Creating Event Broker Services

You can create event broker services in Cluster Manager. To create a service, your user account must be assigned the Cluster & Mesh Manager Editor or Administrator role. When you create an event broker service, you choose the service class and the broker version. We recommend, when possible, that you use the most recent broker version available to you to ensure that you have the latest security updates and most modern features. You can't change the service class or the event broker version after you've created the service, but you can upscale the service class at a later time. For more information, see Upscaling an Event Broker Service.

The number of services that you can create in your account is based on your service limits. If you require more services or have reached your service limits, see Increasing Your Capacity or Number of Event Broker Services.

The configuration options for your event broker service differ based on these factors:

  • whether you use a Developer or Enterprise service
  • whether standalone event broker services have been added to your service limits
  • the broker version you select
  • the create service options permitted in your account in PubSub+ Cloud

When you create your event broker service, you may need to evaluate in-depth considerations that affect settings such as connectivity and security. For more information, see Considerations When Creating Event Broker Services.

If you don't require an in-depth understanding or just want to learn the basics of creating an event broker service, see the Creating Your First Event Broker Service tutorial.

Perform these steps to create an event broker service:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
  2. Select Cluster Manager on the navigation bar.
  3. On the Services page, click Create Service at the top right corner of the page, or click the Create Service card.
  4. In the Service Name field, enter a unique name to identify the event broker service in the console. The name can be up to 32 characters in length, and may include alphanumeric characters, dashes, or underscores.
  5. For Service Type, select Enterprise or Developer.

    If you selected Enterprise, choose the number of Connections you require. For Developer services, only 100 connections are available.

    The number of connections determines the service class chosen. For more information about service classes, see Service Class Options for Event Broker Services.

    • Larger numbers of connections require a higher class of service.
    • Message storage grows with the number of connections: the more connections you select, the larger the message storage. The message storage is the amount of persistent storage, in gigabytes (GB), that you require for Guaranteed Messaging and other features. Larger message storage requires a higher class of service.
      • Alternatively, depending on the settings in your account, you may be able to enter a number in the Message Storage (GB) box, or change your message spool storage size after an event broker service is created. For more information, see Configuring Message Spool Sizes.
  6. If you selected an Enterprise service, select whether the service is a High Availability (HA) Group or a Standalone service (if available). The Standalone option is available when you have at least one standalone service added as part of your Service Limits. For more information about standalone services, see Standalone Broker Service Considerations and High Availability in PubSub+ Cloud.
  7. In the Cloud drop-down list, perform one of the following actions:
    • Select one of the following to use a Public Region.

      • Amazon Web Services
      • Google Cloud
      • Microsoft Azure

      If possible, do not use the Amazon Web Services VM-based architecture (Deprecated) or Microsoft Azure Cloud VM-based architecture (Deprecated) options to create your event broker services.

    • Select Private Cloud only if you are using a Customer-Controlled Region or Dedicated Region. This region can have one or more data centers. The event broker service is created in the selected data center.

    After you choose the cloud to use, you choose a region. For more information about choosing a cloud provider, see Choosing the Right Cloud Provider When Creating an Event Broker Service.

  8. In Region, click the map and choose the region (or location) to use, and then click OK. For more information, see Choosing the Right Cloud Region When Creating an Event Broker Service.

    If you don't see a region that you require, click Request a Region to contact Solace.

  9. (Optional) In the Broker Version drop-down list, select a version. The default is the most recent broker version that PubSub+ Cloud supports. For more information, see Selecting the Broker Version.

  10. (Optional) Expand Advanced Connection Options to configure any of the following settings:
  11. Click Create Service.

Configuration of your event broker service takes a few minutes. When configuration is complete, your event broker service starts. You can view your created service in Cluster Manager on the Services page.

For information about the defaults created for your event broker service, see Considerations When Creating Event Broker Services.

Considerations When Creating Event Broker Services

You may want to evaluate the following general and broker version-specific considerations before you create an event broker service.

Service Creation Default Considerations

Be aware of the following service creation defaults:

  • For Enterprise services, the high availability (HA) mate-link encryption is enabled by default. You can configure this at service creation or after service creation time. HA mate-link encryption isn't used for Developer or standalone services. For more information, see Configuring High-Availability Mate-link Encryption.
  • The Message VPN is created with these defaults:
    • One Message VPN with the name of your service is created, which is only configurable at service creation time. The Message VPN name cannot be changed. There is only one Message VPN per event broker service in PubSub+ Cloud.
    • A management account with a generated password is created for the service as <message_vpn_name>-admin, where <message_vpn_name> is the name of the Message VPN.
  • When the event broker service is created, its generated hostname is assigned the Default status indicator.

    The hostname that is set with the Default status becomes the primary URL that is used to access PubSub+ Broker Manager and is shown in the URLs to access the service in the PubSub+ Cloud Console.

Standalone Broker Service Considerations

For broker versions 10.0 and later, you have the option to deploy the event broker service as a standalone service or as a high availability (HA) group when you create an Enterprise service. Standalone event broker services are available after you have added them as a service class to your Service Limits. To use standalone event broker services, contact Solace or request a limit change.

Standalone event broker services have a lower cost than HA services, and may be preferable to using HA or Developer services in some situations such as:

  • The event broker service is part of a non-production environment that mirrors your production environment but does not require the same level of fault tolerance.
  • The event broker service is part of a development environment and requires higher service-level limits, such as client connections or larger message sizes for development/testing than available in the Developer service. For example, Developer services are limited to only 100 connections.
  • The broker is used by client applications that can tolerate longer downtime and potential message loss during service interruptions. This may be a consideration when you choose to use standalone services as there isn't HA redundancy and as such, an outage of 15-30 minutes occurs during restarts and upgrades.

Standalone event broker services cannot be changed to High-Availability (HA) after they are created. If you require event broker services that have less downtime, consider creating the service with HA. For more information about HA, see High Availability in PubSub+ Cloud.

Event Broker Service Access Considerations

The following default security settings are configured for the event broker service. You can change the settings after the service is created to adhere to your security requirements:

  • A client profile named default is created and enabled. This client profile can't be removed, but you can configure it after service creation.
  • Basic Authentication is enabled for the event broker service. You can change the configuration after service creation to match your requirements. These settings are configured for you:
    • The default ACL profile and #acl-profile are created with the Allow default action for Client Connect, Publish, and Subscribe. These cannot be removed, but you can configure them after service creation.
    • The following client usernames are created with these mappings:
      • #client-username (enabled) is mapped to the default client profile and default ACL profile
      • default (disabled) is mapped to the default client profile and default ACL profile
      • solace-cloud-client (enabled) is mapped to the default client profile and default ACL profile

For more information, see the following sections:

Port Configuration Considerations

You can configure the protocols and ports used to access the event broker service. Depending on the broker version, see the following sections for the appropriate considerations:

For Event Broker Services 9.12 and Earlier

For broker versions 9.12 and earlier, you can only configure the ports at service creation time. It is not possible to edit the ports after service creation. In addition, by default:

  • The secure protocols and ports for Solace Messaging, Solace Web Messaging, AMQP, MQTT, and REST are all enabled.
  • Plain text for all non-secure ports is disabled, while all secure ports are enabled. For more information about editing the ports after service creation time, see Changing the Port Configuration for an Event Broker Service.
  • Plain text is disabled for the SEMP (Solace Element Management Protocol, version 2) port. This is the recommended setting but you can change it. For more information, see Enabling SEMP Over the Message Bus.
  • The management port for secured broker management is enabled and set to port number 943, and CLI access is disabled. Management ports are not configurable.
  • Ports 943 and 22 are reserved system ports and can't be used for other protocol ports.
  • If there are two connection endpoints, the public endpoint is set with the Default status. The hostname that is set with the Default status becomes the primary URL that is used to access PubSub+ Broker Manager and is shown in the URLs to access the service in the PubSub+ Cloud Console.

For Event Broker Services 9.13 and Later

For broker versions 9.13 and later that are deployed in Kubernetes-based regions, you can configure the event broker service to use a set of protocols and ports that permit applications to connect using connection endpoints. A connection endpoint can use public or private IP addresses. The two types of connectivity are referred to as public endpoints and private endpoints, respectively. You can configure a public endpoint, a private endpoint, or both for an event broker service, provided the deployment is Kubernetes-based and deployed in a private region that has networking (or networking policies) configured to use public Internet and private IP addresses.

  • For Customer-Controlled Regions and Dedicated Regions, a private endpoint to access private IP addresses is created by default. Optionally, you can create a public endpoint or create both a public and private endpoint instead.

  • For Public Regions, only event broker services that are deployed on Kubernetes.

  • For each public or private endpoint these port configurations are created by default:

    • The secure protocols and ports for Solace Messaging, Solace Web Messaging, AMQP, MQTT, and REST are all enabled.

    • Plain text for all non-secure ports is disabled, while all secure ports are enabled. For more information about editing the ports after service creation time, see Changing the Port Configuration for an Event Broker Service.

    • Plain text is disabled for the SEMP (Solace Element Management Protocol version 2) port. This is the recommended setting but can be changed. For more information, see Enabling SEMP Over the Message Bus.

    • The management port for secured broker management is enabled and set to 943. CLI access is disabled by default. Both are configurable.

  • Be aware of the following port configuration considerations:
    • Port values can range from 0 to 65534.
    • You can use ports 22 and 943 as custom ports. Broker versions 9.12 and earlier reserved ports 22 and 943.
    • If you are using NodePort as part of your deployment for Customer-Controlled Regions, the port numbers are generated and therefore can't be changed. For NodePort deployments, only private endpoints can be used.

Public endpoints are not available for deployments that use NodePort.

Connection Endpoint Considerations

For broker versions 9.13 and later in Kubernetes-based deployments, you can configure the connection endpoints of an event broker service. Connection endpoints allow you to have different sets of public or private IP address connections, which are referred to as public endpoints and private endpoints, respectively. For more information about endpoints, see Configuring Connection Endpoints and Ports for Event Broker Services 9.13 and Later.

If you have upgraded your event broker service, depending on your deployment and its connectivity, you may only be able to create public or private endpoints. For example, if your deployment previously didn't permit public Internet connectivity, you won't be able to create public endpoints.

Using different endpoints for public Internet and private IP address connectivity allows you to specify the protocols and ports used to connect to your event broker service to match the security requirements of your organization. In addition, you can configure endpoints to permit use of specific messaging protocols and port numbers between client applications and the event broker service based on whether they connect using public Internet or private IP addresses.

For example, you may want to expose an event broker service so that client applications on the public Internet can connect using only MQTT through port 1122, while clients within your private network using private IP addresses can connect with all other messaging protocols using the default ports. Another example of hybrid connectivity is to limit access to the SEMP management port so that only client applications using private IP addresses can connect to it on your event broker services.

You can configure a public endpoint, a private endpoint, or both at the same time for an event broker service. Both endpoints can only be configured when event broker services are deployed in Kubernetes and in a private region that has networking configured to use public Internet and private IP addresses. These are some key considerations:

  • You must have at least one endpoint and have a maximum of one public and one private endpoint per event broker service.
  • One endpoint must have the Secured SMF port enabled, which is required for messaging with client applications and for inter-broker communication in an event mesh.
  • One endpoint must have the Secured Broker Management Host (SEMP) port enabled; the SEMP port is required to manage your event broker service.
  • If you have both private and public endpoints, you don't need to enable the Secured SMF and SEMP ports on the same endpoint, but we recommend that you choose the private endpoint for the SEMP port.
  • When you have both public and private endpoints configured, PubSub+ Broker Manager defaults to use the public endpoint. If only a private endpoint is available, you must have connectivity to the same private network as where your event broker services are deployed to connect to PubSub+ Broker Manager from the PubSub+ Cloud Console. For more information about PubSub+ Broker Manager, see Using PubSub+ Broker Manager.
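
The endpoint rules above, together with the port range and the CLI recommendation stated elsewhere on this page, can be checked against a planned layout before you click Create Service. This is an added example, not Solace code: the Endpoint class, the protocol keys, and the result codes are hypothetical names, and port numbers other than 943 and 1122 are constructed sample values.

```python
from dataclasses import dataclass, field

# Hypothetical protocol keys for this example; they are not PubSub+ Cloud API names.
PLAINTEXT = {"smf", "smf_compressed", "web", "amqp", "mqtt", "mqtt_ws", "rest"}
SECURE = {"smf_tls", "web_tls", "amqp_tls", "mqtt_tls", "mqtt_wss", "rest_tls"}
MANAGEMENT = {"semp_tls", "ssh_cli"}
KNOWN = PLAINTEXT | SECURE | MANAGEMENT


@dataclass
class Endpoint:
    kind: str                                   # "public" or "private"
    ports: dict = field(default_factory=dict)   # enabled protocol key -> port number


def review_endpoints(endpoints):
    """Check a planned 9.13+ endpoint layout; return (errors, warnings) as code lists."""
    errors, warnings = [], []
    kinds = [ep.kind for ep in endpoints]

    # At least one endpoint, and at most one public and one private endpoint.
    if not endpoints:
        errors.append("NO_ENDPOINT")
    for kind in ("public", "private"):
        if kinds.count(kind) > 1:
            errors.append(f"DUPLICATE_{kind.upper()}_ENDPOINT")
    if any(k not in ("public", "private") for k in kinds):
        errors.append("UNKNOWN_ENDPOINT_KIND")

    for ep in endpoints:
        for proto, port in ep.ports.items():
            if proto not in KNOWN:
                errors.append(f"UNKNOWN_PROTOCOL:{ep.kind}:{proto}")
            # Port range as stated on the page: 0 to 65534.
            if not isinstance(port, int) or not 0 <= port <= 65534:
                errors.append(f"PORT_OUT_OF_RANGE:{ep.kind}:{proto}")
            # Plain-text ports are disabled by default; flag each deviation.
            if proto in PLAINTEXT:
                warnings.append(f"PLAINTEXT_ENABLED:{ep.kind}:{proto}")

    # Secured SMF and secured SEMP must each be enabled on at least one endpoint.
    if endpoints and not any("smf_tls" in ep.ports for ep in endpoints):
        errors.append("NO_SECURED_SMF")
    if endpoints and not any("semp_tls" in ep.ports for ep in endpoints):
        errors.append("NO_SEMP")

    has_private = "private" in kinds
    for ep in endpoints:
        if ep.kind != "public":
            continue
        # With a private endpoint available, the page recommends SEMP there.
        if has_private and "semp_tls" in ep.ports:
            warnings.append("SEMP_ON_PUBLIC_WITH_PRIVATE_AVAILABLE")
        # CLI (SSH) is discouraged where the service has public Internet connectivity.
        if "ssh_cli" in ep.ports:
            warnings.append("CLI_ON_PUBLIC")
    return errors, warnings


# Constructed sample plans. 1122 and 943 come from the page; other numbers are made up.
HYBRID_HARDENED = [
    Endpoint("public", {"mqtt_tls": 1122}),
    Endpoint("private", {"smf_tls": 55443, "semp_tls": 943, "amqp_tls": 5671}),
]
PUBLIC_RISKY = [
    Endpoint("public", {"smf_tls": 55443, "semp_tls": 943, "ssh_cli": 22, "mqtt": 1883}),
    Endpoint("private", {"smf_tls": 55443}),
]
MISSING_MGMT = [Endpoint("public", {"smf_tls": 65535})]

if __name__ == "__main__":
    for name, plan in [("hybrid_hardened", HYBRID_HARDENED),
                       ("public_risky", PUBLIC_RISKY),
                       ("missing_mgmt", MISSING_MGMT)]:
        print(name, review_endpoints(plan))
```

Errors correspond to layouts the rules on this page do not allow; warnings mark settings that differ from the defaults or recommendations and should be a deliberate choice.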

Selecting the Broker Version

You can select the broker version in Cluster Manager when you create an event broker service. The versions available correspond to the same PubSub+ software event broker versions that Solace releases. We recommend that you use the most recent broker version available, but you can choose to use an earlier broker version for various reasons that can include:

  • Your business requirements need specific behaviors from an earlier release, or you prefer to use earlier releases rather than the most recent broker versions.
  • You have existing event broker services, on-premises installations of PubSub+ appliances, or PubSub+ software event brokers that use an earlier release and you prefer to have the same broker versions in your deployment for configuration or administrative reasons.

You can't change the broker version after the event broker service is created. However, you can upgrade your event broker service at a later time. For more information, see Upgrading Event Broker Services in PubSub+ Cloud.

When you create an event broker service, perform these steps to select the broker version:

  • When you create your event broker service, select a broker version from the Broker Version drop-down list.

    To learn more about the available versions, see the PubSub+ Cloud release notes.

    Broker version availability varies based on the cloud provider and the deployment option. You may see different versions available in your account based on the cloud provider and deployment environment you've chosen.

Setting the Message VPN Name

You can configure the Message VPN name when you create the event broker service. The Message VPN name that you specify is also used to create an internal administrator account for the service. The Message VPN name cannot be changed after you create the service. You can see the name on the Status tab when you view your service in Cluster Manager.

When you create your event broker service, perform these steps to edit the system-generated VPN name:

  1. When you create your event broker service, expand Advanced Connection Options.
  2. Click Edit beside the Message VPN Name field and then enter a valid name. The name can be up to 26 characters and can include alphanumeric characters, dashes, and underscores.

Setting the Cluster Name

If you want to create a DMR cluster with multiple event broker services in it, each service must have the same cluster name. Within a DMR cluster, each event broker service is aware of all the others in the cluster because they are connected via DMR internal links. The DMR cluster allows every event published to it to be seamlessly routed to the consuming applications connected to any event broker services in the same cluster. For more information, see Horizontal Scaling. Note that in PubSub+ Cloud, each event broker service has only one Message VPN.

By default, an event broker service is created with a generated cluster name and each event broker service is in its own cluster. You can set the same cluster name for multiple event broker services so that they belong to the same DMR cluster. For best practices to organize your DMR cluster, see DMR Best Practices.

Use these steps to set the cluster name:

  1. When you create your event broker service, expand Advanced Connection Options.
  2. Click the Cluster Name drop-down list, and do one of the following:
    • Select an existing cluster from the drop-down. Note that if you start typing the first few letters of the cluster name, the list filters the existing cluster names.
    • Type a new cluster name and then click Select to create a new cluster name. Ensure that your cluster name is 1 to 64 characters in length, and includes only alphanumeric characters, dashes, or underscores.

After you have configured your event broker services with the appropriate cluster names and you're ready to create your DMR cluster, contact Solace for assistance. The ability to create the DMR cluster in the PubSub+ Cloud Console is not yet available.

Configuring High-Availability Mate-link Encryption

Enterprise event broker services in a high availability (HA) group encrypt the mate-links between the services in the HA group. The HA mate-link is encrypted by default. You can disable encryption so that the communication is in plain text between the primary and backup event brokers.

To configure whether to use HA mate-link encryption when you create an Enterprise event broker service, perform these steps:

  1. When you create your event broker service, expand Advanced Connection Options.
  2. Select or clear the Enable mate-link encryption check box.

For more information about HA, see High Availability in PubSub+ Cloud.

Configuring Client and Management Ports

You can configure the client and management ports used to connect to your event broker services.

For all event broker services, no matter the broker version, by default, only secure ports are enabled (non-secure ports are disabled) for both Enterprise and Developer services. You can customize the secure (HTTPS) and non-secure (HTTP) ports for Solace Messaging, Solace Web Messaging, AMQP, MQTT, and REST. Configuring the ports gives you the ability to modify port numbers if the provided default ports are unavailable in your network or to align with your organization's requirements. Some configuration settings depend on the broker version you choose.

For more information about configuring the ports, see the following sections:

Configuring Ports for Event Broker Services 9.12 and Earlier

Before you configure the ports, review the considerations about event broker services in Port Configuration Considerations.

Perform the following steps to configure the ports for event broker services that are 9.12 or earlier:

  1. When you create your event broker service, expand Advanced Connection Options.
  2. Under the Client Port Connections section, do any of the following tasks to configure the ports:
    • Select the messaging protocol to configure, modify the port numbers, and enable or disable ports as you require.

    • Click Disable Protocol to disable a particular protocol for use with your service. After you disable a protocol, the text is grayed out. If you want to enable a protocol again, click Reset to default and re-select the protocols that you want to disable.

    • For more information about the ports, see Details for Port Configuration.

The following example shows the public endpoint being configured in a Public Region for a broker version 9.12 and earlier:

Configuring Connection Endpoints and Ports for Event Broker Services 9.13 and Later

For Kubernetes-based deployments, you can configure whether client applications connect to an event broker service using a connection endpoint. These connection endpoints can use either public or private IP addresses, which are referred to as public endpoints and private endpoints, respectively. You can view a connection endpoint as a set of ports and protocols that you can access based on the type of connection of the client application or user. These endpoints can help you to better manage access. For both private and public endpoints, you can:

  • enable/disable messaging connections

  • configure the aspects of the messaging protocols that are used (for example, secure versus plain-text)

  • configure the port numbers that are used for the event broker service

  • configure the management port connections.

    At least one endpoint must have the SEMP management port enabled.

You can choose one of the following connection endpoints and port configurations:

Private IP addresses (or private endpoints)
    This type of configuration allows connections to the event broker service using private IP addresses that are part of a private region [virtual private cloud or virtual private network (VPC/VNet)]. It creates a private endpoint with management via SEMP to the event broker service. The default name for the private endpoint is private endpoint. This type of configuration is available only when you choose Private Cloud as the cloud type when you create the service. Private Clouds are for Customer-Controlled Regions and Dedicated Regions. You can later choose to add a public endpoint.

Public Internet (or public endpoint)
    This type of configuration allows connections to the event broker services from public Internet IP addresses. It creates a public endpoint with management via SEMP to the event broker service using the public Internet. The default name for the public endpoint is public endpoint and it is the only option available in Public Regions.

Hybrid
    This type of configuration allows messaging and management connections to the event broker service from both private IP addresses and the public Internet. Both a private and a public endpoint are created by default with management via SEMP to the event broker service enabled. The default names for the private and public endpoints are private endpoint and public endpoint. This type of configuration is available only when you choose Private Cloud as the cloud type when you create the service. Private Clouds are for Customer-Controlled Regions and Dedicated Regions.

Perform the following steps to configure the connection endpoints and ports for event broker services that are 9.13 and later:

  1. When you create your event broker service, click Advanced Connection Options.
  2. Under the Client Port Connections section, the options available depend on how your event broker services are deployed:
    • For Public Regions, only public Internet is available, and therefore only the Public Endpoint is available.

    • For Customer-Controlled Regions or Dedicated Regions, you can select Public Internet, Private Addresses, or Hybrid: Private IP and Public Internet options, which permit you to configure public, private, or both endpoints, respectively.

  3. Expand Private Endpoint or Public Endpoint to configure the messaging and management protocols to use as well as the ports. You can configure different settings for the ports and disable different protocols on the endpoints.
    • Select the messaging protocol to configure, modify the port numbers, and enable ports as required.

    • Click Disable Protocol to disable a particular protocol for use with your service. If you want to enable a protocol again, click Reset to default and re-select the protocols that you want to enable.

    • For more information about the protocols and ports, see Details for Port Configuration.

The example below shows the public endpoint being configured in a Public Region (only on regions deployed on Kubernetes) for a broker version 9.13 and later:

Details for Port Configuration

You can configure the ports for your event broker service. For broker versions 9.13 and later, you can configure the connections as sets of ports called public and private endpoints, whereas in broker versions 9.12 and earlier, you only had one set of connections that were configurable from Cluster Manager.

Expand the connection categories to configure the specific protocols and optionally change the default port numbers. You can perform one or more of the following actions:

  • Click Disable Protocol to prevent a particular messaging protocol from being used with the endpoint. After you disable a protocol, the text is grayed out. If you want to enable a protocol again, click Reset to default and reconfigure the protocol and ports as required.
  • All secure protocols use TLS and are enabled by default in each of the connection categories. In each category that follows, you can configure these messaging and management protocols: 
    • Solace Messaging—Use Solace Message Format (SMF) to connect and exchange messages with the event broker service over TCP.
      • Enable SMF Host—Use SMF Host (plain-text) over TCP to connect and exchange messages with the event broker service.
      • Enable Compressed SMF Host—Use SMF (plain-text) in a compressed format over TCP to connect and exchange messages with the event broker service.
      • Enable Secured SMF Host—Use secure SMF using TLS over TCP.
    • Solace Web Messaging—Use SMF over Web Sockets over HTTP to connect and exchange messages with the event broker service.
      • Enable Web Host—Use WebSocket over HTTP (plain-text). Disabled by default.
      • Enable Secured Web Messaging Host—Use WebSocket over secured HTTP. Enabled by default.
    • AMQP—Use Advanced Message Queuing Protocol 1.0 to connect and exchange messages with the event broker service.
      • Enable AMQP Host—Use AMQP (plain-text). Disabled by default.
      • Enable Secured AMQP Host: Use AMQP over a secure TCP connection. Enabled by default.
    • MQTT—Use MQ Telemetry Transport to connect and exchange messages with the event broker service.
      • Enable MQTT Host: Use MQTT (plain-text). Disabled by default.
      • Enable WebSocket MQTT Host—Use MQTT WebSocket (plain-text). Disabled by default.
      • Enable Secured MQTT Host—Use secure MQTT. Enabled by default.
      • Enable WebSocket Secured MQTT Host—Use WebSocket secured MQTT. Enabled by default.
    • REST—Use the Solace Messaging REST API and standards-based HTTP exchange patterns to exchange messages over TCP connections with the event broker service.
      • Enable REST Host—Use REST messaging (plain-text).
      • Enable Secured REST Host—Use secure REST messaging. Enabled by default.
    • Management—This configuration is available in event broker services 9.13 and later. Use to enable the secure management connections necessary to manage the event broker service. You can configure these options:

      • Enable Secured Broker Management host (SEMP)—Use the secured management connection, which uses SEMP to manage the event broker. You must always have at least one SEMP port enabled on an event broker service. This is enabled by default when an endpoint is created.

      • Enable Secured CLI Host (SSH)—Use a secure port to connect to the event broker service using the Solace Command Line Interface (CLI). This gives you scope-restricted access to the Message VPN on the event broker service that you may find useful for management and configuration. Typically, this access is not required.

        Enabling CLI access exposes another mechanism to connect and manage your event broker service. This may expose you to unnecessary security risks. Solace recommends that you disable this port where your services have public Internet connectivity to harden access to your event broker services and when CLI access is not in use or required. This advanced access is for users with an in-depth understanding of event broker configuration and management.