best practices for using rabbitmq over internet


Jörg Jenni

Apr 28, 2018, 6:24:17 AM
to rabbitmq-users
Hi there

Even though I've read quite a lot about RabbitMQ, I can't really figure out if and how RabbitMQ could be used in my scenario.

We sell one software product that is installed in different environments depending on the client's requirements. Some instances of our product are hosted in the cloud by us, but many instances are hosted by clients themselves in their respective environments. We would now like to connect ALL instances with one backend using RabbitMQ.

How can we connect those instances that are hosted by our clients themselves in the least intrusive way to our backend? What we don't want is to have to endlessly discuss/manage firewall, port and VPN configurations with our clients. I believe the easiest way would be to use HTTPS (port 443), or is this assumption wrong? I see this is possible in principle, but the lack of libraries makes me think it's not really something that many do.

What is best practice here? How can I connect systems over the internet in the least intrusive way?

Thanks for any thoughts!

Jorg

Michael Klishin

Apr 28, 2018, 8:51:48 AM
to rabbitm...@googlegroups.com
You can have a set of dedicated client connection endpoints on the public Internet
(using domain names such as collector1.megacorp.com, collector2.megacorp.com and so on),
which will use a proxy, load balancer or similar (e.g. Nginx for HTTP location rewrites) to route client traffic to
a RabbitMQ cluster. It can also perform TLS termination if that makes sense, or pass TLS traffic directly to RabbitMQ.

Federation and Shovel plugins are known to be used in "PoS style aggregation" from multiple independent locations or installations
into a centralized cluster. The most common scenario involves local clients at each location publishing to their local RabbitMQ cluster
and Shovel moving messages across WAN to a remote one.

If you have installations that are installed on premises it is important
to consider how they would be provisioned and operated with a significantly different architecture that uses Shovels (for example).
Whether such on premises installations would allow outgoing client or Shovel traffic is another question that immediately comes to mind: if they won't,
the entire idea is likely a no-go.

That's about as much as I can suggest given the amount of information provided. That and: we do not recommend exposing
entire RabbitMQ clusters to the public Internet. In most cases a set of proxy nodes of some kind (HAProxy is a commonly used tool for this purpose)
is worth having because it gives you certain means for abuse prevention that RabbitMQ itself does not and likely won't any time soon.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ
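The edge layout described in the answer above, as an added worked example (it is not part of the thread and not RabbitMQ's or HAProxy's own documentation): a single HAProxy instance answering on port 443 under the collector hostnames from the post, passing TLS straight through to a private RabbitMQ cluster on 5671 and applying the per-source abuse limits that the broker itself does not offer. The backend IP addresses, the rate thresholds and the file path are assumptions; the hostnames collector1/collector2.megacorp.com are taken from the post.

```haproxy
# /etc/haproxy/haproxy.cfg  (added example; addresses, hostnames and
# thresholds are assumptions, not values from the thread)
global
    log /dev/log local0
    maxconn 20000

defaults
    log     global
    mode    tcp
    option  tcplog
    # AMQP connections are long-lived. Keep the proxy timeouts well above
    # the client/broker heartbeat interval (RabbitMQ's default is 60s),
    # otherwise HAProxy silently cuts idle connections and every on-prem
    # client reconnects in lock-step.
    timeout connect 5s
    timeout client  15m
    timeout server  15m

# Public entry point: the only port the customer firewall ever has to allow.
frontend collector_443
    bind *:443
    # Abuse prevention per source IP: track concurrent connections and the
    # connection rate over the last minute and drop offenders at accept time,
    # before any bytes reach the broker. Tune for ~100 legitimate clients.
    stick-table type ip size 100k expire 10m store conn_cur,conn_rate(60s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc_conn_cur(0) gt 20 }
    tcp-request connection reject if { sc_conn_rate(0) gt 30 }
    # TLS passthrough with SNI routing: peek at the ClientHello without
    # terminating TLS, so the TLS session (and optional client-certificate
    # authentication) stays end-to-end between the on-prem client and RabbitMQ.
    tcp-request inspect-delay 5s
    acl is_tls  req.ssl_hello_type 1
    acl sni_ok  req.ssl_sni -i collector1.megacorp.com collector2.megacorp.com
    # Reject TLS handshakes for any other name, then anything that is not TLS.
    tcp-request content reject if is_tls !sni_ok
    tcp-request content accept if is_tls
    tcp-request content reject
    default_backend rabbitmq_amqps

# Brokers listen on 5671 (AMQPS) on a private network only and are never
# bound to a public address. send-proxy-v2 forwards the real client IP via
# the PROXY protocol; that requires `proxy_protocol = true` in rabbitmq.conf,
# without which the broker rejects the handshake. Leave it out if you do not
# need client addresses in the broker's connection logs.
backend rabbitmq_amqps
    balance leastconn
    option tcp-check
    server rmq1 10.0.0.11:5671 check send-proxy-v2
    server rmq2 10.0.0.12:5671 check send-proxy-v2
    server rmq3 10.0.0.13:5671 check send-proxy-v2
```

The on-prem client then connects with plain AMQPS to collector1.megacorp.com:443 with certificate verification and hostname checking turned on; nothing in the customer network needs to know that port 443 carries AMQP rather than HTTPS. Because TLS is not terminated at the proxy, the brokers can additionally require client certificates (`ssl_options.verify = verify_peer` and `ssl_options.fail_if_no_peer_cert = true` in rabbitmq.conf), which gives each installation a credential that can be revoked without touching the others. If you prefer the termination variant the answer also mentions, change the bind line to `bind *:443 ssl crt /etc/haproxy/certs/collector.pem` and point the backend at plain 5672, accepting that AMQP then travels in clear text between proxy and brokers.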

Jörg Jenni

Apr 28, 2018, 11:14:50 AM
to rabbitmq-users

Thanks a lot for your thorough answer.

We don't have much control over the policies of those clients that use our system on-premise. The on-premise system is a monolith, and messages would only be used to communicate with the backend (yes, sort of PoS-style aggregation with the backend). It therefore seems, not knowing a lot about Federation and Shovel, that an on-premise RabbitMQ server is overkill. The maybe naive assumption is that our monolith is a simple client of a central RabbitMQ server that is deployed in the backend. I estimate we would not have more than 1 message/second (or less) exchanged with the backend. But we would have up to 100 on-premise clients.

Our monolith already exposes an HTTPS endpoint (via reverse proxy) to the internet, and the easiest would be if all RabbitMQ traffic could somehow be channeled through that. I've also looked at cloud messaging like Amazon SNS or Google Firebase Cloud Messaging, which is maybe much closer to what I envision, but since I'm not sure we can do that politically (dependence and not open source) I still wonder how I could use RabbitMQ in that scenario.

Is the idea to connect our on-premise monolith with the backend exclusively through HTTPS practical at all, or am I better off with e.g. Amazon SNS?

Thanks again. 

Jorg

Michael Klishin

Apr 28, 2018, 11:19:10 PM
to rabbitm...@googlegroups.com
If you are sure your clients can recover from connection failures and all, they can connect
to a remote cluster over WAN.
