Working with Message VPNs

Message Virtual Private Networks (VPNs) are managed objects on Solace routers that allow for the segregation of topic space and clients. Message VPNs also group clients connecting to a network of Solace routers, such that messages published within a particular group are only visible to clients that belong to that group. Each client connection is associated with a single Message VPN.

As shown in the figure below, Message VPNs can be used to effectively separate which clients can receive messages from which publishers. In this example, clients in different Message VPNs are permitted to subscribe to identical topics, and two clients in different Message VPNs are permitted to publish messages to topics that match those client subscriptions. Yet due to Message VPN membership, only the clients that are connected to the same Message VPN as the publisher receive the messages from that publisher.

Note:  Published messages cannot cross Message VPN boundaries, even in the presence of identical subscriptions in each Message VPN. For messages published to one Message VPN to be transferred to another Message VPN, a Message VPN bridge must be explicitly configured between them.

In this example, all the subscriber clients have subscribed to the same topic: “quotes/equities/NA”. However, because the clients are connected to separate Message VPNs, when Publisher 1 publishes a message to topic “quotes/equities/NA”, the message is only delivered to Subscriber 1 and Subscriber 2. Similarly, if Publisher 2 publishes a message to topic “quotes/equities/NA”, the message is only delivered to Subscriber 3 and Subscriber 4.

Message VPN Publishing and Subscribing Example


Each Message VPN can be administratively enabled and disabled through the shutdown Message VPN CONFIG command. When disabled, all client connections belonging to that Message VPN are disconnected and new client connections to it are rejected. Message VPNs are disabled by default (that is, not running) on Solace routers. Each client must identify the Message VPN which the client wishes to connect to. If the client username is not configured within the requested Message VPN, then the client connection is denied.

Connecting to Message VPNs

Each client connection is associated with a single Message VPN. When a client sends its initial login connection request to a Solace router, the client typically includes a Message VPN name parameter in the login request. The router then verifies that the client username has been configured in the requested Message VPN and that the client username is authorized to connect to the requested Message VPN. A global, per-Message VPN, and per‑client statistic is incremented for every denied connection attempt.

Note:  A client connection cannot change its assigned Message VPN once it has been established by the initial login request without disconnecting from the router first.

However, if the client does not provide the name of a Message VPN to connect to, the Message VPN named default (when enabled) is automatically assigned to the client.

Each Solace router has a Message VPN named default. The Message VPN named default cannot be deleted, but it can be configured like any other Message VPN object on the router.
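
The login checks and the Message VPN-scoped delivery described above can be traced in a small model. This is an added example, not Solace code or a Solace API: the ToyRouter class, its method names, the VPN names vpn_a and vpn_b, and the client names are all hypothetical. It assumes that authorization means the username is configured in the requested Message VPN, and it keys the per-client counter by username.

```python
from collections import Counter, defaultdict

class ToyRouter:
    """Toy model of the rules on this page; not Solace code or a Solace API."""

    def __init__(self):
        # Every router has a Message VPN named "default"; VPNs start disabled.
        self.vpns = {"default": {"enabled": False, "users": set()}}
        self.subs = defaultdict(set)   # (vpn, topic) -> connected client names
        self.session_vpn = {}          # client name -> the single VPN it joined
        self.denied = Counter()        # denied-login counters at three scopes

    def add_vpn(self, name, users, enabled=True):
        self.vpns[name] = {"enabled": enabled, "users": set(users)}

    def login(self, client, username, vpn=None):
        vpn = vpn or "default"         # no VPN name in the login -> "default"
        cfg = self.vpns.get(vpn)
        if not cfg or not cfg["enabled"] or username not in cfg["users"]:
            # Count the denial globally, per Message VPN, and per client.
            for scope in ("global", ("vpn", vpn), ("client", username)):
                self.denied[scope] += 1
            return False
        self.session_vpn[client] = vpn
        return True

    def subscribe(self, client, topic):
        self.subs[(self.session_vpn[client], topic)].add(client)

    def publish(self, client, topic):
        # Keyed by the publisher's VPN: same topic elsewhere never matches.
        return sorted(self.subs[(self.session_vpn[client], topic)])

def demo():
    r = ToyRouter()
    r.add_vpn("vpn_a", {"pub1", "sub1", "sub2"})   # constructed sample data
    r.add_vpn("vpn_b", {"pub2", "sub3", "sub4"})
    topic = "quotes/equities/NA"
    for client, vpn in [("pub1", "vpn_a"), ("sub1", "vpn_a"), ("sub2", "vpn_a"),
                        ("pub2", "vpn_b"), ("sub3", "vpn_b"), ("sub4", "vpn_b")]:
        assert r.login(client, client, vpn)
    for s in ("sub1", "sub2", "sub3", "sub4"):
        r.subscribe(s, topic)
    wrong_vpn = r.login("x", "sub1", "vpn_b")   # username not in vpn_b
    no_vpn = r.login("y", "sub1")               # falls back to disabled "default"
    return r.publish("pub1", topic), r.publish("pub2", topic), wrong_vpn, no_vpn, r.denied

if __name__ == "__main__":
    print(demo())
```

The model does not cover Message VPN bridges or the disconnection of existing clients when a Message VPN is shut down.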