Apache ActiveMQ Brokers Should Use Active/Standby Mode
Overview
This check verifies that your Amazon MQ Apache ActiveMQ brokers are configured in active/standby deployment mode across multiple Availability Zones. This configuration provides high availability and automatic failover if one broker instance becomes unavailable.
A single-instance broker has no backup. If it fails, your messaging stops until you manually recover. Active/standby mode keeps a standby broker ready to take over automatically.
Risk
Without active/standby configuration, your broker is a single point of failure:
- Service outages - If the broker fails, all message processing stops
- Data loss - Messages in transit may be lost during failures
- Delayed recovery - Manual intervention is required to restore service
- Downstream impact - Applications that depend on the broker will fail
Remediation Steps
Prerequisites
You will need:
- Access to the AWS Console with permissions to create Amazon MQ brokers
- A VPC with two subnets in different Availability Zones
- A security group for the broker
Checking your subnet configuration
Before creating an active/standby broker, verify you have subnets in at least two different Availability Zones:
- Go to VPC > Subnets in the AWS Console
- Note the Availability Zone column for each subnet
- Select two subnets that are in different Availability Zones
- Record the Subnet IDs for use when creating the broker
Important: You Cannot Modify Existing Brokers
Amazon MQ does not allow changing the deployment mode of an existing broker. To remediate this finding, you must:
- Create a new broker with active/standby mode
- Migrate your applications to use the new broker endpoints
- Delete the old single-instance broker
AWS Console Method
- Open the Amazon MQ Console
- Click Create broker
- Select Apache ActiveMQ as the engine type and click Next
- For Deployment mode, select Active/standby broker
- Enter a Broker name (e.g., my-activemq-broker)
- Select an Instance type (e.g., mq.m5.large)
- Under Network and security:
- Select your VPC
- Choose two subnets in different Availability Zones
- Select a Security group
- Under ActiveMQ access:
- Create a username and password for broker access
- Click Create broker
The broker takes several minutes to create. Once its state is RUNNING, update your applications to use the new broker's endpoints. For an active/standby broker, configure ActiveMQ clients with the failover transport listing both instance endpoints, so that they reconnect to whichever instance is active after a failover instead of pinning to a single host.
AWS CLI
Create an active/standby broker:
aws mq create-broker \
--broker-name my-activemq-broker \
--deployment-mode ACTIVE_STANDBY_MULTI_AZ \
--engine-type ACTIVEMQ \
--engine-version "5.18" \
--host-instance-type mq.m5.large \
--no-publicly-accessible \
--auto-minor-version-upgrade \
--subnet-ids "subnet-xxxxxxxxxxxxxxxxx" "subnet-yyyyyyyyyyyyyyyyy" \
--security-groups "sg-zzzzzzzzzzzzzzzzz" \
--users '[{"Username":"admin","Password":"YourSecurePassword123!","ConsoleAccess":true}]' \
--region us-east-1
Replace the placeholder values:
- subnet-xxxxxxxxxxxxxxxxx and subnet-yyyyyyyyyyyyyyyyy - Your two subnet IDs (must be in different AZs)
- sg-zzzzzzzzzzzzzzzzz - Your security group ID
- YourSecurePassword123! - A secure password meeting Amazon MQ requirements (at least 12 characters with at least 4 unique characters, and no commas, colons or equals signs)
Note that a password typed on the command line is written to your shell history and is visible in the process list while the command runs. For anything other than a throwaway test broker, put the user definition in a file and pass it with --users file://users.json, which the AWS CLI accepts for any JSON parameter.
List existing brokers and check their deployment mode:
aws mq list-brokers --region us-east-1
Get details for a specific broker:
aws mq describe-broker \
--broker-id <your-broker-id> \
--region us-east-1 \
--query 'DeploymentMode'
CloudFormation
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon MQ ActiveMQ broker in active/standby mode
Parameters:
BrokerName:
Type: String
Description: Name of the Amazon MQ broker
BrokerUsername:
Type: String
Description: Username for broker access
BrokerPassword:
Type: String
NoEcho: true
Description: Password for broker access
SubnetId1:
Type: AWS::EC2::Subnet::Id
Description: First subnet ID (Availability Zone 1)
SubnetId2:
Type: AWS::EC2::Subnet::Id
Description: Second subnet ID (Availability Zone 2)
SecurityGroupId:
Type: AWS::EC2::SecurityGroup::Id
Description: Security group for the broker
Resources:
ActiveMQBroker:
Type: AWS::AmazonMQ::Broker
Properties:
BrokerName: !Ref BrokerName
DeploymentMode: ACTIVE_STANDBY_MULTI_AZ
EngineType: ACTIVEMQ
EngineVersion: '5.18'
HostInstanceType: mq.m5.large
PubliclyAccessible: false
AutoMinorVersionUpgrade: true
SubnetIds:
- !Ref SubnetId1
- !Ref SubnetId2
SecurityGroups:
- !Ref SecurityGroupId
Users:
- Username: !Ref BrokerUsername
Password: !Ref BrokerPassword
ConsoleAccess: true
Outputs:
BrokerId:
Description: ID of the created broker
Value: !Ref ActiveMQBroker
BrokerArn:
Description: ARN of the created broker
Value: !GetAtt ActiveMQBroker.Arn
Deploy the stack. NoEcho hides the password in the CloudFormation console and API responses, but the value below still lands in your shell history; when that matters, pass the parameters from a file with --parameters file://params.json instead:
aws cloudformation create-stack \
--stack-name activemq-ha-broker \
--template-body file://template.yaml \
--parameters \
ParameterKey=BrokerName,ParameterValue=my-activemq-broker \
ParameterKey=BrokerUsername,ParameterValue=admin \
ParameterKey=BrokerPassword,ParameterValue=YourSecurePassword123! \
ParameterKey=SubnetId1,ParameterValue=subnet-xxxxxxxxxxxxxxxxx \
ParameterKey=SubnetId2,ParameterValue=subnet-yyyyyyyyyyyyyyyyy \
ParameterKey=SecurityGroupId,ParameterValue=sg-zzzzzzzzzzzzzzzzz \
--region us-east-1
Terraform
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable "broker_name" {
description = "Name of the Amazon MQ broker"
type = string
}
variable "broker_username" {
description = "Username for broker access"
type = string
}
variable "broker_password" {
description = "Password for broker access"
type = string
sensitive = true
}
variable "subnet_ids" {
description = "List of two subnet IDs in different Availability Zones"
type = list(string)
}
variable "security_group_ids" {
description = "List of security group IDs for the broker"
type = list(string)
}
resource "aws_mq_broker" "activemq" {
broker_name = var.broker_name
deployment_mode = "ACTIVE_STANDBY_MULTI_AZ"
engine_type = "ActiveMQ"
engine_version = "5.18"
host_instance_type = "mq.m5.large"
publicly_accessible = false
auto_minor_version_upgrade = true
subnet_ids = var.subnet_ids
security_groups = var.security_group_ids
user {
username = var.broker_username
password = var.broker_password
console_access = true
}
}
output "broker_id" {
description = "ID of the created broker"
value = aws_mq_broker.activemq.id
}
output "broker_arn" {
description = "ARN of the created broker"
value = aws_mq_broker.activemq.arn
}
Deploy with Terraform. The password variable is marked sensitive, so it is redacted in plan and apply output, but a -var on the command line is still written to shell history; in practice supply it through the TF_VAR_broker_password environment variable or a .tfvars file kept out of version control:
terraform init
terraform apply \
-var="broker_name=my-activemq-broker" \
-var="broker_username=admin" \
-var="broker_password=YourSecurePassword123!" \
-var='subnet_ids=["subnet-xxxxxxxxxxxxxxxxx","subnet-yyyyyyyyyyyyyyyyy"]' \
-var='security_group_ids=["sg-zzzzzzzzzzzzzzzzz"]'
Verification
After creating the broker, verify the deployment mode:
- Open the Amazon MQ Console
- Click on your broker name
- In the Details section, confirm Deployment mode shows Active/standby
CLI verification
aws mq describe-broker \
--broker-id <your-broker-id> \
--region us-east-1 \
--query '{DeploymentMode: DeploymentMode, BrokerState: BrokerState}'
Expected output:
{
"DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ",
"BrokerState": "RUNNING"
}
Additional Resources
- Amazon MQ for ActiveMQ Documentation
- Amazon MQ Broker Architecture
- Active/Standby Broker for High Availability
- Migrating to Amazon MQ
Notes
- Cost impact: Active/standby brokers cost more than single-instance brokers because two broker instances are running. Review Amazon MQ pricing before making changes.
- Migration required: You cannot change an existing broker's deployment mode. Plan for a migration window to move applications to the new broker.
- Failover behavior: During failover, there may be a brief interruption (typically 1-2 minutes). Design your applications with retry logic to handle this gracefully.
- Storage: Active/standby brokers use Amazon EFS for shared storage, which is automatically replicated across Availability Zones.
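The Verification section above checks one broker by ID, and the failover note above asks applications to tolerate a brief switchover. As an added example (not code from the original page or from AWS), the following Python script applies the same deployment-mode check to every broker in a region, flags ActiveMQ brokers that are still single-instance, and for compliant brokers builds the ActiveMQ failover transport URL that lists both instance endpoints so a client reconnects to the active instance on its own. It assumes the describe-broker response fields documented for Amazon MQ (EngineType, DeploymentMode, BrokerState, BrokerInstances[].Endpoints); the sample records embedded in it are constructed, with made-up broker IDs and hostnames, and boto3 is only needed for the live describe_all_brokers helper.

```python
"""Audit Amazon MQ brokers for active/standby mode and build client failover URLs.

Added example, not code from the original page or from AWS. It assumes the
describe-broker response fields documented for Amazon MQ (EngineType,
DeploymentMode, BrokerState, BrokerInstances[].Endpoints). SAMPLE_BROKERS
below is constructed for illustration, not captured from a real account.
"""
from typing import Iterable, Iterator

REQUIRED_MODE = "ACTIVE_STANDBY_MULTI_AZ"


def audit_broker(broker: dict) -> dict:
    """Classify one describe-broker record for this check.

    status is COMPLIANT (ActiveMQ in active/standby), NONCOMPLIANT (ActiveMQ
    single-instance) or NOT_APPLICABLE (RabbitMQ brokers use CLUSTER_MULTI_AZ
    for HA and are outside the scope of this check).
    """
    engine = broker.get("EngineType", "").upper()
    mode = broker.get("DeploymentMode", "")
    if engine != "ACTIVEMQ":
        status = "NOT_APPLICABLE"
    elif mode == REQUIRED_MODE:
        status = "COMPLIANT"
    else:
        status = "NONCOMPLIANT"
    return {
        "BrokerId": broker.get("BrokerId"),
        "BrokerName": broker.get("BrokerName"),
        "EngineType": engine,
        "DeploymentMode": mode,
        "BrokerState": broker.get("BrokerState"),
        "status": status,
    }


def noncompliant(brokers: Iterable[dict]) -> list:
    """Audit records of every ActiveMQ broker that is not in active/standby mode."""
    return [r for r in map(audit_broker, brokers) if r["status"] == "NONCOMPLIANT"]


def failover_url(broker: dict, scheme: str = "ssl") -> str:
    """Build the ActiveMQ failover transport URL clients should connect with.

    An active/standby broker exposes one endpoint per instance. Listing both
    inside failover:(...) lets the client reconnect to whichever instance is
    active after a failover instead of hard-coding a single hostname. Only
    endpoints whose URL starts with the requested scheme are included, so
    "ssl" selects OpenWire over TLS and skips amqp+ssl, stomp+ssl, etc.
    """
    prefix = scheme + "://"
    endpoints = [
        ep
        for inst in broker.get("BrokerInstances", [])
        for ep in inst.get("Endpoints", [])
        if ep.startswith(prefix)
    ]
    if not endpoints:
        raise ValueError(f"no {scheme} endpoint on broker {broker.get('BrokerId')}")
    return "failover:(" + ",".join(endpoints) + ")"


def describe_all_brokers(region: str) -> Iterator[dict]:
    """Yield a describe-broker record for every broker in the region (needs boto3)."""
    import boto3  # imported lazily so the audit logic above works offline

    mq = boto3.client("mq", region_name=region)
    token = None
    while True:
        kwargs = {"MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        page = mq.list_brokers(**kwargs)
        for summary in page.get("BrokerSummaries", []):
            yield mq.describe_broker(BrokerId=summary["BrokerId"])
        token = page.get("NextToken")
        if not token:
            break


# Constructed sample records; IDs and hostnames are placeholders, not real brokers.
SAMPLE_BROKERS = [
    {
        "BrokerId": "b-1111", "BrokerName": "orders-broker", "EngineType": "ACTIVEMQ",
        "DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ", "BrokerState": "RUNNING",
        "BrokerInstances": [
            {"Endpoints": ["ssl://b-1111-1.mq.us-east-1.amazonaws.com:61617",
                           "amqp+ssl://b-1111-1.mq.us-east-1.amazonaws.com:5671"]},
            {"Endpoints": ["ssl://b-1111-2.mq.us-east-1.amazonaws.com:61617",
                           "amqp+ssl://b-1111-2.mq.us-east-1.amazonaws.com:5671"]},
        ],
    },
    {
        "BrokerId": "b-2222", "BrokerName": "legacy-broker", "EngineType": "ACTIVEMQ",
        "DeploymentMode": "SINGLE_INSTANCE", "BrokerState": "RUNNING",
        "BrokerInstances": [
            {"Endpoints": ["ssl://b-2222-1.mq.us-east-1.amazonaws.com:61617"]},
        ],
    },
    {
        "BrokerId": "b-3333", "BrokerName": "rabbit-cluster", "EngineType": "RABBITMQ",
        "DeploymentMode": "CLUSTER_MULTI_AZ", "BrokerState": "RUNNING",
        "BrokerInstances": [
            {"Endpoints": ["amqps://b-3333.mq.us-east-1.amazonaws.com:5671"]},
        ],
    },
]


if __name__ == "__main__":
    # Swap SAMPLE_BROKERS for describe_all_brokers("us-east-1") to audit a real account.
    for broker in SAMPLE_BROKERS:
        record = audit_broker(broker)
        print(f"{record['BrokerName']:<16} {record['DeploymentMode']:<24} {record['status']}")
        if record["status"] == "COMPLIANT":
            print("  client URL:", failover_url(broker))
```

Run it as-is to see the three sample classifications; replace SAMPLE_BROKERS with describe_all_brokers("us-east-1") to audit a live account, which needs mq:ListBrokers and mq:DescribeBroker permissions. A single-instance broker still gets a valid failover URL with one endpoint, which is worth using anyway so that clients reconnect after a reboot or maintenance window.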