Working with Message VPN Bridges

Message Virtual Private Network (VPN) bridges can be used to link two Message VPNs so that messages published to one Message VPN that match the topic subscriptions set for the bridge are also delivered to the linked Message VPN.

A Message VPN bridge allows for the delivery of Direct messages that match an explicit set of topic subscriptions from a remote Message VPN to a local Message VPN. Guaranteed messages can also be delivered over Message VPN bridges when additional parameters are configured for the remote Message VPN (for more information, refer to Avoiding Loss of Guaranteed Messages with VPN Bridges).

The possible scenarios in which Message VPN bridges can be used include:

  • Link two Message VPNs with different names to enable Direct or Guaranteed messages published to one Message VPN to also be delivered to the other Message VPN. The linked Message VPNs can be either on the same router or on two separate routers.
  • Link two Message VPNs with the same names on two separate routers to enable Guaranteed messages published to one Message VPN to also be delivered to the other Message VPN.
  • Link two Message VPNs with the same names on two separate routers to enable Direct messages published to one Message VPN can also be delivered to the other Message VPN.
  • Note:  That this scenario operates differently than multi-node routing, in that Message VPN bridges only transfer those Direct messages that match the topic subscriptions explicitly set on the Message VPN bridge. In addition, Message VPN bridges do not exchange the complete set of topic subscriptions used by the routers and their topology.

A bridge can be uni-directional (messages pass over the bridge in only one direction) or bi-directional (messages pass over the bridge in both directions). The messages that pass in either direction may be different, depending on the remote topic subscriptions that are assigned to the bridge for each local Message VPN.

Controlling Access to Messages

Solace Messaging Platform networks may use Message VPN bridges to control whether messages may pass from one Message VPN to another. As shown in below, when a Message VPN bridge is used to link two Message VPNs, the topic subscriptions assigned to the bridge (or the bridge queue for Guaranteed messages) determines which messages may be delivered from a remote Message VPN to the local Message VPN it is linked to.

Typical Message VPN Bridge Configurations for Controlled Access

Typical Message VPN Bridge Configurations for Controlled Access

The next figure shows a deployment where there are clients across three different Message VPNs and two routers not participating in multiple-node routing that all have subscriptions for the same topic–“quotes/equities/NA”.

Message VPN Bridge Example

Message VPN Bridge Example

The same message is also sent from Message VPN green on router R2 across Message VPN bridge B to Message VPN red to fulfill the topic subscription quotes/>. Note that Message VPN bridge B is a bi-directional bridge, so that messages published to Message VPN red could also be delivered to Message VPN green on router R2 if they match the news/> subscription set for that end of the bridge.

Internetworking

As shown in the figure below, a Message VPN bridge can also be used to link two networks together. In this use case, an entire remote network (rather than just a single remote client) can join to another network to form an extended intranet.

This configuration is useful for companies with offices and private networks located in different physical locations that need to carefully control the message flow over expensive WAN links between sites. For this scenario, each location uses multiple-node routing for fully‑distributed Message VPN connectivity for Direct messages, and Message VPN bridging is used to transfer messages for specific topics over a LAN or MAN.

Bridging Message VPNs for Internetworking

Bridging Message VPNs for Internetworking

As shown in the figure below, a group of routers can be configured as neighbors for multiple-node routing to efficiently route traffic through a network. Edge routers in that in group can then be linked by Message VPN bridges so that messages in the network that match select topics can be delivered to clients connected to routers outside of those groups of neighbors.

In this type of Message VPN bridge application:

  • publishers are typically in the core network with subscribers on the edge of the network
  • Message VPN bridges subscribe to a small subset of the topics in Message VPN blue in the core

Message VPN Bridges with Multi-Node Routing in the Core

Message VPN Bridges with Multi-Node Routing in the Core

Establishing VPN Bridges

To establish a Message VPN bridge, you must create it in a local Message VPN. An internal client is then automatically created for the bridge. This client allows a connection to be established to a remote Message VPN. A Message VPN bridge connection looks like a client connection to the remote router, and its login attempt to the remote router is authenticated in the same manner as other client connections. Through this client, control and data messages are sent between the local and remote Message VPNs.

Once a Message VPN bridge is created, the following parameters must be configured for the bridge before it can be enabled and messages can begin to be transferred:

  • remote Message VPN and router—This is the remote Message VPN and router to receive messages from. The router is specified either by its name or “connect-via” address expressed as an IP address or DNS name. Multiple remote Message VPNs can also be specified in order of preference. These redundant remote Message VPNs provides some protection if the first remote Message VPN the bridge connects to becomes unavailable.
  • Note:  If you want to establish a bridge link to a remote Message VPN that is also on the local router, use an IP address of 127.0.0.1 and do not specify a physical interface. This configuration will establish a loopback Message VPN bridge.

