Skip to main content

Manage VPC peering

Virtual Private Cloud (VPC) peering is a method of connecting separate AWS, Google Cloud, or Azure private networks with each other. It allows virtual machines in the different private networks to talk to each other directly without going through the public Internet.

Configure VPC peering

In Aiven, VPC peering is configured as a project and region-specific setting. This means that all services created and running use the same VPC peering connection. If necessary, you can use different connections for VPC peering across multiple projects.

To set up VPC peering for your Aiven project:

  1. Log in to Aiven Console, and click Services > VPCs.

  2. Click Create VPC.


    Admin and operator project member roles can create a VPC.

  3. In the Create a VPC for this project window:

    1. Select a cloud provider and region.

    2. Enter the IP range. Use an IP range that does not overlap with any networks that you want to connect via VPC peering.

      For example, if your own networks use the range, you can set the range for your Aiven project's VPC to

  4. Click Create VPC.

The state of the VPC is shown in the table.

Deploy new services to a VPC

When you create a service, your peered VPC is available as a new geolocation on the VPC tab under Select service region. It can take a few minutes for a newly created VPC to appear for service deployments.


The service nodes use firewall rules to allow only connections from private IP ranges that originate from networks on the other end of VPC peering connections. You can only deploy services to a VPC if they belong to the project where that specific VPC was created.

Delete an existing VPC and VPC peering

Before deleting an existing VPC from Aiven Console, you should move out any active services from that VPC. To delete a VPC, go to Aiven Console > VPCs. Find your VPC and select Delete from the meatballs menu for this VPC.

Once the VPC is deleted, the cloud provider side of the peering connection's becomes inactive or deleted.

Migrate a public service to a VPC

You can migrate any Aiven service to a different VPC:

  1. In Aiven Console, open your service and click Service settings.
  2. In the Cloud and network section, click Actions > Change cloud or region.
  3. In the Region section, select the VPCs tab, select the VPC and click Migrate.

Access VPC services from the public internet

When you move your service to a VPC, access from public networks is blocked by default. If you switch to public access, a separate endpoint is created with a public prefix. You can enable public Internet access for your services by following the Enable public access in a VPC instructions.

IP filtering is available for a service deployed to a VPC where both public and private access are allowed. We recommend that you use IP filtering when your VPC service is also exposed to the public internet.


Public IP filters are restricted via VPC. IP filters apply to publicly accessible endpoints only.

Safelisting applies to both internal and external traffic. If you safelist an external IP address and want to keep traffic flowing with the internal (peered) connections, make sure that you safelist the CIDR blocks of the peered networks as well to avoid disruptions to the service.

To edit a service IP filtering:

  1. Open the Service settings page.
  2. Click Cloud and network > Actions > Set public IP filters.

Troubleshoot VPC connection issues

Any network changes to VPC peered hosts external from Aiven can cause issues with routing to your Aiven services hosted in a VPC. In such case, try to refresh your VPC connections.


Changes to your VPCs (such as adding a new subnet) can take up to 24 hours to take effect so wait at least 24 hours before refreshing your VPC connections.

To refresh your VCP connections:

  1. In Aiven Console, select VPCs.
  2. Find the ID of the affected VPC and select it from the Internal ID column.
  3. Select Refresh VPC connections.

The platform checks the VPC peering connection and rebuilds the peering connection state if there are any changes detected.