modules/manage/pages/cluster-maintenance/configure-availability.adoc
7 additions & 3 deletions
@@ -7,7 +7,7 @@ Optimize the availability of your clusters by configuring and tuning properties.
7
7
8
8
== Limit client connections
9
9
10
-
A malicious Kafka client application may create many network connections to execute its attacks. A poorly configured application may also create an excessive number of connections. To mitigate the risk of a client creating too many connections and using too many system resources, you can configure a Redpanda cluster to impose limits on the number of created client connections.
10
+
To mitigate the risk of a client creating too many connections and using too many system resources, you can configure a Redpanda cluster to impose limits on the number of client connections that can be created.
11
11
12
12
The following Redpanda cluster properties limit the number of connections:
13
13
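Review bot: The rewritten paragraph at new line 10 drops both causes the old text named (a malicious Kafka client and a poorly configured application), so the section no longer says what the limits defend against. Consider keeping one clause such as "a malicious or misconfigured client", so a reader sizing the limit knows it is a resource-exhaustion control and not only a tuning setting. The trailing "that can be created" is also redundant after "impose limits on the number of client connections".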
@@ -31,10 +31,12 @@ endif::[]
31
31
ifdef::env-cloud[]
32
32
=== Configure connection count limit by client IP
33
33
34
-
Use the `kafka_connections_max_per_ip` property to limit the number of connections from each client IP address.
34
+
Configure the `kafka_connections_max_per_ip` property to limit the number of connections from each client IP address.
35
35
36
36
IMPORTANT: Per-IP connection controls require Redpanda to see individual client IPs. If clients connect through private link endpoints, NAT gateways, or other shared-IP egress, the per-IP limit applies to the shared IP, affecting all clients behind it and preventing isolation of a single offending client. Similarly, multiple clients running on the same host will share the same IP address, and the limit applies collectively to all those clients.
37
37
38
+
See also: xref:manage:cluster-maintenance/config-cluster.adoc[]
39
+
38
40
==== Configure the limit
39
41
40
42
To configure `kafka_connections_max_per_ip` safely without disrupting legitimate clients, follow these steps:
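Review bot: The added `See also: xref:manage:cluster-maintenance/config-cluster.adoc[]` at new line 38 has empty link text and no hint of what the reader will find there, and it sits directly under the IMPORTANT admonition, where it reads as part of the shared-IP warning. Say what the target covers (presumably how to set cluster properties) and move the reference next to the step that sets `kafka_connections_max_per_ip`. The "Use" to "Configure" change at line 34 is fine.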
image::shared:monitor_connections.png[Range of active connections over time]
53
55
54
-
. Set the `kafka_connections_max_per_ip` value based on your analysis. Use the upper bound of normal connections from step 3, or use a lower value if you know how many connections per client IP are being opened.
56
+
. Set the `kafka_connections_max_per_ip` value based on your analysis. Use the upper bound of normal connections observed, or use a lower value if you know how many connections per client IP are being opened.
55
57
56
58
. Continue monitoring the connection metrics after applying the limit to ensure that legitimate clients are not affected and that the problematic client is properly controlled.
57
59
60
+
NOTE: If you find a high load of unexpected connections from multiple IP addresses, `kafka_connections_max_per_ip` alone may be insufficient. If offending IPs outnumber legitimate client IPs, you may need to set `kafka_connections_max_per_ip` so low that it affects legitimate clients. If this is the case, use `kafka_connections_max_overrides` to exempt known legitimate client IPs from the connection limit.
61
+
58
62
==== Limitations
59
63
60
64
* Decreasing the limit does not terminate any currently open Kafka API connections.
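Review bot: The new NOTE at line 60 tells readers to use `kafka_connections_max_overrides` to exempt known legitimate client IPs, but it gives no value format or link for that property, and it does not carry over the shared-IP caveat from the IMPORTANT block earlier in the section: an override for a NAT or private-link address applies to every client behind that address, including an offending one. Add an xref or a short example of the override and a sentence pointing back to the shared-IP warning. In the step at line 56, replacing "from step 3" with "observed" loses the pointer to where the upper bound comes from; consider "observed in the previous steps".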