Message Virtual Private Networks (VPNs) are managed objects on Solace PubSub+ message brokers that allow for the segregation of topic space and clients. Message VPNs also group clients connecting to a network of message brokers, such that messages published within a particular group are only visible to clients that belong to that group. Each client connection is associated with a single Message VPN.
As shown in the figure below, Message VPNs can be used to effectively separate which clients can receive messages from which publishers. In this example, clients in different Message VPNs are permitted to subscribe to identical topics, and two clients in different Message VPNs are permitted to publish messages to topics that match those client subscriptions. Yet due to Message VPN membership, only the clients that are connected to the same Message VPN as the publisher receive the messages from that publisher.
Note: Published messages cannot cross Message VPN boundaries, even in the presence of identical subscriptions in each Message VPN. For messages published to one Message VPN to be transferred to another Message VPN, a Message VPN bridge must be explicitly configured between them.
In this example, all the subscriber clients have subscribed to the same topic: “quotes/equities/NA”. However, because the clients are connected to separate Message VPNs, when Publisher 1 publishes a message to topic “quotes/equities/NA”, the message is only delivered to Subscriber 1 and Subscriber 2. Similarly, if Publisher 2 publishes a message to topic “quotes/equities/NA”, the message is only delivered to Subscriber 3 and
Message VPN Publishing and Subscribing Example
Each Message VPN can be administratively enabled and disabled through the shutdown Message VPN CONFIG command. When disabled, all client connections belonging to that Message VPN are disconnected and new client connections to it are rejected. Message VPNs are disabled by default (that is, not running) on message brokers. Each client must identify the Message VPN which the client wishes to connect to. If the client username is not configured within the requested Message VPN, then the client connection is denied.
Each client connection is associated with a single Message VPN. When a client sends its initial login connection request to a message broker, the client typically includes a Message VPN name parameter in the login request. The message broker then verifies that the client username has been configured in the requested Message VPN and that the client username is authorized to connect to the requested Message VPN. A global, per-Message VPN, and per‑client statistic is incremented for every denied connection attempt.
Note: A client connection cannot change its assigned Message VPN once it has been established by the initial login request without disconnecting from the message broker first.
However, if the client does not provide the name of a Message VPN to connect to, the default Message VPN named default (when enabled) is automatically assigned to the client.
Each message broker has a Message VPN named default. The Message VPN named default cannot be deleted, but it can be configured like any other Message VPN object on the message broker.
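The login check and default Message VPN fallback described above can be traced with a small model. This is an added example, not Solace code: the class names, reason strings, counter keys, and the handling of an unknown Message VPN name are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class MessageVpn:
    name: str
    enabled: bool = False  # per the page, Message VPNs are disabled by default
    usernames: dict = field(default_factory=dict)  # username -> authorized flag

class BrokerModel:
    """Toy model of the broker's login admission decision (hypothetical names)."""
    def __init__(self):
        self.vpns = {"default": MessageVpn("default")}  # always exists, cannot be deleted
        # Assumed counter layout: ("global",), ("vpn", name), ("client", username)
        self.denied = Counter()

    def add_vpn(self, name, enabled=False):
        self.vpns[name] = MessageVpn(name, enabled)
        return self.vpns[name]

    def login(self, username, vpn_name=None):
        """Return (accepted, vpn_name, reason) for one login request."""
        requested = vpn_name or "default"  # no VPN name given: fall back to default
        vpn = self.vpns.get(requested)
        if vpn is None:
            reason = "unknown-vpn"  # case not covered by the page; modeled as a denial
        elif not vpn.enabled:
            reason = "vpn-shutdown"
        elif username not in vpn.usernames:
            reason = "username-not-configured"
        elif not vpn.usernames[username]:
            reason = "username-not-authorized"
        else:
            return True, requested, "ok"
        # Every denial increments the global, per-VPN and per-client statistics.
        for key in (("global",), ("vpn", requested), ("client", username)):
            self.denied[key] += 1
        return False, requested, reason

def demo():
    # Constructed sample: two enabled VPNs, default left shut down.
    broker = BrokerModel()
    broker.add_vpn("trading", enabled=True).usernames["alice"] = True
    broker.add_vpn("research", enabled=True).usernames["bob"] = True
    results = [
        broker.login("alice", "trading"),   # configured and authorized
        broker.login("alice", "research"),  # username exists only in another VPN
        broker.login("alice"),              # falls back to default, which is shut down
    ]
    return results, broker.denied

if __name__ == "__main__":
    print(demo())
```

The second and third logins show the two isolation failures an operator is most likely to see in the denied-connection statistics: a username that exists only in a different Message VPN, and a client that omits the Message VPN name while default is still shut down.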