Manage a service in a VPC

Manage your Aiven services in a VPC, including setup, migration, and accessing resources securely within your project VPC.

Prerequisites

You can manage services either in a project VPC or in an organization VPC.

Project VPC

• Manage project networking permissions
• Tool for operating services in VPCs:
  • Aiven Console
  • Aiven CLI
  • Aiven API
  • Aiven Provider for Terraform

Organization VPC

• Manage organization networking permissions
• Tool for operating services in VPCs:
  • Aiven Console
  • Aiven CLI
  • Aiven API
  • Aiven Provider for Terraform

Create a service in a VPC

You can create a service either in a project VPC or in an organization VPC.

Project VPC

Your project VPC is available as a geolocation (cloud region) for the new service.

note

You can create a service in a project VPC only if it is in the same project where you are creating the service.

Create a service in a project VPC using a tool of your choice:

Aiven Console

Set your project VPC as a cloud region for the new service:

1. From your project, in the Services page, click Create service.

2. From the Select service page, click the service type of your choice.

3. Select the cloud provider and region to host your service on.

   note

   The pricing for the same service can vary between different providers and regions. The service summary shows you the pricing for your selected options.

4. Select a service plan.

   note

   This determines the number of servers and the memory, CPU, and disk resources allocated to your service. See Plans & Pricing.

5. Optional: Add disk storage.

6. Enter a name for your service.

   important

   You cannot change the name after you create the service.

   You can fork the service with a new name instead.

7. Optional: Add tags.

8. Click Create service.

The Overview page of the service opens. It shows the connection parameters for your service, its current status, and the configuration options.

The status of the service is Rebuilding during its creation. When the status becomes Running, you can start using the service. This typically takes couple of minutes and can vary between cloud providers and regions.

CLI

Run avn service create:

avn service create SERVICE_NAME        \
  --project PROJECT_NAME               \
  --project-vpc-id PROJECT_VPC_ID      \
  --service-type SERVICE_TYPE          \
  --plan SERVICE_PLAN                  \
  --cloud CLOUD_PROVIDER_REGION

Replace the following:

• SERVICE_NAME with the name of the service to be created, for example, pg-vpc-test
• PROJECT_NAME with the name of the project where to create the service, for example, pj-test
• PROJECT_VPC_ID with the ID of your project VPC, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
• SERVICE_TYPE with the type of the service to be created, for example, pg
• SERVICE_PLAN with the plan of the service to be created, for example, hobbyist
• CLOUD_PROVIDER_REGION with the cloud provider and region to host the service to be created, for example aws-eu-west-1

API

Make an API call to the ServiceCreate endpoint endpoint:

curl --request POST \
  --url https://api.aiven.io/v1/project/PROJECT_NAME/service \
  --header 'Authorization: Bearer BEARER_TOKEN' \
  --header 'content-type: application/json' \
  --data-raw '
    {
      "service_name": "SERVICE_NAME",
      "cloud": "CLOUD_PROVIDER_REGION",
      "plan": "SERVICE_PLAN",
      "service_type": "SERVICE_TYPE",
      "disk_space_mb": DISK_SIZE,
      "project_vpc_id":"PROJECT_VPC_ID"
    }
  '

Replace the following placeholders with meaningful data:

• PROJECT_NAME, for example org-vpc-test
• BEARER_TOKEN
• SERVICE_NAME, for example org-vpc-test-project
• CLOUD_PROVIDER_REGION, for example google-europe-west10
• SERVICE_PLAN, for example startup-4
• SERVICE_TYPE, for example pg
• DISK_SIZE in MiB, for example 81920
• PROJECT_VPC_ID

Organization VPC

Your organization VPC is available as a geolocation (cloud region) for the new service.

note

You can create a service in an organization VPC only if:

• The organization VPC is in the same organization where you are creating the service.
• For the service to be created, you use the cloud provider and region that hosts the organization VPC.

Create a service in an organization VPC using a tool of your choice:

Console

Set your organization VPC as a cloud region for the new service:

1. From your project, in the Services page, click Create service.

2. From the Select service page, click the service type of your choice.

3. Select the cloud provider and region to host your service on.

   note

   The pricing for the same service can vary between different providers and regions. The service summary shows you the pricing for your selected options.

4. Select a service plan.

   note

   This determines the number of servers and the memory, CPU, and disk resources allocated to your service. See Plans & Pricing.

5. Optional: Add disk storage.

6. Enter a name for your service.

   important

   You cannot change the name after you create the service.

   You can fork the service with a new name instead.

7. Optional: Add tags.

8. Click Create service.

The Overview page of the service opens. It shows the connection parameters for your service, its current status, and the configuration options.

The status of the service is Rebuilding during its creation. When the status becomes Running, you can start using the service. This typically takes couple of minutes and can vary between cloud providers and regions.

