RabbitMQ for PCF v1.7.40

Configuring the RabbitMQ® Service

To configure RabbitMQ for Pivotal Cloud Foundry (PCF), navigate to the tile in the Ops Manager Installation Dashboard and click the Settings tab.

You can configure the following items:

Management Dashboard

You must choose an admin username and password for RabbitMQ.

This will grant you full admin access to RabbitMQ through the Management UI.

Config credentials

Note: To rotate your administrator credentials, enter a new username and password, save your options, and redeploy by returning to the Ops Manager Installation Dashboard and clicking Apply Changes.


You can choose which plugins you want to enable.

You must leave the management plugin enabled otherwise nothing will work.

Config plugins

Click here for more information about RabbitMQ plugins

HAProxy Ports

You can choose which ports HAProxy should load balance to the RabbitMQ nodes.

Config haproxy

By default, all the default ports of all the available plugins will be load-balanced.

However, if you install extra protocol plugins, or provide a custom configuration which changes the ports that RabbitMQ listens on then you must update the list of load-balanced ports.

Note that you must always leave the management plugin listening on port 15672 and load balance that port.

If you change the topology of your RabbitMQ cluster, the HAProxy is automatically reconfigured during the deployment.

Port to protocol mappings

  • 15672 = Management dashboard
  • 5672 = RabbitMQ
  • 5671 = RabbitMQ SSL
  • 1883 = MQTT
  • 8883 = MQTT SSL
  • 61613 = STOMP
  • 61614 = STOMP SSL
  • 15674 = Web STOMP
  • 4567 = RabbitMQ Service Broker
  • 3457 - 3459 = CF Loggregator
  • 4001 = CF Loggregator - Doppler
  • 8300 - 8301 = Consul

Security Groups

To enable access to the RabbitMQ tile service, you must ensure your security group allows access to the HAProxy and RabbitMQ Service Broker VMs configured in your deployment. You can obtain the IP addresses for these from the Ops Manager Status page for the RabbitMQ tile. Ensure the following ports are enabled for those VMs:

  • Inbound
Port(s) Protocol(s) Source Reason
15672 tcp Broker and internet(*) Allowing access to the RabbitMQ Management Dashboard & API
5671 - 5672 tcp All AMQP clients RabbitMQ will listen on those ports for AMQP
1883, 8883 tcp All MQTT clients RabbitMQ will listen on those ports for MQTT
61613, 61614 tcp All STOMP clients RabbitMQ will listen on those ports for STOMP
15674 tcp All Web STOMP clients RabbitMQ will listen on this port for STOMP-over-WebSockets
4567 tcp ERT ERT sends commands to the Service Broker for RabbitMQ
3457 - 3459 tcp ERT Between RabbitMQ and ERT network for Metrics
8300 - 8301 tcp, udp ERT Between RabbitMQ and ERT network for Consul

(*) Everyone that needs to access the RabbitMQ Management Dashboard & API externally

  • Outbound
Port(s) Protocol(s) Destination Reason
3457 - 3459 tcp ERT Between RabbitMQ and ERT network for Metrics
4001 tcp ERT From RabbitMQ to ERT (etcd) for Metron
8300 - 8301 tcp, udp ERT Between RabbitMQ and ERT network for Consul

The following is a template for configuring your Cloud Foundry security groups: [ {"protocol":"tcp","destination":"<haproxy-node-IP-addresses>","ports":"5671,5672,1883,8883,61613,61614,15672,15674"}, {"protocol":"tcp","destination":"<service-broker-node-IP-addresses>","ports":"4567"} ]

Application Security Groups

To allow this service to have network access you must create Application Security Groups (ASGs).

Note: The service is unusable without Application Security Groups.

