Skip to main content
All components of the AutoMQ Cloud BYOC environment are deployed within your AWS account to ensure data privacy and security. Before installing AutoMQ, you need to prepare various AWS resources in advance. This article describes how to prepare the necessary cloud resources for AutoMQ on the AWS public cloud.
In this document, “AutoMQ,” “AutoMQ service provider,” and “the AutoMQ service” all refer to AutoMQ HK Limited and its affiliates.

Prepare VPC

You can choose to use an existing VPC when installing AutoMQ, or create a new one for it. For production environments, we recommend checking and adjusting your existing VPC configuration to meet AutoMQ’s requirements. For POC testing, creating a new VPC is a quicker option.

VPC Requirements

To deploy AutoMQ BYOC environment on AWS, your VPC must meet the following conditions:
ResourceRequirement Description
Control Plane Subnet1. Used to deploy the AutoMQ BYOC environment console, which needs to connect to the public network via NAT or other methods.
Data Plane Subnet1 or 3. Used to deploy the AutoMQ data plane cluster. The number of subnets depends on whether you choose a single-AZ or three-AZ deployment model.
S3 Gateway Endpoint1. Ensures AutoMQ components access S3 via the AWS internal network, avoiding public network traffic costs. The endpoint’s route table must cover all private subnets.
EC2 Interface Endpoint1. Ensures AutoMQ components can call EC2 and Auto Scaling APIs via the AWS internal network.
DNS ConfigurationEnabled. The VPC must have DNS hostnames and DNS resolution enabled, as AutoMQ relies on Route 53 for DNS resolution within the VPC.
NAT Gateway1. If you plan to deploy the AutoMQ data plane cluster on EKS, you must configure a NAT gateway and the correct public outbound routes for the private subnets where the EKS worker nodes are located.
Note: If the NAT gateway is not configured correctly, the AutoMQ cluster installation on EKS will fail.

Scenario 1: Create a New VPC

If you need to create a new VPC for AutoMQ, we recommend using the VPC and more feature in the AWS VPC console.
  1. Log in to the AWS VPC console.
  2. In the left navigation pane, choose Your VPCs, then click Create VPC.
  3. In VPC settings, select VPC and more.
  4. In the Name tag auto-generation section, set a clear name for your VPC.
  5. Configure the IPv4 CIDR block, Number of Availability Zones, Number of public subnets, and Number of private subnets.
  6. Depending on your deployment needs, choose whether to create NAT gateway(s) and VPC endpoints.
    • NAT Gateway: If you plan to deploy on EKS, select at least 1 per AZ.
    • VPC Endpoints: Select S3 Gateway, which will automatically create a gateway-type S3 endpoint.
  7. Ensure that both Enable DNS hostnames and Enable DNS resolution under DNS options are checked.
  8. Click Create VPC.
After the VPC is created, you also need to manually create an EC2 interface endpoint for it.
  1. In the AWS VPC console, choose Endpoints from the left navigation pane.
  2. Click Create endpoint.
  3. Name tag: Name the endpoint.
  4. Service category: Select AWS services.
  5. Services: Search for and select the com.amazonaws.<region>.ec2 interface service.
  6. VPC: Select the VPC you just created.
  7. Subnets: Select all the private subnets intended for AutoMQ deployment.
  8. Security groups: Select or create a security group and add an inbound rule to allow HTTPS (443) traffic from your VPC’s CIDR.
  9. Click Create endpoint.

Scenario 2: Configure an Existing VPC

If you are deploying AutoMQ in an existing VPC, please verify that the following configurations meet the requirements.

1. Check DNS Configuration

  1. In the AWS VPC console, choose Your VPCs from the left navigation pane.
  2. Select your target VPC and view the Details tab.
  3. Confirm that the values for DNS hostnames and DNS resolution are both Enabled. If not, click Actions -> Edit VPC settings to modify them.

2. Check S3 Endpoint

  1. In the AWS VPC console, choose Endpoints from the left navigation pane.
  2. Search for and check if there is an S3 endpoint of type Gateway (service name com.amazonaws.<region>.s3) associated with your VPC.
  3. If it doesn’t exist, click Create endpoint to create one.
    • When creating it, ensure its route table (Route tables) is associated with all private subnets that will be used for deploying AutoMQ.

3. Check EC2 Endpoint

  1. On the Endpoints page, continue to search for and check if there is an EC2 endpoint of type Interface (service name com.amazonaws.<region>.ec2) associated with your VPC.
  2. If it doesn’t exist, click Create endpoint to create one.
    • Subnets: Ensure you select all private subnets that will be used for deploying AutoMQ.
    • Security groups: Select or create a security group and add an inbound rule to allow HTTPS (443) traffic from your VPC’s CIDR.

