AWS PrivateLink
FlowMQ's AWS PrivateLink integration lets you expose your managed FlowMQ instance to your AWS VPC as if it were running inside your own network. Traffic between your VPC and FlowMQ travels over the AWS private backbone instead of the public internet, keeping your messaging data off untrusted networks while still using FlowMQ Cloud's fully managed service.
This page explains how the feature works and walks through the full setup: creating a PrivateLink service in the FlowMQ Cloud dashboard, creating a VPC endpoint in AWS, launching an EC2 instance in the same VPC, and connecting a client to FlowMQ through the private endpoint.
What is AWS PrivateLink?
AWS PrivateLink is an AWS networking feature that exposes a service hosted in one VPC to customers in other VPCs through private IP addresses and Elastic Network Interfaces (ENIs). For FlowMQ Cloud, it means:
- Your applications connect to FlowMQ using private IP addresses inside your VPC.
- Traffic never leaves the AWS network or traverses the public internet.
- You control access through standard AWS IAM and security-group policies.
- You keep the operational benefits of a managed FlowMQ instance while meeting strict network-isolation requirements.
How It Works
A high-level view of the traffic flow:
- FlowMQ Cloud provisions a PrivateLink service endpoint for your instance.
- You create a VPC endpoint in your AWS VPC that points to the FlowMQ service name.
- AWS creates Elastic Network Interfaces inside your VPC subnets.
- Your EC2 instance, or any workload in the same VPC, connects to those private IPs.
- FlowMQ routes the traffic to your dedicated instance exactly like a public connection, but over the AWS private network.
Supported Protocols
The PrivateLink wizard currently lets you enable the following protocols. You can select one or both:
| Protocol | Port | Notes |
|---|---|---|
| Kafka | 9094 (SASL_PLAINTEXT) | Works with existing Kafka clients using SASL/PLAIN. |
| MQTT | 1883 (NONE_TLS) | Standard MQTT without TLS. Use the VPC endpoint DNS name as the broker host. |
Authentication and authorization work exactly as they do over the public endpoint; PrivateLink changes only the network path.
Prerequisites
Before you start, make sure you have:
- A FlowMQ Cloud project on a Pro / Enterprise plan (PrivateLink is not available on the Free plan).
- An AWS account with permission to create VPC endpoints, security groups, and EC2 instances.
- A VPC with at least one private subnet in the AWS region where your FlowMQ instance is deployed.
- A way to create or access an EC2 instance inside that VPC, such as a bastion host or direct SSH/RDP access.
Create a PrivateLink Service in FlowMQ Cloud
FlowMQ Cloud walks you through a four-step wizard to set up PrivateLink.
Before You Begin
PrivateLink is available for Pro / Enterprise projects only. Your project must be fully provisioned and available before you can create a PrivateLink.
Step 1: Configure private access
Authorize your AWS account to create a PrivateLink endpoint in the same region as the FlowMQ project.
- Open your project in the FlowMQ Cloud dashboard.
- Go to Networking.
- Click Create PrivateLink.
- Review Cloud provider and Project region. These are read-only and show the AWS region where your project runs.
- Enter your AWS account ID as a 12-digit number, for example 123456789012.
- In Services, select at least one protocol to expose over PrivateLink:
  - Kafka — TCP 9094
  - MQTT — TCP 1883
- Click Continue.
Wait on the page while FlowMQ Cloud prepares the service name. The wizard advances to Step 2 automatically.
Step 2: Create your VPC endpoint
Use the information shown in this step to create an Interface VPC Endpoint in your AWS account.
- Copy the AWS service name.
- Review the Network access table. It lists the inbound ports you must allow in the VPC endpoint security group:

| Protocol | Port | Source |
|---|---|---|
| Kafka | TCP 9094 | Your clients, or the security group attached to them |
| MQTT | TCP 1883 | Your clients, or the security group attached to them |

- Create the Interface VPC Endpoint in your AWS Console. See Create a VPC Endpoint in AWS for the full console walkthrough.
- After AWS creates the endpoint, copy its Endpoint ID (for example, vpce-0d19b610f8b7a22c4).
- Click Continue to move to Step 3.
Step 3: Confirm your endpoint
- Paste the VPC endpoint ID from AWS into AWS VPC endpoint ID.
- Click Continue.
The wizard advances to Step 4.
Step 4: Activating private access
FlowMQ enables the private endpoints. This step is automatic.
- Wait until the Task status shows Succeeded. This can take a few minutes.
- After the task succeeds, the dashboard shows the Private endpoints and Connection details cards.
If the task fails, the status message shows the error. Click Reset to start over.
After PrivateLink is active, create EC2 instances or other workloads in your VPC and connect them through the private endpoints. See Create an EC2 Instance in the Same VPC.
Create a VPC Endpoint in AWS
Next, create an interface VPC endpoint in your AWS VPC that connects to the FlowMQ PrivateLink service.
- Sign in to the AWS Management Console and open the VPC service.
- In the left navigation pane, choose Endpoints and then choose Create endpoint.
- For Name tag, enter a descriptive name such as flowmq-privatelink.
- For Type, choose Endpoint services that use NLBs and GWLBs.
- Paste the Service name you copied from FlowMQ Cloud (for example, com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0).
- Choose Verify service to confirm that AWS can resolve the service name.
- For VPC, select the VPC where your applications run.
- For Subnets, select the private subnets where you want AWS to place endpoint network interfaces. Select at least two subnets across different availability zones for high availability.
- For Security group, choose or create a security group that allows inbound traffic from your EC2 instances on the ports your protocols use:

| Protocol | Inbound port | Source |
|---|---|---|
| Kafka | 9094 | Your EC2 security group or VPC CIDR |
| MQTT | 1883 | Your EC2 security group or VPC CIDR |

- For Policy, choose Full access unless your organization requires a custom endpoint policy.
- Choose Create endpoint.
- Wait for the endpoint status to become Available. This can take a few minutes.
- On the endpoint details page, note the DNS names. You will use the regional DNS name in your client configuration.
Create an EC2 Instance in the Same VPC
After the VPC endpoint is available, launch an EC2 instance inside the same VPC and configure it to connect to FlowMQ through the endpoint.
- Open the EC2 service in the AWS Management Console.
- Choose Instances > Launch instances.
- Enter a name such as flowmq-privatelink-client.
- Select an Amazon Machine Image (AMI). For testing, Amazon Linux 2023 is a good default.
- Choose an instance type. A t3.micro is sufficient for verification.
- For Key pair, select or create a key pair for SSH access.
- For Network settings:
  - VPC: select the same VPC used for the VPC endpoint.
  - Subnet: select one of the subnets where the VPC endpoint has an ENI.
  - Auto-assign public IP: choose Disable if the subnet is private. You will need a bastion host or SSM Session Manager for access.
- For Security group, create or select a security group that allows:
  - Outbound traffic to the VPC endpoint security group on the ports you enabled (Kafka 9094, MQTT 1883).
  - Inbound SSH (port 22) or AWS Systems Manager access for administration.
- Launch the instance and wait for it to reach the Running state.
- Connect to the instance using SSH, Session Manager, or your organization's remote-access method.
Install a Client and Test Connectivity
Once connected to the EC2 instance, install a client for your protocol and verify that you can reach FlowMQ through the VPC endpoint.
Verify port connectivity
From the EC2 instance, test that the MQTT and Kafka ports on the VPC endpoint are reachable.
For MQTT:

```shell
nc -vz <your-vpc-endpoint-dns-name> 1883
```

For Kafka:

```shell
nc -vz <your-vpc-endpoint-dns-name> 9094
```

A successful response shows the connection succeeded and the port is open. If the command times out, check the VPC endpoint status, security-group rules, and that the EC2 instance is in a subnet associated with the endpoint.
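A preflight check to run on the EC2 instance before pointing any client at the endpoint, written here as an added example rather than FlowMQ's own tooling: it resolves the endpoint DNS name, refuses to continue if any address is globally routable or outside your VPC CIDR (both protocols on this page are plaintext, so that private path is what protects the SASL/PLAIN and MQTT credentials in transit), and then probes 1883 and 9094 the way nc -vz does. The endpoint name and VPC CIDR are assumed placeholders supplied on the command line.

```python
# Added example (not FlowMQ's code): preflight for a PrivateLink endpoint name.
# Both protocols on this page are plaintext (Kafka SASL_PLAINTEXT/9094, MQTT
# NONE_TLS/1883), so credentials are protected in transit only by the name really
# resolving to endpoint ENIs inside your VPC. Verify that, then probe like nc -vz.
import ipaddress
import socket
import sys

FLOWMQ_PORTS = {"mqtt": 1883, "kafka": 9094}  # from the Supported Protocols table


def resolve_ipv4(hostname):
    """Sorted IPv4 addresses the name resolves to (live DNS lookup)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_addresses_private(addrs, vpc_cidr):
    """Return {address: problem}; empty means every address looks like an endpoint ENI.
    Interface endpoint ENIs take addresses from the endpoint subnets, so a globally
    routable result, or one outside the VPC CIDR, is not the private endpoint."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    problems = {}
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_global:
            problems[addr] = "globally routable; traffic would leave the private path"
        elif ip not in vpc:
            problems[addr] = f"non-global but outside VPC {vpc}"
    return problems


def probe_port(host, port, timeout=3.0):
    """TCP connect test equivalent to `nc -vz host port`; True when the port accepts."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(endpoint_dns, vpc_cidr, protocols=("mqtt", "kafka")):
    """Resolve, refuse anything non-private, then report reachability per protocol."""
    problems = check_addresses_private(resolve_ipv4(endpoint_dns), vpc_cidr)
    if problems:
        raise RuntimeError(f"refusing plaintext connection to {endpoint_dns}: {problems}")
    return {p: probe_port(endpoint_dns, FLOWMQ_PORTS[p]) for p in protocols}


if __name__ == "__main__":
    # Usage: python preflight.py <your-vpc-endpoint-dns-name> <vpc-cidr>
    print(preflight(sys.argv[1], sys.argv[2]))
```

A result such as {"mqtt": True, "kafka": False} tells you which security-group or endpoint-subnet rule to revisit before touching client configuration.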
MQTT quick test
Install MQTTX CLI and publish a test message:
```shell
# Port 1883 is NONE_TLS on this endpoint, so the protocol is plain mqtt, not mqtts.
mqttx pub \
  -h <your-vpc-endpoint-dns-name> \
  -p 1883 \
  -l mqtt \
  -t "test/hello" \
  --username your-username \
  --password your-password \
  --message "Hello from PrivateLink"
```

Kafka quick test
Install a Kafka client and list topics:
```shell
# Example using the open-source Kafka console tools
export BOOTSTRAP_SERVERS=<your-vpc-endpoint-dns-name>:9094
kafka-topics.sh --bootstrap-server "$BOOTSTRAP_SERVERS" --list \
  --command-config client.properties
```

A minimal client.properties:

```properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="your-username" \
  password="your-password";
```

Production Client Configuration
Point your existing clients at the VPC endpoint DNS name and use the private port. No other changes are needed.
| Setting | Value |
|---|---|
| Host / Bootstrap servers | VPC endpoint regional DNS name |
| Port | 1883 (MQTT), 9094 (Kafka) |
| TLS / SSL | Disabled |
| Authentication | Same credentials used for the public endpoint |
Use Cases and Benefits
PrivateLink is useful when you:
- Must keep messaging traffic off the public internet for compliance.
- Connect workloads in a separate AWS account to FlowMQ Cloud.
- Want to enforce access with AWS security groups instead of IP allowlists.
- Want to reduce data-transfer costs by keeping traffic on the AWS backbone.
It gives you private connectivity using standard AWS VPC constructs, without VPNs or code changes.
Troubleshooting
If a client cannot connect through PrivateLink, check the following:
- Endpoint status: In the AWS console, confirm the VPC endpoint status is Available.
- Task status: In the FlowMQ Cloud dashboard, confirm the PrivateLink task shows Succeeded.
- Security groups: Verify the EC2 security group allows outbound traffic to the endpoint security group on the correct port, and the endpoint security group allows inbound from the EC2 source.
- Subnet placement: Confirm the EC2 instance is in a subnet associated with the VPC endpoint.
- Port connectivity: From the EC2 instance, run nc -vz <endpoint-dns> 1883 (MQTT) or nc -vz <endpoint-dns> 9094 (Kafka).
- Region match: The FlowMQ PrivateLink service and the AWS VPC endpoint must be in the same AWS region.
Next Steps
- Review Authentication to configure usernames and passwords for clients connecting over PrivateLink.
- Review Authorization to control which clients can publish or subscribe after they connect.
- See Streaming or Cross-Protocol Routing for examples of messaging patterns you can run over the private endpoint.