Amazon Managed Streaming for Apache Kafka
Developer Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Accessing an Amazon MSK Cluster

You can access your Amazon MSK cluster from an Amazon VPC or from an EC2-Classic instance.

Accessing your Amazon MSK cluster from an Amazon VPC

To access your MSK cluster from an Amazon EC2 instance that is in an Amazon VPC, follow the steps in Step 4: Create a Client Machine.

Accessing your Amazon MSK cluster from an EC2-Classic instance

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at

  2. Choose Running Instances.

  3. Choose your EC2-Classic instance from the list of instances by selecting the check box next to it.

  4. In the Actions menu choose ClassicLink, then choose Link to VPC.

  5. In the Select a VPC list, choose the VPC that you want to link your EC2-Classic instance to. If your VPC is associated with more than one security group, choose the security group you want to associate with your EC2-Classic instance, then choose Link to VPC.

  6. In the Description tab in the lower part of the page, look for Private IPs and copy the private IP associated with your EC2-Classic instance.

  7. Using the AWS CLI, run the following command, replacing ClusterArn with the Amazon Resource Name (ARN) for your MSK cluster.

    aws kafka describe-cluster --region us-east-1 --cluster-arn "ClusterArn"
  8. In the output of the describe-cluster command, look for SecurityGroups and save the ID of the security group for your MSK cluster.

  9. Open the Amazon VPC console at

  10. In the left pane, choose Security Groups.

  11. Choose the security group whose ID you saved after you ran the describe-cluster command. Select the box at the beginning of the row corresponding to this security group.

  12. In the lower half of the page, choose Inbound Rules.

  13. Choose Edit rules, then choose Add Rule.

  14. For the Type field, choose All traffic in the drop-down list.

  15. Leave the Source set to Custom and enter the private IP of your EC2-Classic instance, followed immediately by /32 with no intervening spaces.

  16. Choose Save rules.

Port Information

The following list provides the numbers of the ports that Amazon MSK uses to communicate with client machines.

  • To communicate with producers and consumers in plaintext, brokers use port 9092.

  • To communicate with producers and consumers in TLS, brokers use port 9094.

  • Apache ZooKeeper nodes use port 2181.