Accessing the Amazon MQ broker web console without public accessibility
If you turn off public accessibility for your broker, you must perform the following steps to access the broker web console.
Prerequisites
To perform the following steps, you must configure the following:
- VPCs
  - The VPC without an internet gateway, to which the Amazon MQ broker is attached, named private-vpc.
  - A second VPC, with an internet gateway, named public-vpc.
  - Both VPCs must be connected (for example, using VPC peering) so that the Amazon EC2 instances in the public VPC can communicate with the EC2 instances in the private VPC.
  - If you use VPC peering, the route tables for both VPCs must be configured for the peering connection.
- Security groups
  - The security group used to create the Amazon MQ broker, named private-sg.
  - A second security group used for the EC2 instance in the public-vpc VPC, named public-sg.
  - private-sg must allow inbound connections from public-sg. We recommend restricting this security group to port 8162 for ActiveMQ, and port 443 for RabbitMQ.
  - public-sg must allow inbound connections from your machine on port 22.
To access the web console of an Amazon MQ broker without public accessibility
1. Create a Linux EC2 instance in public-vpc (with a public IP, if necessary).
2. To verify that your VPC is configured correctly, establish an ssh connection to the EC2 instance and use the curl command with the URI of your broker.
3. From your machine, create an ssh tunnel to the EC2 instance using the path to your private key file and the IP address of your public EC2 instance. For example:

   ssh -i ~/.ssh/id_rsa -N -C -q -f -D 8080 ec2-user@203.0.113.0

   A SOCKS forward proxy is started on port 8080 of your machine.
4. Install a proxy client such as FoxyProxy on your machine.
5. Configure your proxy client using the following settings:
   - For proxy type, specify SOCKS5.
   - For IP address, DNS name, and server name, specify localhost.
   - For port, specify 8080.
   - Remove any existing URL patterns.
   - For the URL pattern, specify *.mq.*.amazonaws.com*.
   - For the connection type, specify HTTP(S).

When you enable your proxy client, you can access the web console on your machine.
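The following script is an added example, not part of the Amazon MQ documentation, that wraps the procedure above into shell functions: it derives the console port from the engine (8162 for ActiveMQ, 443 for RabbitMQ, as recommended for the private-sg rule), applies the same *.mq.*.amazonaws.com* pattern the proxy client uses so that only broker console traffic goes through the tunnel, confirms before opening the tunnel that the console does not answer directly from your machine (which would mean public accessibility is still on), opens the ssh SOCKS tunnel exactly as in step 3, and then fetches the console through the proxy with curl. The https scheme for the console URL, the ec2-user login, and the broker host name, instance IP and key path are assumptions or constructed placeholders; set MQ_BROKER_HOST (and optionally MQ_ENGINE, MQ_INSTANCE_IP, MQ_KEY, MQ_LOCAL_PORT) to run it against your own setup.

```shell
#!/bin/sh
# Added example (not from the Amazon MQ documentation). Host names, IP addresses
# and key paths are constructed placeholders; supply your own via environment.

# Web-console port per engine, matching the private-sg recommendation on the page:
# 8162 for ActiveMQ, 443 for RabbitMQ. Returns 1 for an unknown engine.
console_port_for_engine() {
    case "$1" in
        [Aa]ctive[Mm][Qq]) echo 8162 ;;
        [Rr]abbit[Mm][Qq]) echo 443 ;;
        *) echo "unknown engine: $1" >&2; return 1 ;;
    esac
}

# Console URL for a broker endpoint. The https scheme is an assumption.
console_url() {
    engine=$1; host=$2
    port=$(console_port_for_engine "$engine") || return 1
    echo "https://${host}:${port}/"
}

# Same glob the page gives for the proxy client, so only Amazon MQ console
# traffic is sent through the tunnel; everything else stays direct.
matches_proxy_pattern() {
    case "$1" in
        *.mq.*.amazonaws.com*) return 0 ;;
        *) return 1 ;;
    esac
}

# The ssh invocation from step 3: -D opens a local SOCKS proxy on local_port,
# -N runs no remote command, -f backgrounds ssh once the tunnel is up.
build_tunnel_cmd() {
    key=$1; local_port=$2; instance_ip=$3
    echo "ssh -i ${key} -N -C -q -f -D ${local_port} ec2-user@${instance_ip}"
}

# Fetch the console through the SOCKS proxy. socks5h:// makes curl resolve the
# broker name on the EC2 side, which is what a private broker needs. Prints the
# HTTP status code (curl prints 000 when no connection could be made).
http_status_via_proxy() {
    url=$1; local_port=$2
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --max-time 10 --proxy "socks5h://localhost:${local_port}" "$url"
}

# Direct fetch without the proxy. With public accessibility turned off this
# should yield 000; any real HTTP status means the console is internet-reachable.
http_status_direct() {
    curl --silent --output /dev/null --write-out '%{http_code}' --max-time 10 "$1"
}

# Orchestrate: refuse URLs the proxy pattern would not cover, check the broker is
# not directly reachable, open the tunnel, then verify the console through it.
open_console_tunnel() {
    engine=$1; broker_host=$2; instance_ip=$3; key=$4; local_port=${5:-8080}
    url=$(console_url "$engine" "$broker_host") || return 1
    if ! matches_proxy_pattern "$url"; then
        echo "refusing: $url does not match *.mq.*.amazonaws.com*" >&2
        return 1
    fi
    if [ "$(http_status_direct "$url")" != "000" ]; then
        echo "warning: $url answered without the tunnel; check public accessibility" >&2
    fi
    echo "opening tunnel: $(build_tunnel_cmd "$key" "$local_port" "$instance_ip")"
    ssh -i "$key" -N -C -q -f -D "$local_port" "ec2-user@${instance_ip}" || return 1
    status=$(http_status_via_proxy "$url" "$local_port")
    echo "console $url via SOCKS localhost:${local_port}: HTTP $status"
    case "$status" in 2*|3*) return 0 ;; *) return 1 ;; esac
}

# Only touch the network when a broker host is supplied; otherwise the functions
# above can be sourced and used for offline checks.
if [ -n "${MQ_BROKER_HOST:-}" ]; then
    open_console_tunnel "${MQ_ENGINE:-ActiveMQ}" "$MQ_BROKER_HOST" \
        "${MQ_INSTANCE_IP:-203.0.113.0}" "${MQ_KEY:-$HOME/.ssh/id_rsa}" \
        "${MQ_LOCAL_PORT:-8080}"
fi
```

The direct-fetch check is the part worth keeping even if you never script the tunnel: a console that answers from your machine without the proxy means the broker was created with public accessibility on, and the private-vpc/private-sg prerequisites are not actually in force.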