Docs Self-Managed Manage Security Configure Listeners Configure Listeners Apache Kafka® client libraries must be able to connect to every Redpanda broker instance. If the client and broker are on different subnets, advertise the location of the broker in the Redpanda configuration file so other brokers in the cluster can be found. If not, clients connecting to brokers outside their local network experience connectivity issues. To try out Redpanda, see the Redpanda quickstart. Anatomy of a listener Clients connect to Redpanda over TCP. A listener is defined by an interface address and port on the machine running Redpanda. For example: Configuration Description address: 0.0.0.0 Listens on all available interfaces. port: 9092 TCP port for Kafka clients. redpanda: kafka_api: - address: 0.0.0.0 port: 9092 Advertise a listener By default, the advertised address is the same as the bound address. For clients outside the local host or subnet, you must set an externally reachable address or hostname. Invalid settings, including 0.0.0.0, will fail startup validation. redpanda: advertised_kafka_api: - address: 192.168.4.1 # Broker’s routable IP or FQDN port: 9092 Use a valid hostname or IP. Do not use 0.0.0.0. When using a DNS hostname, ensure that clients can resolve it and that it matches any TLS certificate Subject Alternative Name (SAN). Multiple listeners You can define multiple Kafka API listeners to support different interfaces, ports, or authentication methods. Each listener must have a unique name property, and the same name property must be used in the corresponding advertised_kafka_api stanza. redpanda: kafka_api: - name: local # Unique listener name address: 127.0.0.1 port: 9092 - name: subnet address: 192.168.4.1 port: 9093 advertised_kafka_api: - name: local # Must match the listener name address: 127.0.0.1 port: 9092 - name: subnet address: 192.168.4.1 port: 9093 TLS listeners and DNS hostnames For encrypted connections, you typically advertise a DNS name matching your TLS certificate. Always include a name property for the TLS listener and use it in both kafka_api and advertised_kafka_api. redpanda: kafka_api: - name: tls_listener address: 0.0.0.0 port: 9094 authentication_method: mtls_identity advertised_kafka_api: - name: tls_listener address: https://kafka.example.com port: 9094 kafka_api_tls: - name: tls_listener enabled: true key_file: /etc/redpanda/tls/broker.key cert_file: /etc/redpanda/tls/broker.crt truststore_file: /etc/redpanda/tls/ca.crt require_client_auth: true Ensure kafka.example.com matches the SAN in broker.crt and that clients trust the ca.crt. Mixed-mode authentication with multiple listeners Redpanda supports running multiple authentication schemes concurrently. Each listener can specify its method, and must define a name property. redpanda: kafka_api: - name: sasl_listener address: 0.0.0.0 port: 9092 authentication_method: sasl - name: mtls_listener address: 0.0.0.0 port: 9192 authentication_method: mtls_identity kafka_api_tls: - name: mtls_listener key_file: mtls_broker.key cert_file: mtls_broker.crt truststore_file: mtls_ca.crt require_client_auth: true Listeners that can be advertised Listener Advertised Listener Description kafka_api advertised_kafka_api Kafka clients connect here. rpc_server advertised_rpc_api Other Redpanda brokers connect here. pandaproxy_api advertised_pandaproxy_api HTTP proxy clients connect here. For each advertised listener, match the name of the corresponding listener and provide a valid address and port. Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution Configure Kafka TLS Encryption IAM Roles