This page is available on dedicated instances in AWS and Azure with Privatelink enabled
When using PrivateLink, clusters can be connected just as they were living inside a VPC. CloudAMQP creates an Endpoint Service to connect the VPC, creating a new network interface to communicate with the cluster.
If VPC is already enabled, there is no additional charge for PrivateLink. To add PrivateLink without previously having a VPC, the cost is $99 per month. We only charge for PrivateLink while it is enabled, so if you disable it, we won’t charge.
To enable PrivateLink, go to the CloudAMQP Console and the list of instances. Click Edit next to an instance and then PrivateLink.
This screen displays the option to enable PrivateLink.
Once enabled, a new menu item will appear called PrivateLink, including all configuration settings.
It only takes a minute to activate PrivateLink, displaying the screen below. If all the fields are not shown, it is not activated completely. In this case, allow for about one minute before refreshing the screen and all the fields to become active.
The ports on the CloudAMQP instances, open via PrivateLink, are 443, 5671, 5672, 1883, 8883, 61613, 61614, 5551 and 5552. Other ports can be opened upon request.
The only configuration needed is the principal for an AWS account in the format arn:aws:iam::aws-account-id:root.
For a specific IAM user, the ARN is in the format arn:aws:iam::aws-account-id:user/user-name
For a specific IAM role, the ARN is in the format arn:aws:iam::aws-account-id:role/role-name
Once the new PrivateLink is activated, create an Endpoint for it in your AWS account. If using the AWS web interface, click the radio button Find service by name and paste the service name shown in the PrivateLink view of the CloudAMQP console. Click the Verify button in the AWS console to verify that the PrivateLink service exists. Then select the VPC in your account that is to be connected to the CloudAMQP instance.
Do not create the PrivateLink endpoint in all available subnets. Only select the subnets which matches the availability zone id for the servers. The load balancer that is behind the Private link is available in all availability zones in the current region. This means that when you create the endpoint in your account all subnets will be checked by default. You can find what availability zones your servers are in on the PrivateLink tab in your CloudAMQP Console.
As of this writing, AWS does not support cross-region PrivateLinks. Please ensure that the CloudAMQP instance and the VPC that will connect to it are in the same AWS region.
If your VPC is configured to enable DNS support, check the box to enable the DNS name for the endpoint. In this case, you will see the CloudAMQP hostname listed in the Private DNS name section of the details view for the PrivateLink endpoint.
If your VPC cannot enable DNS support, amqp clients will need to use the AWS-provided DNS name to connect over PrivateLink. Alternatively, to enable the DNS configurations for your VPC, follow these steps:
Once these four steps are done, the CloudAMQP hostname can be used by instances connecting via PrivateLink.
To complete the Endpoint creation, click the Create endpoint button at the bottom of the form in the AWS console. PrivateLink should now be ready to use, and clients should succeed in connecting to the CloudAMQP RabbitMQ server.
You'll find more information on the AWS website: AWS PrivateLink.
Enabling PrivateLink takes somewhere between 1-3 minutes, and the setup time may vary depending on how your cluster is currently configured. If your cluster was set up before Jan. 31, 2022, the setup would take more time, and it would also require downtime for each server in the resource group. The reason is that the network interface must be reconfigured for each server, which requires downtime.
Once everything is configured and the PrivateLink Service is up and running, it’s time to specify who should have access to connect to it.
In Azure PrivateLink, access is restricted to subscription IDs. You can list multiple IDs, and once you have added a subscription ID to the allow list, you can create a PrivateLink resource in that subscription and connect. All PrivateLink connections are listed in the UI.
Check out Microsoft Azure documentation for more information: What is Azure Private Link?