Manage project virtual private clouds (VPCs) in Aiven

Set up or delete a project-wide VPC in your Aiven organization. Deploy or migrate Aiven-managed services to your project VPC. Access resources within the project VPC from the public internet.

Prerequisites

• Manage project networking permissions
• One of the following tools for operating project VPCs:
  • Aiven Console
  • Aiven CLI
  • Aiven API
  • Aiven Provider for Terraform

Create a project VPC

Create a project VPC using a tool of your choice:

Aiven Console

1. Log in to Aiven Console, go to your project page, and click VPCs in the sidebar.

2. On the Virtual private clouds page, click Create VPC.

3. In the Create VPC window:

   1. Select a cloud provider and region.

   2. Enter the IP range. Use an IP range that does not overlap with any networks that you want to connect via VPC peering.

      For example, if your own networks use the range 11.1.1.0/8, you can set the range for your Aiven project's VPC to 191.161.1.0/24.

      note

      Network prefix length must be between 20 and 24 inclusive.

4. Click Create VPC.

The state of the VPC is shown in the table.

Aiven CLI

Run the avn vpc create command:

avn vpc create                  \
  --cloud CLOUD_PROVIDER_REGION \
  --network-cidr NETWORK_CIDR   \
  --project PROJECT_NAME

Replace the following:

• CLOUD_PROVIDER_REGION with the cloud provider and region to host the VPC, for example aws-eu-west-1
• NETWORK_CIDR with the CIDR block (a range of IP addresses) for the VPC, for example, 10.0.0.0/24
• PROJECT_NAME with the name of your Aiven project where to create the VPC

Aiven API

Make an API call to the VpcCreate endpoint:

curl --request POST \
  --url https://api.aiven.io/v1/project/PROJECT_ID/vpcs \
  --header 'Authorization: Bearer BEARER_TOKEN' \
  --header 'content-type: application/json' \
  --data '
    {
      "cloud_name": "CLOUD_PROVIDER_REGION",
      "network_cidr": "NETWORK_CIDR"
    }
  '

Replace PROJECT_ID, BEARER_TOKEN, CLOUD_PROVIDER_REGION, and NETWORK_CIDR with meaningful data.

Aiven Provider for Terraform

Use the aiven_project_vpc resource.

Create a service in a project VPC

Your project VPC is available as a geolocation (cloud region) for the new service.

note

You can create a service in a project VPC only if it is in the same project where you are creating the service.

Create a service in a project VPC using a tool of your choice:

Aiven Console

Set your project VPC as a cloud region for the new service:

1. From your project, in the Services page, click Create service.

2. From the Select service page, click the service type of your choice.

3. Select the cloud provider and region to host your service on.

   note

   The pricing for the same service can vary between different providers and regions. The service summary shows you the pricing for your selected options.

4. Select a service plan.

   note

   This determines the number of servers and the memory, CPU, and disk resources allocated to your service. See Plans & Pricing.

5. Optional: Add disk storage.

6. Enter a name for your service.

   important

   You cannot change the name after you create the service.

   You can fork the service with a new name instead.

7. Optional: Add tags.

8. Click Create service.

The Overview page of the service opens. It shows the connection parameters for your service, its current status, and the configuration options.

The status of the service is Rebuilding during its creation. When the status becomes Running, you can start using the service. This typically takes couple of minutes and can vary between cloud providers and regions.

Aiven CLI

Run avn service create:

avn service create SERVICE_NAME        \
  --project PROJECT_NAME               \
  --project-vpc-id PROJECT_VPC_ID      \
  --service-type SERVICE_TYPE          \
  --plan SERVICE_PLAN                  \
  --cloud CLOUD_PROVIDER_REGION

Replace the following:

• SERVICE_NAME with the name of the service to be created, for example, pg-vpc-test
• PROJECT_NAME with the name of the project where to create the service, for example, pj-test
• PROJECT_VPC_ID with the ID of your project VPC, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
• SERVICE_TYPE with the type of the service to be created, for example, pg
• SERVICE_PLAN with the plan of the service to be created, for example, hobbyist
• CLOUD_PROVIDER_REGION with the cloud provider and region to host the service to be created, for example aws-eu-west-1

