Kafka multiple listeners
Initial apologies for the long post (this is also on Super User, as I wasn't sure of the best place for this: https://superuser.com/questions/1404421/kafka-multiple-listeners, so let me know if one needs closing)...
I have set up a Kafka cluster in AWS with the following listeners and advertised listeners:
```
KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://ds-kafka-broker0.service.local:9092,INTERNAL://:9093,PRIVATE://ds-kafka-broker0.private.awscloud.co.uk:6000,EXTERNAL://ds-kafka-broker0.dev.awscloud.co.uk:7000
KAFKA_LISTENERS: PLAINTEXT://:9092,INTERNAL://:9093,PRIVATE://:6000,EXTERNAL://:7000
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,INTERNAL:PLAINTEXT,PRIVATE:PLAINTEXT,EXTERNAL:PLAINTEXT
KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
```
I am having to do this because we run an AWS/on-prem hybrid environment over Direct Connect.
Within AWS:
We use VPCEs for connectivity to the Kafka cluster within accounts, so the host for the PRIVATE listener is the same for every account and uses a local private R53 zone.
On-Prem:
The private zone does not work with on-prem because we cannot resolve the private.awscloud.co.uk zones that sit in every AWS account, so I have to use another zone, which in Kafka forces me to use another listener and port range. This is the EXTERNAL listener.
They are all currently using plaintext as I am still in the implementation stage; both will eventually use the same encryption, but for my current connectivity testing purposes this should work. As a running cluster with all the accessories (connect, ksql, schema, etc.), it all works fine from within the Kafka cluster AWS account.
The problem:
When I connect to the EXTERNAL ports using the following producer.config settings:
```
bootstrap.servers=EXTERNAL://ds-kafka-broker0.dev.awscloud.co.uk:7000,EXTERNAL://ds-kafka-broker1.dev.awscloud.co.uk:7001,EXTERNAL://ds-kafka-broker2.dev.awscloud.co.uk:7002
#security.protocol=EXTERNAL # commented out as this is not valid in console producer
compression.type=snappy
max.block.ms=5000
linger.ms=5
max.in.flight.requests.per.connection=1
retries=5
batch.size=1000
max.request.size=10000000
acks=1
buffer.memory=67108864
```
and use the following test console producer command line:
```
bin/kafka-console-producer --producer.config etc/producer.properties --topic test-create-remote --broker-list EXTERNAL://ds-kafka-broker0.dev.awscloud.co.uk:7000,EXTERNAL://ds-kafka-broker1.dev.awscloud.co.uk:7001,EXTERNAL://ds-kafka-broker2.dev.awscloud.co.uk:7002
```
the initial connection occurs on 7000 but then Kafka reports back to the client that it should be using the PRIVATE listener and the traffic reconnects onto the 6000 Private port range (confirmed with tcpdump).
This is fine when you are connecting in from within an AWS account, as that is what this port range and listener is for, but from a client perspective I don't seem to have any control of which listener to use. In this case the connection from on-prem fails because I cannot resolve the PRIVATE address, and even if I could, I couldn't connect on the port anyway.
This also makes me wonder why I am getting the PRIVATE listener... Why not the INTERNAL or PLAINTEXT ones if I have no control?
Hope all this makes sense and any pointers appreciated.
linux amazon-web-services kafka
asked Feb 11 at 13:39
Simon Thorley
1 Answer
Just thought I would post my solution for this. This was nothing to do with the Kafka configuration!
This was running on AWS ECS (EC2, not Fargate), and as there is currently a limitation of 1 target group per task, 1 target group was used in the background for both listeners (6000 & 7000). This target group was the 6000 port, so it was translating 7000 to 6000, hence me always getting back the same listener.
This blog post (https://rmoff.net/2018/08/02/kafka-listeners-explained/) was quite helpful but didn't go far enough to cover my problem; there was 1 key quote within it that helped:
> When connecting to a broker, the listener that will be returned to the client will be the listener to which you connected (based on the port).

Then, when I was talking the problem through with someone and talking about the single load balancer, I had a light bulb moment... Now on port-dedicated target groups and all is well.
answered 19 hours ago
Simon Thorley
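The behaviour in the quoted sentence, modelled as an added example (not part of the original post or the linked blog): the listener values are the ones from the question, while the load balancer port mappings and all function names are constructed for illustration. It shows why a shared target group on 6000 hands EXTERNAL clients the PRIVATE address, and flags any front-end port that resolves to a different advertised port.

```python
# Broker settings copied from the question (broker0).
LISTENERS = "PLAINTEXT://:9092,INTERNAL://:9093,PRIVATE://:6000,EXTERNAL://:7000"
ADVERTISED = (
    "PLAINTEXT://ds-kafka-broker0.service.local:9092,INTERNAL://:9093,"
    "PRIVATE://ds-kafka-broker0.private.awscloud.co.uk:6000,"
    "EXTERNAL://ds-kafka-broker0.dev.awscloud.co.uk:7000"
)
PROTOCOL_MAP = "PLAINTEXT:PLAINTEXT,INTERNAL:PLAINTEXT,PRIVATE:PLAINTEXT,EXTERNAL:PLAINTEXT"

# Constructed load balancer rules: front-end port -> port reached on the broker host.
SHARED_TARGET_GROUP = {6000: 6000, 7000: 6000}      # one target group, as in the answer
DEDICATED_TARGET_GROUPS = {6000: 6000, 7000: 7000}  # one target group per port


def parse_endpoints(value):
    """Parse 'NAME://host:port,...' into {NAME: (host, port)}."""
    endpoints = {}
    for item in value.split(","):
        name, _, address = item.strip().partition("://")
        host, _, port = address.rpartition(":")
        endpoints[name] = (host, int(port))
    return endpoints


def resolve(front_port, lb_rules):
    """Return (listener, advertised host, advertised port, protocol) for a
    client that connects to front_port on the load balancer."""
    # The broker identifies the listener by the socket the connection arrives
    # on, so only the port *after* load balancer translation matters.
    name_by_port = {port: name for name, (_, port) in parse_endpoints(LISTENERS).items()}
    protocols = dict(pair.split(":") for pair in PROTOCOL_MAP.split(","))
    name = name_by_port[lb_rules[front_port]]
    host, port = parse_endpoints(ADVERTISED)[name]
    # The same listener name also selects the security protocol, so a
    # mis-routed port can put clients on a listener meant for another zone.
    return name, host, port, protocols[name]


def audit(lb_rules):
    """List front-end ports whose clients are told to reconnect elsewhere."""
    findings = []
    for front_port in sorted(lb_rules):
        name, host, port, _ = resolve(front_port, lb_rules)
        if port != front_port:
            findings.append((front_port, name, f"{host}:{port}"))
    return findings


if __name__ == "__main__":
    for label, rules in (("shared", SHARED_TARGET_GROUP),
                         ("dedicated", DEDICATED_TARGET_GROUPS)):
        print(label, "7000 ->", resolve(7000, rules), "findings:", audit(rules))
```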