# Configure Listeners > For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [streaming-full.txt](https://docs.redpanda.com/streaming-full.txt) --- title: Configure Listeners latest-redpanda-tag: v26.1.9 latest-console-tag: v3.7.3 latest-operator-version: v26.1.4 # EOL = End-of-Life (support lifecycle status) page-is-nearing-eol: "false" page-is-past-eol: "false" page-eol-date: March 31, 2027 latest-connect-version: 4.93.0 docname: security/listener-configuration page-component-name: streaming page-version: "26.1" page-component-version: "26.1" page-component-title: Streaming page-relative-src-path: security/listener-configuration.adoc page-edit-url: https://github.com/redpanda-data/docs/edit/main/modules/manage/pages/security/listener-configuration.adoc description: Use listeners to advertise the location of the broker, so other brokers in the cluster can be found. page-git-created-date: "2023-06-02" page-git-modified-date: "2025-10-14" support-status: supported --- Apache Kafka® client libraries must be able to connect to every Redpanda broker instance. If the client and broker are on different subnets, advertise the location of the broker in the Redpanda configuration file so other brokers in the cluster can be found. If not, clients connecting to brokers outside their local network experience connectivity issues. To try out Redpanda, see the [Redpanda quickstart](https://docs.redpanda.com/streaming/current/get-started/quick-start/). ## [](#anatomy-of-a-listener)Anatomy of a listener Clients connect to Redpanda over TCP. A listener is defined by an interface address and port on the machine running Redpanda. For example: | Configuration | Description | | --- | --- | | address: 0.0.0.0 | Listens on all available interfaces. | | port: 9092 | TCP port for Kafka clients. | ```yaml redpanda: kafka_api: - address: 0.0.0.0 port: 9092 ``` ## [](#advertise-a-listener)Advertise a listener By default, the advertised address is the same as the bound address. For clients outside the local host or subnet, you must set an externally reachable address or hostname. Invalid settings, including `0.0.0.0`, will fail startup validation. ```yaml redpanda: advertised_kafka_api: - address: 192.168.4.1 # Broker’s routable IP or FQDN port: 9092 ``` > 📝 **NOTE** > > - Use a valid hostname or IP. Do not use `0.0.0.0`. > > - When using a DNS hostname, ensure that clients can resolve it and that it matches any TLS certificate Subject Alternative Name (SAN). ## [](#multiple-listeners)Multiple listeners You can define multiple Kafka API listeners to support different interfaces, ports, or authentication methods. Each listener must have a unique `name` property, and the same `name` property must be used in the corresponding [`advertised_kafka_api`](https://docs.redpanda.com/streaming/current/reference/properties/broker-properties/#advertised_kafka_api) listener definition. For details about authentication methods, see the [`authentication_method`](https://docs.redpanda.com/streaming/current/reference/properties/broker-properties/#kafka_api_auth_method) broker property. ```yaml redpanda: kafka_api: - name: local # Unique listener name address: 127.0.0.1 port: 9092 - name: subnet address: 192.168.4.1 port: 9093 advertised_kafka_api: - name: local # Must match the listener name address: 127.0.0.1 port: 9092 - name: subnet address: 192.168.4.1 port: 9093 ``` ## [](#tls-listeners-and-dns-hostnames)TLS listeners and DNS hostnames For encrypted connections, you typically advertise a DNS name matching your TLS certificate. Always include a `name` property for the TLS listener and use it in both [`kafka_api`](https://docs.redpanda.com/streaming/current/reference/properties/broker-properties/#kafka_api) and [`advertised_kafka_api`](https://docs.redpanda.com/streaming/current/reference/properties/broker-properties/#advertised_kafka_api). ```yaml redpanda: kafka_api: - name: tls_listener address: 0.0.0.0 port: 9094 authentication_method: mtls_identity advertised_kafka_api: - name: tls_listener address: redpanda.example.com port: 9094 kafka_api_tls: - name: tls_listener enabled: true key_file: /etc/redpanda/tls/broker.key cert_file: /etc/redpanda/tls/broker.crt truststore_file: /etc/redpanda/tls/ca.crt require_client_auth: true ``` Ensure `redpanda.example.com` matches the SAN in `broker.crt` and that clients trust the `ca.crt`. ## [](#mixed-mode-authentication-with-multiple-listeners)Mixed-mode authentication with multiple listeners Redpanda supports running multiple authentication schemes concurrently. Each listener can specify its [`authentication_method`](https://docs.redpanda.com/streaming/current/reference/properties/broker-properties/#kafka_api_auth_method), and must define a `name` property. ```yaml redpanda: kafka_api: - name: sasl_listener address: 0.0.0.0 port: 9092 authentication_method: sasl - name: mtls_listener address: 0.0.0.0 port: 9192 authentication_method: mtls_identity kafka_api_tls: - name: mtls_listener key_file: mtls_broker.key cert_file: mtls_broker.crt truststore_file: mtls_ca.crt require_client_auth: true ``` ## [](#listeners-that-can-be-advertised)Listeners that can be advertised | Listener | Advertised Listener | Description | | --- | --- | --- | | kafka_api | advertised_kafka_api | Kafka clients connect here. | | rpc_server | advertised_rpc_api | Other Redpanda brokers connect here. | | pandaproxy_api | advertised_pandaproxy_api | HTTP proxy clients connect here. | For each advertised listener, match the `name` of the corresponding listener and provide a valid address and port. ## Suggested labs - [Enable Unified Identity with Azure Entra ID for Redpanda and Redpanda Console](https://docs.redpanda.com/labs/docker-compose/oidc/) - [Migrate Data with Redpanda Migrator](https://docs.redpanda.com/labs/docker-compose/redpanda-migrator/) [Search all labs](https://docs.redpanda.com/labs)