Using Add-ons with Kafka Clusters
You can further extend the functionality of your managed Kafka clusters by installing add-ons. Add-ons enhance the base capabilities of OCI Streaming with Apache Kafka, so you can customize cluster behavior, as needed.
To find all the currently supported add-ons, use ListAddonOptions. Review the resulting list and then install the add-ons you need.
Currently, there is only one add-on available for installation: the Public connectivity add-on.
Public Connectivity for Kafka Clusters
By default, all Kafka clusters are created with private connectivity and can be accessed only from within the VCN and subnet specified during cluster creation. If required, you can make active Kafka clusters accessible over the public internet by configuring and installing a public connectivity add-on. This add-on allows customers to connect from external networks (on-premises or other cloud environments) through authenticated and controlled connections—thus simplifying migrations, integration, and hybrid workloads.
Before installing the Public connectivity add-on, secure your Kafka cluster by first creating an Apache Kafka access control list (ACL) and then updating the cluster's configuration to set the allow.everyone.if.no.acl.found property to false. These steps give administrators more control over access to the cluster, which improves the cluster's overall security posture. After you create the ACL and change the allow.everyone.if.no.acl.found property, you're ready to install the public connectivity add-on for your cluster. To install the public connectivity add-on, see Installing Cluster Add-ons.
When you configure the add-on, you specify the authentication type and Network CIDR ranges that can access the cluster:
- Authentication type: Maintain end-to-end encryption and authentication using Kafka's built-in SASL/SCRAM or mTLS authentication mechanisms.
- Network CIDRs: Specify the Network CIDRs that can access the cluster; together with the Kafka ACLs, this controls which authenticated principals (from SASL or mTLS) can produce or consume from specific topics. Enforcing this fine-grained authorization at the CIDR level provides an essential layer of security within the cluster itself.
- OCI provides platform-level Layer 3/4 DDoS mitigation for high-volume attacks across Oracle Cloud data centers.
- Traffic enters through an OCI Network Load Balancer operating in Layer 4 pass-through mode.
- TLS isn't terminated at the ingress; rather, to preserve end-to-end TLS and Kafka protocol semantics, it's terminated only at the Kafka brokers.
- Client identity is enforced at the broker layer using mTLS or SASL/SCRAM, and authorization is enforced using Kafka ACLs.
- Traffic is allowed according to the CIDR ranges specified in the Public connectivity add-on configuration.
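To show why the ACL and allow.everyone.if.no.acl.found steps matter before a cluster is reachable from the internet, the following added example (not OCI's or Apache Kafka's own code) models the two layers described above: the CIDR allowlist enforced at the edge, and a simplified version of the Kafka authorizer decision at the broker. The principals, topics and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:analytics" (sample value)
    resource: str    # e.g. "topic:orders" (sample value)
    operation: str   # "Read", "Write", or "All"
    permission: str  # "Allow" or "Deny"


def cidr_permits(source_ip: str, allowed_cidrs: list[str]) -> bool:
    """Edge layer: only sources inside a configured CIDR range may reach the brokers."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


def acl_permits(acls: list[Acl], principal: str, resource: str, operation: str,
                allow_everyone_if_no_acl_found: bool) -> bool:
    """Broker layer, simplified from Kafka's authorizer rules:
    1. If no ACL exists for the resource, fall back to allow.everyone.if.no.acl.found.
    2. Otherwise any matching Deny wins.
    3. Otherwise access requires a matching Allow.
    """
    for_resource = [a for a in acls if a.resource == resource]
    if not for_resource:
        return allow_everyone_if_no_acl_found  # the hazard when left at true

    def matches(a: Acl) -> bool:
        return a.principal in (principal, "User:*") and a.operation in (operation, "All")

    if any(a.permission == "Deny" and matches(a) for a in for_resource):
        return False
    return any(a.permission == "Allow" and matches(a) for a in for_resource)


def authorize(source_ip: str, principal: str, resource: str, operation: str,
              allowed_cidrs: list[str], acls: list[Acl],
              allow_everyone_if_no_acl_found: bool) -> bool:
    """A request must pass the CIDR allowlist and then the ACL check."""
    return cidr_permits(source_ip, allowed_cidrs) and acl_permits(
        acls, principal, resource, operation, allow_everyone_if_no_acl_found)


# Constructed sample policy: one ACL for the "orders" topic, none for "payments".
SAMPLE_CIDRS = ["203.0.113.0/24"]
SAMPLE_ACLS = [Acl("User:analytics", "topic:orders", "Read", "Allow")]
```

With SAMPLE_ACLS, a principal reading the unprotected "payments" topic is admitted whenever allow.everyone.if.no.acl.found is true, which is exactly the gap the documentation asks you to close before installing the add-on.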
After installing the add-on, you can enable audit logs to track cluster activity. See Streaming with Apache Kafka Logging.
You can also use metrics to monitor the performance of your public connectivity add-ons separately from other cluster traffic, providing valuable insights into throughput and connection load. For more information, see Streaming with Apache Kafka Metrics.
Kafka clusters enabled with public connectivity incur egress data charges that are passed through to your tenancy for billing. This gives you clear visibility into the cluster's resource consumption.