# Configure Listeners


---
title: Configure Listeners
latest-operator-version: v26.1.4
# EOL = End-of-Life (support lifecycle status)
page-is-nearing-eol: "false"
page-is-past-eol: "true"
page-eol-date: April 30, 2025
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
docname: security/listener-configuration
page-component-name: streaming
page-version: "24.1"
page-component-version: "24.1"
page-component-title: Streaming
page-relative-src-path: security/listener-configuration.adoc
page-edit-url: https://github.com/redpanda-data/docs/edit/v/24.1/modules/manage/pages/security/listener-configuration.adoc
description: Use listeners to advertise the location of the broker, so other brokers in the cluster can be found.
page-git-created-date: "2023-06-02"
page-git-modified-date: "2024-06-11"
support-status: past end-of-life
---

<!-- Source: https://docs.redpanda.com/streaming/24.1/manage/security/listener-configuration.md -->

Apache Kafka® client libraries must be able to connect to every Redpanda broker instance. If the client and broker are on different subnets, advertise the location of the broker in the Redpanda configuration file so other brokers in the cluster can be found. Without an advertised address, clients connecting to brokers outside their local network experience connectivity issues.

To try out Redpanda, see the [Redpanda Quickstart](https://docs.redpanda.com/streaming/24.1/get-started/quick-start/).

## Anatomy of a listener

Clients must connect to Redpanda with a TCP socket. A TCP socket is described by an IP address of an interface and a port on the machine that Redpanda runs on. For example:

```yaml
redpanda:
  kafka_api:
    - address: 0.0.0.0
      port: 9092
```

An address of `0.0.0.0` means that Redpanda listens on all interfaces.

## Advertise a listener

By default, the advertised address is the address the listener is bound to, but this is not usually an externally-routable address. Set the advertised address to an address the client can use to connect to the instance of Redpanda.

> 📝 **NOTE**
>
> Ensure that any configuration option with the `advertise_*` prefix uses a valid hostname or IP address. Do not use `0.0.0.0`. Invalid configurations, including the use of `0.0.0.0`, will cause the broker to fail during startup validation.

If the client is on another subnet, then it needs to know how to reach Redpanda. Do this by configuring the advertised address of the Kafka API in `redpanda.yaml`. For example, if Redpanda is running on the subnet `192.168.4.0/24` with IP address `192.168.4.1`, and the clients are running on the subnet `192.168.5.0/24`, then the client machine needs a gateway configured to route requests to `192.168.4.1`, and Redpanda advertises that address:

```yaml
redpanda:
  advertised_kafka_api:
    - address: 192.168.4.1
      port: 9092
```

It’s also possible to advertise a host name, provided the client can resolve the name through DNS and has a route to the host.

## Multiple listeners

Sometimes it’s useful to have multiple configurations for accessing Redpanda over multiple routes.

Do this by creating multiple listeners and giving each listener a name. The name links the listener to its advertised address. For example:

```yaml
redpanda:
  kafka_api:
    - name: local
      address: 127.0.0.1
      port: 9092
    - name: subnet
      address: 192.168.4.1
      port: 9093
  advertised_kafka_api:
    - name: local
      address: 127.0.0.1
      port: 9092
    - name: subnet
      address: 192.168.4.1
      port: 9093
```

You can also create additional listeners for different configurations of TLS or authentication.

## Mixed-mode authentication with multiple listeners

Redpanda supports both the SASL and the mTLS principal extraction authentication methods on the same cluster by using multiple listeners, each with its own `authentication_method`. This lets Kafka clients that use different authentication schemes all connect to your cluster. For example:

```yaml
redpanda:
  kafka_api:
    - address: 0.0.0.0
      port: 9092
      name: sasl_listener
      authentication_method: sasl
    - address: 0.0.0.0
      port: 9192
      name: mtls_listener
      authentication_method: mtls_identity
  kafka_api_tls:
    - name: mtls_listener
      key_file: mtls_broker.key
      cert_file: mtls_broker.crt
      truststore_file: mtls_ca.crt
      enabled: true
      require_client_auth: true
```

## Listeners that can be advertised

-   `kafka_api` -> `advertised_kafka_api`: The address that Kafka clients connect to, for each listener.

-   `rpc_server` -> `advertised_rpc_api`: The address that other Redpanda instances connect to.

-   `pandaproxy_api` -> `advertised_pandaproxy_api`: The address that HTTP clients connect to, for each listener.
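
A pre-deployment lint for the rules on this page, as an added example (not Redpanda's own code or its startup validation): it flags `advertised_*` entries that use an unspecified address, advertised names with no matching listener, and `mtls_identity` listeners without a TLS entry that requires client certificates (a check inferred from the mixed-mode example above). The function names, the finding strings and the constructed `SAMPLE` mapping are assumptions; the input is the already-parsed `redpanda:` mapping.

```python
import ipaddress

# Listener sections and their advertised counterparts, as listed on this page.
ADVERTISED = {"kafka_api": "advertised_kafka_api", "rpc_server": "advertised_rpc_api",
              "pandaproxy_api": "advertised_pandaproxy_api"}

# Constructed sample of an already-parsed `redpanda:` mapping containing three mistakes.
SAMPLE = {
    "kafka_api": [{"name": "sasl_listener", "address": "0.0.0.0", "authentication_method": "sasl"},
                  {"name": "mtls_listener", "address": "0.0.0.0", "authentication_method": "mtls_identity"}],
    "advertised_kafka_api": [{"name": "sasl_listener", "address": "0.0.0.0", "port": 9092},
                             {"name": "mtls", "address": "192.168.4.1", "port": 9192}],
    "kafka_api_tls": [{"name": "mtls_listener", "enabled": True, "require_client_auth": False}],
}

def as_list(section):
    """Sections may be one mapping or a list of mappings; normalise to a list."""
    return section if isinstance(section, list) else ([] if section is None else [section])

def is_unspecified(address):
    """True for 0.0.0.0 or ::; hostnames are not IP literals and return False."""
    try:
        return ipaddress.ip_address(str(address)).is_unspecified
    except ValueError:
        return False

def lint_listeners(redpanda):
    """Return a list of finding strings for the listener rules described on this page."""
    findings = []
    for bound_key, adv_key in ADVERTISED.items():
        bound = as_list(redpanda.get(bound_key))
        names = {listener.get("name") for listener in bound}
        for adv in as_list(redpanda.get(adv_key)):
            if is_unspecified(adv.get("address", "")):
                findings.append(f"{adv_key}: {adv.get('name')!r} advertises unspecified address {adv.get('address')}")
            # The name is what links an advertised address to its listener.
            if bound and adv.get("name") not in names:
                findings.append(f"{adv_key}: {adv.get('name')!r} has no matching {bound_key} listener")
    tls = {t.get("name"): t for t in as_list(redpanda.get("kafka_api_tls"))}
    for listener in as_list(redpanda.get("kafka_api")):
        t = tls.get(listener.get("name"), {})
        client_auth = t.get("enabled") and t.get("require_client_auth")
        if listener.get("authentication_method") == "mtls_identity" and not client_auth:
            findings.append(f"kafka_api: {listener.get('name')!r} uses mtls_identity without TLS client auth")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_listeners(SAMPLE)))
```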

