VPC Connect on CloudAMQP

VPC Connect allows you to securely connect your applications to CloudAMQP instances through private network connections, eliminating traffic over the public internet. This feature is available on dedicated instances and supports:

Overview

VPC Connect creates a private network path between your Virtual Private Cloud (VPC) and your CloudAMQP cluster. Instead of connecting over the public internet, your applications communicate with CloudAMQP through a secure, private endpoint within your cloud provider's network infrastructure.

Prerequisites

Before setting up VPC Connect, ensure your CloudAMQP instance meets these requirements:

  • Dedicated instance required: VPC Connect is only available on dedicated CloudAMQP instances
  • VPC features enabled: Your instance must have VPC features activated (see setup instructions below)
  • Regional alignment: Your CloudAMQP instance and target VPC must be in the same cloud region

Pricing

VPC Connect functionality is included with VPC-enabled instances at $99/month. There are no additional charges for the private connection itself.

Enabling VPC Features

To use VPC Connect, you first need to enable VPC features on your CloudAMQP instance:

  1. Navigate to your CloudAMQP Console and view your instances list
  2. Click the Edit button next to your target instance
  3. Select Enable VPC Features and confirm the change

After enabling VPC features, you'll see a new VPC Connect menu item under the Network section in your CloudAMQP console.

AWS PrivateLink Setup

Activation

To enable AWS PrivateLink for your CloudAMQP instance:

  1. Navigate to the VPC Connect section in your CloudAMQP console
  2. Click "Enable" to start the PrivateLink activation process
  3. Wait 1-3 minutes for the activation to complete

Note: If you don't see all configuration fields immediately, wait about one minute and refresh the page. The service needs time to fully activate.

Once active, PrivateLink opens the following ports on your CloudAMQP instance: 443, 5671, 5672, 1883, 8883, 61613, 61614, 5551, 5552
Additional ports can be opened upon request through support.

PrivateLink AWS Configuration

Access Control (Allowlist)

Configure which AWS accounts can access your PrivateLink service by adding ARN principals to the allowlist. You can specify:

  • AWS account IDs
  • Specific IAM users
  • IAM roles

Creating the VPC Endpoint

After PrivateLink is activated in CloudAMQP, create a VPC endpoint in your AWS account:

Step 1: Create the Endpoint

  1. Open the AWS VPC console and navigate to Endpoints
  2. Click "Create Endpoint"
  3. Select "Find service by name"
  4. Paste the service name from your CloudAMQP PrivateLink configuration
  5. Click "Verify" to confirm the service exists
  6. Select your target VPC

Step 2: Configure Subnets

Important: Do not select all available subnets. Only choose subnets that match the availability zone IDs where your CloudAMQP servers are located. You can find these availability zones in the PrivateLink tab of your CloudAMQP console.
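The subnet rule above, as an added example (not CloudAMQP or AWS code). AZ names such as us-east-1a are mapped per AWS account, so the comparison has to use the AvailabilityZoneId field. The function name, the VPC and subnet IDs and the AZ IDs are constructed for illustration; the input has the shape of `aws ec2 describe-subnets` output.

```python
import json

# Constructed sample: trimmed `aws ec2 describe-subnets` output. All IDs are made up.
SAMPLE = json.loads("""
{"Subnets": [
 {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0app", "AvailabilityZone": "us-east-1a", "AvailabilityZoneId": "use1-az4"},
 {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0app", "AvailabilityZone": "us-east-1b", "AvailabilityZoneId": "use1-az1"},
 {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0app", "AvailabilityZone": "us-east-1b", "AvailabilityZoneId": "use1-az1"},
 {"SubnetId": "subnet-0ddd", "VpcId": "vpc-0other", "AvailabilityZone": "us-east-1c", "AvailabilityZoneId": "use1-az2"}
]}
""")


def pick_endpoint_subnets(describe_subnets, vpc_id, service_az_ids):
    """Choose one subnet per AZ ID that the CloudAMQP servers run in.

    Returns (subnet_ids, uncovered_az_ids). Matching is done on
    AvailabilityZoneId, never on the account-specific AvailabilityZone name.
    """
    wanted = set(service_az_ids)
    chosen = {}
    for subnet in describe_subnets["Subnets"]:
        az_id = subnet["AvailabilityZoneId"]
        if subnet["VpcId"] != vpc_id or az_id not in wanted:
            continue
        # An interface endpoint takes at most one subnet per AZ: keep the first.
        chosen.setdefault(az_id, subnet["SubnetId"])
    uncovered = sorted(wanted - set(chosen))
    return [chosen[az] for az in sorted(chosen)], uncovered


if __name__ == "__main__":
    # Constructed AZ IDs standing in for the values shown in the PrivateLink tab.
    subnets, missing = pick_endpoint_subnets(SAMPLE, "vpc-0app", ["use1-az1", "use1-az2"])
    print("select:", subnets)
    print("no subnet in:", missing)
```

An AZ ID reported as uncovered means the VPC has no subnet in a zone where the CloudAMQP servers run, which needs a new subnet rather than a substitute from another zone.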

Step 3: DNS Configuration

If your VPC has DNS support enabled, check the box to "Enable DNS name for the endpoint." This allows you to use the CloudAMQP hostname directly.

If DNS support is not enabled, you'll need to either:

  • Use the AWS-provided DNS name for connections, or
  • Enable DNS support for your VPC (recommended)

Enabling DNS Support for Your VPC

To use CloudAMQP hostnames with PrivateLink, configure DNS support:

  1. Enable DNS resolution (enableDnsSupport) on your VPC
  2. Enable DNS hostnames (enableDnsHostnames) on your VPC
  3. Configure your EC2 instances to use Amazon DNS servers via VPC DHCP Options
  4. If using VPC Peering, enable DNS resolution support

Complete the Setup

Click "Create endpoint" to finalize the configuration. Your applications can now connect to CloudAMQP through the private endpoint.

Regional Limitation: AWS PrivateLink connections must be within the same region. Ensure your CloudAMQP instance and VPC are in the same AWS region.

For more information, visit: AWS PrivateLink Documentation

Azure Private Link Setup

Activation

To enable Azure Private Link for your CloudAMQP instance:

  1. Navigate to the VPC Connect section in your CloudAMQP console
  2. Click "Enable" to start the Private Link activation process
  3. Wait 1-3 minutes for the activation to complete

Note: If you don't see all configuration fields immediately, wait about one minute and refresh the page. The service needs time to fully activate.

Azure Private Link opens the following ports: 443, 5671, 5672, 1883, 8883, 61613, 61614, 5551, 5552
Additional ports can be opened upon request through support.

Setup time may vary for clusters created before Jan 31, 2022, which may require brief downtime for network interface reconfiguration.

Azure Private Link Configuration

Allowlist

Once the Private Link service is up and running, specify who is allowed to connect to it.

In Azure Private Link, access is restricted by subscription ID. You can list multiple IDs. Once a subscription ID is on the allowlist, you can create a Private Link resource in that subscription and connect. All Private Link connections are listed in the UI.


Creating the Private Endpoint

DNS Configuration (Recommended)

For proper hostname resolution, set up a Private DNS Zone:

  1. Create an Azure Private DNS Zone
  2. Create an A record pointing to your Private Endpoint's IP address
  3. Use your cluster's public hostname (e.g., your-cluster-name.rmq5.cloudamqp.com) as the record name
  4. This enables TLS connections and maintains consistency with your existing configuration

Testing Your Connection

Verify your Private Link setup using network troubleshooting tools:

  • Use dig to verify DNS resolution
  • Test connectivity with netcat or telnet
  • Confirm connection to the cluster using the Private Endpoint's internal IP
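The checks listed above, scripted as an added example (not CloudAMQP tooling). It confirms that the cluster hostname resolves only to internal addresses, probes the ports this page lists, and validates TLS against the cluster hostname while connecting to the endpoint IP. Assumptions: the VPC/VNet uses RFC 1918 IPv4 space, and all function names are hypothetical.

```python
import ipaddress
import socket
import ssl

# Ports this page lists as opened by AWS PrivateLink and Azure Private Link.
LISTED_PORTS = (443, 5671, 5672, 1883, 8883, 61613, 61614, 5551, 5552)
# Assumption: the VPC/VNet uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls inside RFC 1918 space (the private endpoint side)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def resolve(hostname):
    """What dig would show: the distinct addresses the name resolves to."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def port_open(host, port, timeout=3.0):
    """What netcat would show: can a TCP connection be established?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_ok(ip, port, hostname, timeout=3.0):
    """Connect to the endpoint IP but validate the certificate for hostname."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except OSError:  # includes ssl.SSLError and certificate failures
        return False


def assess(addresses, probe=port_open, ports=LISTED_PORTS):
    """Summarise a resolution result: public addresses and reachable ports."""
    public = [a for a in addresses if not is_internal(a)]
    reachable = {a: [p for p in ports if probe(a, p)] for a in addresses if is_internal(a)}
    return {"private_only": bool(addresses) and not public, "public": public, "reachable": reachable}
```

Run `assess(resolve(hostname))` from a host inside the network. Any entry under `public` means the name still resolves outside the private endpoint, so that traffic would not use the private path.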

Important Limitations

Note: Azure Private Link uses a service endpoint model. This means:

  • Your applications can connect TO CloudAMQP through the private link
  • CloudAMQP CANNOT initiate connections back to your internal network
  • Features like shovels to internal endpoints are not supported
  • For bidirectional connectivity, consider VPC Peering instead

For more information, see: Azure Private Link Documentation

GCP Private Service Connect Setup

Activation

To enable GCP Private Service Connect:

  1. Navigate to VPC Connect in your CloudAMQP console
  2. Click "Enable" to start Private Service Connect activation
  3. Wait 1-3 minutes for the service to become fully active

Note: If configuration fields don't appear immediately, wait about one minute and refresh the page.

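Unlike other cloud providers, GCP Private Service Connect opens all ports that are allowed by your CloudAMQP firewall configuration. This gives you maximum flexibility, and it means the firewall rules are what limit which ports are reachable over the private connection.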

GCP Private Service Connect Configuration

Access Control (Allowlist)

By default, Private Service Connect denies all connection attempts. Grant access by:

  1. Adding Google Cloud project IDs to the allowlist
  2. Specifying which projects can create connection endpoints
  3. Managing access through the CloudAMQP console

Enter the exact name of each Google Cloud project that should be permitted to connect to your CloudAMQP instance.


Automatic Firewall Configuration

When you enable VPC Connect, CloudAMQP automatically:

  • Creates a Private Service Connect network in GCP
  • Adds the network's CIDR block to your firewall allowlist
  • Configures the necessary routing rules

Important: Do not remove the automatically created firewall rule. Removing it will break VPC connectivity.

Creating the Connection Endpoint

After enabling Private Service Connect in CloudAMQP, create a connection endpoint in your Google Cloud console:

Step-by-Step Setup

  1. Navigate to "Network Services" → "Private Service Connect" in Google Cloud Console
  2. Click "Connect Endpoint"
  3. Select "Published service" as the connection type
  4. Enter the service name from your CloudAMQP VPC Connect configuration page
  5. Complete the endpoint creation following Google's setup wizard

Getting the Connection IP

Once your endpoint is created:

  1. Click on the newly created endpoint to view its details
  2. Note the assigned IP address - this is your connection endpoint
  3. Configure your applications to use this IP address when connecting to CloudAMQP

Your applications will connect to CloudAMQP using this private IP address instead of the public hostname, ensuring all traffic stays within Google Cloud's private network.

For comprehensive setup guidance, refer to: Google Cloud Private Service Connect Documentation