Connect to an Amazon MSK cluster
By default, clients can access an MSK cluster only if they're in the same VPC as the cluster. All communication between your Kafka clients and your MSK cluster are private by default and your streaming data never traverses the internet. To connect to your MSK cluster from a client that's in the same VPC as the cluster, make sure the cluster's security group has an inbound rule that accepts traffic from the client's security group. For information about setting up these rules, see Security Group Rules. For an example of how to access a cluster from an Amazon EC2 instance that's in the same VPC as the cluster, see Get started using Amazon MSK.
To connect to your MSK cluster from a client that's outside the cluster's VPC, see Access from within Amazon but outside cluster's VPC.