Issue
You need to connect to Kafka via IP addresses, or you need to open firewall IP ranges.
Resolution
The IP addresses for Kafka brokers are not guaranteed to be static, but the KAFKA_URL environment variable will always be kept up to date if there are any changes. The IP addresses should not change without some underlying reason, though (eg, node failure, some form of upgrade, etc). IP addresses may be updated during broker replacement, and the new addresses will be available via the environment variable.
Some users connecting to Kafka from outside the platform use the IP addresses pulled from the environment variables, and then re-poll those environment variables for updates upon a connection error. Other users have a small service in the owning Heroku app which pushes the changes in env vars to the external app upon change.