With Private Networking for Amazon MQ for RabbitMQ, your brokers can establish outbound connections to private resources in your VPC without exposing those resources publicly. This post explains how the feature works and walks you through setting it up.
Amazon MQ for RabbitMQ brokers could previously only reach external destinations over the public internet. If you used a private Lightweight Directory Access Protocol (LDAP) server for broker authentication, you had to expose that server publicly. If you wanted to federate messages between private brokers, you needed workarounds such as Network Load Balancers with IP allowlisting, as described in Implementing Federation on Amazon MQ for RabbitMQ Private Brokers. Private Networking removes these constraints.
You can connect your broker to private identity providers, other Amazon MQ for RabbitMQ brokers, or self-hosted RabbitMQ brokers running in private subnets. Combined with cross-Region networking services such as AWS Transit Gateway, you can extend these connections across AWS Regions and accounts, with traffic staying on the AWS private network.
How it works
Private Networking connects your broker to private destinations using three AWS services: Amazon VPC Lattice, AWS Resource Access Manager (AWS RAM), and AWS PrivateLink.
You create a VPC Lattice resource gateway in a VPC that can reach your private destination. You then create a VPC Lattice resource configuration that defines the destination, such as an IP address or Domain Name System (DNS) name. You add the resource configuration to a RAM resource share and associate the resource share with your broker through the UpdateBroker API operation. After rebooting the broker, the network path is active and your broker can reach the private destination.
The broker doesn't have to be private. A publicly accessible broker works the same way.
What you can connect to
Private Networking supports three use cases.
Private identity providers
If you use an LDAP server or other identity provider for RabbitMQ authentication, you no longer need to expose it publicly. Create a resource configuration pointing to your identity provider, associate it with your broker, and use the DNS name returned by the DescribeSharedResources API operation in place of the public endpoint. Follow the existing guidance for setting up an identity provider, substituting the private DNS name.
Self-hosted RabbitMQ brokers
You can use Shovel or Federation to connect your Amazon MQ for RabbitMQ broker to a self-hosted RabbitMQ broker running in a private subnet. Create a resource configuration pointing to the self-hosted broker and use the DNS name from the DescribeSharedResources API operation in your Shovel or Federation configuration.
This pattern is useful for hybrid cloud architectures where you run RabbitMQ on Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), or on-premises infrastructure and want to exchange messages with Amazon MQ without exposing either side publicly.
Other Amazon MQ for RabbitMQ brokers
You can federate or shovel messages between two Amazon MQ for RabbitMQ brokers using Private Networking. Create a resource configuration pointing to the destination broker's endpoint and specify that same endpoint as the custom domain name on the resource configuration. This helps to verify that the DNS name resolves correctly and Transport Layer Security (TLS) peer verification succeeds.
This extends to brokers in different AWS Regions and different AWS accounts. By combining Private Networking with cross-Region networking services such as AWS Transit Gateway or VPC peering, you can build a fully private federation or shovel path between brokers, with no public endpoints required.
DNS names and custom domains
Each resource configuration can include a custom domain name. If you add a verified domain, that domain resolves to the private destination. If you don't add a verified domain, Amazon MQ provides a DNS name for the broker's private connection. Retrieve this DNS name with the DescribeSharedResources API operation.
If you specify an unverified domain on a resource configuration, it's ignored. The broker's private connection receives a private DNS name instead, which you can retrieve with the DescribeSharedResources API operation.
For more details on custom domains and domain verification with VPC Lattice, see Custom domains for VPC Lattice resources.
TLS peer verification in RabbitMQ 4
Note: If you're running RabbitMQ 4, review this section before configuring Shovel or Federation connections.
RabbitMQ 4 enforces TLS certificate peer verification by default for Shovel and Federation connections. RabbitMQ 3 doesn't enforce this by default. When using Private Networking, the DNS name that Amazon MQ assigns to the private connection might not match the TLS certificate of the destination, which causes peer verification to fail.
The recommended approach is to specify the destination broker's endpoint (for example, b-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111.mq.us-east-1.on.aws) as the custom domain name on the resource configuration. This exception only applies to Amazon MQ for RabbitMQ broker endpoints. You cannot use an unverified domain for self-hosted brokers. Specifying the Amazon MQ endpoint causes the DNS name to match the destination's TLS certificate, and peer verification succeeds. This approach works regardless of your RabbitMQ version and avoids the issue entirely.
Getting started
To get started with Private Networking for Amazon MQ for RabbitMQ, follow these steps.
Prerequisites
Before you begin, verify that you have the following:
- An AWS account.
- The AWS Command Line Interface (AWS CLI) installed and configured.
- AWS Identity and Access Management (IAM) permissions to manage Amazon MQ, VPC Lattice, and AWS RAM resources.
- An existing VPC with connectivity to your private destination.
Walkthrough
After you have the prerequisites, follow these steps:
- Create an Amazon MQ for RabbitMQ broker if you don't already have one.
- Create a VPC Lattice resource gateway in a VPC that can reach your private destination. Make sure the resource gateway's security group allows outbound traffic to your destination on the required port (for example, port 5671 for AMQPS (AMQP over TLS) or port 636 for LDAPS (LDAP over TLS)). The resource gateway must share at least one Availability Zone with the broker. Cluster brokers span multiple Availability Zones, so this requirement is satisfied. For single-instance brokers, verify the Availability Zone overlap.
- Create a VPC Lattice resource configuration pointing to your private destination (IP address or DNS name). If you're connecting to another Amazon MQ broker, specify the destination broker's endpoint as the custom domain name on the resource configuration, as shown in the following figure.
Figure 1: VPC Lattice resource configuration showing the custom domain name field and resource definition populated with the Amazon MQ broker endpoint.
- Add the resource configuration to a RAM resource share. The resource share must allow external principals, as shown in the following figure.
Figure 2: RAM resource share configuration with the Allow external principals option selected.
- Associate the resource share with your broker by editing the broker and adding the resource share. You can also do this using the update-broker command with the AWS CLI. You must pass the complete list of resource share ARNs you want on the broker. This is a put operation, not an add or remove operation. The associated RAM resource share appears as shown in the following figure.
Figure 3: Network settings view with associated RAM resource shares.
Select the resource share in the Associated RAM resource shares section. The network status of each shared resource is displayed in the Shared resources section, as shown in the following figure.
Figure 4: RAM resource share selection showing the network status of each shared resource.
- Reboot the broker from the AWS Management Console or the AWS CLI to create the network path:
- Retrieve the DNS names for your RabbitMQ configuration. This operation also surfaces issues encountered during setup:
- Use the DNS name returned in the output in your Shovel, Federation, or identity provider configuration. Adding new resource configurations to an existing RAM resource share doesn't automatically update the broker. You must call update-broker and reboot the broker for the new resource configurations to take effect.
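As an added example (not code from this post or from AWS), the following Python encodes the custom domain rules from the DNS names and TLS peer verification sections above together with the put semantics of update-broker from the walkthrough, and builds a Shovel definition from the resulting hostname; the endpoint pattern, the sample names, and the generated DNS name are assumptions.

```python
"""Plan hostnames for a Private Networking destination on an Amazon MQ for
RabbitMQ broker, following the naming rules in this post: an Amazon MQ broker
endpoint may be set as the (unverified) custom domain so the name matches the
destination's TLS certificate; anything else uses a verified custom domain or
the private DNS name returned by DescribeSharedResources. Example code, not
AWS tooling; the endpoint pattern is an assumption from the post's sample."""
import re
from urllib.parse import quote

# Assumption: endpoints look like the post's example, b-<id>.mq.<region>.on.aws.
AMAZON_MQ_ENDPOINT = re.compile(r"^b-[0-9a-z-]+\.mq\.[a-z0-9-]+\.on\.aws$", re.I)


def plan_hostname(destination, described_dns_name, verified_domain=None):
    """Return (custom_domain, hostname_to_configure, cert_note).

    destination: IP or DNS name the resource configuration points at.
    described_dns_name: name from DescribeSharedResources, used when no
    custom domain is accepted.
    """
    if verified_domain:
        # A verified domain resolves to the destination; whether the
        # destination's certificate covers it is yours to confirm.
        return verified_domain, verified_domain, "check-destination-cert"
    if AMAZON_MQ_ENDPOINT.match(destination):
        # The one unverified-domain exception: the Amazon MQ endpoint itself.
        return destination, destination, "matches"
    # Other unverified domains are ignored; the generated DNS name is used and
    # RabbitMQ 4 peer verification fails unless the destination cert covers it.
    return None, described_dns_name, "check-destination-cert"


def shovel_definition(host, user, password, queue, vhost="/", port=5671):
    """Dynamic Shovel parameter body that reaches the destination over AMQPS."""
    dest_uri = (f"amqps://{quote(user, safe='')}:{quote(password, safe='')}"
                f"@{host}:{port}/{quote(vhost, safe='')}")
    return {"src-protocol": "amqp091", "src-uri": "amqp://", "src-queue": queue,
            "dest-protocol": "amqp091", "dest-uri": dest_uri, "dest-queue": queue}


def resource_share_arns_for_update(current, add=(), remove=()):
    """update-broker is a put: always send the complete list, never a delta."""
    drop = set(remove)
    kept = [arn for arn in current if arn not in drop]
    return kept + [arn for arn in add if arn not in kept]
```

The `cert_note` of "check-destination-cert" flags the cases where RabbitMQ 4 peer verification can still fail, so confirm the destination certificate covers the returned hostname before enabling the Shovel.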
Cleaning up
Private Networking uses VPC Lattice and PrivateLink resources that incur ongoing costs. If you no longer need the private connection:
- Call update-broker with the resource share removed from the list (or an empty list to remove all), then reboot the broker.
- After the broker reboot completes and the resources are no longer in use, delete the VPC Lattice resource configuration and resource gateway.
- Optionally, remove the Amazon MQ account principal from the RAM resource share. This principal may still be in use if other brokers are associated with the same resource share, so only remove it if no other brokers depend on it.
- If you created a new Amazon MQ for RabbitMQ broker for this walkthrough and no longer need it, delete the broker from the Amazon MQ console or with the delete-broker command.
Operational behavior: Resource access and reboots
Removing a VPC Lattice resource configuration from a RAM resource share while the broker is actively using it revokes access immediately, with no reboot required. Removing a principal from a RAM resource share has the same effect: brokers associated through that principal lose access to the resources in the share immediately. These are intentional security behaviors managed by RAM and VPC Lattice.
Adding new resource configurations to an existing resource share doesn't take effect automatically. You must call update-broker and reboot the broker for the new resource configurations to take effect. This is by design. It ensures that changes to a resource share only reach the broker when someone with broker management permissions explicitly triggers the update, providing a clear security separation between share management and broker management.
Private Networking is available for Amazon MQ for RabbitMQ brokers in all AWS Regions where Amazon VPC Lattice is available. Amazon MQ for ActiveMQ brokers don't support this feature.
Pricing
Private Networking uses Amazon VPC Lattice and AWS PrivateLink. Data processing and data transfer charges apply to traffic sent through the private connection. There is an Amazon MQ charge of $0.01 per GB of data processed through the resource endpoint. For details, see the Amazon MQ pricing page, the VPC Lattice pricing page, and the AWS PrivateLink pricing page.
Conclusion
In this post, we explained how Private Networking for Amazon MQ for RabbitMQ works and walked through the setup process. Whether you're securing a private identity provider, federating messages between brokers, or connecting to self-hosted RabbitMQ, your broker can now reach private destinations without exposing them publicly.
To learn more, see the Amazon MQ Private Networking documentation.
If you have questions or feedback, leave a comment on this post.