Use Google Private Service Connect with Aiven services (Early availability)
Enable Google Private Service Connect and use it with your Aiven-managed services.
- Google Private Service Connect is not supported for BYOC-hosted services.
- To activate Google Private Service Connect for Aiven for PostgreSQL®, contact us.
Private Service Connect lets you bring your Aiven services into your networks (virtual private clouds) over a private endpoint. The endpoint receives a private IP address from a range that you assign. Next, connectivity over the private endpoint is routed to your Aiven service.
For consistency, Google Private Service Connect is called privatelink in Aiven tools. This applies to all clouds, including Google Cloud.
Prerequisites
- Google Private Service Connect is an early availability feature.
- Your Aiven service needs to be hosted in a project virtual private cloud (VPC) in the region where the connecting endpoint will be created.
- Aiven CLI
- Access to the Google Cloud console
- Access to the Aiven Console
Private Service Connect endpoints are service specific. For each service to connect to, create a separate endpoint.
Set up a Private Service Connect connection
Step 1: Enable Private Service Connect for an Aiven service
Using the Aiven CLI, enable Private Service Connect for your Aiven service:
avn service privatelink google create SERVICE_NAME
To publish a service over Private Service Connect, a dedicated address range must be allocated at the publishing (Aiven) end. Aiven reserves the network 172.24.0.0/16 for this purpose and does not allow project VPCs in Google Cloud that overlap with this range.
Creating a privatelink usually takes a minute or two. You can use the following command to see the current state:
avn service privatelink google get SERVICE_NAME
When the state has changed from creating to active, resources at the Aiven end have been allocated, and it's possible to create connections.
When the privatelink has been successfully created, you can expect an output similar to the following:
GOOGLE_SERVICE_ATTACHMENT STATE
==================================================================================== ======
projects/aivenprod/regions/europe-west1/serviceAttachments/privatelink-s3fd836dfc60 active
The GOOGLE_SERVICE_ATTACHMENT value is used to connect an endpoint on the client side to the Aiven service.
Step 2: Create a connection in Google Cloud
Create a Private Service Connect endpoint and connection to your Aiven service:
- Go to the Google Cloud console (Networking > Network services > Private Service Connect > CONNECT ENDPOINT).
- Select Published service as Target, and enter the GOOGLE_SERVICE_ATTACHMENT value into the Target service field.
- Specify the endpoint name.
- Select an existing subnet hosting your side of the endpoint.
- Click ADD ENDPOINT.
After the endpoint is created, its status is initially pending. To allow connections via the endpoint, it needs to be accepted at the service publisher (Aiven) end.
If you use an automatically assigned IP address, note the IP address associated with the endpoint to use it later.
Step 3: Approve the connection in Aiven
- Update the state of Private Service Connect connections for your Aiven service by running:
avn service privatelink google refresh SERVICE_NAME
- Retry the following command until it returns the pending-user-approval status:
avn service privatelink google connection list SERVICE_NAME
PRIVATELINK_CONNECTION_ID PSC_CONNECTION_ID STATE USER_IP_ADDRESS
========================= ================= ===================== ===============
plc3fd852bec98 12870921937223780 pending-user-approval null
Note: PSC_CONNECTION_ID comes from Google Cloud and can help you verify that the connection matches your Private Service Connect endpoint. PRIVATELINK_CONNECTION_ID comes from Aiven, and you need it for the final connection approval.
- To enable the connection, approve it.
Note: By approving the connection, you provide the IP address assigned to your Private Service Connect endpoint, whether automatically assigned or static. Aiven uses this IP address for pointing the service DNS records necessary for the clients to reach the Aiven service through the Private Service Connect connection.
Run the following approval command:
avn service privatelink google connection approve SERVICE_NAME \
--privatelink-connection-id PRIVATELINK_CONNECTION_ID \
--user-ip-address PSC_ENDPOINT_IP_ADDRESS
The connection initially transitions to the user-approved state:
avn service privatelink google connection list SERVICE_NAME
PRIVATELINK_CONNECTION_ID PSC_CONNECTION_ID STATE USER_IP_ADDRESS
========================= ================= ============= ===============
plc3fd852bec98 12870921937223780 user-approved 10.0.0.100
- You may need to run the avn service privatelink google refresh command at this point, since updates to service attachment accept lists are not immediately reflected in the states of the returned connected endpoints:
avn service privatelink google refresh SERVICE_NAME
After the connection is established and the DNS records are populated, the connection appears as active:
avn service privatelink google connection list SERVICE_NAME
PRIVATELINK_CONNECTION_ID PSC_CONNECTION_ID STATE USER_IP_ADDRESS
========================= ================= ====== ===============
plc3fd852bec98 12870921937223780 active 10.0.0.100
The state of your Private Service Connect endpoint in Google Cloud should have transitioned from pending to accepted at this point. Private Service Connect connectivity has now been established.
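A guard for the approval step, as an added example that is not part of Aiven's documentation or CLI: it parses the table printed by the connection list command shown above, builds the approve command only for the connection whose PSC_CONNECTION_ID matches the endpoint you created in Google Cloud and whose IP address lies in the subnet you selected for it, and also checks a planned project VPC range against the 172.24.0.0/16 range Aiven reserves in Step 1. The table text (including its second row), the service name and the subnet are constructed for the example.

```python
import ipaddress
import shlex

# Aiven reserves this range at the publishing end; project VPCs in Google Cloud
# must not overlap it (see Step 1).
AIVEN_PSC_RESERVED = ipaddress.ip_network("172.24.0.0/16")

# Constructed sample shaped like the `connection list` output; row two is invented.
SAMPLE_LISTING = """\
PRIVATELINK_CONNECTION_ID  PSC_CONNECTION_ID  STATE                  USER_IP_ADDRESS
=========================  =================  =====================  ===============
plc3fd852bec98             12870921937223780  pending-user-approval  null
plc1a2b3c4d5e6f            55555555555555555  pending-user-approval  null
"""


def vpc_overlaps_reserved(vpc_cidr):
    """True if a planned project VPC range collides with Aiven's reserved range."""
    return ipaddress.ip_network(vpc_cidr).overlaps(AIVEN_PSC_RESERVED)


def parse_connection_list(text):
    """Turn the whitespace-aligned CLI table into a list of dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    # lines[1] is the '====' separator; every later line is one connection.
    return [dict(zip(header, ln.split())) for ln in lines[2:]]


def approve_command(service, listing, expected_psc_id, endpoint_ip, endpoint_subnet):
    """Build the approve command for the one pending connection that is ours.

    Raises ValueError (approving nothing) if the PSC_CONNECTION_ID seen in the
    Google Cloud console is not found exactly once among pending rows, or if
    the endpoint IP is not inside the subnet chosen for the endpoint."""
    if ipaddress.ip_address(endpoint_ip) not in ipaddress.ip_network(endpoint_subnet):
        raise ValueError(f"{endpoint_ip} is outside the endpoint subnet {endpoint_subnet}")
    pending = [r for r in parse_connection_list(listing)
               if r["STATE"] == "pending-user-approval"]
    ours = [r for r in pending if r["PSC_CONNECTION_ID"] == expected_psc_id]
    if len(ours) != 1:
        raise ValueError(f"found {len(ours)} pending connections with PSC id "
                         f"{expected_psc_id}; refusing to approve")
    return shlex.join([
        "avn", "service", "privatelink", "google", "connection", "approve", service,
        "--privatelink-connection-id", ours[0]["PRIVATELINK_CONNECTION_ID"],
        "--user-ip-address", endpoint_ip,
    ])
```

Run the returned command string only after reviewing it; a pending connection that matches no endpoint you created is a reason to investigate, not to approve.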
Step 4: Enable the access for service components
Allow connectivity to your Aiven services using the Private Service Connect endpoint.
In the Aiven Console:
- On the Overview page of your service, click Service settings in the sidebar.
- Go to the Cloud and network section, and click Actions > More network configurations.
- In the Network configuration window:
  - Select Add configuration options.
  - In the search field, enter privatelink_access.
  - From the displayed component names, select the names of the components to enable (privatelink_access.SERVICE_COMPONENT).
  - Select the toggle switches for the selected components to enable them.
- Select Save configuration.
In the Aiven CLI, set user_config.privatelink_access.SERVICE_COMPONENT to true for the components to enable. Take the following command as an example for Aiven for Apache Kafka®:
avn service update -c privatelink_access.kafka=true SERVICE_NAME
Each service component can be controlled separately. For example, you can enable Private Service Connect access for your Aiven for Apache Kafka service while allowing Aiven for Apache Kafka Connect to only be connected via VPC peering.
Acquire connection information
One Private Service Connect connection
If you have one private endpoint connected to your Aiven service, preview the connection information (URI, hostname, or port required to access the service through the private endpoint) in the Aiven Console:
- Go to your Aiven project, and click Services in the sidebar.
- Open your service's Overview page, and go to the Connection information section.
- Switch to the privatelink access route to preview values for host and port, which differ from those for the dynamic access route used by default to connect to the service.
Multiple Private Service Connect connections
Use the Aiven CLI to acquire connection information for more than one Private Service Connect connection.
Each endpoint (connection) has a PRIVATELINK_CONNECTION_ID, which you can check using the avn service privatelink google connection list SERVICE_NAME command.
To acquire connection information for your service component using Private Service Connect, run the avn service connection-info command.
- Get SSL connection information for your service component using Private Service Connect:
avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID
Where:
  - UTILITY_NAME is kcat, for example
  - SERVICE_NAME is kafka-12a3b4c5, for example
  - PRIVATELINK_CONNECTION_ID is plc39413abcdef, for example
- Get SASL connection information for Aiven for Apache Kafka service components using Private Service Connect:
avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID -a sasl
Where:
  - UTILITY_NAME is kcat, for example
  - SERVICE_NAME is kafka-12a3b4c5, for example
  - PRIVATELINK_CONNECTION_ID is plc39413abcdef, for example
SSL certificates and SASL credentials are the same for all the connections.
Delete a Private Service Connect connection
Use the Aiven CLI to delete the Private Service Connect connection for your Aiven service:
avn service privatelink google delete SERVICE_NAME