How to Secure Kafka Managed Clusters

Validated on 8 Dec 2022 • Last edited on 9 Mar 2026

Kafka is an open-source distributed event and stream-processing platform built to process demanding real-time data feeds. It is inherently scalable, with high throughput and availability.

Data in Kafka clusters is encrypted at rest with LUKS (Linux Unified Key Setup) and in transit with SSL. However, there are additional steps you can take to ensure that your data is safe.

Restrict Incoming Connections

You can greatly decrease the likelihood of a security breach by restricting which DigitalOcean resources or external IP addresses are allowed to access the nodes in a cluster. This prevents brute-force password attacks and denial-of-service attacks from any server not explicitly permitted to connect.

Typically, only application servers are allowed to connect to the database cluster. Users access the public-facing site, and the public-facing server authenticates and manages database connections in turn.

To implement these restrictions, add trusted sources, which define the resources or IP addresses allowed to connect to the database cluster.

Add a Trusted Source Using the Control Panel

To add trusted sources to restrict database access, go to the Databases page and select the cluster you want to add trusted sources to. Click the Network Access tab, then click Add Trusted Sources.

[Screenshot: the Network Access page for an example cluster.]

In the Add Trusted Sources dialog, choose one of the following options:

  • Enter specific IP addresses or CIDR notations: Enter specific IP addresses or a CIDR range, or click My current IP address to use the Quick Add option, which adds your machine’s current IP address.
    [Screenshot: the Add Trusted Sources dialog with the option Enter specific IP addresses or CIDR notations selected, and an example CIDR range shown.]
  • Quick select Droplets, Kubernetes clusters, Apps, and tags: Use the search to find a resource or click the dropdown menu and select a resource from the list.
    [Screenshot: the Add Trusted Sources dialog with the option Quick select Droplets, Kubernetes clusters, Apps, and tags selected, and the Search or select a resource dropdown menu expanded.]

When finished, click Add Trusted Sources.

Warning
You currently cannot add IPv6 rules to a database cluster’s trusted sources.
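
A pre-flight check for a list of candidate trusted sources before you enter them in the dialog, shown as an added example (it is not DigitalOcean's code). It rejects IPv6 entries per the warning above, malformed IPs or CIDRs, and ranges wider than an assumed /16 limit; the function name, that limit, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: ranges wider than /16 are treated as too broad to be "trusted".
MIN_PREFIX = 16

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE = [
    "203.0.113.7",        # single application server
    "198.51.100.0/24",    # office range
    "198.51.100.16/28",   # already covered by the /24 above
    "10.0.0.5/24",        # malformed: host bits set
    "0.0.0.0/0",          # would allow every IPv4 address
    "2001:db8::1",        # IPv6 is not accepted as a trusted source
    "not-an-ip",
]

def review_trusted_sources(entries):
    """Return (accepted, rejected) for a list of IP/CIDR strings.

    accepted: sorted IPv4 networks with overlapping/adjacent entries merged.
    rejected: (entry, reason) tuples in input order.
    """
    nets, rejected = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True refuses CIDRs whose host bits are set (10.0.0.5/24).
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            rejected.append((entry, f"not a valid IP or CIDR: {exc}"))
            continue
        if net.version == 6:
            rejected.append((entry, "IPv6 rules are not supported"))
        elif net.prefixlen < MIN_PREFIX:
            rejected.append((entry, f"range wider than /{MIN_PREFIX}"))
        else:
            nets.append(net)
    # Merge redundant entries so the final rule list stays short and auditable.
    accepted = [str(n) for n in ipaddress.collapse_addresses(nets)]
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = review_trusted_sources(SAMPLE)
    print("add:", ok)
    for entry, reason in bad:
        print(f"skip {entry}: {reason}")
```
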
