Manage a service in a VPC
Manage your Aiven services in a VPC, including setup, migration, and accessing resources securely within your project VPC.
When you set a custom domain for a service deployed in a VPC, the service certificate is only created for the public-* hostname and the custom domain. Certificate verification will fail for the private-* hostname and the dynamic service name.
To avoid certificate verification issues, ensure your applications connect using either the public-* hostname or the custom domain when accessing VPC-deployed services.
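As an added check (not part of Aiven's documentation), the following Python applies the hostname-matching rule a TLS client uses to the names a VPC-deployed service can be reached by, so you can see in advance which connection strings will pass verification. The SAN list and the `aivencloud.com` hostnames are constructed to mirror the situation described above: the certificate covers the public-* name and the custom domain only.

```python
def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a '*' that is the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, must not stand in for a
    # top-level domain, and must match exactly one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(peercert: dict) -> list:
    """Extract DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def verifiable_hostnames(peercert: dict, candidates: list) -> dict:
    """Map each candidate hostname to whether the certificate's SANs would verify it."""
    sans = san_dns_names(peercert)
    return {host: any(dnsname_matches(san, host) for san in sans) for host in candidates}


# Constructed example (assumed values): a VPC service with the custom domain
# db.example.com. Only the public-* hostname and the custom domain are in the SANs.
EXAMPLE_CERT = {
    "subject": ((("commonName", "db.example.com"),),),
    "subjectAltName": (
        ("DNS", "public-pg-vpc-test-pj-test.aivencloud.com"),
        ("DNS", "db.example.com"),
    ),
}
EXAMPLE_HOSTNAMES = [
    "public-pg-vpc-test-pj-test.aivencloud.com",   # verifies
    "db.example.com",                              # verifies
    "private-pg-vpc-test-pj-test.aivencloud.com",  # fails: private-* name is not in the SANs
    "pg-vpc-test-pj-test.aivencloud.com",          # fails: dynamic service name is not in the SANs
]

if __name__ == "__main__":
    for host, ok in verifiable_hostnames(EXAMPLE_CERT, EXAMPLE_HOSTNAMES).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}")
```

To run it against a live service, pass the dict returned by `getpeercert()` from a verified connection to the public-* hostname instead of `EXAMPLE_CERT`.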
Prerequisites
You can manage services either in a project VPC or in an organization VPC.
- Project VPC
- Organization VPC
- Manage project networking permissions
- Tool for operating services in VPCs:
- Manage organization networking permissions
- Tool for operating services in VPCs:
Create a service in a VPC
You can create a service either in a project VPC or in an organization VPC.
- Project VPC
- Organization VPC
Your project VPC is available as a geolocation (cloud region) for the new service.
You can create a service in a project VPC only if it is in the same project where you are creating the service.
Create a service in a project VPC using a tool of your choice:
- Aiven Console
- CLI
- API
When you create a service in the Aiven Console, select your project VPC as the cloud region.
Run avn service create:
avn service create SERVICE_NAME \
--project PROJECT_NAME \
--project-vpc-id PROJECT_VPC_ID \
--service-type SERVICE_TYPE \
--plan SERVICE_PLAN \
--cloud CLOUD_PROVIDER_REGION
Replace the following:
- SERVICE_NAME with the name of the service to be created, for example, pg-vpc-test
- PROJECT_NAME with the name of the project where to create the service, for example, pj-test
- PROJECT_VPC_ID with the ID of your project VPC, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
- SERVICE_TYPE with the type of the service to be created, for example, pg
- SERVICE_PLAN with the plan of the service to be created, for example, hobbyist
- CLOUD_PROVIDER_REGION with the cloud provider and region to host the service to be created, for example, aws-eu-west-1
Make an API call to the ServiceCreate endpoint:
curl --request POST \
--url https://api.aiven.io/v1/project/PROJECT_NAME/service \
--header 'Authorization: Bearer BEARER_TOKEN' \
--header 'content-type: application/json' \
--data-raw '
{
"service_name": "SERVICE_NAME",
"cloud": "CLOUD_PROVIDER_REGION",
"plan": "SERVICE_PLAN",
"service_type": "SERVICE_TYPE",
"disk_space_mb": DISK_SIZE,
"project_vpc_id":"PROJECT_VPC_ID"
}
'
Replace the following placeholders with meaningful data:
- PROJECT_NAME, for example org-vpc-test
- BEARER_TOKEN
- SERVICE_NAME, for example org-vpc-test-project
- CLOUD_PROVIDER_REGION, for example google-europe-west10
- SERVICE_PLAN, for example startup-4
- SERVICE_TYPE, for example pg
- DISK_SIZE in MiB, for example 81920
- PROJECT_VPC_ID
Your organization VPC is available as a geolocation (cloud region) for the new service.
You can create a service in an organization VPC only if:
- The organization VPC is in the same organization where you are creating the service.
- For the service to be created, you use the cloud provider and region that hosts the organization VPC.
Create a service in an organization VPC using a tool of your choice:
- Console
- CLI
- API
When you create a service in the Aiven Console, select your organization VPC as the cloud region.
Run avn service create:
avn service create SERVICE_NAME \
--project PROJECT_NAME \
--project-vpc-id ORGANIZATION_VPC_ID \
--service-type SERVICE_TYPE \
--plan SERVICE_PLAN \
--cloud CLOUD_PROVIDER_REGION
Replace the following:
- SERVICE_NAME with the name of the service to be created, for example, pg-vpc-test
- PROJECT_NAME with the name of the project where to create the service, for example, pj-test
- ORGANIZATION_VPC_ID with the ID of your organization VPC, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
- SERVICE_TYPE with the type of the service to be created, for example, pg
- SERVICE_PLAN with the plan of the service to be created, for example, hobbyist
- CLOUD_PROVIDER_REGION with the cloud provider and region that host the organization VPC, for example, aws-eu-west-1
Make an API call to the ServiceCreate endpoint:
curl --request POST \
--url https://api.aiven.io/v1/project/PROJECT_NAME/service \
--header 'Authorization: Bearer BEARER_TOKEN' \
--header 'content-type: application/json' \
--data-raw '
{
"service_name": "SERVICE_NAME",
"cloud": "CLOUD_PROVIDER_REGION",
"plan": "SERVICE_PLAN",
"service_type": "SERVICE_TYPE",
"disk_space_mb": DISK_SIZE,
"project_vpc_id":"ORGANIZATION_VPC_ID"
}
'
Replace the following placeholders with meaningful data:
- PROJECT_NAME, for example org-vpc-test
- BEARER_TOKEN
- SERVICE_NAME, for example org-vpc-test-project
- CLOUD_PROVIDER_REGION, for example google-europe-west10
- SERVICE_PLAN, for example startup-4
- SERVICE_TYPE, for example pg
- DISK_SIZE in MiB, for example 81920
- ORGANIZATION_VPC_ID
Migrate a service to a VPC
You can migrate a service either to a project VPC or to an organization VPC.
- Project VPC
- Organization VPC
Your project VPC is available as a geolocation (cloud region) for your service.
You can migrate a service to a project VPC only if the project VPC is in the same project running your service.
Migrate a service to a project VPC using a tool of your choice:
- Console
- CLI
- API
- In your service, click Service settings from the sidebar.
- In the Cloud and network section, click Actions > Change cloud or deployment model.
- In the VPCs tab, select a cloud provider and region, and click Migrate.
Run avn service update:
avn service update SERVICE_NAME \
--project-vpc-id PROJECT_VPC_ID
Replace the following:
- SERVICE_NAME with the name of the service to be migrated, for example, pg-test
- PROJECT_VPC_ID with the ID of the project VPC where to migrate the service, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
Call the ServiceUpdate endpoint to set project_vpc_id of the service to the ID of your project VPC:
curl --request PUT \
--url https://api.aiven.io/v1/project/PROJECT_NAME/service/SERVICE_NAME \
-H 'Authorization: Bearer BEARER_TOKEN' \
-H 'content-type: application/json' \
--data '{"project_vpc_id": "PROJECT_VPC_ID"}'
Replace the following placeholders with meaningful data:
- PROJECT_NAME, for example org-vpc-test
- SERVICE_NAME, for example org-vpc-service
- BEARER_TOKEN
- PROJECT_VPC_ID
Your organization VPC is available as a geolocation (cloud region) for your service.
You can only migrate a service to an organization VPC if:
- The organization VPC is in the same organization where the service runs.
- The service and the organization VPC are hosted using the same cloud provider and region.
Migrate a service to an organization VPC using a tool of your choice:
- Console
- CLI
- API
- In your service, click Service settings from the sidebar.
- In the Cloud and network section, click Actions > Change cloud or deployment model.
- In the VPCs tab, select a cloud provider and region, and click Migrate.
Run avn service update:
avn service update SERVICE_NAME \
--project-vpc-id ORGANIZATION_VPC_ID \
--project PROJECT_NAME
Replace the following:
- SERVICE_NAME with the name of the service to be migrated, for example, pg-test
- ORGANIZATION_VPC_ID with the ID of the organization VPC where to migrate the service, for example, 12345678-1a2b-3c4d-5f6g-1a2b3c4d5e6f
- PROJECT_NAME with the name of the project where your service resides, for example, pj-test
Call the ServiceUpdate endpoint to set project_vpc_id of the service to the ID of your organization VPC:
curl --request PUT \
--url https://api.aiven.io/v1/project/PROJECT_NAME/service/SERVICE_NAME \
-H 'Authorization: Bearer BEARER_TOKEN' \
-H 'content-type: application/json' \
--data '{"project_vpc_id": "ORGANIZATION_VPC_ID"}'
Replace the following placeholders with meaningful data:
- PROJECT_NAME, for example org-vpc-test
- SERVICE_NAME, for example org-vpc-service
- BEARER_TOKEN
- ORGANIZATION_VPC_ID
Migrate a service deployed in a VPC to another cloud
Aiven doesn't natively support automatic migration of a service from a VPC in one cloud provider to another. The migration is possible manually by following these generic instructions, which may need to be adapted to meet specific security or compliance requirements:
- Create a service in the destination cloud/VPC.
- Set up replication or export/import, depending on the service:
- Aiven for PostgreSQL®, Aiven for MySQL® or similar: Use pg_dump, pg_restore, logical replication, or Aiven's replication features.
- Aiven for Apache Kafka®: Use Aiven for Apache Kafka® MirrorMaker 2 or Confluent Replicator.
- Sync data and test the new setup.
- Cut over traffic to the new service.
- Decommission the old service.
Reach out to your account team if you need more migration guidance or best practices.
Access a service deployed in a VPC from the public internet
When you move your service to a VPC, access from public networks is blocked by default. If you switch to public access, a separate endpoint is created with a public prefix. You can enable public internet access for your services by following the Enable public access in a VPC instructions.
IP filtering is available for a service deployed to a VPC. It's recommended to use IP filtering when your VPC service is also exposed to the public internet.
If your service is within a VPC, the VPC configuration filters incoming traffic before the IP filter is applied.
Safelisting applies to both internal and external traffic. If you safelist an external IP address and want to keep traffic flowing with the internal (peered) connections, safelist the CIDR blocks of the peered networks as well to avoid disruptions to the service.
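As an added example (not Aiven's own code), the following Python checks an intended IP filter against the CIDR blocks of the peered networks before it is applied, reporting which peered blocks the filter would cut off and producing the combined safelist that keeps internal traffic flowing. The `ip_filter` user config key is Aiven's; the `-c ip_filter=...` form of `avn service update`, the service name and all address blocks are assumptions or constructed values.

```python
import ipaddress
import json


def uncovered_peered_networks(ip_filter: list, peered_cidrs: list) -> list:
    """Return the peered CIDR blocks that no ip_filter entry fully contains.

    Entries are parsed as networks: a bare address such as '203.0.113.7' is a /32
    (or /128), and '0.0.0.0/0' covers every IPv4 block. IPv4 and IPv6 entries are
    compared only against blocks of the same address family.
    """
    allowed = [ipaddress.ip_network(entry, strict=False) for entry in ip_filter]
    missing = []
    for cidr in peered_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        covered = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        if not covered:
            missing.append(str(net))
    return missing


def safelist_with_peers(ip_filter: list, peered_cidrs: list) -> list:
    """The filter to apply: the intended external entries plus any peered blocks
    they do not already cover, so peered (internal) connections are not dropped."""
    return list(ip_filter) + uncovered_peered_networks(ip_filter, peered_cidrs)


def avn_update_command(service_name: str, ip_filter: list) -> str:
    """Build the CLI call that sets the filter (the -c ip_filter= form is assumed)."""
    return f"avn service update -c ip_filter='{json.dumps(ip_filter)}' {service_name}"


# Constructed example values (not from any real deployment):
EXTERNAL_SAFELIST = ["203.0.113.7/32"]                # the one external address to allow
PEERED_NETWORKS = ["10.0.0.0/16", "192.168.10.0/24"]  # CIDR blocks of the peered networks

if __name__ == "__main__":
    cut_off = uncovered_peered_networks(EXTERNAL_SAFELIST, PEERED_NETWORKS)
    print("peered blocks the filter alone would cut off:", cut_off)
    final = safelist_with_peers(EXTERNAL_SAFELIST, PEERED_NETWORKS)
    print(avn_update_command("pg-vpc-test", final))
```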