This topic helps you diagnose and resolve connection failures for ApsaraMQ for RabbitMQ. Follow each step in order. Most connection issues are resolved in the first two steps.
Step 1: Verify your credentials
ApsaraMQ for RabbitMQ supports two authentication models. The credentials you need depend on which model your instance uses.
Open source authentication
Create a custom username and password for your instance. For details, see Create a username and password.
RAM authentication
Generate a username and password from an Alibaba Cloud AccessKey pair. For details, see Create a static username and password.
Do not use an AccessKey pair directly as the username and password to connect to ApsaraMQ for RabbitMQ. You must first generate credentials from the AccessKey pair.
Step 2: Check permissions
A connection fails if the connecting user lacks the required permissions. The permissions to check depend on your authentication model.
Verify open source user permissions
Confirm that the custom user has the required permissions on the target resources. For details, see Permission management.
Verify RAM user permissions
Confirm that the RAM user who owns the AccessKey pair has the required permissions.
Basic permissions -- Grant overall AMQP service permissions, such as operation and read-only permissions. See Step 1: (Optional) Grant permissions to a RAM user.
Fine-grained policies -- Restrict operations to specific resources, such as a particular vhost. See Custom policies for ApsaraMQ for RabbitMQ. You can combine multiple policies for more precise access control.
Step 3: Verify the endpoint
Select the correct endpoint type based on your client's network:
| Network | Endpoint type |
|---|---|
| Alibaba Cloud internal network | VPC endpoint |
| External network (such as a local development environment) | Public endpoint |
After you select the correct endpoint, test network connectivity from your client environment:
Test DNS resolution and basic reachability:
ping <endpoint>Test whether the AMQP port is open:
telnet <endpoint> 5672If the connection succeeds, you see output similar to:
Trying <IP>... Connected to <endpoint>. Escape character is '^]'.If the connection is refused or times out, check your network configuration, security group rules, and firewall settings.
Step 4: Check server-side logs
If the endpoint is reachable but connections still fail, check whether requests are reaching the server.
Activate Simple Log Service for your ApsaraMQ for RabbitMQ instance. For details, see Log Management.
After activation, review the logs for connection-related entries. For example, if you connect frequently from a test environment but no corresponding logs appear, the connection requests are not reaching the server.
Logs present -- The request reached the server. Proceed to Step 5 to troubleshoot by error code.
No logs recorded -- The request did not reach the server. Re-examine your client logic and network path.
Step 5: Troubleshoot by error code
If server-side logs confirm that requests reached the server, check the return code in the log to identify the root cause. For a complete list, see Error codes.
| Return code | Error message | Cause | Action |
|---|---|---|---|
| 403 | AccessDeniedByRamPolicy | RAM authorization failure | Check the RAM permissions granted to the user. See Step 2. |
| 311 | MessageBodyLengthExceeded | Message body exceeds the size limit | Reduce the message body size or check the limit for your instance specifications. |
| 404 | ExchangeNotExist or QueueNotExist | The specified exchange or queue does not exist | Check the resource name in the log. Verify that the resource exists in the console, or create it. |
| 530 | denied for too many requests, ExchangeNumExceeded, QueueNumExceeded, or VhostNumExceeded | Throttling or quota limit reached | Upgrade the instance specifications or optimize your usage to stay within limits. |
| 541 | InternalError | Internal error on the broker, usually returned during server upgrades | Check service announcements. If your business is affected, submit a ticket to contact Alibaba Cloud technical support. |
Before you connect
Before establishing a connection, confirm that:
Your ApsaraMQ for RabbitMQ instance is running.
Required resources (such as vhosts) are created in the console.
Your credentials are generated correctly for your authentication model.
The correct endpoint (VPC or public) is specified in your client configuration.