If an external Kafka service has brokers with hostnames that are not publicly resolvable, for example, where hostnames are registered in a corporate DNS server which is not accessible from outside, it is currently not possible for MM2 to successfully connect.

The workaround to use IP addresses is not sufficient, since after bootstrap the broker hostnames will be returned and subsequent connections will go there.

We will also likely see issues with TLS handshakes when brokers present certificates belonging to hostnames that the Aiven side does not understand.

The only current workaround is for the configuration of the external Kafka service to change so that extra listeners or certificates are added, but this is often very difficult to achieve in a production environment where change is tightly managed or where downtime is to be avoided.