Setting up RabbitMQ on OCI

Tom Moore

Overview

RabbitMQ is a popular open source message broker. It is estimated that millions of developers use RabbitMQ as an integration point for their applications. As customers look to move applications to the cloud, they often want to utilize the same technologies in the cloud as they use on premises, at least for the immediate term.

Open source tools like RabbitMQ can be run anywhere, and they help developers build loosely coupled applications. This loose coupling assists customers with moving applications to the cloud by serving as an integration point between applications in the data center and applications in the cloud.

In this blog post I am going to cover how you can get RabbitMQ up and running in OCI quickly and easily.

Note: In this post I will cover the basics of getting a single RabbitMQ server up and running. I will not cover clustering multiple RabbitMQ servers.

Infrastructure Prerequisites

As with most infrastructure projects in OCI you will first need a Virtual Cloud Network to host your infrastructure. I won’t go through the instructions for that set up in this blog post. The New VCN wizard makes it incredibly easy to have a new VCN up and running. For this blog post I will be assuming that you have created a new VCN using the “Create VCN Wizard.”

Once created, your new VCN will have a pair of subnets, one public and one private.

Network security group

In order to allow applications to connect to your RabbitMQ instances, you are going to need a Network Security Group with the rules to allow incoming traffic. Create a new Network Security Group in your VCN and allow the following rules:

Source       Port     Description
0.0.0.0/0    80       HTTP
0.0.0.0/0    5672     RabbitMQ Data
0.0.0.0/0    15672    RabbitMQ Management
0.0.0.0/0    5671     Secure RabbitMQ Data
0.0.0.0/0    15671    Secure RabbitMQ Management

I add in port 80 to allow for quick network connectivity testing. RabbitMQ by default uses two ports, 5672 and 15672 for data and management respectively. There is also a set of secure ports for data and management, 5671 and 15671 respectively.

Because this traffic is application specific, you should not add these rules to the default security list.
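
The rule table above can also be written as the JSON that `oci network nsg rules add --security-rules` accepts. This is an added example, not part of the original post; the two CIDR parameters, the 10.0.0.0/16 sample value and the NSG_OCID placeholder are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): build the NSG ingress rules from
# the port table as JSON. CLIENT_CIDR / ADMIN_CIDR are this example's own
# parameters; passing 0.0.0.0/0 for both reproduces the table as published.

# is_cidr VALUE: succeed if VALUE looks like an IPv4 CIDR block (a.b.c.d/0-32).
is_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# nsg_rule SOURCE PORT DESCRIPTION: print one stateful TCP ingress rule.
nsg_rule() {
    printf '{"direction":"INGRESS","protocol":"6","isStateless":false,'
    printf '"sourceType":"CIDR_BLOCK","source":"%s",' "$1"
    printf '"tcpOptions":{"destinationPortRange":{"min":%s,"max":%s}},' "$2" "$2"
    printf '"description":"%s"}' "$3"
}

# nsg_rules CLIENT_CIDR ADMIN_CIDR: print the five rules as a JSON array.
# Data ports and port 80 use CLIENT_CIDR, the management ports use ADMIN_CIDR.
nsg_rules() {
    is_cidr "$1" && is_cidr "$2" || { echo "bad CIDR" >&2; return 1; }
    printf '['
    nsg_rule "$1" 80    "HTTP";                  printf ','
    nsg_rule "$1" 5672  "RabbitMQ Data";         printf ','
    nsg_rule "$2" 15672 "RabbitMQ Management";   printf ','
    nsg_rule "$1" 5671  "Secure RabbitMQ Data";  printf ','
    nsg_rule "$2" 15671 "Secure RabbitMQ Management"
    printf ']\n'
}

# Constructed sample: clients anywhere, management only from 10.0.0.0/16.
nsg_rules 0.0.0.0/0 10.0.0.0/16
# To apply (NSG_OCID is a placeholder for your group's OCID):
#   nsg_rules 0.0.0.0/0 10.0.0.0/16 > rules.json
#   oci network nsg rules add --nsg-id "$NSG_OCID" --security-rules file://rules.json
```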

Compute Instances

The next task is to set up the actual RabbitMQ server. For this we will launch a new compute instance.

In the launch instance dialog I am going to choose the following options:

  • Canonical Ubuntu 24.04 Image

  • VM.Standard.E5.Flex - Shape

  • Select the subnet you want to deploy your instance to

  • Provide any SSH keys that you want to be able to connect to the instance with.

The best practice from a security standpoint is to launch the new instance into the private subnet of your VCN and then configure a load balancer to provide access to the instance. This prevents the instance from being directly exposed to the public internet. Launching the instance into the public subnet is more convenient initially; however, it is less secure because the instance is publicly accessible.

Expand the “Show Advanced Options” section at the bottom of the instance launch page, and copy the following Cloud Init script.

#!/bin/sh
## Refresh package indices before the first install
apt-get update -y
apt-get install -y ufw
apt-get install -y apache2
# Open firewall ports
ufw allow apache
ufw allow 5672/tcp
ufw allow 15672/tcp
ufw allow 5671/tcp
ufw allow 15671/tcp
ufw --force enable
apt-get install curl gnupg apt-transport-https -y
## Team RabbitMQ's main signing key
curl -1sLf https://keys.openpgp.org/vks/v1/by-fingerprint/0A9AF2115F4687BD29803A206B73A36E6026DFCA | sudo gpg --dearmor | sudo tee /usr/share/keyrings/com.rabbitmq.team.gpg > /dev/null
## Community mirror of Cloudsmith: modern Erlang repository
curl -1sLf https://github.com/rabbitmq/signing-keys/releases/download/3.0/cloudsmith.rabbitmq-erlang.E495BB49CC4BBE5B.key | sudo gpg --dearmor | sudo tee /usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg > /dev/null
## Community mirror of Cloudsmith: RabbitMQ repository
curl -1sLf https://github.com/rabbitmq/signing-keys/releases/download/3.0/cloudsmith.rabbitmq-server.9F4587F226208342.key | sudo gpg --dearmor | sudo tee /usr/share/keyrings/rabbitmq.9F4587F226208342.gpg > /dev/null
## Add apt repositories maintained by Team RabbitMQ
tee /etc/apt/sources.list.d/rabbitmq.list <<EOF
## Provides modern Erlang/OTP releases
##
deb [arch=amd64 signed-by=/usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg] https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-erlang/deb/ubuntu noble main
deb-src [signed-by=/usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg] https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-erlang/deb/ubuntu noble main
# another mirror for redundancy
deb [arch=amd64 signed-by=/usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg] https://ppa2.rabbitmq.com/rabbitmq/rabbitmq-erlang/deb/ubuntu noble main
deb-src [signed-by=/usr/share/keyrings/rabbitmq.E495BB49CC4BBE5B.gpg] https://ppa2.rabbitmq.com/rabbitmq/rabbitmq-erlang/deb/ubuntu noble main
## Provides RabbitMQ
##
deb [arch=amd64 signed-by=/usr/share/keyrings/rabbitmq.9F4587F226208342.gpg] https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble main
deb-src [signed-by=/usr/share/keyrings/rabbitmq.9F4587F226208342.gpg] https://ppa1.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble main
# another mirror for redundancy
deb [arch=amd64 signed-by=/usr/share/keyrings/rabbitmq.9F4587F226208342.gpg] https://ppa2.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble main
deb-src [signed-by=/usr/share/keyrings/rabbitmq.9F4587F226208342.gpg] https://ppa2.rabbitmq.com/rabbitmq/rabbitmq-server/deb/ubuntu noble main
EOF
## Update package indices
apt-get update -y
## Install Erlang packages
apt-get install -y erlang-base \
                        erlang-asn1 erlang-crypto erlang-eldap erlang-ftp erlang-inets \
                        erlang-mnesia erlang-os-mon erlang-parsetools erlang-public-key \
                        erlang-runtime-tools erlang-snmp erlang-ssl \
                        erlang-syntax-tools erlang-tftp erlang-tools erlang-xmerl
## Install rabbitmq-server and its dependencies
apt-get install rabbitmq-server -y --fix-missing
rabbitmq-plugins enable rabbitmq_management
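#
# Update these to reflect your environment
#
## Create the administrative user (replace the sample password)
rabbitmqctl add_user admin P@ssword1
## Create the virtual host and give admin full permissions on it
rabbitmqctl add_vhost ociqueue
rabbitmqctl set_permissions -p "ociqueue" "admin" ".*" ".*" ".*"
## Tag the user as an administrator so it can use the management UI
rabbitmqctl set_user_tags "admin" "administrator"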

Note that the end of the script currently has hard-coded values for the administrative user name and password. These need to be updated for your environment. I will work on moving those out into Terraform variables when I package this all up for GitHub in the near future.
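
One way to avoid the hard-coded password is to generate it on the instance and keep it in a root-only file. This is an added example, not part of the original post; the helper function names and the /root/rabbitmq-admin.pass path are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): create the admin user with a
# generated password. The secret file path is this example's own choice.

# gen_password BYTES: print BYTES random bytes from /dev/urandom as hex text.
gen_password() {
    od -An -N"${1:-16}" -tx1 /dev/urandom | tr -dc '0-9a-f'
}

# write_secret FILE VALUE: store VALUE in FILE, readable by the owner only.
# Any existing file is removed first so looser permissions are not inherited.
write_secret() {
    ( umask 077; rm -f "$1"; printf '%s\n' "$2" > "$1" )
}

# provision_admin USER VHOST SECRET_FILE: same rabbitmqctl steps as the Cloud
# Init script, with the password generated on the instance and saved for root.
provision_admin() {
    pw=$(gen_password 16)
    write_secret "$3" "$pw" || return 1
    rabbitmqctl add_user "$1" "$pw" &&
        rabbitmqctl set_user_tags "$1" administrator &&
        rabbitmqctl add_vhost "$2" &&
        rabbitmqctl set_permissions -p "$2" "$1" ".*" ".*" ".*"
}

# Run only where RabbitMQ is installed, e.g. at the end of the Cloud Init script.
if command -v rabbitmqctl >/dev/null 2>&1; then
    provision_admin admin ociqueue /root/rabbitmq-admin.pass
fi
```

After the instance boots, read the password with `sudo cat /root/rabbitmq-admin.pass` over SSH.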

Once your instance has been created, you need to edit the instance definition and update the Network Security Group to select the Network Security Group that was created above. If you do not do this, then traffic will not be able to be routed to your instance.
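
The Cloud Init script above pipes each downloaded signing key straight into gpg --dearmor. The following added example, which is not part of the original post, checks the key's fingerprint before installing it; only the Team RabbitMQ fingerprint appears in the post, so the other two keys would need their full fingerprints supplied, and the function names and sample gpg output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): accept a downloaded signing key
# only if it holds exactly one primary key with the pinned fingerprint.

# primary_fprs: read `gpg --show-keys --with-colons` output on stdin and print
# the fingerprint of every primary key (the "fpr" record following a "pub").
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# key_matches EXPECTED: succeed only if stdin lists one primary key whose
# fingerprint equals EXPECTED (spaces and letter case in EXPECTED are ignored).
key_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    actual=$(primary_fprs)
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# install_key URL EXPECTED DEST: download, verify, then dearmor into DEST.
install_key() {
    tmp=$(mktemp) || return 1
    if curl -1sLf "$1" -o "$tmp" &&
       gpg --show-keys --with-colons "$tmp" 2>/dev/null | key_matches "$2"
    then
        gpg --dearmor < "$tmp" > "$3"; rc=$?
    else
        echo "key from $1 failed fingerprint check, not installed" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample of gpg's colon output (only the fingerprint is from the post).
SAMPLE='pub:-:4096:1:6B73A36E6026DFCA:0:::-:::scESC:
fpr:::::::::0A9AF2115F4687BD29803A206B73A36E6026DFCA:
sub:-:4096:1:1111111111111111:0::::::e:
fpr:::::::::2222222222222222222222222222222222222222:'
printf '%s\n' "$SAMPLE" | key_matches 0A9AF2115F4687BD29803A206B73A36E6026DFCA &&
    echo "sample key accepted"
# In the Cloud Init script this would replace the first curl | gpg --dearmor line:
#   install_key https://keys.openpgp.org/vks/v1/by-fingerprint/0A9AF2115F4687BD29803A206B73A36E6026DFCA \
#       0A9AF2115F4687BD29803A206B73A36E6026DFCA /usr/share/keyrings/com.rabbitmq.team.gpg
```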

Setting up your load balancer

If you have launched your instance into a public subnet, then the following instructions are not required.

Assuming you have launched the RabbitMQ instance in a private subnet, anything outside of the VCN has no way of accessing the instance. This is fine if all of the applications that will be accessing your queue reside inside the VCN, or have a VPN connection to the machine. However, if you require access to RabbitMQ from a machine that is on the internet, you will need to set up a means of accessing RabbitMQ.

I always recommend against putting servers into public subnets. Doing so increases the attack surface of the instance. Instead, my preference is to leverage a load balancer on a public subnet. I do this for a few reasons:

  • Being a managed service, Oracle takes care of maintaining the load balancer

  • Using load balancers protects my instance from OS specific exploits

  • If there is a new security issue, Oracle will be able to patch the load balancers faster than I can see about patching my instances

  • By using a load balancer as the front end, I can change the back end infrastructure without the clients knowing. This would allow me to implement clustering on the back end, or perform a zero downtime upgrade of the infrastructure.

You can create a new load balancer under Networking in the OCI console. For the new load balancer, select a public load balancer, the default bandwidth, and for Networking select the VCN that you have used to set up RabbitMQ and the relevant public subnet.

The other options can be left as default for the moment.

On the next page, you will select your instances to add to the target group for the load balancer. This will be the instances that you created and installed RabbitMQ on. Part of the script installed a default Apache web server, so we can use the default health check to the instance.

The next page sets up your default listener. For this I am going to choose TCP as the protocol and port 80.

Leave the rest of the options default for the moment. Once the load balancer has been created we will have to create additional listeners for the RabbitMQ ports 5672 and 15672. (And 5671 and 15671 if we enable TLS encryption for RabbitMQ as well.)

The rest of the configuration for the load balancer should be pretty straightforward. You can accept most of the defaults and configure optional logging.

Once your load balancer has been created, you want to edit the details of the load balancer and enable the load balancer to use the Network Security Group created earlier as well.

At this point, you can test your load balancer by opening a web browser and using the load balancer's IP address to view the default Apache web page running on the instance.

The final step is to create your RabbitMQ listeners. Each listener will need a new back end set that maps to a destination port.

Add additional back end sets

In your load balancer, on the left hand side select “Backend sets” and choose the option to create a new back end set.

Create two back end sets, rabbitmq-management-backend and rabbitmq-data-backend. For the health check, configure port 80 and use / as the path. This will leverage the Apache web server for the health check.

Once you have created the backend sets, you need to edit each set and add the RabbitMQ server to it. Click into the back end set and select Back ends from the left navigation menu. Then click “Add backends.”

For both back end sets you will add the RabbitMQ server you set up previously. For the management back end configure port 15672 and for the data back end set configure port 5672.

Configure listeners

The final step in setting up your configuration is to enable listeners for ports 5672 and 15672 on the load balancer. From the load balancer in the console, select Listeners from the left hand side.

Use the option to create a new listener.

Create a listener for the RabbitMQ Management port, 15672 and select the rabbitmq-management-backend created earlier.

Repeat the process for the rabbitmq-data-listener on port 5672 and select the rabbitmq-data-backend created in the previous step.

Finishing up

Once everything is configured, for best results, reboot your instance. I find this helps resolve issues connecting with the RabbitMQ server. Once the server reboots, you can connect via a RabbitMQ client using the load balancer IP Address.

Summary

You can set up RabbitMQ on Ubuntu 24.04 in OCI using a scripted install. By positioning the instance in a private subnet and using a load balancer, you are able to improve the security posture of the instance.
