Controlling access to Apache ZooKeeper
For security reasons you can limit access to the Apache ZooKeeper nodes that are part of your Amazon MSK cluster. To limit access to the nodes, you can assign a separate security group to them. You can then decide who gets access to that security group.
Important
This section does not apply to clusters running in KRaft mode. See KRaft mode.
To place your Apache ZooKeeper nodes in a separate security group
- Get the Apache ZooKeeper connection string for your cluster. To learn how, see ZooKeeper mode. The connection string contains the DNS names of your Apache ZooKeeper nodes.
- Use a tool like host or ping to convert the DNS names you obtained in the previous step to IP addresses. Save these IP addresses because you need them later in this procedure.
- Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/. In the left pane, under NETWORK & SECURITY, choose Network Interfaces.
- In the search field above the table of network interfaces, type the name of your cluster, then press Enter. This limits the number of network interfaces that appear in the table to those interfaces that are associated with your cluster.
- Select the check box at the beginning of the row that corresponds to the first network interface in the list.
- In the details pane at the bottom of the page, look for the Primary private IPv4 IP. If this IP address matches one of the IP addresses you obtained in the first step of this procedure, this network interface is assigned to an Apache ZooKeeper node that is part of your cluster. Otherwise, deselect the check box next to this network interface, and select the next network interface in the list. The order in which you select the network interfaces doesn't matter. In the next steps, you perform the same operations on all network interfaces that are assigned to Apache ZooKeeper nodes, one by one.
- When you select a network interface that corresponds to an Apache ZooKeeper node, choose the Actions menu at the top of the page, then choose Change Security Groups. Assign a new security group to this network interface. For information about creating security groups, see Creating a Security Group in the Amazon VPC documentation.
- Repeat the previous step to assign the same new security group to all the network interfaces that are associated with the Apache ZooKeeper nodes of your cluster.
- You can now choose who has access to this new security group. For information about setting security group rules, see Adding, Removing, and Updating Rules in the Amazon VPC documentation.
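The procedure above, carried out as a script rather than by hand, as an added example that is not part of the Amazon MSK documentation. It assumes the interface records have the shape that boto3's ec2.describe_network_interfaces() returns, uses constructed DNS answers in place of host or ping, and only plans the change; the ENI IDs, IPs and host names are made up.

```python
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample data. The dict shape follows the NetworkInterfaces entries that
# boto3's ec2.describe_network_interfaces() returns (field names assumed from boto3).
SAMPLE_INTERFACES = [
    {"NetworkInterfaceId": "eni-0a1", "PrivateIpAddress": "10.0.1.15"},
    {"NetworkInterfaceId": "eni-0b2", "PrivateIpAddress": "10.0.2.27"},
    {"NetworkInterfaceId": "eni-0c3", "PrivateIpAddress": "10.0.3.40"},
    {"NetworkInterfaceId": "eni-0d4", "PrivateIpAddress": "10.0.1.99"},  # a broker, not ZooKeeper
]
# Constructed DNS answers standing in for `host`/`ping`; pass socket.gethostbyname in practice.
SAMPLE_DNS = {
    "z-1.cluster.example.invalid": "10.0.1.15",
    "z-2.cluster.example.invalid": "10.0.2.27",
    "z-3.cluster.example.invalid": "10.0.3.40",
}
SAMPLE_CONNECT_STRING = ",".join(f"{host}:2181" for host in SAMPLE_DNS)


def zookeeper_hosts(connect_string: str) -> List[str]:
    """Split the connection string 'host1:2181,host2:2181,...' into its host names."""
    return [entry.rsplit(":", 1)[0] for entry in connect_string.split(",") if entry.strip()]


def resolve_ips(hosts: Iterable[str], resolver: Callable[[str], str]) -> Set[str]:
    """Second step of the procedure: turn each ZooKeeper DNS name into its IP address."""
    return {resolver(host) for host in hosts}


def plan_security_group_change(
    interfaces: List[Dict], connect_string: str, new_sg: str, resolver: Callable[[str], str]
) -> Dict[str, List[str]]:
    """Map each ZooKeeper node's interface ID to the security group list it should get.

    Interfaces are matched on their primary private IPv4, as in the console procedure.
    Raises if a ZooKeeper IP has no interface, so the change is never applied to only
    part of the ensemble (which would leave some nodes on the broader cluster group).
    The new group's rules must still let the cluster's brokers reach ZooKeeper.
    """
    zk_ips = resolve_ips(zookeeper_hosts(connect_string), resolver)
    plan = {eni["NetworkInterfaceId"]: [new_sg]
            for eni in interfaces if eni.get("PrivateIpAddress") in zk_ips}
    missing = zk_ips - {eni.get("PrivateIpAddress") for eni in interfaces}
    if missing:
        raise LookupError(f"no network interface found for ZooKeeper IPs: {sorted(missing)}")
    return plan
```

To apply a plan, call ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=groups) for each entry, which is the API equivalent of Change Security Groups in the console.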
Using TLS security with Apache ZooKeeper
You can use TLS security for encryption in transit between your clients and your Apache ZooKeeper nodes. To implement TLS security with your Apache ZooKeeper nodes, do the following:
- Clusters must use Apache Kafka version 2.5.1 or later to use TLS security with Apache ZooKeeper.
- Enable TLS security when you create or configure your cluster. Clusters created with Apache Kafka version 2.5.1 or later with TLS enabled automatically use TLS security with Apache ZooKeeper endpoints. For information about setting up TLS security, see How do I get started with encryption?.
- Retrieve the TLS Apache ZooKeeper endpoints using the DescribeCluster operation.
- Create an Apache ZooKeeper configuration file for use with the kafka-configs.sh and kafka-acls.sh tools, or with the ZooKeeper shell. With each tool, you use the --zk-tls-config-file parameter to specify your Apache ZooKeeper config. The following example shows a typical Apache ZooKeeper configuration file:
    zookeeper.ssl.client.enable=true
    zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
    zookeeper.ssl.keystore.location=kafka.jks
    zookeeper.ssl.keystore.password=test1234
    zookeeper.ssl.truststore.location=truststore.jks
    zookeeper.ssl.truststore.password=test1234
  For other commands (such as kafka-topics), you must use the KAFKA_OPTS environment variable to configure Apache ZooKeeper parameters. The following example shows how to configure the KAFKA_OPTS environment variable to pass Apache ZooKeeper parameters into other commands:
    export KAFKA_OPTS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.trustStore.location=/home/ec2-user/kafka.client.truststore.jks -Dzookeeper.ssl.trustStore.password=changeit"
  After you configure the KAFKA_OPTS environment variable, you can use CLI commands normally. The following example creates an Apache Kafka topic using the Apache ZooKeeper configuration from the KAFKA_OPTS environment variable:
    <path-to-your-kafka-installation>/bin/kafka-topics.sh --create --zookeeper ZooKeeperTLSConnectString --replication-factor 3 --partitions 1 --topic AWSKafkaTutorialTopic
Note
The names of the parameters you use in your Apache ZooKeeper configuration file and those you use in your KAFKA_OPTS environment variable are not consistent. Pay attention to which names you use with which parameters in your configuration file and KAFKA_OPTS environment variable.
For more information about accessing your Apache ZooKeeper nodes with TLS, see KIP-515: Enable ZK client to use the new TLS supported authentication.
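The naming mismatch the Note describes, as an added example that is not part of the Amazon MSK documentation: one set of TLS client settings is rendered both as a --zk-tls-config-file and as a KAFKA_OPTS string, so the two spellings are never mixed up by hand. The config-file names are Kafka's and the KAFKA_OPTS names are ZooKeeper's client system properties; the keyStore property names for KAFKA_OPTS are not on this page and are taken from the ZooKeeper client, and the sample values are the page's truststore path and password.

```python
import os
import shlex
from typing import Dict, List, Tuple

# The same TLS client settings go by different property names in the two places the
# page describes: the --zk-tls-config-file uses Kafka's lower-case names, while
# KAFKA_OPTS uses ZooKeeper's camelCase system properties (and client.secure rather
# than ssl.client.enable). Each tuple is (config-file name, KAFKA_OPTS name).
PROPERTY_NAMES: Dict[str, Tuple[str, str]] = {
    "truststore_location": ("zookeeper.ssl.truststore.location", "zookeeper.ssl.trustStore.location"),
    "truststore_password": ("zookeeper.ssl.truststore.password", "zookeeper.ssl.trustStore.password"),
    "keystore_location": ("zookeeper.ssl.keystore.location", "zookeeper.ssl.keyStore.location"),
    "keystore_password": ("zookeeper.ssl.keystore.password", "zookeeper.ssl.keyStore.password"),
}
NETTY_SOCKET = "org.apache.zookeeper.ClientCnxnSocketNetty"
# Constructed sample using the truststore path and password from the page's KAFKA_OPTS example.
SAMPLE = {"truststore_location": "/home/ec2-user/kafka.client.truststore.jks",
          "truststore_password": "changeit"}


def _pairs(settings: Dict[str, str], which: int) -> List[Tuple[str, str]]:
    """Pick one spelling per setting; keystore entries are emitted only if supplied."""
    return [(names[which], settings[key]) for key, names in PROPERTY_NAMES.items() if key in settings]


def render_zk_tls_config_file(settings: Dict[str, str]) -> str:
    """Properties file for kafka-configs.sh / kafka-acls.sh --zk-tls-config-file."""
    lines = ["zookeeper.ssl.client.enable=true", f"zookeeper.clientCnxnSocket={NETTY_SOCKET}"]
    lines += [f"{name}={value}" for name, value in _pairs(settings, 0)]
    return "\n".join(lines) + "\n"


def render_kafka_opts(settings: Dict[str, str]) -> str:
    """KAFKA_OPTS value for tools such as kafka-topics.sh that take no config file."""
    props = [("zookeeper.clientCnxnSocket", NETTY_SOCKET), ("zookeeper.client.secure", "true")]
    props += _pairs(settings, 1)
    return " ".join(f"-D{name}={value}" for name, value in props)


def export_line(settings: Dict[str, str]) -> str:
    """Shell line that sets KAFKA_OPTS, quoted so a password with spaces or $ survives."""
    return "export KAFKA_OPTS=" + shlex.quote(render_kafka_opts(settings))


def write_config_file(path: str, settings: Dict[str, str]) -> None:
    """Write the config file readable only by its owner, since it holds store passwords."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(render_zk_tls_config_file(settings))
```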