Message VPNs

A message Virtual Private Network (VPN) is a managed object on a PubSub+ event broker that allows for the segregation of topic space and clients. Message VPNs also group clients connecting to a network of event brokers, such that messages published within a particular group are only visible to that group's clients.

An Example of Message VPN Publishing and Subscribing

[Figure: Message VPN Publishing and Subscribing Example]

As shown in the figure, Message VPNs can be used to define which clients can receive messages from which publishers.

Clients in different Message VPNs are permitted to subscribe to identical topics, and two clients in different Message VPNs are permitted to publish messages to topics that match those client subscriptions. Yet due to Message VPN membership, only clients connected to the same Message VPN as a particular publisher receive messages from that publisher.

All the subscriber clients have subscribed to the same topic: quotes/equities/NA. However, because the clients are connected to separate Message VPNs, when Publisher 1 publishes a message to topic quotes/equities/NA, the message is only delivered to Subscriber 1 and Subscriber 2. Similarly, if Publisher 2 publishes a message to topic quotes/equities/NA, the message is only delivered to Subscriber 3 and Subscriber 4.

Message VPN bridges

Published messages can't cross Message VPN boundaries, even in the presence of identical subscriptions in each Message VPN. For messages published to one Message VPN to be transferred to another, a Message VPN bridge must be configured between them.

Disabling a Message VPN

Each Message VPN can be administratively enabled and disabled through the shutdown Message VPN CONFIG command. When disabled, all client connections belonging to that Message VPN are disconnected, and new client connections to it are rejected. Message VPNs are disabled by default (that is, not running) on event brokers. Each client must identify the Message VPN that the client wishes to connect to. If the client username is not configured within the requested Message VPN, then the client connection is denied.

Connecting to Message VPNs

Each client connection is associated with a single Message VPN. When a client sends its initial login connection request to an event broker, the client typically includes a Message VPN name parameter. The event broker then verifies that for the specified Message VPN the client username has been configured and is authorized to connect. A global, per-Message-VPN and per-client statistic is incremented for every denied connection attempt.

Changing assigned Message VPN

Once the initial login request has established a client connection's Message VPN, the connection can't change that assignment without first disconnecting from the event broker.

Default Message VPN

Each event broker has a Message VPN named default. It can't be deleted, but it can be configured like any other Message VPN object on the event broker.

If a client doesn't provide the name of a Message VPN to connect to, the Message VPN named default, when enabled, is automatically assigned to the client.
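The rules on this page (per-VPN topic space, login checks, the default Message VPN, denied-connection counters and shutdown) can be traced in a small model. This is an added example in Python, not PubSub+ code or its API; the names vpn_a and vpn_b, the client names, and all class and method names are constructed for illustration.

```python
from collections import defaultdict

class Denied(Exception): pass            # the modelled broker rejected a login

class Broker:
    """Simplified model of the Message VPN rules on this page (not Solace code)."""
    def __init__(self, vpns):
        # vpns: name -> allowed usernames. "default" always exists; all start disabled.
        self.users = {"default": set(), **{n: set(u) for n, u in vpns.items()}}
        self.enabled = set()
        self.session = {}                # client -> VPN, fixed at login (model refuses re-login)
        self.subs = defaultdict(set)     # (vpn, topic) -> subscribed clients
        self.denied = defaultdict(int)   # global, per-VPN and per-client counters

    def enable(self, vpn):
        self.enabled.add(vpn)

    def shutdown(self, vpn):             # disabling drops that VPN's clients
        self.enabled.discard(vpn)
        for client in [c for c, v in self.session.items() if v == vpn]:
            del self.session[client]
        for key in [k for k in self.subs if k[0] == vpn]:
            del self.subs[key]

    def connect(self, client, username, vpn=None):
        vpn = vpn or "default"           # no VPN name supplied -> "default"
        known = self.users.get(vpn, ())
        if client in self.session or vpn not in self.enabled or username not in known:
            for key in ("global", ("vpn", vpn), ("client", client)):
                self.denied[key] += 1
            raise Denied(f"{client} denied on Message VPN {vpn}")
        self.session[client] = vpn

    def subscribe(self, client, topic):
        self.subs[(self.session[client], topic)].add(client)

    def publish(self, client, topic):
        # Keyed on the publisher's VPN: the same topic in another VPN never matches.
        return sorted(self.subs.get((self.session[client], topic), set()))

def figure_scenario():
    """Constructed replay of the figure; vpn_a and vpn_b are made-up names."""
    b = Broker({"vpn_a": {"pub1", "sub1", "sub2"}, "vpn_b": {"pub2", "sub3", "sub4"}})
    b.enable("vpn_a"); b.enable("vpn_b")
    for client, vpn in [("pub1", "vpn_a"), ("sub1", "vpn_a"), ("sub2", "vpn_a"),
                        ("pub2", "vpn_b"), ("sub3", "vpn_b"), ("sub4", "vpn_b")]:
        b.connect(client, username=client, vpn=vpn)
        if client.startswith("sub"):
            b.subscribe(client, "quotes/equities/NA")
    return b
```

Calling `figure_scenario().publish("pub1", "quotes/equities/NA")` returns only the two subscribers in the publisher's own Message VPN, and a login that omits the VPN name is denied and counted while `default` is still disabled.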