Prepare Private DNS (Optional)

The AutoMQ cluster exposes service addresses to applications through Private DNS, which relies on private domain name resolution within the VPC. Therefore, a Private DNS must be configured to provide reliable domain name resolution services. You can choose to have the AutoMQ console create the Private DNS Zone automatically or prepare it yourself by following the tutorial below.

Private DNS Zone Requirements

When configuring Private DNS, the following two key conditions must be met:
Condition
Description
Importance
Associated VPC
The Private DNS must be associated with the VPC where AutoMQ is deployed.Required
Domain Name and TLS Consistency
If you need to use the TLS feature later, the domain name of the Private DNS must be consistent with the domain name in the TLS certificate.As needed

Private DNS Configuration Steps

Step 1: Check Existing Private DNS

  1. Log in to the AWS console and visit the Route53 console.
  2. In the left navigation bar, select Hosted zones.
  3. Check if a Private DNS associated with the target VPC already exists.

Step 2: Create or Configure Private DNS

If a Private DNS already exists:
  1. Select the target Private DNS and click Details.
  2. Confirm that the Type is Private hosted zone.
  3. Check the VPCs section to ensure it includes the VPC where AutoMQ is deployed.
  4. Record the domain name information for subsequent TLS feature configuration.
If you need to create a new Private DNS:
  1. Click Create hosted zone.
  2. Configure the basic information:
    • Domain name: Enter a private domain name (e.g., internal.example.com).
    • Type: Select Private hosted zone.
    • VPC: Select the VPC where AutoMQ is deployed and the corresponding region.
  3. Click Create hosted zone.

Step 3: Verify the Configuration

  1. On the Private DNS details page, confirm the VPC association status.
  2. Check if the domain name configuration meets the planning requirements for the TLS feature.
  3. Record the ID and domain name of the Private DNS, which will be provided to the AutoMQ components during subsequent installation.

Prepare Cluster Security Group (Optional)

During the cluster deployment process, you can opt to use a pre-configured security group for precise network access control. If you choose this method, you must create a security group in advance and configure its inbound rules according to the table below. If you prefer to simplify network configuration, you can choose to have AutoMQ automatically create a new security group with all the necessary rules during cluster creation, in which case you can skip this section.
PortPurposeRequired Access SourceEnablement Condition
9093Exposes the PLAINTEXT protocol for internal communication among Controller nodes.
  • Internal cluster components
Enabled by default
9103Exposes the SASL_PLAINTEXT protocol for internal communication among Controller nodes.
  • Internal cluster components
Enabled by default
9092Exposes the Kafka service to clients via the PLAINTEXT protocol.
  • Console
  • Internal cluster components
  • Applications
Enabled by default
9102Exposes the Kafka service to clients via the SASL_PLAINTEXT protocol.
  • Console
  • Internal cluster components
  • Applications
Enabled by default
9112Exposes the Kafka service to clients via the SASL_SSL protocol.
  • Console
  • Internal cluster components
  • Applications
Optional
9122Exposes the Kafka service to clients via the SSL protocol.
  • Console
  • Internal cluster components
  • Applications
Optional
9090Provides an endpoint for Prometheus Metrics Exporter to read metrics.
  • Console
  • Applications (Optional)
Enabled by default
22Default SSH port for cluster nodes, exposed to the console node for emergency troubleshooting.
  • Console
Enabled by default
8081Service port for the managed Schema Registry.
  • Internal cluster components
  • Applications
Optional, required only when TableTopic is enabled.

Prepare FSx File System Security Group (Optional)

If you plan to use AutoMQ in an AWS environment and leverage FSx for NetApp ONTAP as the storage backend for the WAL (Write-Ahead Log), you need to configure a dedicated security group for the FSx file system. This section details the required inbound rules for that security group. If you prefer AutoMQ to automatically create and configure this security group during deployment, you can skip this section.
PortAccess SourcePurposeEnablement Condition
443
  • Console
  • Internal cluster components
Allows the AutoMQ cluster and console to call the FSx for ONTAP management API.Enabled by default
22
  • Internal cluster components
Allows nodes within the AutoMQ cluster to access the FSx service.Enabled by default
111
  • Internal cluster components
Allows nodes within the AutoMQ cluster to access the FSx service.Enabled by default
635
  • Internal cluster components
Allows nodes within the AutoMQ cluster to access the FSx service.Enabled by default
2049
  • Internal cluster components
Allows nodes within the AutoMQ cluster to access the FSx service.Enabled by default
4045
  • Internal cluster components
Allows nodes within the AutoMQ cluster to access the FSx service.Enabled by default
4046
  • Internal cluster components
Allows nodes within the AutoMQ cluster to access the FSx service.Enabled by default