Communication security for RabbitMQ clustering

Review communication security considerations when you use RabbitMQ clustering. When RabbitMQ is used in a highly available (HA) topology, a RabbitMQ cluster is used.

The cluster contains all of the HA controller nodes. Message queues are mirrored across all nodes in the cluster to make the message queues and their contents available in the event of a failure. Message queue synchronization between nodes in the cluster is done over a separate distribution port. Communication over the distribution port is not encrypted; this is independent of whether RabbitMQ is configured to use encrypted connections for messaging clients. The cloud must be configured with a network that has security appropriate for the cloud. This can be done by using mechanisms such as a private network, virtual private network, or VLAN.

IBM® Cloud Manager with OpenStack allows an administrator to identify a network to be used by RabbitMQ communication; it is used by cluster distribution and client connections. The controller node management interface is used by default.

If you are deploying a prescribed configuration by using the knife os manage deploy cloud command, the network is configured by adding openstack.endpoints.mq.bind_interface to the override_attributes of the Environment Information section of the cloud YAML file. For example:

environment:
  base: example-ibm-os-ha-controller-n-compute
  default_attributes:
    # (Optional) Add Default Environment Attributes

  override_attributes:
    # (Optional) Add Override Environment Attributes
    ntp.servers: [0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org]
    openstack.endpoints.mq.bind_interface: eth2

If you are performing an advanced deployment by using the knife os manage deploy topology command, the network is identified by the openstack.endpoints.mq.bind_interface attribute in the default_attributes section of your cloud environment file.