Virtual Private Cloud (VPC) peering is a method of connecting separate AWS, Google Cloud, or Azure private networks with each other. This makes it possible for the virtual machines in the different private networks to talk to each other directly without going through the public internet.
Configure VPC peering
In Aiven, VPC peering is configured as a project and region-specific setting. This means that all services created and running use the same VPC peering connection. If necessary, you can use different connections for VPC peering across multiple projects.
To set up VPC peering for your Aiven project:
Log in to Aiven Console, and select VPCs from the sidebar on the Services page.
Click Create VPC.
Note: Admin and operator user roles can create a VPC. For more information about Aiven project members and roles, refer to Organizations, projects, and managing access permissions.
In the Create a VPC for this project window:
Select a cloud provider and region from the dropdown list.
Enter the IP range that you want to use for the VPC connection. Use an IP range that does not overlap with any networks that you want to connect via VPC peering.
For example, if your own networks use the range 188.8.131.52/8, you can set the range for your Aiven project's VPC to
Click Create VPC.
The state of the VPC is shown in the table.
Cloud-specific VPC peering instructions
- Set up VPC peering on Amazon Web Services (AWS)
- Set up VPC peering on Google Cloud Platform (GCP)
- Set up VNet (VPC) peering on Microsoft Azure
Depending on the cloud provider that you selected for the VPC connection, you also have to accept a VPC peering connection request or set up a corresponding VPC peering connection to Aiven.
Deploy new services to a VPC
When you create a new service, your peered VPC is available as a new geolocation on the VPC tab under Select service region. It can take a few minutes for a newly created VPC to appear for service deployments.
The service nodes use firewall rules to allow only connections from private IP ranges that originate from networks on the other end of VPC peering connections. You can only deploy services to a VPC if they belong to the project where that specific VPC was created.
Delete an existing VPC and VPC peering
Before deleting an existing VPC from Aiven Console, you should move out any active services from that VPC. To delete a VPC, navigate to Aiven Console > VPCs. Find your VPC and select Delete from the meatballs menu for this VPC. Once the VPC is deleted, the cloud provider side of the peering connection will go to an inactive or deleted state.
Migrate a public service to a VPC
You can migrate any Aiven service to a different VPC:
- In Aiven Console, go to your service.
- On the Overview page of your service, select Service settings from the sidebar.
- On the Service settings page, in the Cloud and network section, click Actions > Change cloud or region.
- In the Migrate service to another cloud window, in the Region section, select the VPCs tab, select the VPC that you want to use, and select Migrate.
Access VPC services from the public internet
When you move your service to a VPC, access from public networks is blocked by default. If you switch to public access, a separate endpoint is created with a public prefix. You can enable public Internet access for your services by following the Enable public access in a VPC instructions.
IP filtering is available for a service deployed to a VPC where both public and private access are allowed. We recommend that you use IP filtering when your VPC service is also exposed to the public internet.
Public IP filters are restricted via VPC. IP filters apply to publicly accessible endpoints only.
Safelisting applies to both internal and external traffic. If you safelist an external IP address and want to keep traffic flowing with the internal (peered) connections, make sure that you safelist the CIDR blocks of the peered networks as well to avoid disruptions to the service.
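As an added illustration of the two checks described above (choosing a VPC range that does not overlap the networks you will peer with, and making sure peered CIDR blocks stay safelisted when public IP filters are set), here is a small Python helper. It is not part of Aiven's documentation or tooling, and the network values in it are constructed samples.

```python
import ipaddress

# Constructed sample values, not taken from Aiven documentation.
EXISTING_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12"]  # networks you will peer with
PROPOSED_VPC = "192.168.0.0/24"                        # candidate Aiven VPC range


def overlapping_networks(candidate, existing):
    """Return the existing networks that overlap the candidate VPC range.

    An empty list means the candidate can be used for the Aiven VPC without
    clashing with any network on the other end of the peering.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    return [net for net in existing
            if ipaddress.ip_network(net, strict=True).overlaps(cand)]


def uncovered_peered_ranges(ip_filters, peered_cidrs):
    """Return peered CIDR blocks that no entry in the IP filter list fully covers.

    Safelisting applies to internal (peered) traffic too, so every block
    returned here would lose connectivity once the filter is applied.
    """
    filters = [ipaddress.ip_network(f, strict=False) for f in ip_filters]
    uncovered = []
    for cidr in peered_cidrs:
        block = ipaddress.ip_network(cidr, strict=True)
        # subnet_of() only compares networks of the same IP version.
        if not any(block.subnet_of(f) for f in filters if f.version == block.version):
            uncovered.append(cidr)
    return uncovered


if __name__ == "__main__":
    clash = overlapping_networks(PROPOSED_VPC, EXISTING_NETWORKS)
    print("overlapping networks:", clash or "none")
    # A filter that safelists only an office public address drops the peered ranges.
    missing = uncovered_peered_ranges(["203.0.113.10/32"], EXISTING_NETWORKS)
    print("peered ranges not safelisted:", missing)
```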
To edit IP filtering for a service:
- Open the Service settings page.
- Click Cloud and network > Actions > Set public IP filters.
Troubleshoot VPC connection issues
Any network changes to VPC-peered hosts outside Aiven can cause routing issues for your Aiven services hosted in a VPC. In such a case, try refreshing your VPC connections.
Changes to your VPCs (such as adding a new subnet) can take up to 24 hours to take effect, so wait at least 24 hours before refreshing your VPC connections.
To refresh your VPC connections:
- In Aiven Console, select VPCs.
- Find the ID of the affected VPC and select it from the Internal ID column.
- Select Refresh VPC connections.
The platform checks the VPC peering connection and rebuilds the peering connection state if there are any changes detected.