The AutoMQ Cloud BYOC (Bring Your Own Cloud) environment deploys all its components into your Virtual Private Cloud (VPC) on AWS, ensuring complete data privacy and security. A properly configured VPC is a prerequisite for a successful AutoMQ installation. This guide details the steps to prepare a new or existing VPC for AutoMQ deployment.
Throughout this document, “AutoMQ” refers to AutoMQ HK Limited and its affiliates.

VPC Requirements

For Proof-of-Concept (POC) testing, we recommend creating a new VPC to isolate the AutoMQ deployment and test applications. In production environments, you will likely use an existing VPC. In this case, you must verify that your VPC meets AutoMQ’s requirements and make any necessary adjustments. To install the AutoMQ BYOC environment, your AWS VPC must meet the following requirements:
VPC Checklist (requirement, followed by its description):
Public Subnet: 1
  • The public subnet is used to deploy the AutoMQ BYOC environment console. The environment console provides a WebUI, which users need to access via the public network.
Private Subnet: 1 or 3
  • The private subnet is used to deploy the AutoMQ data plane cluster.
  • AutoMQ supports single-zone deployment and three-zone deployment, with each availability zone requiring a subnet.
S3 Endpoint: 1
  • All AutoMQ components access S3 through the S3 endpoint using the internal network, avoiding public network transmission.
  • The S3 endpoint is created at the VPC level, and the endpoint route table needs to cover all internal subnets.
EC2 Interface Endpoint: 1
  • An EC2 Interface Endpoint is necessary for AutoMQ components to privately access EC2 and Auto Scaling Group (ASG) APIs.
  • This endpoint must be accessible from all private subnets where AutoMQ will be deployed.
DNS Hostnames and Resolution: Enabled
  • AutoMQ uses Route 53 to allocate VPC internal DNS resolution. Therefore, the VPC needs to enable DNS hostnames and DNS resolution.
NAT Gateway: 1
  • A NAT Gateway is required if you plan to deploy the AutoMQ data plane on Amazon EKS.
  • The private subnets hosting the EKS nodes must have a route to the NAT Gateway for outbound internet access.

Failure to configure a NAT Gateway will prevent the AutoMQ cluster from being installed on EKS.

Prerequisites

The AWS account used for setup must be either the root account or an IAM user/role with sufficient permissions. If using an IAM principal, ensure the following AWS managed policies (or equivalent custom policies) are attached:
  • AmazonVPCFullAccess: Permissions to manage the VPC.
  • AmazonS3FullAccess: Permissions to manage S3.
  • AmazonRoute53FullAccess: Permissions to manage Route 53.
The policies listed are AWS managed policies. For production environments, we recommend following the principle of least privilege by creating custom IAM policies with more restrictive permissions tailored to your specific needs.

Scenario 1: Create a New VPC

This scenario is ideal for POC testing or if you do not have an existing VPC. Follow these steps to create a new VPC that meets AutoMQ’s requirements.

Step 1: Create a VPC and Enable the S3 Endpoint

Log in to the VPC console using your AWS cloud account. Taking the Singapore region as an example, visit the VPC console, and click “Create VPC.” When using the “VPC and more” creation wizard, you can configure the VPC and its core components simultaneously. Confirm the following options and click “Create VPC”:
  1. VPC Name: Set the VPC name to a custom name.
  2. CIDR: Set an appropriate CIDR subnet.
  3. Availability Zones: It is recommended to select 1-3 zones based on your business deployment needs.
  4. Public subnets: Configure at least one public subnet to host the AutoMQ environment console.
  5. VPC endpoints: Select “S3 Gateway” to create the S3 endpoint.
  6. DNS options: Ensure both “Enable DNS hostnames” and “Enable DNS resolution” are checked. AutoMQ relies on these for internal service discovery.
  7. NAT Gateway: Ensure that a NAT Gateway is enabled if AutoMQ is deployed on EKS.

Step 2: Create EC2 Endpoint

Create an EC2 Interface Endpoint within the VPC to allow AutoMQ components to access the EC2 API over the AWS private network. When creating the EC2 endpoint, configure the following:
  1. Service category: Select “AWS services”.
  2. Service name: Search for and select com.amazonaws.<region>.ec2.
  3. VPC: Select the VPC created in the previous step.
  4. Subnets: Select all private subnets where the AutoMQ data plane might be deployed.
  5. Security group: Create a new security group and add an inbound rule to allow TCP traffic on port 443 from your VPC’s CIDR block (or 0.0.0.0/0 for simplicity in test environments).
AutoMQ clusters require access to the EC2 API via the VPC internal network. When creating the EC2 Interface Endpoint, ensure that the subnet and security group configurations are correct; an incorrect configuration will cause the AutoMQ cluster to fail during startup. All subnets and availability zones planned for AutoMQ cluster deployment must be covered; no possible subnet may be omitted. Security group rules must allow unobstructed access to port 443 and permit sources from 0.0.0.0/0.

Scenario 2: Configuring an Existing VPC

If you plan to install AutoMQ in an existing VPC, you must first verify that its configuration meets all requirements.

Step 1: Check and Enable DNS Configuration

Access the existing VPC network, click on details, and review the VPC configuration. Verify that both “DNS hostnames” and “DNS resolution” are enabled for the VPC.

Step 2: Check and Create S3 Endpoints

Confirm whether the current VPC already has an S3 gateway endpoint. If an S3 endpoint does not exist, create one.
When creating the S3 Gateway Endpoint, ensure its route table includes all private subnets where the AutoMQ cluster might be deployed. This ensures that all traffic to S3 from your cluster nodes stays within the AWS private network.

Step 3: Check and Create EC2 Endpoints

Verify that an EC2 Interface Endpoint exists and is correctly configured. If not, create one to allow private access to the EC2 API. When creating the EC2 endpoint, configure the following:
  1. Service category: Select “AWS services”.
  2. Service name: Search for and select com.amazonaws.<region>.ec2.
  3. VPC: Select your existing VPC.
  4. Subnets: Select all private subnets where the AutoMQ data plane might be deployed.
  5. Security group: Create or select a security group and add an inbound rule to allow TCP traffic on port 443 from your VPC’s CIDR block.
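The three checks in Scenario 2 (DNS attributes, S3 gateway endpoint route-table coverage, EC2 interface endpoint subnets and its security group) can be scripted against the output of `aws ec2 describe-vpc-attribute`, `describe-vpc-endpoints`, `describe-route-tables` and `describe-security-groups`. The following is an added example, not AutoMQ's own tooling: its input dictionaries are constructed samples shaped like (and simplified from) those API responses, and the subnet, route table and security group ids are made up.

```python
import ipaddress
REGION = "ap-southeast-1"  # Singapore, the region the guide uses as its example
# Constructed sample (not from a real account): DNS hostnames are off, and both the S3
# endpoint's route table and the EC2 endpoint's subnet list miss subnet-priv-c.
VPC = {"CidrBlock": "10.0.0.0/16", "EnableDnsSupport": True, "EnableDnsHostnames": False}
PRIVATE_SUBNETS = ["subnet-priv-a", "subnet-priv-b", "subnet-priv-c"]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-1", "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}]},
    {"RouteTableId": "rtb-2", "Associations": [{"SubnetId": "subnet-priv-c"}]},
]
ENDPOINTS = [
    {"ServiceName": f"com.amazonaws.{REGION}.s3", "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-1"]},
    {"ServiceName": f"com.amazonaws.{REGION}.ec2", "VpcEndpointType": "Interface",
     "SubnetIds": ["subnet-priv-a", "subnet-priv-b"], "Groups": [{"GroupId": "sg-ec2-endpoint"}]},
]
SECURITY_GROUPS = {  # inbound rules keyed by group id
    "sg-ec2-endpoint": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}

def sg_allows_443(inbound_rules, vpc_cidr):
    """True if some inbound rule admits TCP/443 from the whole VPC CIDR (or a wider range such as 0.0.0.0/0)."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    for rule in inbound_rules:
        proto = rule["IpProtocol"]  # "-1" means all protocols and ports
        if proto != "-1" and (proto != "tcp" or not rule["FromPort"] <= 443 <= rule["ToPort"]):
            continue
        if any(vpc_net.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in rule.get("IpRanges", [])):
            return True
    return False

def check_vpc(vpc, private_subnets, route_tables, endpoints, security_groups, region):
    """Return the sorted list of checklist violations; an empty list means the VPC is ready."""
    findings = []
    for attr, what in (("EnableDnsSupport", "resolution"), ("EnableDnsHostnames", "hostnames")):
        if not vpc[attr]:
            findings.append(f"DNS {what} disabled")
    by_service = {e["ServiceName"]: e for e in endpoints}
    s3 = by_service.get(f"com.amazonaws.{region}.s3")
    if not s3 or s3["VpcEndpointType"] != "Gateway":
        findings.append("S3 gateway endpoint missing")
    else:  # each private subnet must sit in a route table the S3 endpoint is attached to
        covered = {a["SubnetId"] for rt in route_tables if rt["RouteTableId"] in s3["RouteTableIds"] for a in rt["Associations"]}
        findings += [f"S3 endpoint route table does not cover {s}" for s in set(private_subnets) - covered]
    ec2 = by_service.get(f"com.amazonaws.{region}.ec2")
    if not ec2 or ec2["VpcEndpointType"] != "Interface":
        findings.append("EC2 interface endpoint missing")
    else:
        findings += [f"EC2 endpoint not attached to {s}" for s in set(private_subnets) - set(ec2["SubnetIds"])]
        if not any(sg_allows_443(security_groups.get(g["GroupId"], []), vpc["CidrBlock"]) for g in ec2["Groups"]):
            findings.append("EC2 endpoint security group does not allow TCP/443 from the VPC CIDR")
    return sorted(findings)
```

Running `check_vpc(VPC, PRIVATE_SUBNETS, ROUTE_TABLES, ENDPOINTS, SECURITY_GROUPS, REGION)` on the sample reports the three gaps; once they are fixed the list is empty.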

Next Steps

After setting up the VPC network, you can proceed to install the AutoMQ BYOC environment. On AWS, AutoMQ supports installation through the following two methods:
  • Install the AutoMQ environment through the AWS Marketplace: select the corresponding product link from the AWS Marketplace to install the AutoMQ BYOC environment.
  • Install the AutoMQ environment through the Terraform Module: install the AutoMQ BYOC environment using the AutoMQ Terraform Module with Terraform.