Disable or enable direct Apache ZooKeeper client access

You can disable direct Apache ZooKeeper client access on your Amazon MSK Provisioned cluster to verify that your applications do not rely on direct ZooKeeper connections. When ZooKeeper access is disabled, clients can no longer connect to the Apache ZooKeeper nodes on ports 2181 (plaintext) and 2182 (TLS). You can re-enable ZooKeeper access at any time.

Note

This feature is only available for Amazon MSK Provisioned clusters that use ZooKeeper metadata mode with Standard brokers. It is not available for the following cluster types:

Clusters running in KRaft metadata mode
Clusters using Express brokers. ZooKeeper access is managed automatically in Express clusters and cannot be configured manually.
Amazon MSK Serverless clusters

Disabling ZooKeeper access using the console

Sign in to the AWS Management Console, and open the Amazon MSK console at https://console.aws.amazon.com/msk/home?region=us-east-1#/home/.
In the list of clusters, choose the cluster on which you want to disable ZooKeeper access.
Choose the Properties tab, then find the Network settings section.
Choose Disable ZooKeeper access.

Disabling ZooKeeper access using the AWS CLI

Run the following AWS CLI command, replacing ClusterArn and Current-Cluster-Version with the ARN and current version of the cluster. To find the current version of the cluster, use the DescribeCluster operation or the describe-cluster AWS CLI command. An example version is KTVPDKIKX0DER.
```
aws kafka update-connectivity --cluster-arn ClusterArn --current-version Current-Cluster-Version --zookeeper-access '{"Enabled": false}'
```
The output of this update-connectivity command looks like the following JSON example.
```
{
    "ClusterArn": "arn:aws:kafka:us-east-1:012345678012:cluster/exampleClusterName/abcdefab-1234-abcd-5678-cdef0123ab01-2",
    "ClusterOperationArn": "arn:aws:kafka:us-east-1:012345678012:cluster-operation/exampleClusterName/abcdefab-1234-abcd-5678-cdef0123ab01-2/0123abcd-abcd-4f7f-1234-9876543210ef"
}
```
Note
To re-enable ZooKeeper access, use a similar AWS CLI command with the following value for --zookeeper-access instead:
```
'{"Enabled": true}'
```

To get the result of the update-connectivity operation, run the following command, replacing ClusterOperationArn with the ARN that you obtained in the output of the update-connectivity command.


aws kafka describe-cluster-operation --cluster-operation-arn ClusterOperationArn

The output of this describe-cluster-operation command looks like the following JSON example.


{
    "ClusterOperationInfo": {
        "ClientRequestId": "982168a3-939f-11e9-8a62-538df00285db",
        "ClusterArn": "arn:aws:kafka:us-east-1:012345678012:cluster/exampleClusterName/abcdefab-1234-abcd-5678-cdef0123ab01-2",
        "CreationTime": "2026-01-15T21:08:57.735Z",
        "OperationArn": "arn:aws:kafka:us-east-1:012345678012:cluster-operation/exampleClusterName/abcdefab-1234-abcd-5678-cdef0123ab01-2/0123abcd-abcd-4f7f-1234-9876543210ef",
        "OperationState": "UPDATE_COMPLETE",
        "OperationType": "UPDATE_CONNECTIVITY",
        "SourceClusterInfo": {
            "ZookeeperAccess": {
                "Enabled": true
            }
        },
        "TargetClusterInfo": {
            "ZookeeperAccess": {
                "Enabled": false
            }
        }
    }
}

If OperationState has the value UPDATE_IN_PROGRESS, wait a while, then run the describe-cluster-operation command again.

Disabling ZooKeeper access using the Amazon MSK API

To use the API to disable or enable ZooKeeper access on a cluster, see UpdateConnectivity.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Controlling access to Apache ZooKeeper

To place your Apache ZooKeeper nodes in a separate security group