Networking overview
Aiven services can be accessed through different network configurations:Public Access
- Services accessible over public internet
- TLS encryption for all connections
- IP allowlisting for access control
- Simplest setup, no VPC required
VPC Peering
- Direct private connection between networks
- No traffic over public internet
- Lower latency, higher security
- Supported on AWS, GCP, Azure, UpCloud
AWS PrivateLink
- Access without VPC peering
- Simplified network configuration
- Available for select services
- AWS only
Static IPs
- Predictable IP addresses for services
- Useful for firewall rules
- Additional hourly cost
- Available on all cloud providers
Virtual Private Clouds (VPCs)
VPCs provide isolated network environments for your Aiven services with enhanced security and control.VPC benefits
- Isolation - Logical separation from other networks
- Security - Control over network traffic and routing
- Private IPs - Services use private IP addresses
- Customizable - Define your own IP ranges (CIDR blocks)
- Scalability - Expand as your infrastructure grows
VPC types
- Project VPCs
- Organization VPCs
- All services in one project share the VPC
- Simplest option for most use cases
- Managed at project level
Creating VPCs
Choose CIDR block
10.0.0.0/24(256 addresses)10.1.0.0/23(512 addresses)192.168.0.0/24(256 addresses)
Create VPC
- Navigate to project → VPCs
- Click Create VPC
- Select cloud and region
- Enter network CIDR
- Click Create
Deploy services
Set up peering (optional)
VPC Peering
VPC peering creates a private network connection between your Aiven VPC and your own VPC in AWS, GCP, Azure, or UpCloud.Peering benefits
- Private communication - Direct connection using private IPs
- High performance - Low latency by staying on cloud provider’s network
- Security - No exposure to public internet
- Scalability - Support for cross-account and cross-region connections
VPC peering workflow
Create Aiven VPC
Create peering connection
Accept peering in your cloud
Update route tables
Update security groups
Test connectivity
Peering on AWS
Peering on Google Cloud
Peering on Azure
Peering troubleshooting
Peering connection stuck in pending
Peering connection stuck in pending
- Check for pending peering request in your cloud console
- Verify peer account ID, VPC ID, region are correct
- Accept the peering connection
- Wait a few minutes for connection to activate
Cannot connect to service after peering
Cannot connect to service after peering
- Verify route table has route to Aiven VPC CIDR
- Check security groups allow traffic from your network
- Verify service is using private VPC endpoint (not public)
- Test with
nc -zv <service-host> <port>
CIDR blocks overlap
CIDR blocks overlap
- Delete the Aiven VPC (if no services deployed)
- Create new VPC with non-overlapping CIDR
- If services exist, migrate to new VPC
IP filtering and allowlists
Restrict access to services by IP address without VPC peering:Configure IP allowlist
- Aiven Console
- Aiven CLI
- Terraform
Open service
Edit allowlist
Add IP ranges
203.0.113.0/24)Apply changes
IP allowlist best practices
Use CIDR notation
203.0.113.0/24 covers 256 addressesInclude backup access
Document IP ranges
Use VPC for production
Review regularly
Static IP addresses
Static IPs provide predictable IP addresses for services, useful for firewall rules and IP-based tools:When to use static IPs
- Firewall rules - Your firewall requires specific IP addresses
- IP-based tools - Proxies or other tools that use IPs instead of hostnames
- Predictability - Need consistent IPs across service updates
Configuring static IPs
Calculate IPs needed
- Up to 6 nodes: 2 × number of nodes
- 6+ nodes: number of nodes + 6
Create static IPs
Associate with service
Enable on service
Managing static IPs
Public access in VPC
Services in VPCs are private by default, but you can enable public access if needed:AWS Transit Gateway
For complex AWS networking, connect Aiven VPCs to AWS Transit Gateway:Transit Gateway benefits
- Centralized routing - Single point for all VPC connections
- Scalability - Connect many VPCs without mesh peering
- Cross-region - Connect VPCs across AWS regions
- On-premises - Connect to on-premises networks via VPN/Direct Connect
Setting up Transit Gateway
Create Transit Gateway in AWS
Share TGW with Aiven AWS account
Attach Aiven VPC
Accept attachment in AWS
Update route tables
Network security
Encryption
All Aiven connections use TLS encryption:- TLS 1.2+ - Modern encryption standards
- Strong cipher suites - AES-256, ChaCha20
- Certificate validation - Download CA certificates from Console
- Perfect forward secrecy - Keys not compromised if long-term key compromised
Firewall protection
Aiven services are protected by dynamically configured firewalls:- iptables-based - Automatic firewall rules
- Default deny - Only allowed sources can connect
- IP allowlists - User-controlled allowed IPs
- VPC isolation - Private IPs only accessible through peering
DDoS protection
Cloud providers offer DDoS protection:- AWS Shield - Automatic DDoS protection on AWS
- GCP Cloud Armor - DDoS mitigation on Google Cloud
- Azure DDoS Protection - Built-in protection on Azure
Best practices
Use VPC peering for production
Plan CIDR blocks carefully
Use IP filtering as backup
Monitor network metrics
Document network architecture
Test failover scenarios
Use private endpoints
Avoid static IPs when possible