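The protocol comparison and the security-group port ranges above are easy to get wrong when building a client; the following added example (not Tencent Cloud's code) encodes them as a small pre-flight check and derives the matching client settings. The client key names follow librdkafka/confluent-kafka and the mapping of CKafka protocol names to those keys is an assumption, not something the page states.

```python
"""Added example (not Tencent Cloud's code): check a planned CKafka client
connection against this page's protocol matrix and port ranges, and derive
client settings. Key names follow librdkafka/confluent-kafka (an assumption)."""

# (vpc, public, encrypted, SASL mechanism, broker-version rule); "pro" = Pro
# Edition only; None = the page does not state it.
SCRAM_VERSIONS = {"1.1.1", "2.4.1", "2.8.1"}
MATRIX = {
    "PLAINTEXT":          (None,  False, False, None,            None),
    "SASL_PLAINTEXT":     (None,  None,  False, "PLAIN",         None),
    "SASL_SSL":           ("pro", "pro", True,  "PLAIN",         ("not", {"3.2.3"})),
    "SASL_SCRAM_SHA_256": (True,  False, False, "SCRAM-SHA-256", ("only", SCRAM_VERSIONS)),
    "SASL_SCRAM_SHA_512": (True,  False, False, "SCRAM-SHA-512", ("only", SCRAM_VERSIONS)),
}
PORT_RANGES = {"vpc": (9092, 60000), "public": (50000, 53000), "support": (6000, 12000)}

def check_plan(protocol, network, port, edition="standard", broker_version=None):
    """Return findings as strings; an empty list means the plan is clean."""
    vpc, public, encrypted, _, rule = MATRIX[protocol]
    findings = []
    supported = vpc if network == "vpc" else public
    if supported is False:
        findings.append(f"{protocol} is not supported on the {network} route")
    elif supported == "pro" and edition != "pro":
        findings.append(f"{protocol} requires the Pro Edition")
    elif supported is None:
        findings.append(f"page does not state {network} support for {protocol}; confirm first")
    if rule and broker_version:
        kind, versions = rule  # "not": listed versions excluded; "only": listed versions allowed
        if (kind == "not") == (broker_version in versions):
            findings.append(f"{protocol} is not available on broker version {broker_version}")
    if network == "public" and not encrypted:
        findings.append("traffic crosses the public network unencrypted; use SASL_SSL")
    lo, hi = PORT_RANGES[network]
    if not lo <= port <= hi:
        findings.append(f"port {port} is outside the {network} range {lo}-{hi} to open")
    return findings

def client_config(protocol, bootstrap, username=None, password=None, ca_file=None):
    """Map a CKafka protocol name to client settings (assumed key names)."""
    _, _, encrypted, mech, _ = MATRIX[protocol]
    conf = {"bootstrap.servers": bootstrap, "security.protocol": "PLAINTEXT"}
    if mech:
        # SCRAM rows on this page are plaintext transport with SCRAM authentication.
        conf["security.protocol"] = "SASL_SSL" if encrypted else "SASL_PLAINTEXT"
        conf.update({"sasl.mechanism": mech, "sasl.username": username, "sasl.password": password})
        if encrypted and ca_file:
            conf["ssl.ca.location"] = ca_file
    return conf
```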