  • remote Message VPN authentication scheme—the authentication scheme that the bridge uses to authenticate with the remote Message VPN. An authentication scheme is required for each remote Message VPN that is configured for the bridge.
    • basic authentication client username—the username used to authenticate with the remote Message VPN, if basic authentication is configured. An optional password can also be specified.
    • client certificate authentication certificate file—the certificate file used to authenticate with the remote Message VPN, if client certificate authentication is configured. If no certificate file is specified, the bridge will present the router’s server certificate for authentication.
  • Note:  By default, remote Message VPN bridge connections are not available to clients—permission must first be configured in the client profile that is assigned to the client username. Permission to create bridge connections can be enabled through the clientsʼ assigned client profile (refer to Allowing Bridge Connections).

  • remote subscription topic—If you want to transfer Direct messages over the Message VPN bridge, configure one or more topic subscriptions for the bridge that will attract Direct messages published to the remote Message VPN. Topics are added to the top level of the bridge and apply across all hosts. The set of topics may be changed while the bridge is enabled.
  • remote message spool queue—If you want to transfer Guaranteed messages over the Message VPN bridge, use this parameter to specify an existing durable queue (with an exclusive access type) on the remote Message VPN to which a consumer flow will connect. Topic subscriptions must be added to the queue to attract messages published to specific topics of interest.

The following parameters can also be configured (if they are not modified, the default values will be used):

  • remote deliver-to-one priority—The deliver-to-one priority given to the subscriptions that are assigned to the bridge. By default, the highest priority is used.
  • remote Message VPN SSL—Sets whether to use TLS/SSL encryption for the remote Message VPN bridge link. This can be configured for each remote Message VPN that is configured for the bridge. If TLS/SSL encryption is used, the port on the router used by the remote Message VPN must also be a TLS/SSL port (port 55443 is the default TLS/SSL port). For information on using TLS/SSL with Message VPN bridges, refer to Managing TLS/SSL Service.
  • remote Message VPN compressed data—Sets whether to use data compression for the remote Message VPN bridge link. This can be configured for each remote Message VPN that is configured for the bridge. If data compression is used, the port on the router used by the remote Message VPN must also be a compression port (port 55003 is the default compression port).
  • remote Message VPN connect order—Configures the order in which the bridge attempts to connect to configured redundant remote Message VPN hosts. This is configured per host (that is, for each remote Message VPN that is configured for the bridge).
  • SSL parameters—Sets the cipher suites to be used for TLS/SSL encryption as well as the list of trusted common names used to verify the identity of remote server certificates. For information on using TLS/SSL encryption with Message VPN bridges, refer to Managing TLS/SSL Service.
  • remote Message VPN message spool window size—Sets the requested transport window size for the consumer Flow that is bound to the remote queue. This determines how many outstanding Guaranteed messages can be delivered from the remote queue over the Message VPN connection before an acknowledgment must be received by the remote queue. Modifying the window size can be helpful for bridges that go across high-latency links.

VPN Bridging and Fault Tolerance

For details on how to establish Message VPN bridge connections to remote routers when those remote routers have been deployed in high-availability (HA) redundant router pairs for fault tolerance, refer to Bridging With Appliances Using Active/Standby Redundancy.

Guaranteed Messaging Over VPN Bridges

To use a Message VPN bridge to transfer Guaranteed messages from a remote Message VPN to a local Message VPN, there must first be:

  • a durable queue provisioned on the remote Message VPN
  • a durable topic subscription added to that durable queue so that messages with a topic match can be spooled to the queue

Then, when you create the bridge on the local Message VPN, you must specify the following:

  • the remote Message VPN to connect the bridge to
  • the provisioned queue on that remote Message VPN

When the bridge is established, a consumer flow is bound to the queue. Then messages published to the remote Message VPN with matching topics can be transported over the bridge to the consuming router using the bound flow.

For clients to receive these messages, topic subscriptions must be added to the local Message VPN:

  • For the Guaranteed messages received from the bridge to remain as Guaranteed messages (that is, retain their non-persistent or persistent delivery modes), a durable queue that has been assigned a matching topic subscription is required. In this case, the received messages are persisted because they are saved to the message spool.
  • If the Guaranteed messages received from the bridge only match client topic subscriptions on the local Message VPN, the messages are converted to Direct messages and are not persisted.
  • If there are no matching subscriptions on the local Message VPN, the router discards the messages.

In the example shown in the figure below, the Message VPN bridge on Router 1 is configured to establish a Guaranteed message flow to the durable queue named BlueQueue. That queue is configured through the CLI or SolAdmin on Router 2, along with a list of topics which are to be mapped to BlueQueue (in this example ibm/price/> and apple/price/>). Any messages published to these topics are written to BlueQueue, and then transported through the Guaranteed message flow over the bridge to Router 1. Upon reaching Router 1, the messages are delivered to all queues and topic endpoints with matching subscriptions.

