Skip to main content

Use Azure Private Link with Aiven services Early availability

Azure Private Link lets you bring your Aiven services into your virtual network (VNet) over a private endpoint. The endpoint creates a network interface into one of the VNet subnets, and receives a private IP address from its IP range. The private endpoint is routed to your Aiven service.

Azure Private Link is supported for the following services:

  • Aiven for Apache Kafka®
  • Aiven for Apache Kafka Connect®
  • Aiven for ClickHouse®
  • Aiven for Grafana®
  • Aiven for InfluxDB®
  • Aiven for MySQL®
  • Aiven for OpenSearch®
  • Aiven for PostgreSQL®
  • Aiven for Caching

Prerequisites

  • This feature is in early availability.

  • Aiven CLI is installed.

  • The Aiven service is in a project VPC. This ensures the service is not accessible from the public internet.

    note

    If you are not using regular VNet peerings, any private IP range can be used for the VPC. There is no network routing between your Azure subscription and the Aiven VPC, so overlapping IP ranges are not an issue.

  • The Aiven service is using static IP addresses.

    note

    Even though services in a VPC only communicate using private IP addresses, Azure load balancers require standard SKU IP addresses for target virtual machines. Azure sends TCP health probes to load balancer target ports from a public IP address.

Variables

VariableDescription
SUBSCRIPTION_IDAzure subscription ID
AIVEN_SERVICEName of your Aiven service

There are three steps to setting up an Azure Private Link with your Aiven service:

  1. Create a Private Link service
  2. Create a private endpoint
  3. Enable Private Link access service components

  1. In the Aiven CLI, create a Private Link resource on your Aiven service:

    avn service privatelink azure create AIVEN_SERVICE --user-subscription-id SUBSCRIPTION_ID

    This creates an Azure Standard Internal Load Balancer dedicated to your Aiven service and attaches it to an Azure Private Link service. Connections from other subscriptions are automatically rejected.

  2. Check the status of the Private Link service:

    avn service privatelink azure get AIVEN_SERVICE

    The service is in the creating state until Azure provisions a load balancer and Private Link service.

  3. When the state changes to active, note the azure_service_alias and azure_service_id:

    avn service privatelink azure get AIVEN_SERVICE

Step 2: Create a private endpoint

Azure resources in the Aiven service are now ready to be connected to your Azure subscription and virtual network.

  1. In the Azure web console or Azure CLI, create a private endpoint. If you are using the console, select Connect to an Azure resource by resource ID or alias and enter the azure_service_alias or azure_service_id.

  2. Refresh the Aiven Private Link service:

    avn service privatelink azure refresh AIVEN_SERVICE
    note

    Azure does not provide notifications about endpoint connections and the Aiven API will not be aware of new endpoints until it's refreshed.

  3. In the Aiven CLI, check that the endpoint is connected to the service:

    avn service privatelink azure connection list AIVEN_SERVICE

    The output will look similar to this:

    PRIVATELINK_CONNECTION_ID  PRIVATE_ENDPOINT_ID                                                                                                                                         STATE                  USER_IP_ADDRESS
    =========================  ==========================================================================================================================================================  =====================  ===============
    plc35843e8051.             /subscriptions/8eefec94-5d63-40c9-983c-03ab083b411d/resourceGroups/test-privatelink/providers/Microsoft.Network/privateEndpoints/my-endpoint                pending-user-approval  null

  4. Check that the endpoint ID matches the one created in your subscription and approve it:

    avn service privatelink azure connection approve AIVEN_SERVICE PRIVATELINK_CONNECTION_ID

    The endpoint in your Azure subscription is now connected to the Private Link service in the Aiven service. The state of the endpoint is pending.

  5. In the Azure web console, go to the private endpoint and select Network interface. Copy the private IP address.

  6. In the Aiven CLI, add the endpoint's IP address you copied to the connection:

    avn service privatelink azure connection update \
       --endpoint-ip-address IP_ADDRESS             \
       AIVEN_SERVICE PRIVATELINK_CONNECTION_ID

Once the endpoint IP address is added, the connection's status changes to active. A DNS name for the service is registered pointing to that IP address.

Enable Private Link access on your Aiven services using either the Aiven CLI or Aiven Console.

To enable Private Link access for your service in the Aiven CLI, set user_config.privatelink_access.<service component> to true for the components to enable. For example, for PostgreSQL the command is:

avn service update -c privatelink_access.pg=true AIVEN_SERVICE

Acquire connection information

If you have one private endpoint connected to your Aiven service, you can preview the connection information (URI, hostname, or port required to access the service through the private endpoint) in Aiven Console > the service's Overview page > the Connection information section, where you'll also find the switch for the privatelink access route. privatelink-access-route values for host and port differ from those for the dynamic access route used by default to connect to the service.

Use CLI to acquire connection information for more than one AWS PrivateLink connection.

Each endpoint (connection) has PRIVATELINK_CONNECTION_ID, which you can check using the avn service privatelink azure connection list SERVICE_NAME command.

To acquire connection information for your service component using Azure Private Link, run the avn service connection-info command.

  • For SSL connection information for your service component using Azure Private Link, run the following command:

    avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID

    Where:

    • UTILITY_NAME is kcat, for example
    • SERVICE_NAME is kafka-12a3b4c5, for example
    • PRIVATELINK_CONNECTION_ID is plc39413abcdef, for example

  • For SASL connection information for Aiven for Apache Kafka® service components using Azure Private Link, run the following command:

    avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID -a sasl

    Where:

    • UTILITY_NAME is kcat, for example
    • SERVICE_NAME is kafka-12a3b4c5, for example
    • PRIVATELINK_CONNECTION_ID is plc39413abcdef, for example
note

SSL certificates and SASL credentials are the same for all the connections.

Update subscription list

In the Aiven CLI, you can update the list of Azure subscriptions that have access to Aiven service endpoints:

avn service privatelink azure update AIVEN_SERVICE --user-subscription-id SUBSCRIPTION_ID

To update a few subscription IDs, repeat the SUBSCRIPTION_ID argument, for example:

avn service privatelink azure update AIVEN_SERVICE --user-subscription-id SUBSCRIPTION_ID_1 --user-subscription-id SUBSCRIPTION_ID_2

Use the Aiven CLI to delete the Azure Load Balancer and Private Link service:

avn service privatelink azure delete AIVEN_SERVICE