This architecture provides restricted access to an Amazon MQ for RabbitMQ broker that has to be reached by public (internet-based) consumers.
To expose an Amazon MQ for RabbitMQ broker to public consumers without making the broker itself public, create the broker with private access (a private broker) and put an internet-facing Network Load Balancer (NLB) in front of it. Attach a security group to the NLB and use it to restrict inbound traffic to only the IP ranges you want to allow; clients then connect to the NLB's DNS name instead of the broker endpoint.
Below is the architecture associated with it:
Below are the high-level steps:
- Create an Amazon MQ for RabbitMQ broker with Access type set to Private access. This creates a broker that is not publicly accessible and can only be reached from inside its VPC.
- Once the broker is created, open the broker's detail page and note the host name of its endpoint.
- From a terminal, resolve that host name to its IP addresses with the host command (Linux) or nslookup (Windows). Do this from a machine that resolves the private endpoint the same way your VPC does.
- Create an internet-facing Network Load Balancer with IP-type target groups containing those addresses: one for port 5671 (AMQPS, used by RabbitMQ clients) and one for port 443 (the management console). The broker's addresses are not guaranteed to stay fixed, so watch target health and re-resolve and re-register the targets if they become unhealthy.
- Restrict access to the NLB with its security group: allow-list inbound TCP traffic on ports 443 and 5671 from your desired IP ranges only, and never use 0.0.0.0/0, which would make the private broker reachable from anywhere. The broker's own security group must also accept traffic arriving from the NLB (the NLB's private addresses, or the client addresses if client IP preservation is enabled on the target groups).
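The procedure above, scripted with the AWS CLI, as an added example that is not part of the original page. The broker host name, VPC ID, public subnet IDs, allow-listed CIDRs and the resource names rabbitmq-nlb, rabbitmq-nlb-sg and rabbitmq-tg-PORT are placeholders supplied by the caller; the script assumes it runs where the host command resolves the private broker endpoint (for example inside the VPC) with credentials allowed to create EC2 security groups and ELBv2 resources. It also refuses an allow list containing any /0 entry, so the private broker cannot be accidentally opened to the world.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): private RabbitMQ broker behind an
# internet-facing NLB with an allow-listed security group, built with the AWS CLI.
# Assumptions: broker host name, VPC ID, subnet IDs and CIDRs are passed in by the
# caller; resource names below are placeholders.
set -eu

# Ports from the page: 5671 = AMQPS (RabbitMQ clients), 443 = management console.
BROKER_PORTS="5671 443"

# Pull IPv4 addresses out of `host` output read from stdin, e.g.
#   "b-123.mq.us-east-1.amazonaws.com has address 10.0.1.23"
# (IPv6 lines read "has IPv6 address" and are deliberately skipped).
parse_host_ips() {
  awk '/ has address / { print $NF }'
}

# Turn a whitespace-separated IP list into register-targets arguments:
#   targets_for_port "10.0.1.23 10.0.2.45" 5671
#   -> "Id=10.0.1.23,Port=5671 Id=10.0.2.45,Port=5671"
targets_for_port() {
  local ips="$1" port="$2" out="" ip
  for ip in $ips; do
    out="${out:+$out }Id=${ip},Port=${port}"
  done
  printf '%s' "$out"
}

# Guard the allow list: every entry must be an IPv4 CIDR, and any /0 entry is
# rejected because it would make the "private" broker reachable from anywhere.
validate_allowlist() {
  local cidr
  for cidr in "$@"; do
    case "$cidr" in
      */0) return 1 ;;
    esac
    printf '%s\n' "$cidr" \
      | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  done
  return 0
}

# deploy BROKER_HOST VPC_ID "subnet-a subnet-b" CIDR [CIDR...]
deploy() {
  local broker_host="$1" vpc_id="$2" subnets="$3"; shift 3
  validate_allowlist "$@" || { echo "refusing to deploy with an unsafe allow list" >&2; return 1; }

  # Step 3 of the page: resolve the private broker endpoint to its IP addresses.
  local ips; ips=$(host "$broker_host" | parse_host_ips | tr '\n' ' ')
  [ -n "$ips" ] || { echo "could not resolve $broker_host" >&2; return 1; }

  # Step 5: security group for the NLB, allowing only the listed CIDRs on 443/5671.
  local sg_id; sg_id=$(aws ec2 create-security-group --group-name rabbitmq-nlb-sg \
      --description "Allow-listed access to private RabbitMQ broker" --vpc-id "$vpc_id" \
      --query GroupId --output text)
  local cidr port
  for cidr in "$@"; do
    for port in $BROKER_PORTS; do
      aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
          --protocol tcp --port "$port" --cidr "$cidr"
    done
  done

  # Step 4: internet-facing NLB (security group attached at creation) with
  # IP-type target groups holding the broker addresses, one per port.
  # shellcheck disable=SC2086  # word-splitting of the subnet list is intended
  local lb_arn; lb_arn=$(aws elbv2 create-load-balancer --name rabbitmq-nlb --type network \
      --scheme internet-facing --subnets $subnets --security-groups "$sg_id" \
      --query 'LoadBalancers[0].LoadBalancerArn' --output text)
  local tg_arn
  for port in $BROKER_PORTS; do
    tg_arn=$(aws elbv2 create-target-group --name "rabbitmq-tg-$port" --protocol TCP \
        --port "$port" --vpc-id "$vpc_id" --target-type ip \
        --query 'TargetGroups[0].TargetGroupArn' --output text)
    # shellcheck disable=SC2046  # word-splitting of the Id=...,Port=... list is intended
    aws elbv2 register-targets --target-group-arn "$tg_arn" --targets $(targets_for_port "$ips" "$port")
    aws elbv2 create-listener --load-balancer-arn "$lb_arn" --protocol TCP --port "$port" \
        --default-actions "Type=forward,TargetGroupArn=$tg_arn"
  done
  echo "NLB: $lb_arn (security group $sg_id)"
}

# Only deploy when explicitly asked, e.g.:
#   ./nlb.sh deploy b-xxxx.mq.us-east-1.amazonaws.com vpc-0abc "subnet-0a subnet-0b" 203.0.113.0/24
if [ "${1:-}" = "deploy" ]; then
  shift
  deploy "$@"
fi
```

The security group is passed to create-load-balancer rather than added later because an NLB created without a security group cannot have one associated afterwards. The broker's own security group still has to admit the NLB's traffic, and because the registered targets are plain IP addresses, re-run the resolve-and-register part whenever the target groups report unhealthy targets.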
You can refer to this reference blog for detailed steps.