Configuring RabbitMQ in an IPsec environment
Note: If deploying RabbitMQ for PCF in an IPsec environment, the following steps must be performed.
This option configures and deploys RabbitMQ for PCF so that the VMs in the deployment are excluded from the IPsec network. This is necessary because IPsec on the nodes prevents RabbitMQ cluster formation. Since inter-node traffic is then unencrypted, we recommend that you configure RabbitMQ for PCF to use TLS.
Limitations & Risks
- You can only deploy RabbitMQ to a single AZ.
- It is not possible to add a node to an existing RabbitMQ cluster when IPsec is enabled on the RabbitMQ nodes.
- Once IPs have been dynamically assigned (from a prior deployment), you cannot assign different static IPs.
Installing the tile
- Import and configure the RabbitMQ tile as usual, ensuring that you select only a single AZ.
- On the Networking page enter the correct number of static IPs required for the number of HAProxy and RabbitMQ Server nodes you have configured on the resources page. These must be in a subnet on the AZ that you’ve configured the product to use.
- Do not click Apply Changes until completing the following step.
- Following the IPsec Add-On documentation, add the static IPs you have configured to the no_ipsec_subnets list and update your runtime-config as the guide recommends.
- Go back to the Installation Dashboard and click Apply Changes to deploy the changes. This will cause an update of all products, as the runtime-config has to be applied to all products.
- Optionally, you can verify that traffic to the RabbitMQ Server and HAProxy nodes is unencrypted:
  - SSH into a node that should not be encrypted and run:
    sudo tcpdump -i eth0 "ip proto 50"
    You should see no packets logged. This verifies that there are no IPsec-encrypted (ESP) packets on that network interface. An IPsec-encrypted packet would look like this:
    11:13:07.801761 IP cloud-controller-0.node.dc1.cf.internal > ip-10-0-48-12.eu-west-1.compute.internal: ESP(spi=0xcbb4206d,seq=0x2e4), length 232