Manage an organization VPC peering with Microsoft Azure
Set up a peering connection between your Aiven organization VPC and a Microsoft Azure virtual network.
Establishing a peering connection between an Aiven organization VPC and an Azure VNet requires creating the peering both from the VPC in Aiven and from the VNet in Azure.
To establish the peering from Aiven to Azure, the Aiven Platform's Active Directory application object needs permissions in your Azure subscription. Because the peering is between different AD tenants (the Aiven AD tenant and your Azure AD tenant), your Azure AD tenant needs another application object. Once granted permissions, this object allows peering from Azure to Aiven.
Prerequisites
- Manage organization networking permissions for the Aiven Platform
- Azure account with at least the application administrator role
- Azure CLI and, optionally, the Microsoft Azure portal
- Access to the Aiven Console
- Aiven CLI installed
- Two VPCs to be peered: an organization VPC in Aiven and a VNet in your Azure account
Set up permissions in Azure
Azure app object permissions
- Log in with an Azure admin account using the Azure CLI:

      az account clear
      az login

  This should open a window in your browser prompting you to choose an Azure account to log in with.

  Tip: If you manage multiple Azure subscriptions, also configure the Azure CLI to default to the correct subscription for the subsequent commands. This is not needed if there is only one subscription:

      az account set --subscription SUBSCRIPTION_NAME_OR_ID

- Create an application object in your AD tenant using the Azure CLI:

      az ad app create \
        --display-name "NAME_OF_YOUR_CHOICE" \
        --sign-in-audience AzureADMultipleOrgs \
        --key-type Password

  This creates an application object in Azure AD that can be used to log into multiple AD tenants (--sign-in-audience AzureADMultipleOrgs), but only the home tenant (the tenant the app was created in) has the credentials to authenticate the app.

  Note: Save the appId field from the output. It will be referred to as USER_APP_ID.

- Create a service principal for your app object in the Azure subscription where the VNet to be peered is located:

      az ad sp create --id USER_APP_ID

  This creates a service principal in your subscription, which can be assigned permissions to peer your VNet.

  Note: Save the id field from the JSON output. It will be referred to as USER_SP_ID.

- Set a password for your app object:

      az ad app credential reset --id USER_APP_ID

  Note: Save the password field from the output. It will be referred to as USER_APP_SECRET.

- Find the properties of your virtual network:

  - Resource ID
    - In the Azure portal: Virtual networks > name of your network > JSON View > Resource ID
    - Using the Azure CLI:

          az network vnet list

      Note: The id field should have the format /subscriptions/USER_SUBSCRIPTION_ID/resourceGroups/USER_RESOURCE_GROUP/providers/Microsoft.Network/virtualNetworks/USER_VNET_NAME. It will be referred to as USER_VNET_ID.
  - Azure subscription ID: the VNet page in the Azure portal > Essentials > Subscription ID, or the part after /subscriptions/ in the resource ID. It will be referred to as USER_SUBSCRIPTION_ID.
  - Resource group name: the VNet page in the Azure portal > Essentials > Resource group, or the resourceGroup field in the output. It will be referred to as USER_RESOURCE_GROUP.
  - VNet name: the title of the VNet page, or the name field from the output. It will be referred to as USER_VNET_NAME.

  Note: Save all the properties for later.
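The resource ID is reused twice in this procedure: as the --scope of the role assignments, and, split into its parts, as the lower-case arguments of the Aiven CLI peering command. Because a mistyped scope (for example a resource group or subnet ID instead of the VNet ID) would silently widen or break the assignment, it is worth checking the ID's shape before using it. The following shell example is added here and is not part of the Aiven documentation; the function names and the sample resource ID are constructed for the example.

```shell
#!/bin/sh
# Added example (not Aiven's own code): validate an Azure VNet resource ID and
# split it into the three values the Aiven peering command needs.
# Expected shape (from the page):
#   /subscriptions/USER_SUBSCRIPTION_ID/resourceGroups/USER_RESOURCE_GROUP/providers/Microsoft.Network/virtualNetworks/USER_VNET_NAME

# Constructed sample ID for demonstration; replace with the output of "az network vnet list".
SAMPLE_VNET_ID='/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/MyRG/providers/Microsoft.Network/virtualNetworks/MyVNet'

# vnet_id_field ID N -> N-th slash-separated segment of ID (1-based, leading slash ignored)
vnet_id_field() {
  printf '%s\n' "${1#/}" | cut -d/ -f"$2"
}

# vnet_id_validate ID -> 0 if ID is exactly a VNet resource ID, 1 otherwise
# (rejects subnet IDs, extra segments, and empty subscription/group/name parts)
vnet_id_validate() {
  id=$1
  case $id in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/*) ;;
    *) return 1 ;;
  esac
  # exactly 8 path segments: a subnet ID, for instance, has 10
  n=$(printf '%s\n' "${id#/}" | tr '/' '\n' | wc -l | tr -d ' ')
  [ "$n" -eq 8 ] || return 1
  # the segments we extract must not be empty
  for f in 2 4 8; do
    [ -n "$(vnet_id_field "$id" "$f")" ] || return 1
  done
  return 0
}

# aiven_peer_args ID -> prints the Aiven CLI peer arguments derived from ID.
# Values are lower-cased because the page requires lower case for USER_ arguments.
aiven_peer_args() {
  vnet_id_validate "$1" || { echo "not a VNet resource ID: $1" >&2; return 1; }
  sub=$(vnet_id_field "$1" 2 | tr '[:upper:]' '[:lower:]')
  rg=$(vnet_id_field "$1" 4 | tr '[:upper:]' '[:lower:]')
  vnet=$(vnet_id_field "$1" 8 | tr '[:upper:]' '[:lower:]')
  printf '%s %s %s %s %s %s\n' --peer-cloud-account "$sub" --peer-resource-group "$rg" --peer-vpc "$vnet"
}

# Typical use: abort before any role assignment if the ID does not look right.
#   vnet_id_validate "$USER_VNET_ID" || exit 1
#   avn organization vpc peering-connection create ... $(aiven_peer_args "$USER_VNET_ID") ...
```

Keep using the unmodified ID for --scope; only the Aiven-side arguments are lower-cased.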
- Grant your service principal permissions to peer.

  The service principal needs to be assigned a role that includes the Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write permission at the scope of your VNet. To limit the permissions granted to the application object and the service principal, you can create a custom role with only this permission. The built-in Network Contributor role also includes this permission.

  - Find the ID of the role with the required permission:

        az role definition list --name "Network Contributor"

    The id field in the output is referred to as NETWORK_CONTRIBUTOR_ROLE_ID.

  - Assign the service principal the Network Contributor role using NETWORK_CONTRIBUTOR_ROLE_ID:

        az role assignment create \
          --role NETWORK_CONTRIBUTOR_ROLE_ID \
          --assignee-object-id USER_SP_ID \
          --scope USER_VNET_ID

    This allows your application object to manage the network within the specified --scope. Since you control the application object, you can also grant it permissions at the scope of an entire resource group or the whole subscription. This enables creating other peerings later without assigning the role to each VNet separately.
Aiven app object permissions
- Create a service principal for the Aiven application object.

  The Aiven AD tenant contains an application object that the Aiven Platform uses to create a peering from the Aiven organization VPC to the Azure VNet. For this, the Aiven application object needs a service principal in your Azure subscription. To create it, run:

      az ad sp create --id 55f300d4-fc50-4c5e-9222-e90a6e2187fb

  The argument to --id is a fixed value: the ID of the Aiven application object.

  Note: Save the id field from the JSON output. It will be referred to as AIVEN_SP_ID.

  Important: The command might fail for the following reasons:
  - "When using this permission, the backing application of the service principal being created must in the local tenant": your account doesn't have the required permissions. See Prerequisites.
  - "The service principal cannot be created, updated, or restored because the service principal name 55f300d4-fc50-4c5e-9222-e90a6e2187fb is already in use": the service principal already exists. Run

        az ad sp show --id 55f300d4-fc50-4c5e-9222-e90a6e2187fb

    and find id in the output.

- Create a custom role for the Aiven application object.

  The Aiven application has a service principal that can be granted permissions. To restrict the service principal's permissions to peering, create a custom role that allows only the peering action:

      az role definition create --role-definition '{
        "Name": "NAME_OF_YOUR_CHOICE",
        "Description": "Allows creating a peering to vnets in scope (but not from)",
        "Actions": [
          "Microsoft.Network/virtualNetworks/peer/action"
        ],
        "AssignableScopes": [
          "/subscriptions/USER_SUBSCRIPTION_ID"
        ]
      }'

  AssignableScopes includes your Azure subscription ID to restrict the scopes that a role assignment can use.

  Note: Save the id field from the output. It will be referred to as AIVEN_ROLE_ID.

- Assign the custom role to the Aiven service principal.

  To give the Aiven application object's service principal permission to peer with your VNet, assign the created role to the Aiven service principal with the scope of your VNet:

      az role assignment create \
        --role AIVEN_ROLE_ID \
        --assignee-object-id AIVEN_SP_ID \
        --scope USER_VNET_ID

- Find your AD tenant ID:
  - In the Azure portal: Settings > Directories + subscriptions > Directories > Directory ID
  - Using the Azure CLI:

        az account list

  Note: Save the tenantId field from the output. It will be referred to as USER_TENANT_ID.
Create the peering in Aiven
Create the peering using one of the following tools: the Aiven CLI, the Aiven Console, the Aiven API, or the Aiven Provider for Terraform.

Aiven CLI

By creating a peering from the Aiven organization VPC to the VNet in your Azure subscription, you also create a service principal for the application object (--peer-azure-app-id USER_APP_ID) and grant it the permission to peer with the Aiven organization VPC. The Aiven application object authenticates with your Azure tenant (--peer-azure-tenant-id USER_TENANT_ID), which gives it access to the service principal of the Aiven application object in your tenant.

- Find your organization ID in the Aiven Console, or retrieve it from the output of the avn organization list command. The organization ID will be referred to as AIVEN_ORG_ID.

- Find your Aiven organization VPC ID using either the Aiven Console or the Aiven CLI.

  In the Aiven Console:
  - Log in to the Aiven Console.
  - Go to your organization, and click Admin in the top navigation bar.
  - Click VPCs in the sidebar.
  - On the Virtual private clouds page, select your organization VPC.
  - On the VPC details page, go to the Overview section, and copy ID.

  In the Aiven CLI, run the avn organization vpc list command.

  The Aiven organization VPC ID will be referred to as AIVEN_ORGANIZATION_VPC_ID.

- Run:

      avn organization vpc peering-connection create \
        --organization-id AIVEN_ORG_ID \
        --organization-vpc-id AIVEN_ORGANIZATION_VPC_ID \
        --peer-cloud-account USER_SUBSCRIPTION_ID \
        --peer-resource-group USER_RESOURCE_GROUP \
        --peer-vpc USER_VNET_NAME \
        --peer-azure-app-id USER_APP_ID \
        --peer-azure-tenant-id USER_TENANT_ID

  Note: Use lower case for arguments starting with USER_.

- Run the following command until the state changes from APPROVED to PENDING_PEER:

      avn organization vpc peering-connection list \
        --organization-id AIVEN_ORG_ID \
        --organization-vpc-id AIVEN_ORGANIZATION_VPC_ID

  Tip: If the state is INVALID_SPECIFICATION or REJECTED_BY_PEER, check that the Azure VNet exists and that the Aiven application object has the permission to be peered with. Revise your configuration and recreate the peering connection.

  Establishing the connection from Aiven to Azure can take a while. When completed, the state changes to PENDING_PEER and the output shows details for establishing the peering from your Azure VNet to the Aiven organization VPC.

  Note: Save the following from the output:
  - to-tenant-id: It will be referred to as AIVEN_TENANT_ID.
  - to-network-id: It will be referred to as AIVEN_VNET_ID.

Aiven Console

- Log in to the Aiven Console, and click Admin in the top navigation bar.
- Click VPCs in the sidebar.
- On the Virtual private clouds page, select an organization VPC to peer.
- On the VPC details page, go to the VPC peering connections section and click Create peering request.
- In the Create peering request window:
  - Enter the following:
    - Azure subscription ID
    - Resource group
    - Network name
    - Active Directory tenant ID
    - Application object ID
  - Click Create.

  This adds a connection with the Pending peer status in the Aiven Console.
- While still on the VPC details page, make a note of the ID of your Aiven VPC.

Aiven API

Make an API call to the OrganizationVpcPeeringConnectionCreate endpoint:

    curl --request POST \
      --url https://api.aiven.io/v1/organization/ORGANIZATION_ID/vpcs/ORGANIZATION_VPC_ID/peering-connections \
      --header 'Authorization: Bearer BEARER_TOKEN' \
      --header 'content-type: application/json' \
      --data '
    {
      "peer_azure_app_id":"USER_APP_ID",
      "peer_azure_tenant_id":"USER_TENANT_ID",
      "peer_cloud_account":"USER_SUBSCRIPTION_ID",
      "peer_resource_group":"USER_RESOURCE_GROUP",
      "peer_vpc":"USER_VNET_NAME"
    }
    '

Replace the following placeholders with meaningful data:
- ORGANIZATION_ID
- ORGANIZATION_VPC_ID
- BEARER_TOKEN
- USER_SUBSCRIPTION_ID
- USER_RESOURCE_GROUP
- USER_VNET_NAME
- USER_APP_ID
- USER_TENANT_ID

Aiven Provider for Terraform

Use the aiven_azure_org_vpc_peering_connection resource.
Create the peering in Azure

Establish the peering connection from your Azure VNet to the Aiven organization VPC:

- Log out the Azure user you logged in with:

      az account clear

- Log in the Azure application object to your AD tenant using the password:

      az login \
        --service-principal \
        -u USER_APP_ID \
        -p USER_APP_SECRET \
        --tenant USER_TENANT_ID

- Log in the Azure application object to the Aiven AD tenant:

      az login \
        --service-principal \
        -u USER_APP_ID \
        -p USER_APP_SECRET \
        --tenant AIVEN_TENANT_ID

  At this point, your application object should have an open session with both your Azure AD tenant and the Aiven AD tenant.

- Create a peering from your Azure VNet to the Aiven organization VPC:

      az network vnet peering create \
        --name PEERING_NAME_OF_YOUR_CHOICE \
        --remote-vnet AIVEN_VNET_ID \
        --vnet-name USER_VNET_NAME \
        --resource-group USER_RESOURCE_GROUP \
        --subscription USER_SUBSCRIPTION_ID \
        --allow-vnet-access

  If the peering state in the output is connected, the peering is created.

  Tip: The command might fail with the following error:

      The client 'RANDOM_UUID' with object id 'RANDOM_UUID' does not have authorization to
      perform action 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write' over
      scope 'USER_VNET_ID'. If access was recently granted, refresh your credentials.

  This has two possible causes related to the role assignment:
  - The role assignment hasn't taken effect yet, in which case log in again and recreate the peering.
  - The role assignment is incorrect, in which case recreate the role assignment.

- Wait until the Aiven peering connection is active. The Aiven Platform regularly polls peering connections in state PENDING_PEER to see if the peer (your Azure VNet) has created a peering connection to the Aiven organization VPC. Once this is detected, the state changes from PENDING_PEER to ACTIVE, at which point Aiven services in the organization VPC can be reached through the peering.

- Check that the status of the peering connection is ACTIVE:

      avn organization vpc get \
        --organization-id AIVEN_ORG_ID \
        --organization-vpc-id AIVEN_ORGANIZATION_VPC_ID
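Both waits in this procedure (for PENDING_PEER after creating the peering in Aiven, and for ACTIVE after creating it in Azure) are the same loop with a different target state, and both should stop as soon as the connection lands in INVALID_SPECIFICATION or REJECTED_BY_PEER rather than keep polling. The following shell example is added here and is not Aiven's own code. The command that yields the current state is passed in as an argument; the aiven_peering_state helper assumes only that the Aiven CLI listing prints the state as one of the tokens named on this page, and that the VPC has a single peering connection (filter the listing first if it has more).

```shell
#!/bin/sh
# Added example (not Aiven's own code): poll until a peering connection reaches a
# target state, failing fast on the error states instead of waiting out the timeout.

# Peering states that mean the configuration must be fixed and the peering recreated.
ERROR_STATES='INVALID_SPECIFICATION REJECTED_BY_PEER'

# is_error_state STATE -> 0 if STATE is one of ERROR_STATES, 1 otherwise
is_error_state() {
  for s in $ERROR_STATES; do
    [ "$1" = "$s" ] && return 0
  done
  return 1
}

# aiven_peering_state ORG_ID VPC_ID -> prints the first peering state found in the
# Aiven CLI listing. Assumption: the listing contains the state token verbatim; with
# more than one peering on the VPC, filter the listing to the one you are waiting for.
aiven_peering_state() {
  avn organization vpc peering-connection list \
    --organization-id "$1" --organization-vpc-id "$2" \
    | grep -oE 'ACTIVE|PENDING_PEER|APPROVED|INVALID_SPECIFICATION|REJECTED_BY_PEER' \
    | head -n 1
}

# wait_for_peering_state TARGET MAX_ATTEMPTS DELAY_SECONDS CMD [ARGS...]
# Runs CMD (which must print the current state) until it prints TARGET.
# Returns 0 on success, 2 on an error state, 1 when MAX_ATTEMPTS is exhausted.
wait_for_peering_state() {
  target=$1; max_attempts=$2; delay=$3; shift 3
  attempt=0
  state=''
  while [ "$attempt" -lt "$max_attempts" ]; do
    attempt=$((attempt + 1))
    state=$("$@" | head -n 1)
    if [ "$state" = "$target" ]; then
      echo "peering reached $target after $attempt poll(s)"
      return 0
    fi
    if is_error_state "$state"; then
      echo "peering is $state: check that the VNet exists and that the Aiven service principal can peer with it, then recreate the peering" >&2
      return 2
    fi
    sleep "$delay"
  done
  echo "gave up waiting for $target; last state was '$state'" >&2
  return 1
}

# Typical use with the IDs from this page (assumed to be set in the environment):
# first after the Aiven-side create, then after the Azure-side create.
#   wait_for_peering_state PENDING_PEER 30 20 aiven_peering_state "$AIVEN_ORG_ID" "$AIVEN_ORGANIZATION_VPC_ID"
#   wait_for_peering_state ACTIVE 30 20 aiven_peering_state "$AIVEN_ORG_ID" "$AIVEN_ORGANIZATION_VPC_ID"
```

Treat exit status 2 as a configuration problem to fix before recreating the peering, and exit status 1 as a timeout worth re-checking on the Azure side (for example, whether the peering create command there actually reported connected).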
Delete the peering

Once you delete your VPC peering on the Aiven Platform, the cloud-provider side of the peering connection becomes inactive or deleted, and the traffic between the disconnected VPCs is terminated.

Delete an organization VPC peering using a tool of your choice: the Aiven Console, the Aiven CLI, or the Aiven API.

Aiven Console

- Log in to the Aiven Console, and click Admin in the top navigation bar.
- Click VPCs in the sidebar.
- On the Virtual private clouds page, select an organization VPC.
- On the VPC details page, go to the VPC peering connections section, find the peering to be deleted, and click Actions > Delete.
- In the Confirmation window, click Delete VPC peering.

Aiven CLI

Run the avn organization vpc peering-connection delete command:

    avn organization vpc peering-connection delete \
      --organization-id ORGANIZATION_ID \
      --organization-vpc-id ORGANIZATION_VPC_ID \
      --peering-connection-id ORGANIZATION_VPC_PEERING_ID

Replace the following:
- ORGANIZATION_ID with the ID of your Aiven organization, for example, org1a2b3c4d5e6
- ORGANIZATION_VPC_ID with the ID of your Aiven organization VPC, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
- ORGANIZATION_VPC_PEERING_ID with your Aiven peering connection ID, obtainable from the output of the avn organization vpc get command, for example, 1a2b3c4d-1234-a1b2-c3d4-1a2b3c4d5e6f

Aiven API

Make an API call to the OrganizationVpcPeeringConnectionDelete endpoint:

    curl --request DELETE \
      --url https://api.aiven.io/v1/organization/ORGANIZATION_ID/vpcs/ORGANIZATION_VPC_ID/peering-connections/PEERING_CONNECTION_ID \
      --header 'Authorization: Bearer BEARER_TOKEN'

Replace the following placeholders with meaningful data:
- ORGANIZATION_ID: Aiven organization ID
- ORGANIZATION_VPC_ID: Aiven organization VPC ID
- PEERING_CONNECTION_ID: Aiven peering connection ID, obtainable by calling the OrganizationVpcGet endpoint
- BEARER_TOKEN