ApsaraMQ for Kafka provides default endpoints, Secure Sockets Layer (SSL) endpoints, and Simple Authentication and Security Layer (SASL) endpoints to meet different connection and security requirements. Default endpoints are suitable for messaging in virtual private clouds (VPCs) with high security requirements. SASL endpoints are suitable for scenarios in which transmission encryption is not required but messaging authentication is required. If you want to encrypt transmission links and authenticate messaging, we recommend that you use SSL endpoints.
Basic concepts
ApsaraMQ for Kafka uses SASL mechanisms for identity authentication. The following mechanisms are supported:
PLAIN: a simple authentication mechanism that is used to verify usernames and passwords. The PLAIN mechanism provided by ApsaraMQ for Kafka allows you to dynamically create SASL users without the need to restart an instance.
SCRAM: a hash-based username and password verification mechanism that is used between clients and brokers. Compared with the PLAIN mechanism, the SCRAM-SHA-256 mechanism provides stronger security protection. SCRAM-SHA-256 also allows you to dynamically create SASL users without the need to restart an instance.
ApsaraMQ for Kafka uses SSL encryption to protect data in transit. This prevents data from being intercepted or eavesdropped on while it is transferred over the network.
Background information
Internet: If you access ApsaraMQ for Kafka instances over the Internet, messages must be both authenticated and encrypted. The PLAIN mechanism of SASL must be used together with SSL so that messages are never transferred in plaintext.
VPC: A VPC is an isolated network environment. If you access ApsaraMQ for Kafka instances in a VPC, messages can be transferred over the PLAINTEXT protocol without encryption, because the VPC isolates the traffic. If you have high security requirements, you can additionally perform SASL identity authentication on messages, which are then still transferred within the isolated VPC channel. You can select the PLAIN or SCRAM mechanism for identity authentication based on your security requirements.
The default SASL user of an ApsaraMQ for Kafka instance is used for identity authentication. The default SASL user has the permissions to read data from and write data to all topics and consumer groups created on the instance. If you want to perform fine-grained access control, enable the access control list (ACL) feature, create a SASL user, and then grant the SASL user the permissions on the resources of your ApsaraMQ for Kafka instance based on your business requirements. After you enable the ACL feature, the permissions that are granted to the default SASL user become invalid. For more information, see Grant permissions to SASL users.
Endpoints for Internet- and VPC-connected instances
You can access Internet- and VPC-connected ApsaraMQ for Kafka instances over the Internet and in VPCs. You can use the SSL endpoint, default endpoint, or SASL endpoint of your instance to connect to ApsaraMQ for Kafka from a client. For more information, see Comparison among endpoints for Internet- and VPC-connected instances.
| Network type | Port | Endpoint | Protocol | Scenario |
| --- | --- | --- | --- | --- |
| Internet | 9093 | SSL endpoint | SASL_SSL | Encryption is required during message transmission and identity authentication is required during message production and consumption. The following mechanisms are supported for identity authentication: |
| VPC | 9092 | Default endpoint | PLAINTEXT | No encryption is required during message transmission and no identity authentication is required during message production and consumption. |
| VPC | 9094 | SASL endpoint | SASL_PLAINTEXT | No encryption is required during message transmission but identity authentication is required during message production and consumption. The following mechanisms are supported for identity authentication: |
Endpoints for VPC-connected instances
You can access VPC-connected ApsaraMQ for Kafka instances only in VPCs. You can use the default endpoint or SASL endpoint of your instance to connect to ApsaraMQ for Kafka from a client. For more information, see Comparison between endpoints for VPC-connected instances.
| Network type | Port | Endpoint | Protocol | Scenario |
| --- | --- | --- | --- | --- |
| VPC | 9092 | Default endpoint | PLAINTEXT | No encryption is required during message transmission and no identity authentication is required during message production and consumption. |
| VPC | 9094 | SASL endpoint | SASL_PLAINTEXT | No encryption is required during message transmission but identity authentication is required during message production and consumption. The following mechanisms are supported for identity authentication: |
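The two endpoint tables above describe a small decision rule: the network type and the need for encryption and authentication determine which port and Kafka security protocol a client must use. The following Python helper, added here as an illustration and not part of ApsaraMQ for Kafka's own documentation or SDKs, encodes that rule and emits the matching client settings. It assumes placeholder host names, and the `sasl.username` / `sasl.password` / `ssl.ca.location` keys follow librdkafka naming (as used by confluent-kafka); `bootstrap.servers`, `security.protocol` and `sasl.mechanism` are the standard Kafka client keys. It also rejects the combination the Background information section rules out: unauthenticated or unencrypted access over the Internet.

```python
# Added example: map ApsaraMQ for Kafka endpoint requirements to client settings.
# Ports, protocols and mechanisms are taken from the endpoint tables on this page.
# Host names below are placeholders; config key names follow librdkafka (assumption).

PORT_DEFAULT = 9092  # Default endpoint, PLAINTEXT, VPC only
PORT_SSL = 9093      # SSL endpoint, SASL_SSL, Internet
PORT_SASL = 9094     # SASL endpoint, SASL_PLAINTEXT, VPC only

SUPPORTED_MECHANISMS = ("PLAIN", "SCRAM-SHA-256")


def select_endpoint(network, encrypt, authenticate):
    """Return (port, security.protocol) for the requested network and guarantees.

    Raises ValueError when the endpoint tables offer no endpoint that satisfies
    the request, so a misconfiguration fails at setup time rather than on the wire.
    """
    if network == "internet":
        # Over the Internet the page requires both SASL authentication and SSL.
        if not (encrypt and authenticate):
            raise ValueError(
                "Internet access requires SASL authentication over SSL (port 9093)")
        return PORT_SSL, "SASL_SSL"
    if network == "vpc":
        if encrypt:
            # The tables list no SSL endpoint for VPC access; only Internet uses 9093.
            raise ValueError("No encrypted VPC endpoint is listed; use the Internet SSL endpoint")
        if authenticate:
            return PORT_SASL, "SASL_PLAINTEXT"
        return PORT_DEFAULT, "PLAINTEXT"
    raise ValueError(f"unknown network type: {network!r}")


def client_config(host, network, encrypt, authenticate,
                  mechanism=None, username=None, password=None, ca_file=None):
    """Build a Kafka client configuration dict for the chosen endpoint."""
    port, protocol = select_endpoint(network, encrypt, authenticate)
    config = {
        "bootstrap.servers": f"{host}:{port}",
        "security.protocol": protocol,
    }
    if protocol.startswith("SASL"):
        if mechanism not in SUPPORTED_MECHANISMS:
            raise ValueError(f"SASL mechanism must be one of {SUPPORTED_MECHANISMS}")
        if not (username and password):
            raise ValueError("SASL endpoints require a SASL username and password")
        # librdkafka-style credential keys (assumption; Java clients use sasl.jaas.config).
        config["sasl.mechanism"] = mechanism
        config["sasl.username"] = username
        config["sasl.password"] = password
    if protocol.endswith("SSL"):
        # CA bundle used to verify the broker certificate (path is a placeholder).
        config["ssl.ca.location"] = ca_file or "/path/to/ca-cert.pem"
    return config


def audit_config(config):
    """Flag client settings that contradict the rules on this page.

    Returns a list of findings; an empty list means the settings are consistent.
    """
    findings = []
    protocol = config.get("security.protocol", "")
    port = int(config.get("bootstrap.servers", "host:0").rsplit(":", 1)[1])
    expected = {PORT_DEFAULT: "PLAINTEXT", PORT_SSL: "SASL_SSL", PORT_SASL: "SASL_PLAINTEXT"}
    if expected.get(port) != protocol:
        findings.append(f"port {port} is served as {expected.get(port)}, not {protocol}")
    if protocol.startswith("SASL") and config.get("sasl.mechanism") not in SUPPORTED_MECHANISMS:
        findings.append("SASL protocol selected without a supported mechanism")
    if protocol == "SASL_PLAINTEXT" and config.get("sasl.mechanism") == "PLAIN":
        # Allowed inside a VPC, but worth surfacing: the password crosses the network unencrypted.
        findings.append("PLAIN over SASL_PLAINTEXT sends credentials in clear text; acceptable only inside a VPC")
    return findings


if __name__ == "__main__":
    # Constructed sample: an Internet client using PLAIN over SSL.
    cfg = client_config("alikafka-example.aliyuncs.com", "internet", True, True,
                        mechanism="PLAIN", username="example-user", password="example-pass")
    print(cfg)
    print(audit_config(cfg))
```

Pass the returned dict straight to a librdkafka-based producer or consumer constructor; for a VPC client that only needs isolation, call `client_config(host, "vpc", False, False)` and no credentials are attached. `audit_config` is the defender's counterpart: run it over existing client settings to catch a port/protocol mismatch or PLAIN credentials sent without SSL.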