Manage a service in a VPC
Manage your Aiven services in a VPC, including setup, migration, and accessing resources securely within your project VPC.
Prerequisites
You can manage services either in a project VPC or in an organization VPC.
- Project VPC
- Organization VPC
- Manage project networking permissions
- Tool for operating services in VPCs:
- Manage organization networking permissions
- Tool for operating services in VPCs:
Create a service in a VPC
You can create a service either in a project VPC or in an organization VPC.
- Project VPC
- Organization VPC
Your project VPC is available as a geolocation (cloud region) for the new service.
You can create a service in a project VPC only if it is in the same project where you are creating the service.
Create a service in a project VPC using a tool of your choice:
- Aiven Console
- CLI
- API
Set your project VPC as a cloud region for the new service:
-
From your project, in the Services page, click Create service.
-
From the Select service page, click the service type of your choice.
-
Select the cloud provider and region to host your service on.
noteThe pricing for the same service can vary between different providers and regions. The service summary shows you the pricing for your selected options.
-
Select a service plan.
noteThis determines the number of servers and the memory, CPU, and disk resources allocated to your service. See Plans & Pricing.
-
Optional: Add disk storage.
-
Enter a name for your service.
importantYou cannot change the name after you create the service.
You can fork the service with a new name instead.
-
Optional: Add tags.
-
Click Create service.
The Overview page of the service opens. It shows the connection parameters for your service, its current status, and the configuration options.
The status of the service is Rebuilding during its creation. When the status becomes Running, you can start using the service. This typically takes couple of minutes and can vary between cloud providers and regions.
Run avn service create:
avn service create SERVICE_NAME \
--project PROJECT_NAME \
--project-vpc-id PROJECT_VPC_ID \
--service-type SERVICE_TYPE \
--plan SERVICE_PLAN \
--cloud CLOUD_PROVIDER_REGION
Replace the following:
SERVICE_NAME
with the name of the service to be created, for example,pg-vpc-test
PROJECT_NAME
with the name of the project where to create the service, for example,pj-test
PROJECT_VPC_ID
with the ID of your project VPC, for example,12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
SERVICE_TYPE
with the type of the service to be created, for example,pg
SERVICE_PLAN
with the plan of the service to be created, for example,hobbyist
CLOUD_PROVIDER_REGION
with the cloud provider and region to host the service to be created, for exampleaws-eu-west-1
Make an API call to the ServiceCreate endpoint endpoint:
curl --request POST \
--url https://api.aiven.io/v1/project/PROJECT_NAME/service \
--header 'Authorization: Bearer BEARER_TOKEN' \
--header 'content-type: application/json' \
--data-raw '
{
"service_name": "SERVICE_NAME",
"cloud": "CLOUD_PROVIDER_REGION",
"plan": "SERVICE_PLAN",
"service_type": "SERVICE_TYPE",
"disk_space_mb": DISK_SIZE,
"project_vpc_id":"PROJECT_VPC_ID"
}
'
Replace the following placeholders with meaningful data:
PROJECT_NAME
, for exampleorg-vpc-test
BEARER_TOKEN
SERVICE_NAME
, for exampleorg-vpc-test-project
CLOUD_PROVIDER_REGION
, for examplegoogle-europe-west10
SERVICE_PLAN
, for examplestartup-4
SERVICE_TYPE
, for examplepg
DISK_SIZE
in MiB, for example81920
PROJECT_VPC_ID
Your organization VPC is available as a geolocation (cloud region) for the new service.
You can create a service in an organization VPC only if:
- The organization VPC is in the same organization where you are creating the service.
- For the service to be created, you use the cloud provider and region that hosts the organization VPC.
Create a service in an organization VPC using a tool of your choice:
- Console
- CLI
- API
Set your organization VPC as a cloud region for the new service:
-
From your project, in the Services page, click Create service.
-
From the Select service page, click the service type of your choice.
-
Select the cloud provider and region to host your service on.
noteThe pricing for the same service can vary between different providers and regions. The service summary shows you the pricing for your selected options.
-
Select a service plan.
noteThis determines the number of servers and the memory, CPU, and disk resources allocated to your service. See Plans & Pricing.
-
Optional: Add disk storage.
-
Enter a name for your service.
importantYou cannot change the name after you create the service.
You can fork the service with a new name instead.
-
Optional: Add tags.
-
Click Create service.
The Overview page of the service opens. It shows the connection parameters for your service, its current status, and the configuration options.
The status of the service is Rebuilding during its creation. When the status becomes Running, you can start using the service. This typically takes couple of minutes and can vary between cloud providers and regions.