Message VPN Bridge Configuration for Guaranteed Messaging

Message VPN Bridge Configuration for Guaranteed Messaging

If multiple consumer flows are going to be established to a remote Message VPN, then a separate durable message queue should be created in the Message VPN for each of the inbound bridges that want to receive Guaranteed messages.

Avoiding Loss of Guaranteed Messages with VPN Bridges

When properly configured, Guaranteed messages will not be lost when sent over a Message VPN bridge. The normal operational behavior is as follows:

  • Guaranteed messages do not unspool from the remote Message VPN of a Message VPN bridge unless they can be spooled by all matching endpoints on the local Message VPN. When a Guaranteed message cannot be successfully spooled to all endpoints with matching subscriptions on the local Message VPN, the router periodically retransmits the message across the Message VPN bridge. Once the Guaranteed message is successfully spooled to all matching endpoints on the local Message VPN, then it is unspooled from the remote Message VPN.
  • If a Guaranteed message is rejected by the local Message VPN when it is retransmitted across the bridge, no other Guaranteed messages can traverse the bridge. This can cause the bridge queue on the remote Message VPN to fill up. If the bridge queue reaches its quota, it will reject Guaranteed messages just published to the remote Message VPN. Direct messages, however, including those that are promoted on the local Message VPN, continue to traverse the bridge while in this state.
  • Once the condition that prevents the Guaranteed messages to be spooled by the endpoints on the local Message VPN is cleared, Guaranteed messages begin to traverse the Message VPN bridge again. Once the bridge queue has dropped below quota, it starts accepting newly published Guaranteed messages again.

The correct configuration for this behavior requires the reject‑msg‑to‑sender‑on‑discard option to be enabled on the durable endpoints and for a matching durable subscription to be configured on the local Message VPN. By default, the reject-msg-to-sender-on-discard option is enabled on queues but is disabled on topic endpoints.

Although the reject-msg-to-sender-on-discard option only needs to be enabled on one matching endpoint in the local Message VPN to get the desired behavior, it is recommended that it be enabled on all endpoints in the local Message VPN. For more information on this feature, refer to Message VPN-Level Guaranteed Messaging Configuration.

The local Message VPN must also have a matching durable subscription for the Guaranteed message. If there are no endpoints with matching subscriptions, then the message is discarded as “No Eligible Destination” on the local Message VPN and the message is unspooled from the bridge queue on the remote Message VPN. This prevents the bridge consumer flow from being blocked by messages that have no destination on the local Message VPN.

Note:  If the Guaranteed messages received from the bridge match client topic subscriptions on the local Message VPN, the messages are converted to Direct messages and are not persisted.

Uni-Directional Versus Bi-Directional VPN Bridges

Subscriptions must be statically configured on a Message VPN bridge to attract Direct messages from a remote Message VPN. The figure below shows a uni‑directional bridge that has been configured on Router 1 so that messages from that remote Message VPN with matching topics can be transferred over the bridge from Router 2 to Router 1 using a single TCP connection.

Uni-Directional Message VPN Bridge

Uni-Directional Message VPN Bridge

It is possible to extend the configuration shown above to create a bi-directional bridge between the two Message VPNs. A bi-directional bridge essentially creates a bridge link in the opposite direction of an existing uni-directional bridge; where the local Message VPN of the uni-directional bridge is the remote Message VPN that the new bridge links to, and the remote Message VPN that the uni-directional bridge links to is the local Message VPN of the new bridge link.

As shown in the figure below, by adding a bridge configuration on Router 2 from Message VPN yellow to Message VPN blue on Router 1, a bi-directional bridge is established, and a single TCP connection is used to transport all messages between the two Message VPNs.

The No Local Delivery property is automatically enabled for Message VPN bridges to prevent forwarding loops. This means that messages transferred across a Message VPN bridge to a remote Message VPN cannot then be sent back to the local Message VPN they originally came from to fulfill matching topic subscriptions again.

Bi-Directional Message VPN Bridge

Bi-Directional Message VPN Bridge

Establishing Bi-Directional Bridge Links

Two uni-directional bridges cannot be established between the same two Message VPNs—a bi-directional bridge must be used. Therefore, before a local router attempts to establish a bridge to a remote router, it inspects the existing incoming bridges to see if there is a compatible bridge already established from the remote router that can be used. To be compatible, an existing bridge from the remote router must pass the following tests:

  • the remote router name from the peer router must match the local router name
  • the router name of the peer must match the specified remote router name
  • the remote Message VPN of the peer must match the local Message VPN
  • the Message VPN of the peer must match the specified remote Message VPN
  • if TLS/SSL encryption is to be used, then TLS/SSL must be configured on both bridges (that is, an TLS/SSL bridge is not compatible with a non-TLS/SSL bridge)

If there is a compatible incoming bridge, then no new Message VPN bridge connection is required and an existing uni‑directional Message VPN bridge is transformed into a bi-directional Message VPN bridge. The login is performed with the existing connection.