How to enable PrivateLink on CloudAMQP

This page is available on dedicated instances in AWS and Azure with Privatelink enabled

When using PrivateLink, clusters can be connected just as they were living inside a VPC. CloudAMQP creates an Endpoint Service to connect the VPC, creating a new network interface to communicate with the cluster.

Pricing

If VPC is already enabled, there is no additional charge for PrivateLink. To add PrivateLink without previously having a VPC, the cost is $99 per month. We only charge for PrivateLink while it is enabled, so if you disable it, we won’t charge.

How to enable PrivateLink

To enable PrivateLink, go to the CloudAMQP Console and the list of instances. Click Edit next to an instance and then PrivateLink.

Enable PrivateLink

This screen displays the option to enable PrivateLink.

PrivateLink settings

Once enabled, a new menu item will appear called PrivateLink, including all configuration settings.

It only takes a minute to activate PrivateLink, displaying the screen below. If all the fields are not shown, it is not activated completely. In this case, allow for about one minute before refreshing the screen and all the fields to become active.

The ports on the CloudAMQP instances, open via PrivateLink, are 443, 5671, 5672, 1883, 8883, 61613, 61614, 5551 and 5552. Other ports can be opened upon request.

AWS Privatelink

The only configuration needed is the principal for an AWS account in the format arn:aws:iam::aws-account-id:root.

For a specific IAM user, the ARN is in the format arn:aws:iam::aws-account-id:user/user-name

For a specific IAM role, the ARN is in the format arn:aws:iam::aws-account-id:role/role-name

Once the new PrivateLink is activated, create an Endpoint for it in your AWS account. If using the AWS web interface, click the radio button Find service by name and paste the service name shown in the PrivateLink view of the CloudAMQP console. Click the Verify button in the AWS console to verify that the PrivateLink service exists. Then select the VPC in your account that is to be connected to the CloudAMQP instance.

As of this writing, AWS does not support cross-region PrivateLinks. Please ensure that the CloudAMQP instance and the VPC that will connect to it are in the same AWS region.

If your VPC is configured to enable DNS support, check the box to enable the DNS name for the endpoint. In this case, you will see the CloudAMQP hostname listed in the Private DNS name section of the details view for the PrivateLink endpoint.

If your VPC cannot enable DNS support, amqp clients will need to use the AWS-provided DNS name to connect over PrivateLink. Alternatively, to enable the DNS configurations for your VPC, follow these steps:

  1. Enable DNS resolution on your VPC (enableDnsSupport).
  2. Enable DNS Hostnames (enableDnsHostnames).
  3. Your EC2 instances must use the Amazon resolving DNS servers, typically communicated to the EC2 instance using the VPC DHCP Options.
  4. When you have created the VPC Peering Connection between your VPC and the CloudAMQP VPC, you must enable support for DNS resolution.

Once these four steps are done, the CloudAMQP hostname can be used by instances connecting via PrivateLink.

To complete the Endpoint creation, click the Create endpoint button at the bottom of the form in the AWS console. PrivateLink should now be ready to use, and clients should succeed in connecting to the CloudAMQP RabbitMQ server.

You'll find more information on the AWS website: AWS PrivateLink.

Azure Privatelink

Enabling PrivateLink takes somewhere between 1-3 minutes, and the setup time may vary depending on how your cluster is currently configured. If your cluster was set up before Jan. 31, 2022, the setup would take more time, and it would also require downtime for each server in the resource group. The reason is that the network interface must be reconfigured for each server, which requires downtime.

Once everything is configured and the PrivateLink Service is up and running, it’s time to specify who should have access to connect to it.

In Azure PrivateLink, access is restricted to subscription IDs. You can list multiple IDs, and once you have added a subscription ID to the allow list, you can create a PrivateLink resource in that subscription and connect. All PrivateLink connections are listed in the UI.

PrivateLink Configuration

Check out Microsoft Azure documentation for more information: What is Azure Private Link?