
Guide: Encrypted and Plaintext Connections

If you want to connect to an Apache Kafka cluster, you can choose between two types of connections: Encrypted or Plaintext (unencrypted).

Encrypted Connection

  • An encrypted connection protects data in transit between two systems, so that anyone who intercepts the traffic cannot read or tamper with it
  • Encrypted connections are required when connecting to a CloudKarafka cluster over the public internet; unencrypted connection attempts from the internet are blocked by default.
  • CloudKarafka uses TLSv1.3 by default and falls back to TLSv1.2 if your client does not support TLSv1.3.

Verification of established connections

An encrypted connection also lets the client verify that it is talking to the genuine broker rather than to someone performing a man-in-the-middle attack: the client checks that the certificate the broker presents is issued by a trusted certificate authority and is valid for the hostname the client connected to. CloudKarafka uses Let's Encrypt for its broker certificates, so the chain ends at a CA that is already in the trust store of any up-to-date operating system or JVM. This protection only holds if your client does not switch hostname verification off (for the Java client, leave ssl.endpoint.identification.algorithm at its default value of https).
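The check described above, written out as an added example (this is not CloudKarafka's own code or client): a TLS context configured the way a verifying Kafka client should be, a probe that reports what a broker actually negotiated, and a helper that reads the issuer out of the certificate. CLUSTER_HOSTNAME and port 9094 are placeholders, and the sample certificate dict is constructed so the issuer check can run offline.

```python
"""Added example: verify a broker's TLS certificate and protocol version
the way a Kafka client does.  Not CloudKarafka code; hostnames are placeholders."""
import socket
import ssl


def make_verifying_context() -> ssl.SSLContext:
    """Context that rejects what a properly configured client must reject:
    an untrusted issuer, a hostname mismatch, or anything older than TLS 1.2."""
    ctx = ssl.create_default_context()             # system CA bundle, CERT_REQUIRED
    ctx.check_hostname = True                       # SNI name must match a SAN in the cert
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # guide: TLS 1.3 default, 1.2 fallback
    return ctx


def issuer_organization(peercert: dict) -> str:
    """Return the issuer organizationName from a getpeercert()-style dict ('' if absent)."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def probe_broker(hostname: str, port: int = 9094, timeout: float = 5.0) -> dict:
    """Open a verified TLS session to a broker and report what was negotiated.
    Needs network access; raises ssl.SSLCertVerificationError if the certificate
    is untrusted or does not match `hostname`."""
    ctx = make_verifying_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),           # expect "TLSv1.3" against CloudKarafka
                "issuer_org": issuer_organization(cert),
                "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, for offline use.
SAMPLE_PEERCERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subject": ((("commonName", "CLUSTER_HOSTNAME"),),),
    "subjectAltName": (("DNS", "CLUSTER_HOSTNAME"),),
}

if __name__ == "__main__":
    print("sample cert issued by:", issuer_organization(SAMPLE_PEERCERT))
    # probe_broker("CLUSTER_HOSTNAME", 9094) would print the live negotiation result
```

Run probe_broker against your real cluster hostname: a result whose tls_version is "TLSv1.3" and whose issuer_org is "Let's Encrypt" confirms both claims in this section, while a hostname mismatch or an untrusted chain raises before any Kafka protocol bytes are sent.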

Set up an encrypted connection

A TLS connection only proves the broker's identity to the client. Once it is established, you must still authenticate yourself to the broker, using either a username and password (SASL/SCRAM) or a client certificate (mutual TLS).

Using username and password

To connect to a cluster on CloudKarafka over an encrypted connection and authenticate with username and password use these settings:

  • bootstrap.servers=CLUSTER_HOSTNAME:9094
  • security.protocol=SASL_SSL
  • sasl.mechanism=SCRAM-SHA-512

Note the port number!

Using client certificate

To connect to a cluster on CloudKarafka over an encrypted connection and authenticate with a client certificate use these settings:

  • bootstrap.servers=CLUSTER_HOSTNAME:9093
  • security.protocol=SSL

Note the port number!

Plaintext connections

Although it is always recommended to use an encrypted connection when connecting to brokers over the public Internet, there are use cases where plaintext connections may be beneficial. CloudKarafka only allows you to connect to the broker using a plaintext connection when you create a VPC peering between your servers and the CloudKarafka cluster.

VPC peering is a way to connect two or more Virtual Private Clouds (VPCs) within a single cloud provider's network which allows them to communicate with one another as if they were on the same network.

Traffic over a VPC peering never leaves the cloud provider's private network, so CloudKarafka does not require encryption on peered connections.

Benefits of using VPC peering and plaintext connections

TLS costs the broker extra CPU: every message must be decrypted before it can be processed, and encrypted again for each consumer that fetches it, which also prevents the broker from handing file data straight to the socket with zero-copy (sendfile) transfers. Connecting over a VPC peering with plaintext therefore gives better throughput and lower latency for the same hardware.

Set up a plaintext connection

Using username and password

Client certificates require TLS, so over a plaintext connection the only way to authenticate is with a username and password. SCRAM-SHA-512 is a challenge-response mechanism, so the password itself is never sent over the wire, but all message data on a plaintext connection is.

Use these settings:

  • bootstrap.servers=CLUSTER_HOSTNAME:9092
  • security.protocol=SASL_PLAINTEXT
  • sasl.mechanism=SCRAM-SHA-512

Be sure to note the port number!
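The three settings blocks on this page (SASL_SSL on 9094, SSL with a client certificate on 9093, and SASL_PLAINTEXT on 9092) differ only in port and security.protocol, and the repeated warning about the port number exists because mismatching the two is the most common connection failure. As an added example, not CloudKarafka code, the block below assembles the settings for each listener and checks an existing config for that mismatch. The credential and certificate keys (sasl.username, sasl.password, ssl.certificate.location, ssl.key.location, ssl.ca.location) are the librdkafka/confluent-kafka names; a Java client sets sasl.jaas.config and keystore properties instead. CLUSTER_HOSTNAME, credentials and file paths are placeholders.

```python
"""Added example: build and sanity-check Kafka client settings for the
listeners described in this guide.  Not CloudKarafka's own code."""

# port -> (security.protocol, authenticates with SASL?)   as documented on this page
LISTENERS = {
    9092: ("SASL_PLAINTEXT", True),   # plaintext, reachable only over a VPC peering
    9093: ("SSL", False),             # TLS, client authenticates with a certificate
    9094: ("SASL_SSL", True),         # TLS, client authenticates with SCRAM-SHA-512
}


def build_client_config(hostname, port, username=None, password=None,
                        ca_file=None, cert_file=None, key_file=None):
    """Return a dict of client properties for `port`, or raise ValueError
    when the caller supplies credentials that do not fit that listener."""
    if port not in LISTENERS:
        raise ValueError(f"port {port} is not a listener described in this guide")
    protocol, needs_sasl = LISTENERS[port]
    cfg = {
        "bootstrap.servers": f"{hostname}:{port}",
        "security.protocol": protocol,
    }
    if needs_sasl:
        if not (username and password):
            raise ValueError(f"{protocol} on port {port} requires a username and password")
        cfg.update({
            "sasl.mechanism": "SCRAM-SHA-512",   # librdkafka alias of sasl.mechanisms
            "sasl.username": username,
            "sasl.password": password,
        })
    else:
        if not (cert_file and key_file):
            raise ValueError("SSL on port 9093 authenticates with a client certificate and key")
        cfg.update({
            "ssl.certificate.location": cert_file,
            "ssl.key.location": key_file,
        })
    if protocol.endswith("SSL") and ca_file:
        cfg["ssl.ca.location"] = ca_file         # only needed if the CA is not in the system store
    return cfg


def check_port_matches_protocol(cfg):
    """Return a list of problems (empty when the config is consistent): every
    bootstrap server's port must agree with security.protocol."""
    problems = []
    protocol = cfg.get("security.protocol")
    for server in cfg.get("bootstrap.servers", "").split(","):
        host, _, port = server.strip().rpartition(":")
        if not host or not port.isdigit():
            problems.append(f"{server!r}: expected HOST:PORT")
            continue
        expected = LISTENERS.get(int(port), (None,))[0]
        if expected is None:
            problems.append(f"{server}: port {port} is not a documented listener")
        elif expected != protocol:
            problems.append(f"{server}: port {port} expects {expected}, got {protocol}")
    return problems


if __name__ == "__main__":
    cfg = build_client_config("CLUSTER_HOSTNAME", 9094, username="USER", password="PASSWORD")
    for key, value in cfg.items():
        print(f"{key}={value}")
    # Typical mistake: TLS settings pointed at the plaintext port.
    wrong = dict(cfg, **{"bootstrap.servers": "CLUSTER_HOSTNAME:9092"})
    print(check_port_matches_protocol(wrong))
```

Run check_port_matches_protocol on a config before the first connection attempt: a client that pairs SASL_SSL with port 9092, or SASL_PLAINTEXT with 9094, fails during the handshake with errors that look like network or credential problems rather than a port mix-up.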