Run avn service create:
avn service create SERVICE_NAME \
--project PROJECT_NAME \
--project-vpc-id ORGANIZATION_VPC_ID \
--service-type SERVICE_TYPE \
--plan SERVICE_PLAN \
--cloud CLOUD_PROVIDER_REGION
Replace the following:
SERVICE_NAME
with the name of the service to be created, for example,pg-vpc-test
PROJECT_NAME
with the name of the project where to create the service, for example,pj-test
ORGANIZATION_VPC_ID
with the ID of your organization VPC, for example,12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
SERVICE_TYPE
with the type of the service to be created, for example,pg
SERVICE_PLAN
with the plan of the service to be created, for example,hobbyist
CLOUD_PROVIDER_REGION
with the cloud provider and region to host the organization VPC, for exampleaws-eu-west-1
Make an API call to the ServiceCreate endpoint:
curl --request POST \
--url https://api.aiven.io/v1/project/PROJECT_NAME/service \
--header 'Authorization: Bearer BEARER_TOKEN' \
--header 'content-type: application/json' \
--data-raw '
{
"service_name": "SERVICE_NAME",
"cloud": "CLOUD_PROVIDER_REGION",
"plan": "SERVICE_PLAN",
"service_type": "SERVICE_TYPE",
"disk_space_mb": DISK_SIZE,
"project_vpc_id":"ORGANIZATION_VPC_ID"
}
'
Replace the following placeholders with meaningful data:
PROJECT_NAME
, for exampleorg-vpc-test
BEARER_TOKEN
SERVICE_NAME
, for exampleorg-vpc-test-project
CLOUD_PROVIDER_REGION
, for examplegoogle-europe-west10
SERVICE_PLAN
, for examplestartup-4
SERVICE_TYPE
, for examplepg
DISK_SIZE
in MiB, for example81920
ORGANIZATION_VPC_ID
Migrate a service to a VPC
You can migrate a service either to a project VPC or to an organization VPC.
- Project VPC
- Organization VPC
Your project VPC is available as a geolocation (cloud region) for your service.
You can migrate a service to a project VPC only if the project VPC is in the same project running your service.
Migrate a service to a project VPC using a tool of your choice:
- Console
- CLI
- API
- In the Aiven Console, open your service page and click Service settings.
- In the Cloud and network section, click Actions > Change cloud or region.
- In the Region section, go to the VPCs tab, select your project VPC and click Migrate.
Run avn service update:
avn service update SERVICE_NAME \
--project-vpc-id PROJECT_VPC_ID
Replace the following:
SERVICE_NAME
with the name of the service to be migrated, for example,pg-test
PROJECT_VPC_ID
with the ID of your project VPC where to migrate the service, for example,12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
Call the ServiceUpdate endpoint
to set project_vpc_id
of the service to the ID of your project VPC:
curl --request PUT \
--url https://api.aiven.io/v1/project/PROJECT_NAME/service/SERVICE_NAME \
-H 'Authorization: Bearer BEARER_TOKEN' \
-H 'content-type: application/json' \
--data '{"project_vpc_id": "PROJECT_VPC_ID"}'
Replace the following placeholders with meaningful data:
PROJECT_NAME
, for exampleorg-vpc-test
SERVICE_NAME
, for exampleorg-vpc-service
BEARER_TOKEN
PROJECT_VPC_ID
Your organization VPC is available as a geolocation (cloud region) for your service.
You can only migrate a service to an organization VPC if:
- The organization VPC is in the same organization where the service runs.
- The service and the organization VPC are hosted using the same cloud provider and region.
Migrate a service to an organization VPC using a tool of your choice:
- Console
- CLI
- API
- In the Aiven Console, open your service and click Service settings.
- In the Cloud and network section, click Actions > Change cloud or region.
- In the Region section, go to the VPCs tab, select your organization VPC and click Migrate.
Run avn service update:
avn service update SERVICE_NAME \
--project-vpc-id ORGANIZATION_VPC_ID \
--project PROJECT_NAME
Replace the following:
SERVICE_NAME
with the name of the service to be migrated, for example,pg-test
ORGANIZATION_VPC_ID
with the ID of your organization VPC where to migrate the service, for example,12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
PROJECT_NAME
with the name of the project where your service resides, for example,pj-test
Call the ServiceUpdate
endpoint to set vpc_id
of the service to the ID of your organization VPC:
curl --request PUT \
--url https://api.aiven.io/v1/project/PROJECT_NAME/service/SERVICE_NAME \
-H 'Authorization: Bearer BEARER_TOKEN' \
-H 'content-type: application/json' \
--data '{"project_vpc_id": "ORGANIZATION_VPC_ID"}'
Replace the following placeholders with meaningful data:
PROJECT_NAME
, for exampleorg-vpc-test
SERVICE_NAME
, for exampleorg-vpc-service
BEARER_TOKEN
ORGANIZATION_VPC_ID
Migrate a service deployed in a VPC to another cloud
Aiven doesn't natively support automatic migration of a service from a VPC in one cloud provider to another. The migration is possible manually by following these generic instructions, which may need to be adapted to meet specific security or compliance requirements:
- Create a new service in the destination cloud/VPC.
- Set up replication or export/import, depending on the service:
- Aiven for PostgreSQL®, Aiven for MySQL® or similar: Use
pg_dump
,pg_restore
, logical replication, or Aiven’s replication features. - Aiven for Apache Kafka®: Use Aiven for Apache Kafka® MirrorMaker 2 or Confluent Replicator.
- Aiven for PostgreSQL®, Aiven for MySQL® or similar: Use
- Sync data and test the new setup.
- Cut over traffic to the new service.
- Decommission the old service.
Reach out to your account team if you need more migration guidance or best practices.
Access a service deployed in a VPC from the public internet
When you move your service to a VPC, access from public networks is blocked by default. If you switch to public access, a separate endpoint is created with a public prefix. You can enable public internet access for your services by following the Enable public access in a VPC instructions.
IP filtering is available for a service deployed to a VPC. It's recommended to use IP filtering when your VPC service is also exposed to the public internet.
If your service is within a VPC, the VPC configuration filters incoming traffic before the IP filter is applied.
Safelisting applies to both internal and external traffic. If you safelist an external IP address and want to keep traffic flowing with the internal (peered) connections, safelist the CIDR blocks of the peered networks as well to avoid disruptions to the service.