Problem description
I deployed the kafka-connect Docker image (confluentinc/cp-kafka-connect-base:6.0.1) to ECS/Fargate. I assigned my ECS service a security group that allows inbound ZooKeeper and Kafka bootstrap server traffic (plaintext and TLS), as well as an IAM role that allows my ECS task to run Kafka operations against the MSK cluster, but the Connect cluster still times out when trying to fetch the broker list from the MSK cluster.
The Kafka Connect ECS service and the MSK cluster are both in the same private subnet in AWS.
Security group code
```
{
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "kakfa-connect-sg",
    "SecurityGroupEgress": [
      { "CidrIp": "0.0.0.0/0", "Description": "Allow all outbound traffic by default", "IpProtocol": "-1" }
    ],
    "SecurityGroupIngress": [
      { "CidrIp": "0.0.0.0/0", "Description": "Kafka Bootstrap Server Plaintext", "IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092 },
      { "CidrIp": "0.0.0.0/0", "Description": "Kafka Bootstrap Server TLS", "IpProtocol": "tcp", "FromPort": 9094, "ToPort": 9094 },
      { "CidrIp": "0.0.0.0/0", "Description": "ZooKeeper TLS", "IpProtocol": "tcp", "FromPort": 2182, "ToPort": 2182 },
      { "CidrIp": "0.0.0.0/0", "Description": "ZooKeeper Plaintext", "IpProtocol": "tcp", "FromPort": 2181, "ToPort": 2181 }
    ],
    "VpcId": "vpc-id"
  }
}
```
IAM role code
```
{
  "Version": "2012-10-17",
  "Statement": [
    { "Action": "kafka:*", "Resource": "*", "Effect": "Allow" }
  ]
}
```
Is there anything I might be missing?
Solution
The security group settings on the MSK cluster did not allow traffic from my Kafka Connect cluster.