Message VPNs

A Message VPN is a managed object on a PubSub+ event broker that allows for the segregation of topic space and clients. Message VPNs also group clients connecting to a network of event brokers, such that messages published within a particular group are only visible to that group's clients.

PubSub+ Cloudevent broker services have only a single message VPN. Because PubSub+ Cloud allows you to quickly create multiple event broker services, you can use separate services to segregate topics and clients instead of using multiple message VPNs on the same software event broker or appliance.

Publishing and Subscribing Via Message VPNs

Message VPNs can define which clients can receive messages from which publishers.

Clients in different Message VPNs can subscribe to identical topics, and clients in different Message VPNs can publish messages to topics that match those client subscriptions. However, based on Message VPN membership, only clients connected to the same Message VPN as a particular publisher receive messages from that publisher.

Illustration depicting the concepts described in the surrounding text.

In this example, all of the subscriber clients subscribe to the topic quotes/equities/NA. Publisher A, Subscriber 1, and Subscriber 2 are all connected to the same message VPN. Publisher B, Subscriber 3, and Subscriber 4 are connected to a separate Message VPN on the same event broker. Because the clients are connected to separate Message VPNs, when Publisher A publishes a message to topic quotes/equities/NA, the message is delivered only to Subscriber 1 and Subscriber 2. Similarly, if Publisher B publishes a message to the topic quotes/equities/NA, the message is delivered only to Subscriber 3 and Subscriber 4.

Message VPN Bridges

If you need to allow published messages to cross Message VPN boundaries, you can configure a Message VPN bridge to link two Message VPNs so that messages published to one Message VPN that match the topic subscriptions set for the bridge are also delivered to the linked Message VPN. A bridge can be uni-directional (messages pass over the bridge in only one direction) or bi-directional (messages pass over the bridge in both directions). Message VPN bridges can be are useful in the following circumstances:

  • Linking two Message VPNs with different names to enable Direct or Guaranteed messages published to one Message VPN to be delivered to the other Message VPN. The linked Message VPNs can be on the same event broker or two separate event brokers.
  • Linking two Message VPNs with the same names on two separate event brokers to enable Direct or Guaranteed messages published to one Message VPN to be delivered to the other Message VPN.

Illustration depicting the concepts described in the surrounding text.

For more information, see Message VPN Bridges.

Connecting to Message VPNs

Each client connection is associated with a single Message VPN. When a client sends its initial login connection request to an event broker, the client typically includes a Message VPN name parameter. The event broker then verifies that for the specified Message VPN the client username has been configured and is authorized to connect. A global, per-Message-VPN and per-client statistic is incremented for every denied connection attempt.

A client connection can't change its assigned Message VPN once it has been established by the initial login request without first disconnecting from the event broker.

Default Message VPN

Each software event broker event broker and appliance has a Message VPN named default. It can't be deleted, but it can be configured like any other Message VPN object on the event broker. If a client doesn't provide the name of a Message VPN name to connect to, the default is automatically assigned to the client.

PubSub+ Cloudevent broker services also have a single default Message VPN, which is named based on the event broker service name, using all lowercase letters and replacing spaces with hyphens. For example, an event broker service named "My Service" would have a message VPN named "my-service". You can rename the Message VPN for an event broker service.

To learn more, see Message VPNs.

Now that we've covered the basics of how event brokers get event data from the publishing application to the clients that want to know about it, learn more about how an event mesh can expand this functionality for enterprises in Understanding Event Meshes.