Virtual Private Cloud (VPC) peering connects separate private networks in AWS, Google Cloud, or Azure. It lets the virtual machines in the different VPCs talk to each other over private addresses, without traversing the public internet.
An Aiven project VPC is created per project and per cloud region. All services deployed into that VPC share its peering connections. If you need different peerings, create separate project VPCs (or separate projects) and peer each of them with its own networks.
Setting it up
To set up VPC peering for your Aiven project, click the VPC option in the left menu. On the Project VPC page, select the cloud in which to create the VPC, set the IP range, and click Create VPC.
When creating a new service you can choose whether it is placed in a VPC: the "Select Service Cloud Region" step now contains a "VPC" tab listing the new Project VPC. The same option is available in the "Migrate" feature, which lets you move an existing service into or out of a VPC.
Choose the IP range so that it does not overlap any network you intend to peer with; both AWS and Google Cloud refuse to peer networks whose CIDR blocks overlap. For example, if your own networks use the 10.0.0.0/8 range, selecting 192.168.0.0/24 for your Aiven project VPC makes it possible to peer the networks.
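The overlap check described above, as an added example that is not part of this help article or of Aiven's tooling. It uses only the Python standard library; the network ranges and candidate list are constructed for illustration, and it generalises the paragraph by testing a candidate against several of your own networks at once:

```python
import ipaddress


def overlapping_networks(candidate, own_networks):
    """Return the members of own_networks that overlap the candidate range.

    `candidate` is the CIDR you intend to give the Aiven project VPC;
    `own_networks` are the CIDRs of every network you plan to peer with it.
    strict=True makes a mistyped range such as 10.20.0.1/24 raise instead of
    being silently rounded.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    clashes = []
    for cidr in own_networks:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version == cand.version and net.overlaps(cand):
            clashes.append(str(net))
    return clashes


def pick_free_range(preferred, own_networks):
    """Return the first candidate that overlaps none of own_networks,
    or None if every candidate clashes."""
    for cidr in preferred:
        if not overlapping_networks(cidr, own_networks):
            return cidr
    return None


# Constructed example: the customer's networks use 10.0.0.0/8 (as in the
# paragraph above) plus a 172.16.0.0/12 range; pick a range for the Aiven VPC.
OWN_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12"]
CANDIDATES = ["10.20.0.0/24", "172.20.5.0/24", "192.168.0.0/24"]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(c, "overlaps", overlapping_networks(c, OWN_NETWORKS) or "nothing")
    print("chosen:", pick_free_range(CANDIDATES, OWN_NETWORKS))
```

The same check is worth repeating before adding every new peering later: a range that was free when the project VPC was created can collide with a network you acquire afterwards.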
After the VPC is created it is set up automatically by Aiven, and its status is shown in the web console's VPC view. Peering is not complete until you finish the other side: you must accept the peering connection request in your AWS account, or create the corresponding peering from your Google Cloud project to Aiven's. Depending on the cloud provider you selected, follow the matching example below to connect the VPCs. A separate help article covers peering Azure virtual networks.
VPC Peering Connection in AWS
Open your AWS Console and note your AWS Account ID (shown under My Account); it is needed in the next steps. Then open the VPC service, find the VPC you want to connect, and copy its VPC ID.
In the Aiven Console, click the newly created VPC, enter your AWS Account ID and AWS VPC ID, select the region of your AWS VPC, and click Add Peering Connection.
If successful, a new connection appears in the Pending Peer state, which means you need to accept the peering request in your AWS Console. In the AWS Console go to VPC -> Peering Connections and locate the pending request. Before accepting, verify that the requester account ID and VPC ID match the ones shown in the Aiven console: anyone who knows your account ID and VPC ID can send a peering request to your VPC, and accepting an unexpected one would connect their network to yours. Then select Actions -> Accept Request.
Once you accept the request in AWS Console, the peering connection will become active in Aiven console.
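The verification step above, as an added example that is not part of this article or of Aiven's tooling. It classifies pending peering requests aimed at your VPC into the one that matches the Aiven console and any that do not, so that an unsolicited request is never accepted by mistake. The response below is constructed to look like the output of `aws ec2 describe-vpc-peering-connections`; every account ID, VPC ID and peering ID in it is made up:

```python
# Constructed sample shaped like `aws ec2 describe-vpc-peering-connections`
# output (boto3: describe_vpc_peering_connections). All IDs are made up.
PENDING_CONNECTIONS = {
    "VpcPeeringConnections": [
        {
            # The request Aiven sent: requester is Aiven's account and VPC,
            # accepter is our account and VPC.
            "VpcPeeringConnectionId": "pcx-0aaaaaaaaaaaaaaa1",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {
                "OwnerId": "111111111111",
                "VpcId": "vpc-0bbbbbbbbbbbbbbb1",
                "CidrBlock": "192.168.0.0/24",
            },
            "AccepterVpcInfo": {
                "OwnerId": "222222222222",
                "VpcId": "vpc-0ccccccccccccccc1",
                "CidrBlock": "10.0.0.0/16",
            },
        },
        {
            # An unsolicited request from an unrelated account aimed at the
            # same VPC; it even uses the same CIDR but must not be accepted.
            "VpcPeeringConnectionId": "pcx-0ddddddddddddddd2",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {
                "OwnerId": "999999999999",
                "VpcId": "vpc-0eeeeeeeeeeeeeee2",
                "CidrBlock": "192.168.0.0/24",
            },
            "AccepterVpcInfo": {
                "OwnerId": "222222222222",
                "VpcId": "vpc-0ccccccccccccccc1",
                "CidrBlock": "10.0.0.0/16",
            },
        },
    ]
}

# Values as displayed in the Aiven console for the pending peering (constructed).
EXPECTED_FROM_AIVEN = {
    "OwnerId": "111111111111",         # Aiven's AWS account ID
    "VpcId": "vpc-0bbbbbbbbbbbbbbb1",  # Aiven's VPC ID
    "CidrBlock": "192.168.0.0/24",     # the project VPC range you chose
}


def classify_pending(response, expected, my_account_id, my_vpc_id):
    """Split pending requests aimed at our VPC into those that match the
    Aiven console (safe to accept) and those that do not (must be rejected).

    Returns (accept_ids, reject_ids). accept_ids should hold exactly one
    entry; anything else means the console and AWS disagree, so stop.
    """
    accept, reject = [], []
    for pcx in response["VpcPeeringConnections"]:
        if pcx["Status"]["Code"] != "pending-acceptance":
            continue
        acc = pcx["AccepterVpcInfo"]
        if acc["OwnerId"] != my_account_id or acc["VpcId"] != my_vpc_id:
            continue  # not a request for our VPC at all
        req = pcx["RequesterVpcInfo"]
        if all(req[k] == expected[k] for k in ("OwnerId", "VpcId", "CidrBlock")):
            accept.append(pcx["VpcPeeringConnectionId"])
        else:
            reject.append(pcx["VpcPeeringConnectionId"])
    return accept, reject


def peering_to_accept(response, expected, my_account_id, my_vpc_id):
    """Return the single peering ID to accept, or None if zero or several match."""
    accept, _ = classify_pending(response, expected, my_account_id, my_vpc_id)
    return accept[0] if len(accept) == 1 else None


if __name__ == "__main__":
    # With boto3 the response would come from
    #   boto3.client("ec2").describe_vpc_peering_connections(
    #       Filters=[{"Name": "status-code", "Values": ["pending-acceptance"]}])
    # and the accept step is accept_vpc_peering_connection(VpcPeeringConnectionId=...).
    accept, reject = classify_pending(
        PENDING_CONNECTIONS, EXPECTED_FROM_AIVEN, "222222222222", "vpc-0ccccccccccccccc1")
    print("accept:", accept)
    print("reject (unexpected requester):", reject)
```

Comparing the CIDR block as well as the account and VPC IDs catches the case where the Aiven-side VPC was recreated with a different range after you copied the details.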
VPC Peering Connection in Google Cloud Platform (GCP)
In the Aiven Console, click the newly created VPC. Then open your GCP Console and go to VPC Networks in the left-hand menu to find the VPC network you want to connect. Back in the Aiven Console, enter your GCP Project ID (shown when you click your project name) and the GCP VPC network name (listed under VPC Networks), and click Add Peering Connection.
If successful, a new connection appears in the Pending Peer state, which means you need to create the matching peering from the GCP console. In the GCP console go to VPC network -> VPC network peering and select Create Connection. Give the peering a name, then enter the Aiven project and network name shown in the Aiven console to connect your GCP project with Aiven's.
You can see the Aiven project and network name by clicking the blue "Pending peer" icon.
Once the new connection is created, it will become active both in GCP and Aiven consoles.
Deploying New Services into a VPC
When deploying a new service you will notice a new "VPC" geolocation containing your peered VPC. Note: it can take a few minutes for a newly created VPC to become available for service deployments.
Migrating a Public Service into a VPC
Any service can be migrated into or out of a VPC. On the service "Overview" tab, scroll down to the "Cloud and VPC" section.
Note the "PUBLIC INTERNET" badge. Select "Migrate Cloud". A new "VPC" geolocation lists your peered VPC. Note: it can take a few minutes for a newly created VPC to become available for service deployments.
Once you complete the modal, your service will be migrated into the private network. Note the "Project VPC" badge.
Note that once your service has been migrated into an Aiven Project VPC it is no longer reachable from the public internet; it can only be reached from clients in a VPC that is peered with the Aiven Project VPC. If you have clients connecting from the public internet, refer to the last section to plan the migration so they keep working.
Firewall rules on the service nodes ensure that connections are accepted only from the private IP ranges of the networks on the other end of the VPC peering connections. Only services belonging to the project in which a VPC was created can be deployed in that VPC.
Accessing the services in a VPC from the public internet
When you move a service into a VPC, access from public networks is blocked by default. You can enable public internet access for a service in the Advanced Configuration section of its Overview page; this creates a separate endpoint whose hostname carries a public- prefix, alongside the private endpoint that stays reachable only over peering. The option is disabled by default. A separate tutorial covers enabling public access for a Kafka service.
IP filtering (the "Allowed IP Addresses" list on the service overview page) remains available for a service in a VPC with both public and private access enabled. Use it: a service that lives in a VPC but has public access enabled is exposed to the public internet again, and the filter is what limits who can reach the public- endpoint.
Keep in mind that the IP filter applies to both the public and the private endpoint. If you add an external IP address to the filter and want traffic over the peered connections to keep flowing, add the CIDR blocks of the peered networks as well; otherwise the private clients are cut off as soon as the filter is saved.
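The failure mode described above, as an added example that is not part of this article or of Aiven's tooling. It composes an allowed-address list from the public client addresses plus the peered CIDR blocks and shows which clients a given list would lock out; the office address, the 10.0.0.0/8 peered range and the client addresses are constructed for illustration:

```python
import ipaddress

# Constructed example values: one office egress address, and the 10.0.0.0/8
# range used as the peered network earlier on this page.
PUBLIC_CLIENTS = ["203.0.113.7"]   # your office/NAT egress address
PEERED_CIDRS = ["10.0.0.0/8"]      # networks peered with the Aiven project VPC


def build_ip_filter(public_clients, peered_cidrs):
    """Compose the 'Allowed IP Addresses' entries for a service that sits in a
    project VPC and has public access enabled.

    Because the filter applies to the private endpoint as well, the peered
    CIDR blocks must be listed next to the public client addresses or the
    private clients lose access the moment the filter is saved.
    """
    entries = []
    for item in list(public_clients) + list(peered_cidrs):
        # A bare address becomes a /32 (or /128); a CIDR is kept as written.
        net = ipaddress.ip_network(item, strict=False)
        if str(net) not in entries:
            entries.append(str(net))
    return entries


def is_allowed(client_ip, ip_filter):
    """True if client_ip falls inside any entry of the filter."""
    ip = ipaddress.ip_address(client_ip)
    return any(
        ip in net
        for net in map(ipaddress.ip_network, ip_filter)
        if net.version == ip.version
    )


def locked_out(ip_filter, clients):
    """Return the clients that the given filter would reject."""
    return [c for c in clients if not is_allowed(c, ip_filter)]


if __name__ == "__main__":
    # public client, private client arriving over peering, unrelated stranger
    clients = ["203.0.113.7", "10.12.3.4", "198.51.100.9"]
    # The mistake: only the external address is allowed, so the peered client is cut off.
    public_only = build_ip_filter(PUBLIC_CLIENTS, [])
    print("public-only filter", public_only, "locks out", locked_out(public_only, clients))
    # The fix: include the peered CIDR blocks alongside the external address.
    complete = build_ip_filter(PUBLIC_CLIENTS, PEERED_CIDRS)
    print("complete filter", complete, "locks out", locked_out(complete, clients))
```

Run the check against the real list of client addresses before saving a filter change; with the complete list only the stranger is rejected, while the public-only list also rejects the peered client even though it never touches the public- endpoint.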