How to access the Amazon MQ broker web console using Systems Manager Session Manager's port forwarding feature
I tried accessing the Amazon MQ broker web console using Systems Manager Session Manager's port forwarding feature.
The following document uses SSH port forwarding to connect to a private broker.
I tried connecting using the port forwarding function of Systems Manager Session Manager instead of SSH.
https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/accessing-web-console-of-broker-without-public-accessibility.html
Merit of using Systems Manager Session Manager
There is no need to expose the SSH port and no need to set a public IP address, which has merit in terms of security.
Additionally, CloudTrail retains the StartSession API history, making it easy to track who connected.
AWS Components Diagram
The AWS architecture looks like this:
Preparation before connection
Please install the AWS CLI using the steps in the document below.
https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
Please install the Session Manager plugin by following the steps in the document below.
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
AWS resource creation
Create AWS resources using the CloudFormation template below.
Save the template below with the file name "RabbitMQ.yaml".
AWSTemplateFormatVersion: "2010-09-09"
Description: port forwarding Stack
Metadata:
# ------------------------------------------------------------#
# Metadata
# ------------------------------------------------------------#
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Parameters for VPC
Parameters:
- VPCCIDR
- Label:
default: Parameters for Subnet
Parameters:
- PrivateSubnet01CIDR
- Label:
default: Parameters for EC2
Parameters:
- EC2VolumeSize
- EC2VolumeIOPS
- EC2AMI
- EC2InstanceType
- Label:
default: Parameters for MQ
Parameters:
- MQUserPass
- MQUserName
Parameters:
# ------------------------------------------------------------#
# Parameters
# ------------------------------------------------------------#
VPCCIDR:
Default: 10.1.0.0/16
Type: String
PrivateSubnet01CIDR:
Default: 10.1.0.0/24
Type: String
EC2VolumeSize:
Default: 32
Type: Number
EC2VolumeIOPS:
Default: 3000
Type: Number
EC2AMI:
Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64
Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
EC2InstanceType:
Default: t3.micro
Type: String
MQUserPass:
Type: String
NoEcho: true
MQUserName:
Default: testuser
Type: String
Resources:
# ------------------------------------------------------------#
# VPC
# ------------------------------------------------------------#
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VPCCIDR
EnableDnsSupport: true
EnableDnsHostnames: true
Tags:
- Key: Name
Value: test-vpc
# ------------------------------------------------------------#
# Subnet
# ------------------------------------------------------------#
PrivateSubnet01:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: ap-northeast-1a
CidrBlock: !Ref PrivateSubnet01CIDR
Tags:
- Key: Name
Value: test-private-01
VpcId: !Ref VPC
# ------------------------------------------------------------#
# RouteTable
# ------------------------------------------------------------#
PrivateRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: test-private-rtb
PrivateRtAssociation1:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PrivateRouteTable
SubnetId: !Ref PrivateSubnet01
# ------------------------------------------------------------#
# Security Group
# ------------------------------------------------------------#
EC2SGSSM:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: for EC2
GroupName: EC2-sg
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
FromPort: -1
IpProtocol: -1
ToPort: -1
Tags:
- Key: Name
Value: EC2-sg
VpcId: !Ref VPC
MQSG:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: for MQ
GroupName: MQ-sg
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
FromPort: -1
IpProtocol: -1
ToPort: -1
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref EC2SGSSM
FromPort: 443
IpProtocol: tcp
ToPort: 443
Tags:
- Key: Name
Value: MQ-sg
VpcId: !Ref VPC
VPCEndpointSG:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: for Systems Manager
GroupName: VPCEndpoint-sg
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
FromPort: -1
IpProtocol: -1
ToPort: -1
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref EC2SGSSM
FromPort: 443
IpProtocol: tcp
ToPort: 443
Tags:
- Key: Name
Value: VPCEndpoint-sg
VpcId: !Ref VPC
# ------------------------------------------------------------#
# VPC Endpoint
# ------------------------------------------------------------#
SystemsManagerEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
VpcEndpointType: Interface
PrivateDnsEnabled: true
ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
VpcId: !Ref VPC
SubnetIds:
- !Ref PrivateSubnet01
SecurityGroupIds:
- !Ref VPCEndpointSG
SystemsManagerMessageEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
VpcEndpointType: Interface
PrivateDnsEnabled: true
ServiceName: !Sub com.amazonaws.${AWS::Region}.ssmmessages
VpcId: !Ref VPC
SubnetIds:
- !Ref PrivateSubnet01
SecurityGroupIds:
- !Ref VPCEndpointSG
# ------------------------------------------------------------#
# IAM
# ------------------------------------------------------------#
EC2IAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
RoleName: iam-role-ec2
Tags:
- Key: Name
Value: iam-role-ec2
EC2IAMInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
InstanceProfileName: iam-instanceprofile-ec2
Roles:
- !Ref EC2IAMRole
# ------------------------------------------------------------#
# EC2
# ------------------------------------------------------------#
EC2SSM:
Type: AWS::EC2::Instance
Properties:
BlockDeviceMappings:
- DeviceName: /dev/xvda
Ebs:
DeleteOnTermination: true
Encrypted: true
Iops: !Ref EC2VolumeIOPS
VolumeSize: !Ref EC2VolumeSize
VolumeType: gp3
DisableApiTermination: false
IamInstanceProfile: !Ref EC2IAMInstanceProfile
ImageId: !Ref EC2AMI
InstanceType: !Ref EC2InstanceType
NetworkInterfaces:
- DeleteOnTermination: true
DeviceIndex: 0
GroupSet:
- !Ref EC2SGSSM
SubnetId: !Ref PrivateSubnet01
Tags:
- Key: Name
Value: test-ec2-ssm
# ------------------------------------------------------------#
# MQ
# ------------------------------------------------------------#
MQ:
Type: AWS::AmazonMQ::Broker
Properties:
BrokerName: test-mq
DeploymentMode: SINGLE_INSTANCE
EngineType: RABBITMQ
HostInstanceType: mq.t3.micro
PubliclyAccessible: false
SecurityGroups:
- !Ref MQSG
SubnetIds:
- !Ref PrivateSubnet01
Users:
- Password: !Ref MQUserPass
Username: !Ref MQUserName
After saving the file, run the following AWS CLI command.
Please enter the password to be set in RabbitMQ in "ParameterValue".
aws cloudformation create-stack --stack-name mq --template-body file://RabbitMQ.yaml --parameters ParameterKey=MQUserPass,ParameterValue=yyyyy --capabilities CAPABILITY_NAMED_IAM
Can check the resource creation status by checking the CloudFormation console.
Connection
Once the resource creation is complete, check the RabbitMQ web console URL from the Amazon MQ console.
After confirming the URL, start the session with the following command.
aws ssm start-session \
--target "EC2 Instance ID" \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters host="<hostid>.mq.<your-region>.amazonaws.com",portNumber=443,localPortNumber="4443" \
--region="your-region"
When "Waiting for connections..." appears, access the following URL from your browser.
https://localhost:4443
After connecting from a browser, you can log in by entering "testuser" as the username and the password you entered when creating the resource as the password.
- Topics
- Application Integration
- Tags
- Amazon MQ
- Language
- English
Relevant content
- AWS OFFICIALUpdated 4 years ago
- AWS OFFICIALUpdated 6 months ago
