After you create a PrivateLink endpoint, you can send and receive messages to and from ApsaraMQ for RabbitMQ resources over a private connection within your specified virtual private cloud (VPC).
Scenarios
You can use a PrivateLink endpoint to access ApsaraMQ for RabbitMQ from a specified VPC in the following scenarios:
- Instance-based products require network link fencing for network access.
- To build cloud networks and cross-region networks using Cloud Enterprise Network (CEN).
- Routing rules cannot be used to access cloud products in a CEN network.
After you create a PrivateLink endpoint, the original VPC endpoint can still be used to access the ApsaraMQ for RabbitMQ service.
Billing
ApsaraMQ for RabbitMQ creates and hosts the PrivateLink endpoint for you. ApsaraMQ for RabbitMQ does not charge for this service. However, the PrivateLink service charges fees for its usage. These fees are billed hourly to the Alibaba Cloud account ID that enabled the service and include instance fees and data transfer fees. For more information, see Billing.
The lifecycle of a PrivateLink endpoint is tied to its associated RabbitMQ instance. You cannot manually delete the endpoint in the PrivateLink console. When the RabbitMQ instance expires or is manually deleted, the ApsaraMQ for RabbitMQ service automatically deletes the PrivateLink endpoint.
Region availability
You can use this feature in the following regions after your account is added to the whitelist: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Shenzhen), China (Guangzhou), China (Chengdu), China (Ulanqab), Singapore, Germany (Frankfurt), US (Silicon Valley), Indonesia (Jakarta), Malaysia (Kuala Lumpur), China (Hong Kong), SAU (Riyadh - Partner Region), Philippines (Manila), and Thailand (Bangkok). For other regions, submit a ticket to request access.
Prerequisites
You have submitted a ticket to add your account to the whitelist for PrivateLink endpoints. In the ticket, you must provide the Alibaba Cloud account ID that was used to purchase the instance and the instance region.
Procedure
- Log on to the ApsaraMQ for RabbitMQ console. In the left-side navigation pane, click Instances.
- In the top navigation bar of the Instances page, select the region where the instance that you want to manage resides. Then, in the instance list, click the name of the instance that you want to manage.
- On the Instances page, click the Endpoint Information tab. In the Terminal Endpoint section, find the Endpoint column and click Activate.
  Note: The Private Endpoint section is visible only after your account is added to the whitelist.
- In the Create PrivateLink Endpoint panel, perform the following steps.
  - Read the description at the top of the panel.
  - Create a service-linked role. For more information, see Service-linked Role.
  - Enable the PrivateLink service.
  - Configure the following parameters. Then, click OK.
    Important: After a PrivateLink endpoint is created, it cannot be modified or deleted. Ensure that you enter the correct information.
Parameters (parameter, description, example):

- VPC ID
  Description: Select a VPC ID. The VPC must be in the Available state.
  Example: vpc-degu45gufksifgiuf****
- VSwitch ID
  Description: Select vSwitch IDs. To ensure high availability, select vSwitches in at least two zones.
  Note:
  - When you select zones, make sure that Network Load Balancer (NLB) instances can be created in the selected zones. You can query the supported zones or check the supported zones in the NLB console.
  - The vSwitches must be in the Available state and have more than 20 available IP addresses.
  Example: vsw-bewhf9uiagudie**** and vsw-feuo8evyidochhe****
- Security Group
  Description: Select a security group. The security group must meet the following requirements:
  - An inbound rule is added to allow access over TCP on port 5672 or 5671.
  - Managed security groups are not supported.
  Example: sg-uoefguo8fvyeif****
After the instance is created, you can view the endpoint details on the Endpoint Information tab of the Instance Details page.
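As an added pre-flight check (not Alibaba Cloud's code) for the vSwitch and security group requirements listed above, the following script validates constructed resource descriptions against those rules before you open the Create PrivateLink Endpoint panel. The response field names are assumed from the VPC DescribeVSwitches and ECS DescribeSecurityGroupAttribute APIs and may need adjusting to your SDK's output.

```python
"""Pre-flight check for the PrivateLink endpoint parameters (added example,
not Alibaba Cloud's code). Input dicts are constructed to mimic VPC/ECS
describe responses; the field names are an assumption."""
from typing import Dict, List

MIN_FREE_IPS = 20            # panel requires more than 20 available IPs per vSwitch
MIN_ZONES = 2                # vSwitches in at least two zones for high availability
AMQP_PORTS = {5672, 5671}    # plain AMQP and AMQP over TLS

def check_vswitches(vswitches: List[Dict]) -> List[str]:
    """Return a list of problems; an empty list means the vSwitches qualify."""
    problems = []
    for vsw in vswitches:
        if vsw["Status"] != "Available":
            problems.append(f'{vsw["VSwitchId"]}: status is {vsw["Status"]}')
        if vsw["AvailableIpAddressCount"] <= MIN_FREE_IPS:
            problems.append(f'{vsw["VSwitchId"]}: only {vsw["AvailableIpAddressCount"]} free IPs')
    zones = {vsw["ZoneId"] for vsw in vswitches}
    if len(zones) < MIN_ZONES:
        problems.append(f"vSwitches span {len(zones)} zone(s), need {MIN_ZONES}")
    return problems

def _rule_covers_amqp(rule: Dict) -> bool:
    """Inbound Accept rule whose TCP port range includes 5672 or 5671."""
    proto = rule["IpProtocol"].upper()
    if proto == "ALL":                       # PortRange is "-1/-1" for ALL
        lo, hi = 1, 65535
    else:
        lo, hi = (int(p) for p in rule["PortRange"].split("/"))
    return (rule["Direction"] == "ingress" and rule["Policy"] == "Accept"
            and proto in ("TCP", "ALL") and any(lo <= p <= hi for p in AMQP_PORTS))

def check_security_group(group: Dict) -> List[str]:
    """Return problems for the security group; empty list means it qualifies."""
    problems = []
    if group.get("ServiceManaged"):          # managed groups are rejected by the panel
        problems.append("managed security groups are not supported")
    if not any(_rule_covers_amqp(r) for r in group["Permissions"]):
        problems.append("no inbound TCP rule for port 5672 or 5671")
    return problems

# Constructed sample input: two vSwitches in the same zone, one nearly full.
SAMPLE_VSWITCHES = [
    {"VSwitchId": "vsw-bewhf9uiagudie****", "ZoneId": "cn-hangzhou-h",
     "Status": "Available", "AvailableIpAddressCount": 250},
    {"VSwitchId": "vsw-feuo8evyidochhe****", "ZoneId": "cn-hangzhou-h",
     "Status": "Available", "AvailableIpAddressCount": 12},
]
SAMPLE_SG = {"SecurityGroupId": "sg-uoefguo8fvyeif****", "ServiceManaged": False,
             "Permissions": [{"Direction": "ingress", "Policy": "Accept",
                              "IpProtocol": "TCP", "PortRange": "5671/5671"}]}
```

Running the checks on the sample input flags the second vSwitch (12 free IPs) and the single-zone layout, while the security group passes.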
After you obtain the PrivateLink endpoint, configure it in your software development kit (SDK) code to send and receive messages over the private connection. For more information, see Step 3: Use an SDK to send and receive messages.
Service-linked Role
- The first time you use a PrivateLink endpoint, you must create the service-linked role AliyunServiceRoleForAmqpNetwork. Before you create the role, you must grant the required permissions to your account. You can attach the AliyunAMQPFullAccess system policy. If you use a custom policy, grant the following permissions. In the policy, replace ${accountid} with your Alibaba Cloud account ID.

```json
{
  "Statement": [
    {
      "Action": ["ram:CreateServiceLinkedRole"],
      "Resource": "acs:ram:*:${accountid}:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": ["network.amqp.aliyuncs.com"]
        }
      }
    }
  ],
  "Version": "1"
}
```

- Policy name: AliyunServiceRolePolicyForAmqpNetwork
- Permission description: Allows ApsaraMQ for RabbitMQ to use this role to access your PrivateLink service and perform VPC-related operations.
- For more information, see Service-linked roles.
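The custom policy above, as an added example that is not Alibaba Cloud's code: render it with a constructed account ID, then check that a policy document grants ram:CreateServiceLinkedRole on this account's roles and is scoped by ram:ServiceName to network.amqp.aliyuncs.com rather than allowing service-linked role creation for any service. The function names are this example's own.

```python
"""Least-privilege check for the service-linked role policy (added example,
not Alibaba Cloud's code). The template is the policy from this page."""
import json
from string import Template

SLR_SERVICE = "network.amqp.aliyuncs.com"
REQUIRED_ACTION = "ram:CreateServiceLinkedRole"

POLICY_TEMPLATE = Template("""{
  "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:${accountid}:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": ["network.amqp.aliyuncs.com"]}}
  }],
  "Version": "1"
}""")

def render_policy(account_id: str) -> str:
    """Substitute ${accountid} exactly as the page instructs."""
    return POLICY_TEMPLATE.substitute(accountid=account_id)

def _as_list(value):
    # RAM accepts a bare string or a list for Action, Resource and condition values
    return value if isinstance(value, list) else [value]

def check_slr_policy(policy_json: str, account_id: str) -> str:
    """'ok'       : an Allow statement grants the action on this account's roles
                    and is conditioned on ram:ServiceName == network.amqp.aliyuncs.com
       'unscoped' : such a statement exists but has no ram:ServiceName condition,
                    so it also allows service-linked roles for other services
       'missing'  : nothing grants the required action for this account"""
    doc = json.loads(policy_json)
    result = "missing"
    role_prefix = f"acs:ram:*:{account_id}:role/"
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in (REQUIRED_ACTION, "ram:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(r == "*" or r.startswith(role_prefix) for r in _as_list(stmt.get("Resource", []))):
            continue
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if names is None:
            result = "unscoped"        # grant works, but is wider than the role needs
        elif SLR_SERVICE in _as_list(names):
            return "ok"
    return result
```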
References
For more information about PrivateLink, see What is PrivateLink?.