Amazon MQ RabbitMQ connection - amazon-web-services

I came across this article on migrating RabbitMQ to Amazon MQ (RabbitMQ):
https://aws.amazon.com/blogs/compute/migrating-message-driven-applications-to-amazon-mq-for-rabbitmq/
I see this sentence:
"In Amazon MQ for RabbitMQ, we only support the secure version of AMQP using TLS. The code snippet below demonstrates AMQPS connection using Pika library. Please note that we do not support peer verification on server side."
Does it mean it's mandatory to always have a secure connection for Amazon MQ (RabbitMQ), or is it simply saying that if we decide to go for secure connections we must use TLS?

From the documentation:

Encryption in transit
By default, Amazon MQ brokers use the recommended TLS 1.2 to encrypt data. Amazon MQ does not currently support configuring brokers to use different TLS versions.
Key Concepts Security and authentication
Connections to Amazon MQ brokers use Transport Layer Security (TLS)
Supported wire-level protocols
You can access your brokers by using any programming language that ActiveMQ supports and by enabling TLS explicitly for the following protocols:
Infrastructure security in Amazon MQ
You use AWS published API calls to access Amazon MQ through the network. Clients must support Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later. Clients must also support cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
You have to use TLS.
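An added example (not code from the AWS blog post or from the answer above) of what "you have to use TLS" looks like on the client side: the connection URL must be amqps:// (port 5671), the client refuses anything below TLS 1.2 and non-forward-secret cipher suites, and the broker's certificate is verified against the OS trust store. The broker does not support client-certificate (peer) verification, so the client authenticates with a username and password only. The broker hostname is a made-up placeholder; pika is only imported inside connect(), so the rest of the module runs without it.

```python
import ssl
from typing import Tuple
from urllib.parse import urlparse

AMQPS_DEFAULT_PORT = 5671  # AMQP over TLS; Amazon MQ does not offer plaintext AMQP on 5672


def make_tls_context() -> ssl.SSLContext:
    """TLS settings for a client connecting to an Amazon MQ for RabbitMQ broker.

    create_default_context() gives CERT_REQUIRED plus hostname checking, so the
    client still verifies the broker's certificate even though the broker does
    not verify a client certificate.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # refuse TLS 1.0/1.1 from our side too
    # Forward-secret key exchange only (ECDHE/DHE), as the infrastructure security docs ask.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def parse_broker_url(url: str) -> Tuple[str, int]:
    """Accept only amqps:// URLs and return (host, port); plaintext amqp:// is rejected."""
    parts = urlparse(url)
    if parts.scheme != "amqps":
        raise ValueError(
            f"Amazon MQ brokers only accept AMQP over TLS (amqps://); got {parts.scheme!r}"
        )
    if not parts.hostname:
        raise ValueError("broker URL has no host")
    return parts.hostname, parts.port or AMQPS_DEFAULT_PORT


def connect(url: str, username: str, password: str):
    """Open a blocking pika connection over TLS (pip install pika)."""
    import pika  # imported lazily so the helpers above work without pika installed

    host, port = parse_broker_url(url)
    params = pika.ConnectionParameters(
        host=host,
        port=port,
        virtual_host="/",
        credentials=pika.PlainCredentials(username, password),
        # server_hostname enables SNI and the hostname check against the certificate
        ssl_options=pika.SSLOptions(make_tls_context(), server_hostname=host),
    )
    return pika.BlockingConnection(params)


if __name__ == "__main__":
    # Hypothetical broker host; use the one shown in the Amazon MQ console.
    host, port = parse_broker_url("amqps://b-0123abcd.mq.us-east-1.amazonaws.com")
    print(host, port)
```

If a legacy client is configured with an amqp:// URL, parse_broker_url() fails fast with a clear message instead of letting the client attempt a plaintext handshake that the broker will never accept.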

Related

Proxy in between device and Google IoT Core using MQTT?

I have a situation where I want to use Google IoT Core to support bi-directional communication between my devices and existing GCP stack. The trouble is, some of my devices cannot connect to GCP's MQTT bridge because they are blocked from reaching it directly. The communication must instead go through my own hosted server. In fact, some devices will not be allowed to trust traffic either inbound or outbound to anything but my own hosted server, and this is completely out of my control.
Basically all suggested solutions that I have found propose the use of MQTT over WebSockets. WebSockets consume too many system resources for the server I have available, and so MQTT proxy over WebSockets is extremely undesirable and likely is not even feasible for my use case. It also defeats the purpose of using a lightweight, low-bandwidth protocol like MQTT in the first place.
To make matters more complicated, Google IoT Core documentation explicitly says that it does not support bridging MQTT brokers with their MQTT bridge. So hosting my own MQTT server seems to be out of the question.
Is it even possible to create a proxy -- either forward or reverse -- for this use case that allows for native, encrypted, full-duplex MQTT traffic? If so, what would be the recommended way to achieve this?
If you have a hybrid set-up, meaning you have on-premise servers and a cloud server, and you want to bridge them using Google IoT by using MQTT:
You can try the one in this GitHub link; upon checking, this MQTT broker has been tested with Google IoT, since Google IoT does not support 3rd-party MQTT brokers.

AWS with existing TCP Server implementation

I have an existing AWS solution which includes the following. It uses a legacy application (written in C#) running on an EC2 instance. This legacy application implements a TCP server and listens on a specific TCP port. It contains custom code to decode the data and dump it into a database. The choice of the database is less important for now.
I'm after a more contemporary solution based on AWS which can potentially deprecate the existing legacy application. Most options with Amazon IoT involve HTTP and MQTT. I can't change the protocol. It must still be TCP.
The closest thing I can find is Amazon IoT Greengrass (https://aws.amazon.com/blogs/iot/converting-industrial-protocols-with-aws-iot-greengrass/) which appears to involve running a TCP client in an AWS lambda function, and then forwarding it to MQTT / AWS IoT Core.
I'm curious what other approaches may be possible.

Does Amazon MQ provide a TCP endpoint?

I have created one broker on Amazon MQ and got an SSL endpoint on port 61617. I was looking for a non-SSL endpoint as well (like we can have tcp on 61616 on ActiveMQ). Does Amazon MQ provide only SSL? Is there any way we can get the TCP endpoint as well?
Amazon MQ only provides an SSL endpoint; it does not expose any TCP endpoint like ActiveMQ does. But it works and connects equally well when you switch from the ActiveMQ tcp endpoint to the Amazon MQ SSL endpoint.
For example:
activemq.broker.url =
failover:(tcp://abc1.gogole.com:61616,tcp://abc1.gogole.com:61616)?randomize=false&maxReconnectAttempts=10
amazonmq.broker.url =
failover:(ssl://efg-1.mq.us-west-2.amazonaws.com:61617,ssl://efg-2.mq.us-west-2.amazonaws.com:61617)?randomize=false&maxReconnectAttempts=5
Any specific use case on why are you looking for TCP endpoint?
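Added example, not part of the answer above: a small parser for the ActiveMQ failover URI syntax shown in the two configuration lines, plus a check that flags plaintext members (tcp:// and nio://) and a helper that rewrites an old failover URL onto the Amazon MQ ssl:// endpoints while keeping the existing options. The host names used are the placeholder names from the answer; the rewrite assumes the OpenWire-over-SSL port 61617 that the question mentions.

```python
import re
from typing import Dict, Iterable, List, NamedTuple
from urllib.parse import urlsplit


class Transport(NamedTuple):
    scheme: str
    host: str
    port: int


class FailoverUrl(NamedTuple):
    transports: List[Transport]
    options: Dict[str, str]


# failover:(member,member,...)?key=value&key=value
_FAILOVER = re.compile(r"^failover:\((?P<members>[^)]*)\)(?:\?(?P<opts>.*))?$")
KNOWN_SCHEMES = {"tcp", "ssl", "nio", "nio+ssl"}
PLAINTEXT_SCHEMES = {"tcp", "nio"}
AMAZON_MQ_OPENWIRE_SSL_PORT = 61617  # port shown in the question


def parse_failover_url(url: str) -> FailoverUrl:
    """Split an ActiveMQ failover URL into its transports and options."""
    m = _FAILOVER.match(url.strip())
    if not m:
        raise ValueError(f"not a failover URL: {url!r}")
    transports = []
    for member in m.group("members").split(","):
        parts = urlsplit(member.strip())
        if parts.scheme not in KNOWN_SCHEMES:
            raise ValueError(f"unknown transport scheme in {member!r}")
        if parts.hostname is None or parts.port is None:
            raise ValueError(f"transport needs host:port: {member!r}")
        transports.append(Transport(parts.scheme, parts.hostname, parts.port))
    options: Dict[str, str] = {}
    for kv in (m.group("opts") or "").split("&"):
        if kv:
            key, _, value = kv.partition("=")
            options[key] = value
    return FailoverUrl(transports, options)


def plaintext_transports(url: str) -> List[Transport]:
    """Members that would carry credentials and messages unencrypted."""
    return [t for t in parse_failover_url(url).transports if t.scheme in PLAINTEXT_SCHEMES]


def rewrite_for_amazon_mq(url: str, broker_hosts: Iterable[str]) -> str:
    """Replace the transport list with ssl:// members for the given Amazon MQ
    hosts, keeping the failover options (randomize, maxReconnectAttempts, ...)."""
    parsed = parse_failover_url(url)
    members = ",".join(f"ssl://{h}:{AMAZON_MQ_OPENWIRE_SSL_PORT}" for h in broker_hosts)
    opts = "&".join(f"{k}={v}" for k, v in parsed.options.items())
    return f"failover:({members})" + (f"?{opts}" if opts else "")


if __name__ == "__main__":
    # Constructed sample: the two URLs from the answer above.
    old = "failover:(tcp://abc1.gogole.com:61616,tcp://abc1.gogole.com:61616)?randomize=false&maxReconnectAttempts=10"
    print("plaintext members:", plaintext_transports(old))
    print(rewrite_for_amazon_mq(old, ["efg-1.mq.us-west-2.amazonaws.com", "efg-2.mq.us-west-2.amazonaws.com"]))
```

Running plaintext_transports() over every broker URL in a deployment's configuration is a cheap way to confirm that nothing is still configured for a tcp:// endpoint after the migration.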

Kafka cluster security for IOT

I am new to Kafka and want to deploy a Kafka production cluster for IoT. We will be receiving messages from Raspberry Pis over the internet to our Kafka cluster, which we will be hosting on AWS.
Now the concern: since we need to open the Kafka port to the outer internet, we are opening a way to system threats, as it will compromise security by opening a port to the outside world.
Please let me know what can be done so that we can prevent malicious access using the Kafka port over the internet.
Pardon me if I am not clear with the question; do let me know if rephrasing of the question is needed.
Consider using a REST Proxy in front of your Kafka brokers (such as the one from Confluent). Then you can secure your Kafka cluster just as you would secure any REST API exposed to the public internet. This architecture is proven in production for several very large IoT use cases.
There are two measures that are most effective for Kafka security:
Implement SSL encryption for Kafka.
Authentication using SASL.
You can follow this guide: http://kafka.apache.org/documentation.html#security_sasl
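Added example (mine, not from either answer): a broker server.properties with the default plaintext listener beside one that applies both measures from the answer above (TLS via a SASL_SSL listener, SASL/SCRAM authentication) plus an ACL authorizer, and an audit function that parses a properties file and reports which of those are missing. Both configuration texts are constructed samples; the keystore paths and "changeit" passwords are placeholders. The property names are the standard Kafka broker settings.

```python
from typing import Dict, List

# Constructed sample: what a freshly unpacked broker looks like when exposed to the internet.
WEAK_CONFIG = """
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://kafka.example.com:9092
"""

# Constructed sample: TLS on the wire, SASL/SCRAM clients, ACLs enforced (paths/passwords are placeholders).
HARDENED_CONFIG = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://kafka.example.com:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=changeit
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader (key=value, '#'/'!' comments)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_kafka_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the checks all pass."""
    p = parse_properties(text)
    findings: List[str] = []
    listeners = [l.strip() for l in p.get("listeners", "").split(",") if l.strip()]
    if not listeners:
        findings.append("no 'listeners' set: broker defaults to PLAINTEXT on 9092")
    protocols = {l.split("://", 1)[0].upper() for l in listeners}
    for l in listeners:
        proto = l.split("://", 1)[0].upper()
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append(f"listener {l}: messages (and any SASL credentials) are sent unencrypted")
    if protocols & {"SSL", "SASL_SSL"}:
        if "ssl.keystore.location" not in p:
            findings.append("TLS listener configured but ssl.keystore.location is missing")
    # Client authentication: SASL on a listener, or mutual TLS on an SSL listener.
    has_sasl = any(pr.startswith("SASL_") for pr in protocols)
    has_mtls = "SSL" in protocols and p.get("ssl.client.auth") == "required"
    if not (has_sasl or has_mtls):
        findings.append("no client authentication: no SASL listener and ssl.client.auth != required")
    if has_sasl:
        mechs = {m.strip().upper() for m in p.get("sasl.enabled.mechanisms", "").split(",") if m.strip()}
        if not mechs:
            findings.append("SASL listener configured but sasl.enabled.mechanisms is empty")
        elif "PLAIN" in mechs:
            findings.append("SASL PLAIN enabled: password travels in clear inside TLS; prefer SCRAM-SHA-512")
    if p.get("security.inter.broker.protocol", "PLAINTEXT").upper() not in ("SSL", "SASL_SSL"):
        findings.append("security.inter.broker.protocol is plaintext: replication traffic is unencrypted")
    if "authorizer.class.name" not in p:
        findings.append("no authorizer.class.name: every authenticated client can read/write every topic")
    elif p.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true defeats the authorizer for topics without ACLs")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_kafka_config(cfg) or "OK")
```

Even with the hardened listener, restrict the security group to the device source ranges where possible; SASL_SSL stops unauthenticated readers, but it does not stop the port from being scanned or flooded.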

Does Kinesis support HTTP (not HTTPS)?

I have tried out the Kinesis REST API with HTTPS and it works fine. But I want to build it with only HTTP, not HTTPS. Does Kinesis support HTTP without SSL?
No, it doesn't. According to the Regions and Endpoints documentation the Kinesis endpoints only support HTTPS.
http://docs.aws.amazon.com/general/latest/gr/rande.html#ak_region
If you are in a situation where you need to communicate with an API that only supports HTTPS but you are, for some significant reason, constrained to HTTP only, you might find that you could use a proxy that can accept unencrypted connections and originate encrypted connections to the final endpoint. On some of my legacy systems, I have accomplished this with HAProxy 1.5 or higher (previous versions do not have built-in OpenSSL integration)... or Stunnel4, which I used before HAProxy 1.5 was released. Apparently there is now a Stunnel 5.
Of course, this is only viable if the network between the legacy system and your SSL client offloading is trusted.
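An added example of the pattern the answer above describes, written by me rather than taken from the answer or from HAProxy/stunnel: a small TCP relay that listens for plaintext on the loopback interface and originates a verified TLS 1.2+ connection to the HTTPS endpoint, the same job stunnel does in "client" mode. The Kinesis host name and ports are assumptions for the illustration.

```python
import socket
import ssl
import threading
from typing import Optional, Tuple


def make_upstream_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the endpoint's certificate (system CA store, or a given bundle) and require TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_upstream(spec: str, default_port: int = 443) -> Tuple[str, int]:
    """'host:port' or 'host' -> (host, port)."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, int(port)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client: socket.socket, upstream_host: str, upstream_port: int,
                  ctx: ssl.SSLContext) -> None:
    raw = socket.create_connection((upstream_host, upstream_port), timeout=10)
    raw.settimeout(None)
    # server_hostname sends SNI and makes the hostname check apply to the endpoint's certificate.
    tls = ctx.wrap_socket(raw, server_hostname=upstream_host)
    back = threading.Thread(target=_pump, args=(tls, client), daemon=True)
    back.start()
    _pump(client, tls)
    back.join()
    client.close()
    tls.close()


def serve(listen: Tuple[str, int], upstream: str, cafile: Optional[str] = None) -> None:
    host, port = parse_upstream(upstream)
    ctx = make_upstream_context(cafile)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(64)
    while True:
        client, _ = srv.accept()
        threading.Thread(target=handle_client, args=(client, host, port, ctx), daemon=True).start()


if __name__ == "__main__":
    # Loopback only: the legacy client on this box speaks plain HTTP to 127.0.0.1:8080,
    # everything leaving the box towards Kinesis is TLS. Host name is an assumed regional endpoint.
    serve(("127.0.0.1", 8080), "kinesis.us-east-1.amazonaws.com:443")
```

Two caveats that apply to HAProxy and stunnel just as much as to this relay: the relay is byte-level, so the legacy client must still send the real endpoint in its Host header (SigV4 signs it) while pointing the TCP connection at the relay; and the listener must bind only to an interface the answer's "trusted network" condition holds for, never to 0.0.0.0 on a public host.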