RabbitMQ for PCF v1.7.14

Configuring RabbitMQ in an IPSec environment

Note: If deploying RabbitMQ for PCF in an IPSec environment, the following steps must be performed

This option will configure and deploy RabbitMQ for PCF in a way that the machines in the deployment will not be in an IPSec network. This is necessary for cluster formation of RabbitMQ. As a result, we recommend you configure RabbitMQ for PCF to use TLS.

Limitations & Risks

  • You can only deploy RabbitMQ to a single AZ.
  • Once IPs have been dynamically assigned (from a prior deployment) you cannot assign different static IPs.

Installing the tile

  1. Import and configure the RabbitMQ tile as ususal, ensuring that you select only a single AZ.
  2. On the Networking page enter the correct number of static IPs required for the number of HAProxy and RabbitMQ Server nodes you have configured on the resources page. These must be in a subnet on the AZ that you’ve configured the product to use.
  3. Do not click Apply Changes until completing the following step.
  4. Following the IPSec Addon documentation add the static IPs you have configured to the no_ipsec_subnets list and update your runtime-config as the guide recommends.
  5. Go back to the Installation Dashboard and click Apply Changes to deploy the changes. This will cause an update of all products, as the runtime-config has to be applied to all products.
  6. Optionally, you can verify that traffic to the RabbitMQ Server and HAProxy nodes is unecrypted:
    1. SSH into a node which should not be encrypted
    2. Run sudo tcpdump -i eth0 "ip proto 50", you should see no packets logged. This verifies there are no IPSec encrypted packets on that network interface. An IPSec encrypted packet will look like this: 11:13:07.801761 IP > ESP(spi=0xcbb4206d,seq=0x2e4), length 232
Create a pull request or raise an issue on the source for this page in GitHub