CLI

Run avn service create:

avn service create SERVICE_NAME        \
  --project PROJECT_NAME               \
  --project-vpc-id ORGANIZATION_VPC_ID \
  --service-type SERVICE_TYPE          \
  --plan SERVICE_PLAN                  \
  --cloud CLOUD_PROVIDER_REGION

Replace the following:

• SERVICE_NAME with the name of the service to be created, for example, pg-vpc-test
• PROJECT_NAME with the name of the project where to create the service, for example, pj-test
• ORGANIZATION_VPC_ID with the ID of your organization VPC, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
• SERVICE_TYPE with the type of the service to be created, for example, pg
• SERVICE_PLAN with the plan of the service to be created, for example, hobbyist
• CLOUD_PROVIDER_REGION with the cloud provider and region to host the organization VPC, for example aws-eu-west-1

API

Make an API call to the ServiceCreate endpoint:

curl --request POST \
  --url https://api.aiven.io/v1/project/PROJECT_NAME/service \
  --header 'Authorization: Bearer BEARER_TOKEN' \
  --header 'content-type: application/json' \
  --data-raw '
    {
      "service_name": "SERVICE_NAME",
      "cloud": "CLOUD_PROVIDER_REGION",
      "plan": "SERVICE_PLAN",
      "service_type": "SERVICE_TYPE",
      "disk_space_mb": DISK_SIZE,
      "project_vpc_id":"ORGANIZATION_VPC_ID"
    }
  '

Replace the following placeholders with meaningful data:

• PROJECT_NAME, for example org-vpc-test
• BEARER_TOKEN
• SERVICE_NAME, for example org-vpc-test-project
• CLOUD_PROVIDER_REGION, for example google-europe-west10
• SERVICE_PLAN, for example startup-4
• SERVICE_TYPE, for example pg
• DISK_SIZE in MiB, for example 81920
• ORGANIZATION_VPC_ID

Migrate a service to a VPC

You can migrate a service either to a project VPC or to an organization VPC.

Project VPC

Your project VPC is available as a geolocation (cloud region) for your service.

note

You can migrate a service to a project VPC only if the project VPC is in the same project running your service.

Migrate a service to a project VPC using a tool of your choice:

Console

1. In the Aiven Console, open your service page and click Service settings.
2. In the Cloud and network section, click Actions > Change cloud or region.
3. In the Region section, go to the VPCs tab, select your project VPC and click Migrate.

CLI

Run avn service update:

avn service update SERVICE_NAME \
  --project-vpc-id PROJECT_VPC_ID

Replace the following:

• SERVICE_NAME with the name of the service to be migrated, for example, pg-test
• PROJECT_VPC_ID with the ID of your project VPC where to migrate the service, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f

API

Call the ServiceUpdate endpoint to set project_vpc_id of the service to the ID of your project VPC:

curl --request PUT \
  --url https://api.aiven.io/v1/project/PROJECT_NAME/service/SERVICE_NAME \
  -H 'Authorization: Bearer BEARER_TOKEN' \
  -H 'content-type: application/json' \
  --data '{"project_vpc_id": "PROJECT_VPC_ID"}'

Replace the following placeholders with meaningful data:

• PROJECT_NAME, for example org-vpc-test
• SERVICE_NAME, for example org-vpc-service
• BEARER_TOKEN
• PROJECT_VPC_ID

Organization VPC

Your organization VPC is available as a geolocation (cloud region) for your service.

note

You can only migrate a service to an organization VPC if:

• The organization VPC is in the same organization where the service runs.
• The service and the organization VPC are hosted using the same cloud provider and region.

Migrate a service to an organization VPC using a tool of your choice:

Console

1. In the Aiven Console, open your service and click Service settings.
2. In the Cloud and network section, click Actions > Change cloud or region.
3. In the Region section, go to the VPCs tab, select your organization VPC and click Migrate.

CLI

Run avn service update:

avn service update SERVICE_NAME        \
  --project-vpc-id ORGANIZATION_VPC_ID \
  --project PROJECT_NAME

Replace the following:

• SERVICE_NAME with the name of the service to be migrated, for example, pg-test
• ORGANIZATION_VPC_ID with the ID of your organization VPC where to migrate the service, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
• PROJECT_NAME with the name of the project where your service resides, for example, pj-test

API

Call the ServiceUpdate endpoint to set vpc_id of the service to the ID of your organization VPC:

curl --request PUT \
  --url https://api.aiven.io/v1/project/PROJECT_NAME/service/SERVICE_NAME \
  -H 'Authorization: Bearer BEARER_TOKEN' \
  -H 'content-type: application/json' \
  --data '{"project_vpc_id": "ORGANIZATION_VPC_ID"}'

Replace the following placeholders with meaningful data:

• PROJECT_NAME, for example org-vpc-test
• SERVICE_NAME, for example org-vpc-service
• BEARER_TOKEN
• ORGANIZATION_VPC_ID

Migrate a service deployed in a VPC to another cloud

Aiven doesn't natively support automatic migration of a service from a VPC in one cloud provider to another. The migration is possible manually by following these generic instructions, which may need to be adapted to meet specific security or compliance requirements:

1. Create a new service in the destination cloud/VPC.
2. Set up replication or export/import, depending on the service:
   1. Aiven for PostgreSQL®, Aiven for MySQL® or similar: Use pg_dump, pg_restore, logical replication, or Aiven’s replication features.
   2. Aiven for Apache Kafka®: Use Aiven for Apache Kafka® MirrorMaker 2 or Confluent Replicator.
3. Sync data and test the new setup.
4. Cut over traffic to the new service.
5. Decommission the old service.

note

Reach out to your account team if you need more migration guidance or best practices.

Access a service deployed in a VPC from the public internet

When you move your service to a VPC, access from public networks is blocked by default. If you switch to public access, a separate endpoint is created with a public prefix. You can enable public internet access for your services by following the Enable public access in a VPC instructions.

IP filtering is available for a service deployed to a VPC. It's recommended to use IP filtering when your VPC service is also exposed to the public internet.

note

If your service is within a VPC, the VPC configuration filters incoming traffic before the IP filter is applied.

Safelisting applies to both internal and external traffic. If you safelist an external IP address and want to keep traffic flowing with the internal (peered) connections, safelist the CIDR blocks of the peered networks as well to avoid disruptions to the service.