Application Container Network Connections

Application containers that use instances of the RabbitMQ service require the following outbound network connections:

Destination Ports Protocol Reason
HAProxy IPs 5672 tcp Application containers using AMQP
HAProxy IPs 5671 tcp Application containers using AMQP over SSL
HAProxy IPs 1883 tcp Application containers using MQTT
HAProxy IPs 8883 tcp Application containers using MQTT over SSL
HAProxy IPs 61613 tcp Application containers using STOMP
HAProxy IPs 61614 tcp Application containers using STOMP over SSL
HAProxy IPs 61613 tcp Application containers using Web STOMP

Create an ASG name rabbitmq-app-containers with the above configuration and bind it to the appropriate space, or, to provide access to all started apps, bind it to the default-running ASG set and restart your apps. If you are using an external load balancer or have more than one IP address for HAProxy, you must also create egress rules for these. Example:

      "ports": "5671-5672",
      "protocol": "tcp",
      "destination": ""


You can provide SSL certificates and keys for use by the RabbitMQ cluster.

Config ssl

SSL is simultaneously provided on the AMQPS port (5671) and the management port (15672).

If you provide SSL keys and certificates, you disable non-SSL support.

No other plugins are automatically configured for use with SSL.

SSL settings are applied equally across all machines in the cluster.

For more information about SSL support, see

You can provide an Erlang cookie to be used by the cluster. This can be useful if you want to connect directly to the RabbitMQ cluster, such as with rabbitmqctl, or to connect other machines running Erlang.

Config erlang

Scaling Known Issue

If you have not set the Erlang cookie and you want to scale-out your cluster size. You’ll need to perform the following steps:

  • Follow the steps for troubleshooting with the BOSH CLI
  • bosh ssh rabbitmq-server/0
  • sudo -i
  • echo $(cat /var/vcap/store/rabbitmq/.erlang.cookie)
  • Paste the value from the above command into the Erlang cookie field displayed above.

You’ll then be able to adjust the size of your cluster and run Apply Changes.

Changing the Value Known Issue

If you want to change your Erlang cookie value, it’s required that you stop your RabbitMQ cluster first. To do this, target your BOSH Director, then issue a bosh stop rabbitmq-server command.

RabbitMQ Config

You can provide a full rabbitmq.config file, if you want.

Config rabbitmq

This file is then provided to all the nodes in the cluster.

For more information about the RabbitMQ configuration, see

TLS Support

TLS v1.0 is disabled by default, due to insecurities.

Config tls1

You can enable it again by selecting the checkbox.

TLS v1.1 and 1.2 are enabled by default and cannot be turned on or off.

External load balancer

Config elb

You can configure a DNS name or IP address of an external load balancer to be returned in the binding credentials (VCAP_SERVICES) to application developers.

Assigned IPs

RabbitMQ for PCF does not support changing the IP addresses which have been assigned to the RabbitMQ deployments. Doing so will cause the deployment to fail. For example you cannot change the subnet into which the RabbitMQ cluster was originally provisioned. For more information, see Changing Network or IP Addresses Results in a Failed Deployment.

Static IPs

Switching from dynamic IPs to static IPs (Upgrading)

It is not possible to switch from dynamic IPs to a different set of static IPs, but you can set up Ops Manager so the current set of dynamically assigned IPs will always continue to be used.

  1. Go to the Status page on the RabbitMQ product.
  2. Note the IPs for the RabbitMQ Server and HAProxy for RabbitMQ jobs, in the order nodes appear in the UI.
  3. Go to the Settings tab, and navigate to the Networking page.
  4. Fill the IP addresses you got from the Status page. IP addresses should be in a comma-separated list.

Config static ip

RabbitMQ Server settings that cannot be overwritten

  • rabbit halt_on_upgrade_failure false
  • rabbitmq_mqtt subscription_ttl 1800000
  • rabbit disk_free_limit 50MB
  • log_levels [{connection,info}]
  • halt_on_upgrade_failure false
  • {rabbit, [ {collect_statistics_interval, 60000}] }
  • {rabbitmq_management, [ {rates_mode, none}] }

When SSL is enabled:

  • rabbit tcp_listeners []
  • rabbit ssl_listeners [5671]
  • rabbitmq_management listener [{port,15672},{ssl,false}]
  • rabbitmq_mqtt ssl_listeners [8883]
  • rabbitmq_stomp ssl_listeners [61614]
Create a pull request or raise an issue on the source for this page in GitHub