Securing a Stream
This information describes securing a stream.
Streaming data is encrypted both at rest and in transit. Private endpoints within your virtual cloud network (VCN) can be used to restrict access to your streams so they cannot be accessed through the internet.
Both encryption and private access are configured at the stream pool level to make managing groups of streams easier. See Creating a Stream Pool and Updating the Master Encryption Key Assigned to a Stream Pool for more information. For security best practices, see Securing a Stream.
Encryption
By default, all encryption-related matters are handled by Oracle, but you can manage your own encryption keys using OCI Vault. Vault allows you to bring your own Advanced Encryption Standard (AES) symmetric keys and manage, rotate, disable, and delete them as needed.
Because encryption keys are managed at the stream pool level, you can use a different encryption key for each logical stream grouping or virtual Kafka cluster.
To use your own encryption key:
- Ensure that you have the required IAM policies.
- Import your key.
- Change the master encryption key assigned to the stream pool.
For more information, see Overview of Vault and Managing Keys.
Private Endpoints
Private endpoints associate a private IP address within a VCN to the stream pool, allowing Streaming traffic to avoid traversing the internet.
To create a private endpoint for Streaming, you need access to a VCN with a private subnet when you create the stream pool. See About Private Endpoints and VCNs and Subnets for more information.
To use private endpoints:
- Ensure that you have the required IAM policies.
- Select Private Endpoint and provide the required information when you create your stream pool.
Because streams using private endpoints are not accessible from the internet, you cannot use the Console to show their latest messages.