Creating a PCI compliant Kafka cluster
The PCI compliance standards relate to the security of user data and transactional information. You can read more about PCI and our support for it here.
In order to create a new cluster compliant with PCI standards, there are several steps that are required:
- Enable PCI Compliant account security settings
- Select Kafka as the base bundle
- Include the PCI add-ons
- Select the AWS provider
- Configure any other cluster attributes
- Start cluster provisioning
Create a cluster
- Head over to the security tab in your account settings, where you must have each checkbox filled out. Notably, we recommend having 2 account owners in case of loss of access for one person. This satisfies the first section of the PCI requirements. From here, enable the ‘PCI compliance mode’ checkbox. This allows you to access the requirements for using PCI with a cluster.
ROUTE NOTE: From here on, you can either continue with the Console interface or switch to the API to finish provisioning the PCI compliant cluster.
- Moving back to the Create Cluster page, enter an appropriate name for your cluster (it cannot be changed after cluster creation) and choose a cluster configuration matching your performance and pricing requirements.
Note: Instaclustr recommends that cluster nodes are allocated across different racks within a data centre, and that the allocation be evenly distributed. This ensures stability, fault-tolerance and consistent performance.
- Under the Applications section, select the Kafka base application and choose the PCI add-on. Additionally, choose any other add-ons you require for this cluster.
Note: Certain add-ons are not PCI compliant; see here for more information.
- Under the Data Centre section, choose the AWS provider (other providers are not compatible with PCI compliance at this time), Region, Custom Name, Data Center Network address block, Node Size, Replication Factor and number of nodes. You will also need to select EBS Encryption as a preference due to the requirement of the AWS provider. Refer to our support article on Network Address Allocation to understand how we divide up the specified network range to determine the node IP addresses.
- Under the ‘Kafka Options’ section, select your Network and Security settings.
NOTE: Ensure you have the “add xx.xx.xx.xx to cluster firewall allowed addresses” option ticked; this will allow your computer’s IP to connect with the cluster. Certain web proxies may interfere with this mechanism, in which case Instaclustr will see the proxy's IP address instead. We suggest you verify the detected address.
- Select the SLA Tier you want to tag your cluster with. Non-production clusters may receive lower priority support and reduced SLAs. Production tier is not available when using Developer class nodes. You can find more information here.
- The Summary section displays a brief summary of your cluster configurations and pricing details. Click the Terms and Conditions link to open the Instaclustr Terms and Conditions and other policy documents. After going through the document, select the checkbox to accept the Terms and Conditions. Once you are happy with the cluster configuration and have accepted the terms and conditions, click the Create Cluster button to start creating the cluster.
NOTE: Your cluster will be placed in a deferred state if you have not specified your payment details. If you have not already done so, please follow the blue banner to update your payment details.
Once you have confirmed your details, your cluster will begin provisioning.
When you enable a PCI cluster, our security team will get in contact with you to complete additional steps related to PCI onboarding. We recommend reviewing the following support articles as a next step:
- Connecting to your cluster
- Connecting to your cluster using CQLSH
Contact us at firstname.lastname@example.org if there is any issue in provisioning your cluster.
Transitioning an existing cluster
If you are looking to transition an existing cluster to a PCI compliant cluster, please contact our support team at email@example.com.