# Pre-configuring an Apache Kafka® cluster connection


You can connect to Managed Service for Apache Kafka® cluster hosts:

* Over the internet if you configured [public access](../cluster-update.md#change-sg-set) for your cluster. This cluster allows connections only via [SSL](#get-ssl-cert).
* From Yandex Cloud virtual machines located in the same [cloud network](../../../vpc/concepts/network.md). If the cluster is not publicly accessible, you do not need to use SSL to connect from these VMs.

You can connect to an Apache Kafka® cluster both with encryption (`SASL_SSL`, port 9091) and without it (`SASL_PLAINTEXT`, port 9092).


To connect to an Apache Kafka® cluster:

1. [Create users](../cluster-accounts.md#create-account) for clients (producers and consumers) with access to the appropriate topics.
1. Connect the clients to the cluster:
   * Producers using the [Kafka Producer API](https://kafka.apache.org/42/apis/#producer-api).
   * Consumers using the [Kafka Consumer API](https://kafka.apache.org/42/apis/#consumer-api).

There are ready-made Apache Kafka® API implementations for most popular programming languages. For use cases, see [Code examples](code-examples.md).


## Configuring security groups {#configuring-security-groups}

To connect to a cluster, [security groups](../../../vpc/concepts/security-groups.md) must include rules allowing traffic from certain ports, IP addresses, or from other security groups.

Rule settings depend on the chosen connection method:

{% list tabs group=connection_method %}

- Over the internet {#internet}

  [Configure all cluster security groups](../../../vpc/operations/security-group-add-rule.md) to allow incoming traffic on port 9091 from any IP address. To do this, create the following inbound rule:

  * **Port range**: `9091`.
  * **Protocol**: `TCP`.
  * **Source**: `CIDR`.
  * **CIDR blocks**: `0.0.0.0/0`.

  To allow the use of [Managed Service for Apache Kafka® API](../../concepts/available-apis.md), e.g., to work with [Managed Schema Registry](../../concepts/managed-schema-registry.md), add the following inbound rule:

  * **Port range**: `443`.
  * **Protocol**: `TCP`.
  * **Source**: `CIDR`.
  * **CIDR blocks**: `0.0.0.0/0`.

- From a Yandex Cloud VM {#cloud}

  1. [Configure all cluster security groups](../../../vpc/operations/security-group-add-rule.md) to allow incoming traffic on ports 9091 and 9092 from your VM’s security group. To do this, create the following inbound rule in these groups:

     * **Port range**: `9091-9092`.
     * **Protocol**: `TCP`.
     * **Source**: `Security group`.
     * **Security group**: If your cluster and VM share the same security group, select `Current` (`Self`). Otherwise, specify the VM security group.

     To allow the use of [Managed Service for Apache Kafka® API](../../concepts/available-apis.md), e.g., to work with [Managed Schema Registry](../../concepts/managed-schema-registry.md), add the following inbound rule:

       * **Port range**: `443`.
       * **Protocol**: `TCP`.
       * **Source**: `CIDR`.
       * **CIDR blocks**: `0.0.0.0/0`.

  1. [Configure the VM security group](../../../vpc/operations/security-group-add-rule.md) to allow VM connections and traffic between the VM and cluster hosts.

     For example, you can set the following rules for your VM:

     * For incoming traffic:
       * **Port range**: `22`.
       * **Protocol**: `TCP`.
       * **Source**: `CIDR`.
       * **CIDR blocks**: `0.0.0.0/0`.

       This rule allows inbound connections to the VM over SSH.

     * For outgoing traffic:
        * **Protocol**: `Any`.
        * **Port range**: `0-65535`.
        * **Destination name**: `CIDR`.
        * **CIDR blocks**: `0.0.0.0/0`.

       This rule permits all outbound traffic, allowing you to install any necessary certificates and tools on your VM.

{% endlist %}

{% note info %}

You can specify more granular security group rules, such as allowing traffic only in specific subnets.

Make sure to configure the security groups correctly for all subnets where the cluster hosts will reside. With incomplete or incorrect security group settings, you may lose access to the cluster.

{% endnote %}

For more information about security groups, see [here](../../concepts/network.md#security-groups).
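The tab list above gives the inbound rules as a checklist. As an added example (not Yandex Cloud code), the following Python script turns that checklist into an audit: it encodes the required ingress rules for each connection method, checks whether a given rule set covers them, and flags the one weak setting a reviewer would look for, port 9092 (`SASL_PLAINTEXT`) opened to `0.0.0.0/0` even though a publicly accessible cluster only accepts SSL on 9091. The `Rule` class is a constructed, simplified representation; mapping the JSON that `yc vpc security-group get` returns onto it is left to the reader.

```python
"""Audit a security group's inbound rules against the Managed Service for
Apache Kafka connection requirements. Added example; the Rule model is a
constructed simplification, not the Yandex Cloud API schema."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_V4 = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    direction: str                    # "ingress" or "egress"
    protocol: str                     # "TCP", "UDP", "ANY", ...
    from_port: int
    to_port: int
    cidr_blocks: Tuple[str, ...] = ()  # source CIDRs, e.g. ("0.0.0.0/0",)
    source_sg: Optional[str] = None   # source security group id, or "self"


def required_ingress(method: str, vm_sg: str = "self", with_api: bool = True) -> List[Rule]:
    """Ingress rules required by the connection method described on the page."""
    if method == "internet":
        rules = [Rule("ingress", "TCP", 9091, 9091, (ANY_V4,))]
    elif method == "cloud":
        # VM in the same cloud network: 9091-9092 from the VM's security group
        rules = [Rule("ingress", "TCP", 9091, 9092, source_sg=vm_sg)]
    else:
        raise ValueError(f"unknown connection method: {method!r}")
    if with_api:
        # Managed Service for Apache Kafka API / Managed Schema Registry
        rules.append(Rule("ingress", "TCP", 443, 443, (ANY_V4,)))
    return rules


def covers(existing: Rule, required: Rule) -> bool:
    """True if `existing` allows at least everything `required` asks for."""
    if existing.direction != required.direction:
        return False
    if existing.protocol.upper() not in ("ANY", required.protocol.upper()):
        return False
    if not (existing.from_port <= required.from_port and required.to_port <= existing.to_port):
        return False
    if required.source_sg is not None:
        return existing.source_sg == required.source_sg
    # CIDR source: the wildcard covers anything, otherwise require a superset
    return ANY_V4 in existing.cidr_blocks or set(required.cidr_blocks) <= set(existing.cidr_blocks)


def audit(existing: List[Rule], method: str, vm_sg: str = "self") -> dict:
    """Return the required rules that are missing plus any risky findings."""
    missing = [r for r in required_ingress(method, vm_sg)
               if not any(covers(e, r) for e in existing)]
    warnings = []
    for e in existing:
        exposes_9092 = (e.direction == "ingress" and ANY_V4 in e.cidr_blocks
                        and e.protocol.upper() in ("ANY", "TCP")
                        and e.from_port <= 9092 <= e.to_port)
        if exposes_9092:
            warnings.append("port 9092 (SASL_PLAINTEXT) is open to 0.0.0.0/0; "
                            "a publicly accessible cluster only accepts SSL on 9091")
    return {"missing": missing, "warnings": warnings}


if __name__ == "__main__":
    # Constructed rule set: someone opened 9091-9092 to the internet and forgot 443
    sg = [Rule("ingress", "TCP", 9091, 9092, (ANY_V4,))]
    print(audit(sg, "internet"))
```

The audit treats a `0-65535` range as covering any port, matching how a wide range reads in the console; tighten `covers` to require an exact source CIDR if your policy forbids wildcard rules.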


## Obtaining an SSL certificate {#get-ssl-cert}

To use an encrypted connection, get an SSL certificate:

{% list tabs group=operating_system %}

- Linux (Bash)/macOS (Zsh) {#linux-macos}

   ```bash
   mkdir -p /usr/local/share/ca-certificates/Yandex/ && \
   wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
        --output-document /usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt && \
   chmod 0655 /usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt
   ```

   The certificate will be saved to the `/usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt` file.

- Windows (PowerShell) {#windows}

   ```powershell
   mkdir $HOME\.kafka; curl.exe -o $HOME\.kafka\YandexInternalRootCA.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
   ```

   The certificate will be saved to the `$HOME\.kafka\YandexInternalRootCA.crt` file.

   Your corporate security policies and antivirus software may block the certificate download. For more information, see [FAQ](../../qa/index.md#get-ssl-error).

{% endlist %}

This certificate is also used to access the [Managed Service for Apache Kafka® REST API](../../concepts/available-apis.md).

## Getting FQDNs of Apache Kafka® hosts {#get-fqdn}

To connect to a host, you need its fully qualified domain name ([FQDN](../../concepts/network.md#hostname)). Here is an example of an Apache Kafka® host FQDN:

```text
rc1a-goh2a9tr********.mdb.yandexcloud.net
```

You can get the FQDN using one of the following methods:

* Check the FQDN in the management console:

    1. Navigate to the cluster page.
    1. Navigate to **Hosts**.
    1. Copy the **Host FQDN** column value.

* In the [management console](https://console.yandex.cloud), copy the cluster connection command. It contains the broker host FQDN. To get the command, go to the cluster page and click **Connect**.

* [Get the list of cluster hosts](../cluster-hosts.md#list-hosts) using the CLI or API.

With the [Managed Service for Apache Kafka® REST API](../../concepts/available-apis.md), you can send requests to any broker host: the API is available from all the cluster's broker hosts.
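The connection options at the top of the page (`SASL_SSL` on 9091 for any cluster, `SASL_PLAINTEXT` on 9092 only from a VM in the same cloud network, SSL only for a publicly accessible cluster) and the FQDN format in this section together determine a client's configuration. As an added example that is not part of the page or of any Yandex Cloud client, the following Python code builds such a configuration using librdkafka-style keys (as used by confluent-kafka) and enforces those rules: the port follows the protocol, a public cluster refuses a plaintext configuration, every bootstrap host is checked against the `*.mdb.yandexcloud.net` pattern, and the encrypted variant pins the CA file from the SSL certificate section and keeps broker hostname verification on. The SASL mechanism default is an assumption; set it to whatever your cluster uses.

```python
"""Build a validated Kafka client configuration for a Managed Service for
Apache Kafka cluster. Added example with librdkafka-style keys; the SASL
mechanism default and the host names in the demo are assumptions."""
import re
from typing import Iterable

# Host FQDN pattern from the page: <cluster-specific id>.mdb.yandexcloud.net
HOST_RE = re.compile(r"^[a-z0-9-]+\.mdb\.yandexcloud\.net$")

# Port is determined by the security protocol
PORTS = {"SASL_SSL": 9091, "SASL_PLAINTEXT": 9092}

# Path written by the Linux/macOS certificate step on the page
DEFAULT_CA = "/usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt"


def bootstrap_servers(hosts: Iterable[str], protocol: str) -> str:
    """Join validated broker FQDNs with the port that matches `protocol`."""
    if protocol not in PORTS:
        raise ValueError(f"unsupported security protocol: {protocol!r}")
    servers = []
    for host in hosts:
        host = host.strip().lower()
        if not HOST_RE.match(host):
            raise ValueError(f"not a Managed Service for Apache Kafka host FQDN: {host!r}")
        servers.append(f"{host}:{PORTS[protocol]}")
    if not servers:
        raise ValueError("at least one broker host is required")
    return ",".join(servers)


def client_config(hosts: Iterable[str], user: str, password: str, *,
                  public: bool, encrypted: bool = True,
                  ca_path: str = DEFAULT_CA,
                  mechanism: str = "SCRAM-SHA-512") -> dict:
    """Return a client configuration consistent with the cluster's access mode."""
    if public and not encrypted:
        # A publicly accessible cluster only accepts connections over SSL
        raise ValueError("a publicly accessible cluster only accepts SASL_SSL (port 9091)")
    protocol = "SASL_SSL" if encrypted else "SASL_PLAINTEXT"
    cfg = {
        "bootstrap.servers": bootstrap_servers(hosts, protocol),
        "security.protocol": protocol,
        "sasl.mechanisms": mechanism,   # assumption: adjust to the cluster's mechanism
        "sasl.username": user,
        "sasl.password": password,
    }
    if encrypted:
        cfg["ssl.ca.location"] = ca_path
        # Verify the broker certificate's hostname; never set this to "none"
        cfg["ssl.endpoint.identification.algorithm"] = "https"
    return cfg


if __name__ == "__main__":
    # Constructed host name in the page's format; not a real cluster
    demo_hosts = ["rc1a-example00000000.mdb.yandexcloud.net"]
    print(client_config(demo_hosts, "producer-user", "<password>", public=True))
    print(client_config(demo_hosts, "consumer-user", "<password>", public=False, encrypted=False))
```

The resulting dict can be passed directly to `confluent_kafka.Producer` or `confluent_kafka.Consumer` (adding `group.id` for a consumer); for other clients, translate the keys but keep the same protocol/port pairing and hostname verification.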

## What's next {#whats-next}

* [Connect](clients.md) to the cluster using command line tools.
* [Integrate](code-examples.md) the cluster connection into your application code.