For anyone that is interested, I think I have figured this one out.
The reason you can't just set a custom domain is that the service allows you to have a multi-AZ configuration, which means there is more than one broker. The best way to handle more than one broker with failover is a load balancer, so I think that is what you need to do.
I figured out you don't need a private broker; you can use a public one too. In the Amazon MQ console you only get the public IP, but if you go to EC2 -> Network Interfaces you will find the interface using the public IP you have, and from that you can get the private IP.
You need to do exactly the same in the Network Interfaces section of EC2 to get the private IPs of the load balancer (there will be 1-2 IPs). You need these private IPs to set up the load balancer and security group. These are the steps:
- Create an Amazon MQ instance (public or private)
  - I did a public broker
  - Also a single instance, not multi-AZ
- I already had a security group created, but if you don't have one, create one before or during setup
- I added rules to the security group for the 2 ports that you access the broker with:
  - 8162 - for the dashboard (HTTPS)
  - 61617 - for the broker (TLS)
- Navigate to EC2 -> Network Interfaces and get the private IP for the MQ broker (using the public IP allocated to your instance). If you created a private broker, you can skip this step
- Create a certificate for your subdomain in the ACM service of AWS. Validate it using either email or DNS
- Create an NLB (TCP) with the following settings:
  - Network Load Balancer (TCP/TLS/UDP)
  - Choose a name
  - Internet facing
  - TLS (Secure TCP) protocol for the listener
  - Port 61617
  - Availability zone the same as your broker (obviously the same VPC too)
  - Choose certificate from ACM
    - Find your certificate created in step 3. You need to validate it before it will show up here
  - Security policy: ELBSecurityPolicy-2016-08
  - ALPN policy: none
  - New target group - choose a name
    - Target type: IP
    - Protocol: TLS
    - Port: 61617
    - Health check protocol: HTTPS
    - Health check path: /index.html
    - Health check port (override): 8162
    - Registering your target: insert the private IP of your broker found in step 2 and click Add to list
  - Review
  - Finish
- Once the NLB is created, navigate to the security group you linked to the broker and add the NLB private IPs to it (I allowed all traffic, but you can limit it to just the 2 ports you need for the broker and the health checks, 61617 and 8162)
- Lastly, create a DNS record in Route 53 (an alias A record) that maps your subdomain to the domain name allocated to your NLB
This will give you the subdomain, using SSL, to access your broker.
You can do exactly the same thing with an Application Load Balancer (HTTPS) to access the console. I created a second LB, a new subdomain and a certificate to get this to work, and it worked a treat. The only differences between the two are that the listener is over HTTPS using port 8162, and you have to give 2 subnets when configuring; otherwise everything else is pretty much the same (especially the health checks).
Hope this helps anyone, as I couldn't find any docs that explicitly explained how and why to do this. Amazon has some docs, but they leave out a lot of detail or reasoning behind why you need to do things, and the blog post I found from them spoke only about doing this with a private broker.
Enjoy.
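The console procedure above, written out as Terraform so the same settings can be reviewed and reapplied. This is an added example and not the poster's own configuration; the variable names (`vpc_id`, `subnet_id`, `broker_public_ip`, `broker_sg_id`, `zone_id`, `broker_fqdn`), the resource names, and the assumption that the ACM certificate is already issued are mine. It follows the post's route of deriving the broker's private IP from the ENI that holds its public IP, and it restricts the security group to the two ports rather than allowing all traffic.

```hcl
# Added example: NLB with a TLS listener in front of a single public Amazon MQ
# broker, as in the steps above. Inputs below are assumed, not from the post.
variable "vpc_id"           { type = string }
variable "subnet_id"        { type = string } # same AZ and VPC as the broker
variable "broker_public_ip" { type = string } # shown in the Amazon MQ console
variable "broker_sg_id"     { type = string } # security group attached to the broker
variable "zone_id"          { type = string } # Route 53 hosted zone for the subdomain
variable "broker_fqdn"      { type = string } # placeholder, e.g. mq.example.com

# Step 2: find the broker's private IP via the ENI that carries its public IP.
data "aws_network_interface" "broker" {
  filter {
    name   = "association.public-ip"
    values = [var.broker_public_ip]
  }
}

# Step 3: the certificate must already be validated (ISSUED) or this lookup fails,
# which is the same constraint the console imposes.
data "aws_acm_certificate" "broker" {
  domain   = var.broker_fqdn
  statuses = ["ISSUED"]
}

# Step 4: internet-facing NLB in the broker's AZ.
resource "aws_lb" "broker" {
  name               = "mq-broker-nlb"
  load_balancer_type = "network"
  internal           = false
  subnets            = [var.subnet_id]
}

# IP target group on the TLS port; health check uses the HTTPS console on 8162.
resource "aws_lb_target_group" "broker" {
  name        = "mq-broker-tg"
  target_type = "ip"
  protocol    = "TLS"
  port        = 61617
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTPS"
    port     = "8162"
    path     = "/index.html"
  }
}

resource "aws_lb_target_group_attachment" "broker" {
  target_group_arn = aws_lb_target_group.broker.arn
  target_id        = data.aws_network_interface.broker.private_ip
  port             = 61617
}

# TLS listener terminated with the ACM certificate, re-encrypted to the broker.
resource "aws_lb_listener" "broker" {
  load_balancer_arn = aws_lb.broker.arn
  port              = 61617
  protocol          = "TLS"
  certificate_arn   = data.aws_acm_certificate.broker.arn
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  alpn_policy       = "None"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.broker.arn
  }
}

# Step 5: the NLB's ENIs are described as "ELB <arn_suffix>"; their private IPs
# are the source addresses the broker's security group must allow.
data "aws_network_interfaces" "nlb" {
  filter {
    name   = "description"
    values = ["ELB ${aws_lb.broker.arn_suffix}"]
  }
}

data "aws_network_interface" "nlb" {
  for_each = toset(data.aws_network_interfaces.nlb.ids)
  id       = each.value
}

# Only the broker port and the health-check port, from the NLB IPs alone.
resource "aws_security_group_rule" "from_nlb" {
  for_each          = toset(["61617", "8162"])
  type              = "ingress"
  security_group_id = var.broker_sg_id
  protocol          = "tcp"
  from_port         = tonumber(each.value)
  to_port           = tonumber(each.value)
  cidr_blocks       = [for eni in data.aws_network_interface.nlb : "${eni.private_ip}/32"]
}

# Step 6: alias A record mapping the subdomain to the NLB.
resource "aws_route53_record" "broker" {
  zone_id = var.zone_id
  name    = var.broker_fqdn
  type    = "A"

  alias {
    name                   = aws_lb.broker.dns_name
    zone_id                = aws_lb.broker.zone_id
    evaluate_target_health = false
  }
}
```

The NLB's ENI IDs do not exist until the load balancer has been created, so the `for_each` over them cannot be planned on a fresh run; apply `aws_lb.broker` first (for example with `-target=aws_lb.broker`) and then the rest, which mirrors the post's "once the NLB is created" ordering. For the console variant described above, swap the listener and target group protocols to HTTPS on 8162, use an `application` load balancer, and pass two subnets.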