How to enable VPC Connect on CloudAMQP

This feature is available on dedicated instances in AWS and Azure with PrivateLink enabled, or in GCP with Private Service Connect enabled. We call this VPC Connect.

When using VPC Connect, clusters can be connected just as if they were living inside your VPC. CloudAMQP creates an Endpoint Service that your VPC connects to, which creates a new network interface in your VPC for communicating with the cluster.

Pricing

PrivateLink/Private Service Connect is included in VPCs, which are $99/month.

How to enable VPC Connect

Your instance must have VPC features enabled. They are already enabled if you chose a dedicated VPC when creating the CloudAMQP instance; otherwise you can enable them by going to the CloudAMQP Console and the list of instances. Click Edit next to an instance and then Enable VPC Features.

(Screenshot: Enable VPC Features)

Once the VPC features are enabled, a menu item called VPC Connect will be available under the Network section in the CloudAMQP console. Click Enable to start the process of enabling PrivateLink/Private Service Connect on your instance.

AWS PrivateLink

It takes 1-3 minutes to activate PrivateLink, after which the screen below is displayed. If not all of the fields are shown, activation is not yet complete. In this case, wait about one minute and refresh the screen; all of the fields should then be active.

The ports on the CloudAMQP instances, open via PrivateLink, are 443, 5671, 5672, 1883, 8883, 61613, 61614, 5551 and 5552. Other ports can be opened upon request.

(Screenshot: PrivateLink AWS)

Allowlist

The only configuration needed is to add the ARN of the AWS principal (an account, user or role) to the allowlist.

(Screenshot: Allowlist AWS)

Connecting to the cluster

Once the new PrivateLink is activated, create an Endpoint for it in your AWS account. If using the AWS web interface, click the radio button Find service by name and paste the service name shown in the PrivateLink view of the CloudAMQP console. Click the Verify button in the AWS console to verify that the PrivateLink service exists. Then select the VPC in your account that is to be connected to the CloudAMQP instance.

Do not create the PrivateLink endpoint in all available subnets. Only select the subnets whose availability zone ID matches the availability zones of the servers. The load balancer behind the PrivateLink is available in all availability zones in the current region, which means that when you create the endpoint in your account all subnets are checked by default. You can find which availability zones your servers are in on the PrivateLink tab in your CloudAMQP Console.

As of this writing, AWS does not support cross-region PrivateLinks. Please ensure that the CloudAMQP instance and the VPC that will connect to it are in the same AWS region.

If your VPC is configured to enable DNS support, check the box to enable the DNS name for the endpoint. In this case, you will see the CloudAMQP hostname listed in the Private DNS name section of the details view for the PrivateLink endpoint.

If your VPC cannot enable DNS support, AMQP clients will need to use the AWS-provided DNS name to connect over PrivateLink. Alternatively, to enable the DNS configuration for your VPC, follow these steps:

  1. Enable DNS resolution on your VPC (enableDnsSupport).
  2. Enable DNS Hostnames (enableDnsHostnames).
  3. Your EC2 instances must use the Amazon resolving DNS servers, typically communicated to the EC2 instance using the VPC DHCP Options.
  4. When you have created the VPC Peering Connection between your VPC and the CloudAMQP VPC, you must enable support for DNS resolution.

Once these four steps are done, the CloudAMQP hostname can be used by instances connecting via PrivateLink.

To complete the Endpoint creation, click the Create endpoint button at the bottom of the form in the AWS console. PrivateLink should now be ready to use, and clients should succeed in connecting to the CloudAMQP RabbitMQ server.
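The AWS CLI equivalent of the console steps above, as an added example that is not CloudAMQP's own tooling: it runs the same check as the Verify button, turns on the two VPC DNS attributes from steps 1 and 2, selects only the subnets whose AZ ID matches the CloudAMQP servers' AZ IDs, and creates the Interface endpoint with private DNS enabled. The VPC ID, service name, security group ID and AZ IDs are placeholders; the real service name and AZ IDs come from the PrivateLink tab of the CloudAMQP console.

```shell
#!/bin/sh
# Added example (not CloudAMQP's own code). All values below are placeholders
# or constructed samples; override them through the environment.
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
SERVICE_NAME="${SERVICE_NAME:-com.amazonaws.vpce.REGION.vpce-svc-PLACEHOLDER}"
SECURITY_GROUP_ID="${SECURITY_GROUP_ID:-sg-PLACEHOLDER}"   # allow only the broker ports listed above
CLOUDAMQP_AZ_IDS="${CLOUDAMQP_AZ_IDS:-euw1-az1 euw1-az2}"  # constructed sample; read yours from the console

# select_subnets WANTED_AZ_IDS
# Reads "SubnetId<TAB>AvailabilityZoneId" lines on stdin (the shape that
# `aws ec2 describe-subnets --output text` prints for the query used in
# list_subnets) and prints, space separated and in input order, only the
# subnet IDs whose AZ ID is in WANTED_AZ_IDS. Subnets in other AZs are
# dropped, so the endpoint is not created where no CloudAMQP server lives.
select_subnets() {
  awk -v want="$1" '
    BEGIN { n = split(want, az, " "); for (i = 1; i <= n; i++) ok[az[i]] = 1 }
    ($2 in ok) { ids = ids (ids != "" ? " " : "") $1 }
    END { print ids }'
}

list_subnets() {
  aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" \
    --query 'Subnets[].[SubnetId,AvailabilityZoneId]' --output text
}

# Steps 1 and 2 of the DNS list above, in the order AWS requires
# (DNS support first, then DNS hostnames).
enable_vpc_dns() {
  aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-support
  aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-hostnames
}

create_endpoint() {
  # Same check as the console's Verify button: fails if the service name is wrong
  # or your principal is not yet on the CloudAMQP allowlist.
  aws ec2 describe-vpc-endpoint-services --service-names "$SERVICE_NAME" >/dev/null || return 1
  subnets=$(list_subnets | select_subnets "$CLOUDAMQP_AZ_IDS")
  if [ -z "$subnets" ]; then
    echo "no subnet in $VPC_ID matches AZ IDs: $CLOUDAMQP_AZ_IDS" >&2
    return 1
  fi
  # --private-dns-enabled is the "enable the DNS name" checkbox: clients keep
  # using the CloudAMQP hostname, which now resolves to the endpoint's interface.
  # $subnets is deliberately unquoted so each subnet ID becomes its own argument.
  aws ec2 create-vpc-endpoint --vpc-id "$VPC_ID" --vpc-endpoint-type Interface \
    --service-name "$SERVICE_NAME" --subnet-ids $subnets \
    --security-group-ids "$SECURITY_GROUP_ID" --private-dns-enabled
}

# Nothing talks to AWS unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
  enable_vpc_dns && create_endpoint
fi
```

Run it as `CLOUDAMQP_AZ_IDS="use1-az1 use1-az2" ./privatelink.sh --apply` after exporting the real VPC ID, service name and security group ID. The security group attached to the endpoint is the place to restrict which of your instances may reach the broker ports; the CloudAMQP allowlist only controls which AWS principals may create endpoints.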

You'll find more information on the AWS website: AWS PrivateLink.

Azure PrivateLink

Enabling PrivateLink takes between 1-3 minutes, but the setup time may vary depending on how your cluster is currently configured. If your cluster was set up before Jan. 31, 2022, the setup will take more time, and it will also require downtime for each server in the resource group, because the network interface must be reconfigured on each server.

The ports on the CloudAMQP instances, open via PrivateLink, are 443, 5671, 5672, 1883, 8883, 61613, 61614, 5551 and 5552. Other ports can be opened upon request.

(Screenshot: PrivateLink Azure)

Allowlist

Once everything is configured and the PrivateLink Service is up and running, it’s time to specify who should have access to connect to it.

In Azure PrivateLink, access is restricted by subscription ID. You can list multiple IDs; once you have added a subscription ID to the allowlist, you can create a PrivateLink resource in that subscription and connect. All PrivateLink connections are listed in the UI.

(Screenshot: Allowlist Azure)

Connecting to the cluster

You will also need to ensure that your DNS resolves the hostname of the cluster to the IP address of your PrivateLink endpoint. We recommend using a Private DNS Zone: in the private DNS zone, create an A record that points to the IP address of the Private Endpoint. Best practice is to use the public hostname of the cluster (e.g. [your-cluster-name].rmq[5].cloudamqp.com) so that clients are able to use TLS if necessary. You can test the connection with one of the many network troubleshooting tools (such as dig, netcat or telnet) and verify that a connection to the cluster succeeds using the internal IP of the PrivateLink endpoint.
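The private DNS zone setup and the resolution check described above, as an added example that is not CloudAMQP's own tooling. It uses the Azure CLI to create a private DNS zone named after the public domain of the cluster, link it to your VNet and add the A record, and it includes a check that only passes when the cluster hostname resolves exclusively to the Private Endpoint's private IP. The resource group, VNet name, endpoint IP and cluster hostname are placeholders or constructed values.

```shell
#!/bin/sh
# Added example (not CloudAMQP's own code). Placeholder / constructed values:
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-PLACEHOLDER}"
VNET_NAME="${VNET_NAME:-vnet-PLACEHOLDER}"
ENDPOINT_IP="${ENDPOINT_IP:-10.0.1.4}"                                  # private IP of your Private Endpoint (constructed)
CLUSTER_HOST="${CLUSTER_HOST:-your-cluster-name.rmq5.cloudamqp.com}"    # placeholder following the pattern in the text

# zone_of HOST / record_of HOST: split the public hostname into the private
# DNS zone (everything after the first label) and the A record name (first label),
# so the public name keeps working and TLS certificate validation still matches.
zone_of()   { printf '%s\n' "${1#*.}"; }
record_of() { printf '%s\n' "${1%%.*}"; }

# Azure CLI steps: create the zone, link it to the VNet (no auto-registration),
# and point the cluster hostname at the endpoint's private address.
create_private_dns() {
  zone=$(zone_of "$CLUSTER_HOST")
  az network private-dns zone create --resource-group "$RESOURCE_GROUP" --name "$zone"
  az network private-dns link vnet create --resource-group "$RESOURCE_GROUP" --zone-name "$zone" \
    --name "${VNET_NAME}-link" --virtual-network "$VNET_NAME" --registration-enabled false
  az network private-dns record-set a add-record --resource-group "$RESOURCE_GROUP" --zone-name "$zone" \
    --record-set-name "$(record_of "$CLUSTER_HOST")" --ipv4-address "$ENDPOINT_IP"
}

# check_private_resolution EXPECTED_IP
# Reads resolved addresses on stdin (for example the output of `dig +short`).
# Succeeds only if at least one IPv4 address came back and every one of them is
# EXPECTED_IP. Any other address (typically the cluster's public IP, meaning the
# private zone is not linked to this VNet) makes the check fail, because clients
# would then bypass the Private Endpoint. Non-address lines such as CNAME targets
# are ignored.
check_private_resolution() {
  expected="$1"
  seen=""
  while IFS= read -r addr; do
    case "$addr" in
      "" | *[!0-9.]*) continue ;;   # skip blank lines and names
    esac
    [ "$addr" = "$expected" ] || return 1
    seen=1
  done
  [ -n "$seen" ]
}

# End-to-end check from a VM inside the linked VNet: resolution, then a TCP
# connect to the AMQPS port (5671 is one of the ports opened via PrivateLink).
verify_from_vnet() {
  dig +short "$CLUSTER_HOST" | check_private_resolution "$ENDPOINT_IP" \
    || { echo "$CLUSTER_HOST does not resolve only to $ENDPOINT_IP" >&2; return 1; }
  nc -z -w 5 "$CLUSTER_HOST" 5671
}

# Nothing talks to Azure or the network unless explicitly requested.
case "${1:-}" in
  --apply)  create_private_dns ;;
  --verify) verify_from_vnet ;;
esac
```

Run `./private-dns.sh --apply` once from a machine logged in with `az login`, then `./private-dns.sh --verify` from a VM in the linked VNet. A failing check after the zone exists usually means the VNet link is missing or the VM uses a resolver outside the VNet.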

Note that since we are using a service endpoint in the VNet on our end, you are unable to initiate connections from the cluster to your internal network. For example, creating a shovel to an internal endpoint is not possible. If this is a requirement, we recommend using VPC Peering instead.

Check out Microsoft Azure documentation for more information: What is Azure Private Link?

GCP Private Service Connect

It takes 1-3 minutes to activate Private Service Connect, after which the screen below is displayed. If not all of the fields are shown, activation is not yet complete. In this case, wait about one minute and refresh the screen; all of the fields should then be active.

The ports on the CloudAMQP instances, open via Private Service Connect, are 443, 5671, 5672, 5551 and 5552.

(Screenshot: Private Service Connect GCP)

Allowlist

By default, the service denies all connections. To allow your project to connect to this service, you need to add it to the allowlist: enter the name of the Google Cloud project that is permitted to connect over the service.

(Screenshot: Allowlist GCP)

Connecting to the cluster

When Private Service Connect is enabled, you need to create a connect endpoint from your Google Cloud console. Go to the Private Service Connect menu under Network Services. Click Connect Endpoint, choose Published service and enter the service name listed on the VPC Connect configuration page (see above). Follow the guide to finish creating the endpoint.

After the endpoint has been created, click to open it. It will display the IP address of the endpoint, which is used to connect to the brokers over the published Private Service Connect service.

Check out Google Private Service Connect documentation for more information: What is Private Service Connect?