AWS MQ Integrations

Enterprises that standardize on AWS still run IBM MQ when applications, banks, or mainframe partners require MQ semantics, mainframe channels, or decades of MQSC investment. AWS MQ integration is not one product—it is the architecture space where Amazon VPC networking, EKS, Secrets Manager, Lambda, EventBridge, and optionally Amazon MQ meet IBM MQ queue managers on EC2, in containers, in IBM MQ on Cloud, or on prem across a private link. Beginners search AWS Marketplace for IBM MQ, find Amazon MQ, and provision the wrong engine. This tutorial separates Amazon MQ managed brokers from IBM MQ you operate, diagrams hybrid connectivity over Direct Connect and VPN, and covers security groups and private subnets for listeners, running the official container on EKS with EBS CSI storage, storing credentials in Secrets Manager, when Lambda fits versus when ECS or EKS workers consume queues, observability with CloudWatch and corporate Prometheus, disaster recovery across regions, and governance when two teams own AWS networking and MQ administration.

Amazon MQ Versus IBM MQ on AWS

Amazon MQ vs IBM MQ on AWS

  Topic              Amazon MQ                   IBM MQ on AWS
  Software engine    ActiveMQ, RabbitMQ, etc.    IBM MQ Advanced
  Client libraries   JMS for those brokers       MQI, JMS, .NET for IBM MQ
  Operations         AWS managed patches         You or IBM Cloud manage
  Mainframe bridge   Not IBM MQ channel          Native MQ channels to z/OS

Choose Amazon MQ when the workload truly fits those brokers and AWS native management. Choose IBM MQ on AWS when partners send MQMD headers, you need WMQ channel types, or repository compatibility with existing QMGRs matters. Some estates run both—avoid bridging with ad-hoc file drops when licensed MQ channels exist.

Reference Architecture: IBM MQ on EKS

Run icr.io/ibm-messaging/mq on EKS worker nodes in private subnets. Use the EBS CSI driver with gp3 volumes for /mnt/mqm PVCs. Install the AWS Load Balancer Controller for internal NLB if corporate clients outside the cluster need TCP 1414. IRSA (IAM Roles for Service Accounts) lets the pod read Secrets Manager without static keys in env. Cluster autoscaler does not help single QM latency—size nodes explicitly. Use the same StatefulSet patterns from earlier tutorials; add AWS-specific storage class annotations for encryption and backup via AWS Backup.

```yaml
# StorageClass snippet — AWS EBS gp3 (illustrative)
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: mq-gp3
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  encrypted: "true"
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
```

Hybrid: AWS Applications to On-Prem IBM MQ

Place consumers and producers in VPC subnets with routes to the on-prem CIDR over Direct Connect or Site-to-Site VPN. Point the MQ client channel connection at an internal DNS name that resolves to the on-prem listener IP. Set the MCA heartbeat and disconnect interval for the WAN. Test firewall rules in both directions—sender channels from on-prem to the AWS initiation port need outbound rules on the AWS side. Use TLS mutual authentication when crossing trust boundaries. Document the latency impact on syncpoint-heavy workloads.

Hybrid: IBM MQ on Cloud and AWS

Microservices on EKS call IBM MQ on Cloud public or private endpoints. PrivateLink or VPC endpoints reduce public internet exposure where IBM supports them for your region. Trust stores in pods must include the IBM Cloud CA bundles. IAM on the AWS side does not replace MQ credentials—handle both layers in runbooks.

Explainer: Two Countries, One Postal System

AWS is one country with its own delivery trucks (Lambda, SQS). IBM MQ is the postal system your bank mandated. Integration builds a bridge road (VPN) so trucks can hand parcels to MQ post offices, not replace MQ with a different postal service unless regulators agree.

Secrets Manager and Rotation

Store MQ channel passwords and keystore passwords in Secrets Manager; mount them into pods as files or environment variables via the CSI driver. Rotation requires coordinated client and server updates—automate it with scripts that ALTER AUTHINFO and reload channels. Never bake secrets into Amazon Machine Images. For ECS tasks, use the task execution role to fetch secrets at start.
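The rotation script described above, as an added example that is not part of the original tutorial: it turns a Secrets Manager payload into the MQSC that updates the LDAP bind password on an AUTHINFO object, refreshes CONNAUTH, and restarts the listed channels. The queue manager, object and channel names and the secret's field layout are assumptions, and the sample payload is constructed.

```python
"""Build and apply the MQSC that follows a Secrets Manager rotation of the LDAP bind
password held in an IBM MQ AUTHINFO object. Added example; queue manager, object and
channel names are assumptions, and the secret layout is one we define here."""
import json
import subprocess

# Constructed sample of a SecretString payload; in production it comes from
# boto3.client("secretsmanager").get_secret_value(SecretId=...)["SecretString"].
SAMPLE_SECRET = json.dumps({
    "qmgr": "QM1",
    "authinfo": "LDAP.IDPW",
    "ldap_password": "p'ss;w0rd",   # embedded quote exercises MQSC escaping
    "channels": ["APP.SVRCONN"],
})

def mqsc_quote(value):
    """Quote a string for MQSC: single quotes, with embedded quotes doubled."""
    return "'" + value.replace("'", "''") + "'"

def rotation_mqsc(secret_string):
    """Return the MQSC script: set the new bind password, refresh CONNAUTH so the
    queue manager re-reads the AUTHINFO object, then stop and restart the listed
    channels so they pick up the refreshed configuration."""
    secret = json.loads(secret_string)
    missing = [k for k in ("authinfo", "ldap_password", "channels") if k not in secret]
    if missing:
        raise ValueError(f"secret missing required field(s): {missing}")
    lines = [
        f"ALTER AUTHINFO({secret['authinfo']}) AUTHTYPE(IDPWLDAP) "
        f"LDAPPWD({mqsc_quote(secret['ldap_password'])})",
        "REFRESH SECURITY TYPE(CONNAUTH)",
    ]
    for channel in secret["channels"]:
        lines.append(f"STOP CHANNEL({channel}) MODE(QUIESCE)")
        lines.append(f"START CHANNEL({channel})")
    return "\n".join(lines) + "\n"

def apply_rotation(secret_string):
    """Pipe the script into runmqsc on the MQ host or pod; returns the exit code."""
    qmgr = json.loads(secret_string)["qmgr"]
    proc = subprocess.run(["runmqsc", qmgr], input=rotation_mqsc(secret_string),
                          text=True, capture_output=True)
    return proc.returncode

if __name__ == "__main__":
    print(rotation_mqsc(SAMPLE_SECRET))
```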

Lambda, API Gateway, and Event-Driven Patterns

  • Lambda PUT via REST messaging API when queue manager exposes HTTPS and cold start latency is acceptable.
  • Lambda triggering on SQS is not native IBM MQ—use only in dual-middleware designs with clear mapping.
  • EventBridge schedules maintenance scripts that call REST admin—not for high-rate messaging.
  • Long-polling getters belong on ECS/EKS/EC2, not on Lambda with its fifteen-minute limit.
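The first pattern above, a Lambda producer putting a message through the messaging REST API, as an added example that is not from the original tutorial. The hostname, environment variable names, Secrets Manager secret layout, and the use of a CA bundle shipped with the function (as the IBM MQ on Cloud section requires) are assumptions; credentials are cached across warm invocations so the cold-start cost is paid once.

```python
"""Lambda producer that PUTs one message via the IBM MQ messaging REST API (v2).
Added example; the host, environment variable names and secret layout are assumptions."""
import base64
import json
import os
import ssl
import urllib.request

MQ_REST_BASE = os.environ.get("MQ_REST_BASE", "https://mq.internal.example:9443")  # assumed host
QMGR = os.environ.get("MQ_QMGR", "QM1")
QUEUE = os.environ.get("MQ_QUEUE", "APP.IN")
_CRED_CACHE = {}  # kept across warm invocations so Secrets Manager is not called on every PUT

def build_put_request(base, qmgr, queue, user, password):
    """Return (url, headers) for the messaging REST POST. The CSRF header is mandatory
    (the API rejects POSTs without it) but its value is arbitrary."""
    url = f"{base}/ibmmq/rest/v2/messaging/qmgr/{qmgr}/queue/{queue}/message"
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {token}",
        "ibm-mq-rest-csrf-token": "lambda",
        "Content-Type": "text/plain;charset=utf-8",
    }
    return url, headers

def load_credentials(secret_id):
    """Fetch {"user": ..., "password": ...} from Secrets Manager via boto3 (assumed layout)."""
    if secret_id not in _CRED_CACHE:
        import boto3  # present in the Lambda runtime; imported lazily so the module loads offline
        raw = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)["SecretString"]
        _CRED_CACHE[secret_id] = json.loads(raw)
    return _CRED_CACHE[secret_id]

def handler(event, context):
    """Lambda entry point: event["body"] is the message text to PUT."""
    creds = load_credentials(os.environ["MQ_SECRET_ID"])
    url, headers = build_put_request(MQ_REST_BASE, QMGR, QUEUE, creds["user"], creds["password"])
    # Trust the CA bundle packaged with the function when MQ_CA_BUNDLE is set; else system roots.
    ctx = ssl.create_default_context(cafile=os.environ.get("MQ_CA_BUNDLE"))
    req = urllib.request.Request(url, data=event["body"].encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5, context=ctx) as resp:
        return {"statusCode": resp.status}
```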

EC2 Bare Metal Alternative

Some teams install MQ on EC2 when they want VM operations without Kubernetes overhead. Attach encrypted EBS, use an Auto Scaling Group with a maximum of one for a single QM, or a manual failover pair. Patch with Systems Manager. Back up with AWS Backup. This mirrors traditional data center MQ on Linux with AWS billing.

Networking Checklist

  1. Private subnets for MQ pods or EC2; no public IP on queue manager.
  2. Security group ingress 1414 from app SG only.
  3. NACLs allow return traffic for channel initiation.
  4. Route tables toward on-prem or IBM Cloud peers.
  5. DNS forwarders resolve partner hostnames.
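A check for item 2 of the checklist, as an added example that is not from the original tutorial: it audits a security group for port 1414 ingress that comes from anywhere other than the application security group. The input is the dict shape boto3's ec2.describe_security_groups returns (fetch it with boto3 in production); the group ids and rules here are constructed.

```python
"""Audit an EC2 security group for IBM MQ listener ingress: TCP 1414 must be reachable
only from the application security group, never from a CIDR. Added example; the input
follows the boto3 describe_security_groups shape and the ids below are constructed."""

MQ_PORT = 1414

# Constructed sample: one compliant rule and two violations.
SAMPLE_SG = {
    "GroupId": "sg-0mq00000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1414, "ToPort": 1414,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app0000"}]},
        {"IpProtocol": "tcp", "FromPort": 1414, "ToPort": 1414,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ],
}

def _covers_port(perm, port):
    """True if the permission reaches TCP <port> (an all-traffic rule, protocol -1, does)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_mq_ingress(sg, app_sg_id, port=MQ_PORT):
    """Return a list of findings; an empty list means the group matches the checklist."""
    gid = sg["GroupId"]
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []):
            findings.append(f"{gid}: port {port} open to CIDR {rng['CidrIp']}")
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"{gid}: port {port} open to CIDR {rng['CidrIpv6']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != app_sg_id:
                findings.append(f"{gid}: port {port} open to unexpected SG {pair['GroupId']}")
        if perm.get("IpProtocol") == "-1":
            findings.append(f"{gid}: all-traffic rule is not restricted to port {port}")
    return findings

if __name__ == "__main__":
    for finding in audit_mq_ingress(SAMPLE_SG, "sg-0app0000"):
        print(finding)
```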

Observability and Operations

Ship container logs to CloudWatch Logs with retention policies. Export Prometheus metrics to Amazon Managed Prometheus if the corporate standard allows. Raise CloudWatch alarms on PVC utilization via kube-state-metrics. AWS Health events do not replace MQ channel status—monitor both. Tag resources with app, env, and cost-center for FinOps.

Disaster Recovery Across AWS Regions

Active-passive QM in second region needs replicated messages or Native HA cross-region where licensed—not manual EBS snapshot copy alone while running. Practice failover drill: update DNS or CCDT to secondary listener, start channels, verify depth. RTO and RPO definitions drive whether you pay for always-on secondary.

Compliance and Data Residency

Regulations may forbid messages from leaving a geographic region—choose the AWS region and IBM MQ placement accordingly. Encryption at rest on EBS and TLS in transit satisfy many policies; add KMS keys you control. CloudTrail audits API changes to AWS resources; MQ audit logs are still required inside the QM.

Explain Like I'm Five: AWS MQ Integrations

AWS is a playground where your apps live. IBM MQ is the mailbox system the whole company trusts. Integration is building a safe bridge so playground kids can send letters to the real mailboxes without mixing up two different mail companies.

Practice Exercises

Exercise 1

Draw security group rules for EKS MQ namespace and a Lambda in another subnet.

Exercise 2

Write a decision table: when your team picks Amazon MQ vs IBM MQ on EKS.

Exercise 3

List three WAN-tuning channel attributes for AWS-to-on-prem links.

Test Your Knowledge

1. Amazon MQ often provides:

  • ActiveMQ/RabbitMQ engines
  • z/OS MQ only
  • CICS
  • Db2

2. IBM MQ on AWS typically uses:

  • EKS or EC2 you manage
  • Only S3
  • Only Lambda
  • No networking

3. Hybrid needs:

  • Private network path
  • Public anonymous FTP
  • No TLS
  • Same VPC only

4. Lambda is best for:

  • Short produce bursts
  • 24/7 high-volume get
  • Channel pair file
  • QM kernel patch

Published
Read time: 22 min
Author: MainframeMaster
Verified: IBM MQ 9.4 and AWS architecture guides