How to enable PrivateLink on CloudAMQP

This page is available on dedicated instances in AWS and Azure with Privatelink enabled

When using PrivateLink, clusters can be connected just as they were living inside a VPC. CloudAMQP creates an Endpoint Service to connect the VPC, creating a new network interface to communicate with the cluster.


PrivateLink is included in VPCs, which are $99/month.

How to enable PrivateLink

Your instance must have VPC features enabled, you can enabled them by going to the CloudAMQP Console and the list of instances. Click Edit next to an instance and then Enable VPC.

Enable VPC/PrivateLink

Once enabled a menu item called PrivateLink will be available in the instance details, including all configuration settings.

It only takes a minute to activate PrivateLink, displaying the screen below. If all the fields are not shown, it is not activated completely. In this case, allow for about one minute before refreshing the screen and all the fields to become active.

The ports on the CloudAMQP instances, open via PrivateLink, are 443, 5671, 5672, 1883, 8883, 61613, 61614, 5551 and 5552. Other ports can be opened upon request.

AWS Privatelink

The only configuration needed is the principal for an AWS account in the format arn:aws:iam::aws-account-id:root.

For a specific IAM user, the ARN is in the format arn:aws:iam::aws-account-id:user/user-name

For a specific IAM role, the ARN is in the format arn:aws:iam::aws-account-id:role/role-name

Once the new PrivateLink is activated, create an Endpoint for it in your AWS account. If using the AWS web interface, click the radio button Find service by name and paste the service name shown in the PrivateLink view of the CloudAMQP console. Click the Verify button in the AWS console to verify that the PrivateLink service exists. Then select the VPC in your account that is to be connected to the CloudAMQP instance.

Do not create the PrivateLink endpoint in all available subnets. Only select the subnets which matches the availability zone id for the servers. The load balancer that is behind the Private link is available in all availability zones in the current region. This means that when you create the endpoint in your account all subnets will be checked by default. You can find what availability zones your servers are in on the PrivateLink tab in your CloudAMQP Console.

As of this writing, AWS does not support cross-region PrivateLinks. Please ensure that the CloudAMQP instance and the VPC that will connect to it are in the same AWS region.

If your VPC is configured to enable DNS support, check the box to enable the DNS name for the endpoint. In this case, you will see the CloudAMQP hostname listed in the Private DNS name section of the details view for the PrivateLink endpoint.

If your VPC cannot enable DNS support, amqp clients will need to use the AWS-provided DNS name to connect over PrivateLink. Alternatively, to enable the DNS configurations for your VPC, follow these steps:

  1. Enable DNS resolution on your VPC (enableDnsSupport).
  2. Enable DNS Hostnames (enableDnsHostnames).
  3. Your EC2 instances must use the Amazon resolving DNS servers, typically communicated to the EC2 instance using the VPC DHCP Options.
  4. When you have created the VPC Peering Connection between your VPC and the CloudAMQP VPC, you must enable support for DNS resolution.

Once these four steps are done, the CloudAMQP hostname can be used by instances connecting via PrivateLink.

To complete the Endpoint creation, click the Create endpoint button at the bottom of the form in the AWS console. PrivateLink should now be ready to use, and clients should succeed in connecting to the CloudAMQP RabbitMQ server.

You'll find more information on the AWS website: AWS PrivateLink.

Azure Privatelink

Enabling PrivateLink takes somewhere between 1-3 minutes, and the setup time may vary depending on how your cluster is currently configured. If your cluster was set up before Jan. 31, 2022, the setup would take more time, and it would also require downtime for each server in the resource group. The reason is that the network interface must be reconfigured for each server, which requires downtime.

Once everything is configured and the PrivateLink Service is up and running, it’s time to specify who should have access to connect to it.

In Azure PrivateLink, access is restricted to subscription IDs. You can list multiple IDs, and once you have added a subscription ID to the allow list, you can create a PrivateLink resource in that subscription and connect. All PrivateLink connections are listed in the UI.

PrivateLink Configuration

You will also need to ensure that your DNS resolves the hostname of the cluster to the IP of your PrivateLink endpoint. We recommend using a Private DNS Zone. In the private DNS zone, create an A record that points to the IP address of the Private Endpoint. Best practice is to use the public hostname of the cluster (e.g. [your-cluster-name].rmq[5] so that clients are able to use TLS if necessary. You can test the connection by using one of many network troubleshooting tool (such as dig, netcat, telnet..) and verify connection is successful to the cluster using the internal IP of the PrivateLink endpoint.

Note that since we are using a service endpoint in the VNET on our end, you are unable to initiate connection from the cluster to your internal network. For example, creating a shovel to an internal endpoint is not possible. If this is a requirement then we recommend using VPC Peering.

Check out Microsoft Azure documentation for more information: What is Azure Private Link?