# Deploy EMQX On Amazon Elastic Kubernetes Service

EMQX Operator supports deploying EMQX on Amazon Container Service EKS (Elastic Kubernetes Service). Amazon EKS is a managed Kubernetes service that makes it easy to deploy, manage, and scale containerized applications. EKS provides the Kubernetes control plane and node groups, automatically handling node replacements, upgrades, and patching. It supports AWS services such as Load Balancers, RDS, and IAM, and integrates seamlessly with other Kubernetes ecosystem tools. For details, please see What is Amazon EKS (opens new window)

# Before You Begin

Before you begin, you must have the following:

# Quickly Deploy An EMQX Cluster

The following is the relevant configuration of EMQX custom resources. You can select the corresponding APIVersion according to the EMQX version you want to deploy. For the specific compatibility relationship, please refer to Compatibility list between EMQX and EMQX Operator

# Use MQTT X CLI To Publish/Subscribe Messages

MQTT X CLI (opens new window) is an open source MQTT 5.0 command line client tool, designed to help developers to more Quickly develop and debug MQTT services and applications.

  • Obtain External IP of EMQX cluster

  • Subscribe to news

    $ mqttx sub -t 'hello' -h ${external_ip} -p 1883
    
    [10:00:25] › … Connecting...
    [10:00:25] › ✔ Connected
    [10:00:25] › … Subscribing to hello...
    [10:00:25] › ✔ Subscribed to hello
    
    1
    2
    3
    4
    5
    6
  • create a new terminal window and publish message

    $ mqttx pub -t 'hello' -h ${external_ip} -p 1883 -m 'hello world'
    
    [10:00:58] › … Connecting...
    [10:00:58] › ✔ Connected
    [10:00:58] › … Message Publishing...
    [10:00:58] › ✔ Message published
    
    1
    2
    3
    4
    5
    6
  • View messages received in the subscribed terminal window

    [10:00:58] › payload: hello world
    
    1

# Terminate TLS Encryption With LoadBalancer

In Amazon EKS, you can use the NLB to do TLS termination, which you can do in the following steps:

  1. Import relevant certificates in AWS Console (opens new window), then enter the details page by clicking the certificate ID, Then record the ARN information

    TIP

    For the import format of certificates and keys, please refer to import certificate (opens new window)

  2. Add some annotations in EMQX custom resources' metadata, just as shown below:

    ## Specifies the ARN of one or more certificates managed by the AWS Certificate Manager.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx
    ## Specifies whether to use TLS for the backend traffic between the load balancer and the kubernetes pods.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    ## Specifies a frontend port with a TLS listener. This means that accessing port 1883 through AWS NLB service requires TLS authentication,
    ## but direct access to K8S service port does not require TLS authentication
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "1883"
    
    1
    2
    3
    4
    5
    6
    7

    The value of service.beta.kubernetes.io/aws-load-balancer-ssl-cert is the ARN information we record in step 1.