Restrict network access to services

Restrict access to your Aiven-managed service to a single IP, an address block, or any combination of both.

By default, a connection to an Aiven service can be established from any IP address. To restrict access, you can use the IP filtering capability, which allows you to filter traffic incoming to your services by specifying allowed IP addresses or network ranges.

Note: If your service is within a VPC, the VPC configuration filters incoming traffic before the IP filter is applied.

By default, the IP filter is set to 0.0.0.0/0, which allows all inbound connections. If you remove 0.0.0.0/0 without adding networks or addresses used by clients, no client can connect to your service.

Tip: To access a non-publicly-accessible service from another service, use a service integration.

Restrict access

  1. Log in to the Aiven Console, and select the service to restrict access to.

  2. On the Overview page of your service, select Service settings.

  3. On the Service settings page, in the Cloud and network section:

    • Set the IP filter for the first time:

      1. Click Actions > Set IP address allowlist.
      2. In the Allowed inbound IP addresses window, remove 0.0.0.0/0 and enter an IP address or address block using the CIDR notation, for example 10.20.0.0/16.
    • Edit the IP filter after the first setup change:

      1. Click Actions > Edit IP address allowlist.
      2. In the Allowed inbound IP addresses window, enter an IP address or address block using the CIDR notation, for example 10.20.0.0/16.
  4. To add more IP addresses or ranges, click Add IP address range.

  5. Select Save changes.

Now your service can be accessed from the specified IP addresses only.
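Because removing 0.0.0.0/0 without listing every client network locks those clients out, it helps to check a proposed allowlist before saving it. The following is an added example, not part of the Aiven documentation or tooling: the function name `review_allowlist` and all sample addresses are constructed for illustration.

```python
import ipaddress

def review_allowlist(entries, client_ips):
    """Check a proposed IP filter before it replaces 0.0.0.0/0.

    Returns (networks, problems, uncovered): parsed networks, a list of
    human-readable problems, and the client IPs no entry would admit.
    """
    networks, problems = [], []
    for entry in entries:
        try:
            # strict=True rejects entries such as 10.20.5.1/16, where host
            # bits are set and the intended range is ambiguous.
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: not a valid address or CIDR block ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry}: allows all inbound connections")
        networks.append(net)

    uncovered = []
    for ip in client_ips:
        addr = ipaddress.ip_address(ip)
        # Membership is False when the address and network versions differ.
        if not any(addr in net for net in networks):
            uncovered.append(ip)
    return networks, problems, uncovered


if __name__ == "__main__":
    # Constructed sample data: proposed allowlist and known client addresses.
    proposed = ["10.20.0.0/16", "203.0.113.7", "10.20.5.1/16"]
    clients = ["10.20.4.9", "203.0.113.7", "198.51.100.23"]
    nets, problems, uncovered = review_allowlist(proposed, clients)
    for p in problems:
        print("PROBLEM:", p)
    for ip in uncovered:
        print("LOCKED OUT:", ip)
```

A bare address such as 203.0.113.7 is treated as a single-host block, and any client reported as locked out needs its own entry before 0.0.0.0/0 is removed.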

Alternative method

You can also use the dedicated service update function to create or update the IP filter for your service via the Aiven CLI.

For more ways of securing your service, see: