
AWS private connectivity
How to set up private connectivity for IBM® MQ as a Service reserved instances by using AWS PrivateLink.
Using AWS PrivateLink enables secure, private connections from AWS accounts to IBM MQ as a Service without exposing traffic to the public internet.
Prerequisites
- You must have provisioned an IBM MQ as a Service Reserved Instance.
- You must assign the IBM MQ network admin role to the IBM MQ as a Service networking administrator performing the configuration:
  - Go to the IBM MQ as a Service Console at https://aws.console.saas.ibm.com. For help, see https://www.ibm.com/docs/en/saas-console?topic=console-getting-started-saas.
  - Go to Access Management and find the user that will configure IBM MQ as a Service private connectivity.
  - Select the IBM MQ network admin role.
  - Click Save.
AWS private inbound connections
For private inbound connections, IBM MQ as a Service acts as the Provider side and end user applications act as the Consumer side of the AWS PrivateLink connection.
These are the possible states for an IBM MQ as a Service Reserved Instance’s private connection:
- Action Needed: Initial state, no AWS service consumer ARNs (AWS IAM roles) have been configured. Only allow-listed AWS IAM role ARNs have permission to establish connections. Go to Step 1 below.
- Inactive: AWS IAM role ARNs have been configured, but no connections have been established yet. Go to Step 2 below.
- Active: Connections have been established.
The following steps describe how to establish an inbound connection from your AWS account (or third party accounts) to your IBM MQ as a Service Reserved Instance.
Step 1 - IBM MQ as a Service side (Provider) - Configure AWS service consumer ARNs
An AWS PrivateLink endpoint service has already been created for your Reserved Instance. AWS IAM roles must be allow-listed before they can create VPC endpoints in AWS consumer accounts for your IBM MQ as a Service Reserved Instance over the AWS private network.
- Open the IBM MQ as a Service Console, https://aws.console.saas.ibm.com.
- Open the IBM MQ as a Service UI for your Reserved Instance.
- Go to the Networking tab:
  - The initial state of the Private Inbound connection is Action Needed, indicating that no AWS IAM role ARNs have been configured yet.
- Open the configuration panel for the Private Inbound connection:
  - Enter the AWS IAM role ARNs (in the format arn:aws:iam::{account-id}:role/{role-name}). Note: It is recommended that you create a specific IAM role in your AWS account to create VPC endpoints for IBM MQ as a Service. IAM role ARNs can be defined in your AWS account or in a third party account (where you want that account to have access to queue managers in your Reserved Instance over an AWS private network).
  - Click Save.
- Return to the Networking tab and check the state of the Private Inbound connection:
  - The Inactive state indicates no connections have yet been established from consumer accounts to your Reserved Instance.
  - Copy the Endpoint Service Name of your Private Inbound connection. It is needed to configure the consumer side of the AWS PrivateLink in your AWS account.
Step 2 - AWS Consumer side - Create a VPC endpoint
In your AWS account:
- Assume the IAM role that was allow-listed for your IBM MQ as a Service Private Inbound connection.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Endpoints.
- Choose Create endpoint.
- For Type, choose Endpoint services that use NLBs and GWLBs.
- For Service name, enter the Endpoint Service Name of your IBM MQ as a Service Private Inbound connection, and then choose Verify service.
- For VPC, select the VPC from which you will access the endpoint service.
- For Additional settings, select Enable Private DNS name.
- For Subnets, select the subnets in which to create an endpoint network interface.
- Optionally add a tag. Choose Add new tag and enter the tag key and the tag value.
- Assign a Security group to your VPC endpoint. Note: Inbound traffic to the VPC endpoint on port 443 must be allowed.
- Choose Create endpoint. The initial status is Pending. If the IAM role has already been allow-listed, your IBM MQ as a Service Private Inbound connection approves the connection request and the status becomes Available.
For the VPC endpoint that you just created, the Private DNS names attribute gives the wildcarded private subdomain for all the IBM MQ queue managers in your Reserved Instance (for example, *.qm123.private.us-east-1.mq.ibmappdomain.cloud).
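As an added example that is not part of the IBM documentation and not IBM's or AWS's code, the following Python checks the inputs that Step 1 and Step 2 depend on: the IAM role ARNs entered on the provider side (this example accepts only ARNs in the arn:aws:iam::{account-id}:role/{role-name} form, so IAM user ARNs and STS assumed-role ARNs are rejected), the parameters of the consumer-side endpoint request, and whether the security group attached to the endpoint admits inbound TCP/443. The parameter names follow boto3's EC2.Client.create_vpc_endpoint; the endpoint service name, VPC, subnet and security group ids in the usage section are constructed placeholders.

```python
"""Added example (not IBM's or AWS's code): checks for the inputs of Step 1
(provider-side IAM role ARN allow-list) and Step 2 (consumer-side VPC endpoint).

Assumptions: parameter names follow boto3's EC2.Client.create_vpc_endpoint;
all ids and the endpoint service name used under __main__ are constructed."""
import re

# An IAM role ARN: arn:aws:iam::<12-digit account>:role/<optional path/><name>.
# Only role ARNs belong on the allow-list; IAM user ARNs and STS assumed-role
# ARNs are rejected here because the provider side matches on the role ARN.
ROLE_ARN_RE = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):role/"
    r"(?P<path>(?:[\w+=,.@-]+/)*)(?P<name>[\w+=,.@-]+)$"
)


def validate_role_arns(arns):
    """Split candidate ARNs into (accepted, rejected); rejected carries a reason."""
    accepted, rejected = [], []
    for raw in arns:
        arn = raw.strip()
        match = ROLE_ARN_RE.match(arn)
        if match is None:
            rejected.append((arn, "not an IAM role ARN"))
        elif len(match.group("name")) > 64:          # IAM role-name length limit
            rejected.append((arn, "role name longer than 64 characters"))
        else:
            accepted.append(arn)
    return accepted, rejected


def build_endpoint_request(service_name, vpc_id, subnet_ids, security_group_ids, tags=None):
    """Build the kwargs for ec2.create_vpc_endpoint(**kwargs), mirroring the console steps."""
    if not service_name.startswith("com.amazonaws.vpce."):
        raise ValueError("use the Endpoint Service Name copied from the Networking tab")
    if not subnet_ids:
        raise ValueError("at least one subnet is needed for the endpoint network interface")
    if not security_group_ids:
        raise ValueError("attach a security group that allows inbound TCP/443")
    request = {
        "VpcEndpointType": "Interface",   # console: "Endpoint services that use NLBs and GWLBs"
        "ServiceName": service_name,
        "VpcId": vpc_id,
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": True,        # console: "Enable Private DNS name"
    }
    if tags:
        request["TagSpecifications"] = [{
            "ResourceType": "vpc-endpoint",
            "Tags": [{"Key": k, "Value": v} for k, v in tags.items()],
        }]
    return request


def allows_inbound_443(security_group):
    """True if an entry from ec2.describe_security_groups() admits inbound TCP/443.

    The queue managers are reached through the endpoint on port 443, so an
    endpoint whose security group lacks this rule shows Available but is unreachable."""
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":
            return True
        if proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", -1):
            return True
    return False


if __name__ == "__main__":
    ok, bad = validate_role_arns([
        "arn:aws:iam::123456789012:role/mq-privatelink-consumer",   # constructed
        "arn:aws:iam::123456789012:user/alice",                      # constructed, rejected
    ])
    print("allow-list:", ok, "rejected:", bad)
    req = build_endpoint_request(
        "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",  # constructed
        "vpc-0123456789abcdef0", ["subnet-0123456789abcdef0"], ["sg-0123456789abcdef0"],
        tags={"Name": "mq-saas-endpoint"},
    )
    print(req)
    print("443 open:", allows_inbound_443(
        {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}]}))
```

Run the ARN check on the list before pasting it into the provider-side panel; a rejected entry is usually a user or assumed-role ARN copied from a session rather than the role itself. The endpoint request is built but not sent here; pass it to a boto3 EC2 client from the allow-listed role to reproduce the console steps.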
Now you are ready to start connecting IBM MQ applications to queue managers in your IBM MQ as a Service Reserved Instance over the AWS private network.
Connecting an IBM MQ client to an IBM MQ as a Service queue manager
- Complete the steps previously described for establishing a private inbound connection. (See AWS private inbound connections.)
- Configure access for the IBM MQ client as described in Configuring access for connecting an application to a queue manager.
- Configure and test the IBM MQ client as described in Connecting a sample application to a queue manager.
- To administer the queue manager, see the available options in Administering a queue manager.
Connecting an on-prem IBM MQ queue manager to an IBM MQ as a Service queue manager
When connecting an on-premises queue manager to a cloud queue manager, an inbound private networking connection is required. This allows connections to be initiated from the on-prem queue manager only. This section describes how to configure IBM MQ to create a bi-directional connection initiated from the on-prem queue manager.
- Configure your on-prem connectivity to have access to your VPC in AWS using AWS VPN or AWS Direct Connect.
- Complete the steps previously described for establishing a private inbound connection from your VPC in AWS to your IBM MQ as a Service Reserved Instance. (See AWS private inbound connections.)
- Use runmqsc to configure the following channels on the cloud queue manager. (You can alternatively define these channels by using the mq.ibmappdomain.cloud web console, or the IBM MQ REST API.)

    * Receiver Channel
    DEFINE CHANNEL(CLIENT.TO.CLOUD) CHLTYPE(RCVR) TRPTYPE(TCP) SSLCIPH('ANY_TLS12_OR_HIGHER') SSLCAUTH(OPTIONAL)
    SET CHLAUTH('CLIENT.TO.CLOUD') TYPE(QMGRMAP) QMNAME('CLIENT01') ACTION(ADD) USERSRC(CHANNEL)
    REFRESH SECURITY(*) TYPE(CONNAUTH)

    * Server Channel
    DEFINE QLOCAL('TO.ONPREM') USAGE(XMITQ)
    DEFINE CHANNEL(CLOUD.TO.CLIENT) CHLTYPE(SVR) TRPTYPE(TCP) XMITQ('TO.ONPREM') SSLCIPH('ANY_TLS12_OR_HIGHER') CERTLABL('qmgrcert') SSLCAUTH(OPTIONAL)
    REFRESH SECURITY(*) TYPE(SSL)
    SET CHLAUTH('CLOUD.TO.CLIENT') TYPE(QMGRMAP) QMNAME('CLIENT01') ACTION(ADD) USERSRC(CHANNEL)
    REFRESH SECURITY(*) TYPE(CONNAUTH)

    * Remote Queue
    DEFINE QREMOTE(ONPREM.REMOTE.QUEUE) RNAME(DEV.QUEUE.1) RQMNAME('CLIENT01') XMITQ('TO.ONPREM')

- Use runmqsc to configure the following channels on the on-prem queue manager. (You can alternatively define these channels by using the IBM MQ console, or the IBM MQ REST API.)

    * Sender Channel
    DEFINE QLOCAL('TO.CLOUD') USAGE(XMITQ)
    DEFINE CHANNEL(CLIENT.TO.CLOUD) CHLTYPE(SDR) CONNAME('<cloudqm_hostname>(443)') TRPTYPE(TCP) XMITQ('TO.CLOUD') SSLCIPH('ANY_TLS12_OR_HIGHER')
    SET CHLAUTH('CLIENT.TO.CLOUD') TYPE(QMGRMAP) QMNAME('CLOUDQM1') ACTION(ADD) USERSRC(CHANNEL)
    REFRESH SECURITY(*) TYPE(CONNAUTH)
    START CHANNEL('CLIENT.TO.CLOUD')

    * Requester Channel
    DEFINE CHANNEL(CLOUD.TO.CLIENT) CHLTYPE(RQSTR) CONNAME('<cloudqm_hostname>(443)') TRPTYPE(TCP) SSLCIPH('ANY_TLS12_OR_HIGHER') CERTLABL('qmgrcert')
    REFRESH SECURITY(*) TYPE(SSL)