Aiven API

Make an API call to the ServiceCreate endpoint endpoint:

curl --request POST \
  --url https://api.aiven.io/v1/project/PROJECT_NAME/service \
  --header 'Authorization: Bearer BEARER_TOKEN' \
  --header 'content-type: application/json' \
  --data-raw '
    {
      "service_name": "SERVICE_NAME",
      "cloud": "CLOUD_PROVIDER_REGION",
      "plan": "SERVICE_PLAN",
      "service_type": "SERVICE_TYPE",
      "disk_space_mb": DISK_SIZE,
      "project_vpc_id":"PROJECT_VPC_ID"
    }
  '

Replace the following placeholders with meaningful data:

• PROJECT_NAME, for example org-vpc-test
• BEARER_TOKEN
• SERVICE_NAME, for example org-vpc-test-project
• CLOUD_PROVIDER_REGION, for example google-europe-west10
• SERVICE_PLAN, for example startup-4
• SERVICE_TYPE, for example pg
• DISK_SIZE in MiB, for example 81920
• PROJECT_VPC_ID

Migrate a service to a project VPC

Your project VPC is available as a geolocation (cloud region) for your service.

note

You can migrate a service to a project VPC only if the project VPC is in the same project running your service.

Migrate a service to a project VPC using a tool of your choice:

Aiven Console

1. In Aiven Console, open your service page and click Service settings.
2. In the Cloud and network section, click Actions > Change cloud or region.
3. In the Region section, go to the VPCs tab, select your project VPC and click Migrate.

Aiven CLI

Run avn service update:

avn service update SERVICE_NAME \
  --project-vpc-id PROJECT_VPC_ID

Replace the following:

• SERVICE_NAME with the name of the service to be migrated, for example, pg-test
• PROJECT_VPC_ID with the ID of your project VPC where to migrate the service, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f

Aiven API

Call the ServiceUpdte endpoint to set project_vpc_id of the service to the ID of your project VPC:

curl --request PUT \
  --url https://api.aiven.io/v1/project/PROJECT_NAME/service/SERVICE_NAME \
  -H 'Authorization: Bearer BEARER_TOKEN' \
  -H 'content-type: application/json' \
  --data '{"project_vpc_id": "PROJECT_VPC_ID"}'

Replace the following placeholders with meaningful data:

• PROJECT_NAME, for example org-vpc-test
• SERVICE_NAME, for example org-vpc-service
• BEARER_TOKEN
• PROJECT_VPC_ID

Delete a project VPC

important

Remove all services from your VCP before you delete it. To remove the services from the VCP, either migrate them out of the VCP or delete them. Deleting the VPC terminates its peering connections, if any.

Delete a project VPC using a tool of your choice:

Aiven Console

1. Log in to Aiven Console, and go to your project.
2. Click VPCs in the sidebar.
3. On the Virtual private clouds page, find a VPC to be deleted and click Actions > Delete.
4. In the Confirmation window, click Delete VPC.

Aiven CLI

Run the avn vpc delete command:

avn vpc delete                    \
  --project-vpc-id PROJECT_VPC_ID

Replace PROJECT_VPC_ID with the ID of your Aiven project VPC, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f.

Aiven API

Make an API call to the VpcDelete endpoint:

curl --request DELETE \
  --url https://api.aiven.io/v1/project/PROJECT_ID/vpcs/PROJECT_VPC_ID \
  --header 'Authorization: Bearer BEARER_TOKEN' \

Replace the following placeholders with meaningful data:

• PROJECT_ID (Aiven project name)
• PROJECT_VPC_ID (Aiven project VPC ID)
• BEARER_TOKEN

Access project VPC services from the public internet

When you move your service to a VPC, access from public networks is blocked by default. If you switch to public access, a separate endpoint is created with a public prefix. You can enable public internet access for your services by following the Enable public access in a VPC instructions.

IP filtering is available for a service deployed to a VPC. It's recommended to use IP filtering when your VPC service is also exposed to the public internet.

note

If your service is within a VPC, the VPC configuration filters incoming traffic before the IP filter is applied.

Safelisting applies to both internal and external traffic. If you safelist an external IP address and want to keep traffic flowing with the internal (peered) connections, safelist the CIDR blocks of the peered networks as well to avoid disruptions to the service.