Configure Listeners

Apache Kafka® client libraries must be able to connect to every Redpanda broker instance. If the client and broker are on different subnets, advertise the location of the broker in the Redpanda configuration file so other brokers in the cluster can be found. If not, clients connecting to brokers outside their local network experience connectivity issues.

To try out Redpanda, see the Redpanda quickstart.

Anatomy of a listener

Clients connect to Redpanda over TCP. A listener is defined by an interface address and port on the machine running Redpanda. For example:

Configuration Description

address: 0.0.0.0

Listens on all available interfaces.

port: 9092

TCP port for Kafka clients.

 
redpanda:
  kafka_api:
    - address: 0.0.0.0
      port: 9092
yaml

By default, the advertised address is the same as the bound address. For clients outside the local host or subnet, you must set an externally reachable address or hostname. Invalid settings, including 0.0.0.0, will fail startup validation.

redpanda:
  advertised_kafka_api:
    - address: 192.168.4.1 # Broker’s routable IP or FQDN
      port: 9092
yaml

  • Use a valid hostname or IP. Do not use 0.0.0.0.

  • When using a DNS hostname, ensure that clients can resolve it and that it matches any TLS certificate Subject Alternative Name (SAN).

Multiple listeners

You can define multiple Kafka API listeners to support different interfaces, ports, or authentication methods. Each listener must have a unique name property, and the same name property must be used in the corresponding advertised_kafka_api stanza.

redpanda:
  kafka_api:
    - name: local # Unique listener name
      address: 127.0.0.1
      port: 9092

    - name: subnet
      address: 192.168.4.1
      port: 9093

  advertised_kafka_api:
    - name: local # Must match the listener name
      address: 127.0.0.1
      port: 9092

    - name: subnet
      address: 192.168.4.1
      port: 9093
yaml

TLS listeners and DNS hostnames

For encrypted connections, you typically advertise a DNS name matching your TLS certificate. Always include a name property for the TLS listener and use it in both kafka_api and advertised_kafka_api.

redpanda:
  kafka_api:
    - name: tls_listener
      address: 0.0.0.0
      port: 9094
      authentication_method: mtls_identity

  advertised_kafka_api:
    - name: tls_listener
      address: https://kafka.example.com
      port: 9094

  kafka_api_tls:
    - name: tls_listener
      enabled: true
      key_file: /etc/redpanda/tls/broker.key
      cert_file: /etc/redpanda/tls/broker.crt
      truststore_file: /etc/redpanda/tls/ca.crt
      require_client_auth: true
yaml

Ensure kafka.example.com matches the SAN in broker.crt and that clients trust the ca.crt.

Mixed-mode authentication with multiple listeners

Redpanda supports running multiple authentication schemes concurrently. Each listener can specify its method, and must define a name property.

redpanda:
  kafka_api:
    - name: sasl_listener
      address: 0.0.0.0
      port: 9092
      authentication_method: sasl

    - name: mtls_listener
      address: 0.0.0.0
      port: 9192
      authentication_method: mtls_identity

  kafka_api_tls:
    - name: mtls_listener
      key_file: mtls_broker.key
      cert_file: mtls_broker.crt
      truststore_file: mtls_ca.crt
      require_client_auth: true
yaml

Listeners that can be advertised

Listener Advertised Listener Description

kafka_api

advertised_kafka_api

Kafka clients connect here.

rpc_server

advertised_rpc_api

Other Redpanda brokers connect here.

pandaproxy_api

advertised_pandaproxy_api

HTTP proxy clients connect here.

For each advertised listener, match the name of the corresponding listener and provide a valid address and port.