Configure Node Ports to Access Confluent Components

When you configure Confluent components with the NodePort service type for external client access, Kubernetes allocates a separate node port for each Confluent component endpoint. Each Kafka broker, the bootstrap service, and each component is accessible on a separate port.

For a Kafka cluster with N brokers, N+1 NodePort services are created:

  • One for the bootstrap server for the initial connection
  • N services, one for each broker, for subsequent direct connections to the brokers

For an RBAC-enabled Kafka cluster with N brokers, if you enable external access to MDS, N+2 NodePort services are created:

  • One for the bootstrap server for the initial connection
  • One for the MDS on the bootstrap server
  • N services, one for each broker, for subsequent direct connections to the brokers

For the additional configuration steps required to allow external access to Metadata Service (MDS), see Configure Networking for RBAC.

To use NodePort services for external communication:

  1. Create a DNS record using the address of one or more of the nodes in your Kubernetes cluster.

  2. To configure Kafka with node ports, set the following in Kafka CR and apply the configuration:

    spec:
      listeners:
        external:
          externalAccess:
            type: nodePort
            nodePort:
              nodePortOffset:  # Required. The value should be in the range
                               # between 30000 and 32767, inclusive.

              host:            # Required. Specify the FQDN that will be
                               # used to configure all advertised listeners.
    
  3. To configure other Confluent components with node ports, set the following in their CRs and apply the configuration:

    spec:
      externalAccess:
        type: nodePort
        nodePort:
          nodePortOffset:  # Required. The value should be in the range
                           # between 30000 and 32767, inclusive.
    
          host:            # Required. Specify the FQDN that will be used
                           # to configure all advertised listeners.
    

    The access endpoint of each Confluent Platform component will be: <host>:<nodePortOffset>

  4. Create firewall rules to allow connections to the NodePort range that you plan to use. For the steps to create firewall rules, see Using Google Cloud firewall rules.

  5. Verify the NodePort services are correctly created by listing the services in the namespace using the following command:

    kubectl get services -n <namespace> | grep NodePort
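
Steps 4 and 5 can be combined so that the firewall rule opens only the ports that were actually allocated instead of the whole 30000-32767 range. The script below is an added example, not part of the Confluent documentation: it parses `kubectl get services` output, checks the NodePort service count against N+1 and the allowed range, and prints a compact port list. The service names, IP addresses and ports in the sample are constructed.

```bash
# Added example. Live use: kubectl get services -n <namespace> | nodeports
# Constructed sample output for a 3-broker Kafka cluster without external
# MDS access (service names, IPs and ports are made up for illustration).
sample_output() {
cat <<'EOF'
NAME                TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)             AGE
kafka               ClusterIP   None         <none>        9092/TCP,8090/TCP   5m
kafka-0-np          NodePort    10.0.0.11    <none>        9092:30001/TCP      5m
kafka-1-np          NodePort    10.0.0.12    <none>        9092:30002/TCP      5m
kafka-2-np          NodePort    10.0.0.13    <none>        9092:30003/TCP      5m
kafka-bootstrap-np  NodePort    10.0.0.10    <none>        9092:30000/TCP      5m
EOF
}

# Print the node port of every NodePort service, one per line, sorted.
nodeports() {
  awk '$2 == "NodePort" {
         n = split($5, m, ",")
         for (i = 1; i <= n; i++) {
           split(m[i], p, "[:/]")          # "9092:30001/TCP" -> 9092 30001 TCP
           if (p[2] ~ /^[0-9]+$/) print p[2]
         }
       }' | sort -n
}

# Succeed only if stdin holds exactly $1 ports, all within 30000-32767.
check_nodeports() {
  awk -v want="$1" '
    $1 < 30000 || $1 > 32767 { bad++ }
    END { exit !(NR == want && bad == 0) }'
}

# Collapse sorted ports into ranges, e.g. 30000-30003, for a firewall rule.
port_ranges() {
  awk '
    function emit() { out = out (out == "" ? "" : ",") (s == e ? s : s "-" e) }
    NR == 1     { s = e = $1; next }
    $1 == e + 1 { e = $1; next }
                { emit(); s = e = $1 }
    END         { if (NR) { emit(); print out } }'
}

brokers=3                                   # N brokers -> N+1 services
if sample_output | nodeports | check_nodeports "$((brokers + 1))"; then
  echo "allow tcp: $(sample_output | nodeports | port_ranges)"
else
  echo "unexpected NodePort services; review before opening the firewall" >&2
fi
```

For an RBAC-enabled cluster with external MDS access, pass N+2 to `check_nodeports` instead.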
    

For a tutorial scenario on configuring external access using NodePort, see the quickstart tutorial for using node port.