Kafka multiple listeners
Initial apologies for the long post (this is also on superuser as I wasn't sure the best place for this https://serverfault.com/questions/953357/kafka-multiple-listeners so let me know if one needs closing)...
I have set up a Kafka cluster in AWS with the following listeners and advertised listeners:
KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://ds-kafka-broker0.service.local:9092,INTERNAL://:9093,PRIVATE://ds-kafka-broker0.private.awscloud.co.uk:6000,EXTERNAL://ds-kafka-broker0.dev.awscloud.co.uk:7000
KAFKA_LISTENERS: PLAINTEXT://:9092,INTERNAL://:9093,PRIVATE://:6000,EXTERNAL://:7000
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,INTERNAL:PLAINTEXT,PRIVATE:PLAINTEXT,EXTERNAL:PLAINTEXT
KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
I am having to do this because we run an AWS/On-Prem hybrid environment over Direct Connect.
Within AWS:
We use VPCEs for connectivity to the Kafka cluster within accounts, so the host for the PRIVATE listener is the same for every account and uses a local private R53 zone.
On-Prem:
The private zone does not work with on-prem because we cannot resolve the private.awscloud.co.uk zones that sit in every AWS account, so I have to use another zone, which in Kafka forces me to use another listener and port range. This is the EXTERNAL listener.
They are all currently using plaintext as I am still in the implementation stage; both will eventually use the same encryption, but for my current connectivity testing purposes this should work. As a running cluster with all the accessories (connect, ksql, schema, etc.), it all works fine from within the Kafka cluster AWS account.
The problem:
When I connect to the EXTERNAL ports using the following producer.config settings:
bootstrap.servers=EXTERNAL://ds-kafka-broker0.dev.awscloud.co.uk:7000,EXTERNAL://ds-kafka-broker1.dev.awscloud.co.uk:7001,EXTERNAL://ds-kafka-broker2.dev.awscloud.co.uk:7002
#security.protocol=EXTERNAL # commented out as this is not valid in console producer
compression.type=snappy
max.block.ms=5000
linger.ms=5
max.in.flight.requests.per.connection=1
retries=5
batch.size=1000
max.request.size=10000000
acks=1
buffer.memory=67108864
and use the following test console producer command line:
bin/kafka-console-producer --producer.config etc/producer.properties --topic test-create-remote --broker-list EXTERNAL://ds-kafka-broker0.dev.awscloud.co.uk:7000,EXTERNAL://ds-kafka-broker1.dev.awscloud.co.uk:7001,EXTERNAL://ds-kafka-broker2.dev.awscloud.co.uk:7002
the initial connection occurs on 7000, but then Kafka reports back to the client that it should be using the PRIVATE listener and the traffic reconnects onto the 6000 PRIVATE port range (confirmed with tcpdump).
This is fine when you are connecting in from within an AWS account, as that is what this port range and listener is for, but from a client perspective I don't seem to have any control over which listener to use. In this case the connection from on-prem fails because I cannot resolve the PRIVATE address and, even if I could, I couldn't connect on the port anyway.
This also makes me wonder why I am getting the PRIVATE listener... Why not the INTERNAL or PLAINTEXT ones if I have no control?
Hope all this makes sense and any pointers appreciated.
linux amazon-web-services
edited Feb 11 at 13:40
Simon Thorley
asked Feb 11 at 12:49
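Added example (not from the question, and not Kafka's own code): Kafka's documented rule is that a broker answers a metadata request with the advertised address of the listener name the connection arrived on, so the Python below parses the question's own KAFKA_LISTENERS and KAFKA_ADVERTISED_LISTENERS values, applies the startup consistency checks a broker enforces, and shows which name and address a connection on port 7000 or 6000 resolves to. It assumes broker0's values from the question and plain host:port entries (no IPv6 brackets).

```python
import re
# Constructed from the broker0 settings in the question above.
LISTENERS = "PLAINTEXT://:9092,INTERNAL://:9093,PRIVATE://:6000,EXTERNAL://:7000"
ADVERTISED = ("PLAINTEXT://ds-kafka-broker0.service.local:9092,INTERNAL://:9093,"
              "PRIVATE://ds-kafka-broker0.private.awscloud.co.uk:6000,"
              "EXTERNAL://ds-kafka-broker0.dev.awscloud.co.uk:7000")
PROTOCOL_MAP = "PLAINTEXT:PLAINTEXT,INTERNAL:PLAINTEXT,PRIVATE:PLAINTEXT,EXTERNAL:PLAINTEXT"
INTER_BROKER = "INTERNAL"
_ENTRY = re.compile(r"^([A-Za-z0-9_-]+)://([^:]*):(\d+)$")  # NAME://host:port, host may be empty

def parse_listeners(value: str) -> dict:
    """Split a listeners / advertised.listeners string into {NAME: (host, port)}."""
    out = {}
    for item in value.split(","):
        m = _ENTRY.match(item.strip())
        if not m:
            raise ValueError(f"malformed listener entry: {item!r}")
        name, host, port = m.groups()
        if name in out:
            raise ValueError(f"duplicate listener name: {name}")
        out[name] = (host, int(port))
    return out

def validate(listeners: dict, advertised: dict, protocol_map: str, inter_broker: str) -> list:
    """Consistency rules the broker enforces at startup; an empty list means the config is usable."""
    problems = []
    proto = dict(p.split(":", 1) for p in protocol_map.split(","))
    for name in listeners:
        if name not in proto:
            problems.append(f"{name}: no entry in listener.security.protocol.map")
    for name in advertised:
        if name not in listeners:
            problems.append(f"{name}: advertised but not present in listeners")
    if inter_broker not in advertised:
        problems.append(f"inter-broker listener {inter_broker} is not advertised")
    return problems

def advertised_for_port(listeners: dict, advertised: dict, port: int) -> tuple:
    """Metadata answer for a client that connected to `port`: the NAME bound there and its advertised host:port."""
    for name, (_, bound) in listeners.items():
        if bound == port:
            host, adv_port = advertised[name]
            return name, f"{host or '<broker default hostname>'}:{adv_port}"
    raise LookupError(f"nothing is listening on port {port}")

if __name__ == "__main__":
    lis, adv = parse_listeners(LISTENERS), parse_listeners(ADVERTISED)
    print("config problems:", validate(lis, adv, PROTOCOL_MAP, INTER_BROKER) or "none")
    for port in (7000, 6000):  # the two ports the question's tcpdump showed
        print(port, "->", advertised_for_port(lis, adv, port))
```

With this rule, a connection that truly terminates on the 7000 listener can only be answered with the EXTERNAL address; an answer naming PRIVATE means the broker saw the connection arrive on its 6000 listener, so the path between client and broker is the place to check.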