Contents Menu Expand Light mode Dark mode Auto light/dark mode
Light Logo Dark Logo
Aiven.io GitHub
Log in Get started for free
Light Logo Dark Logo
Get started
Light Logo Dark Logo
  • Get started
    • Free plans
    • 30-day trials
    • Set up marketplace subscriptions
      • Set up AWS Marketplace subscriptions
      • Set up Azure Marketplace subscriptions
      • Set up Google Cloud Marketplace subscriptions
    • Aiven Console overview
    • Feature previews
  • Organizations, units, and projects
    • Organization hierarchy and access
    • Create organizations and organizational units
    • Manage projects
    • Project member roles
    • Manage unassigned projects
  • Billing and payments
    • Billing overview
    • Corporate billing
    • Tax information for Aiven services
    • Update your tax status
    • Payment methods
      • Manage payment cards
      • Marketplace subscriptions
        • Move to AWS Marketplace
        • Move to Azure Marketplace
        • Move to Google Cloud Marketplace
    • Billing groups
      • Billing groups overview
      • Create billing groups
      • Manage billing groups
      • Assign projects to billing groups
      • Change billing contacts
    • Payment problems when upgrading
    • Request service custom plans
  • User and access management
    • Manage users in an organization
    • User profiles
      • Edit your user profile
      • Change your email address
    • Authentication methods
      • Add authentication methods
      • Password policy
      • Manage two-factor authentication
      • Authentication tokens
      • Create authentication tokens
      • SAML authentication
        • Set up SAML authentication
        • Set up SAML with Auth0
        • Set up SAML with Microsoft Azure Active Directory
        • Set up SAML with FusionAuth
        • Set up SAML with JumpCloud
        • Set up SAML with Okta
        • Set up SAML with OneLogin
        • Set up SAML with Google
    • Groups
      • Create and manage groups
      • Add groups to projects
      • Create and manage teams
    • Get technical notifications
    • Reactivate suspended projects
  • Service management
    • Choosing a time series database
    • Create a new service
    • Rename a service
    • Tag your Aiven resources
    • Search for services
    • Recover a deleted service
    • Create service users
    • Service forking
    • Fork your service
    • Backups at Aiven
    • Service power cycle
    • Pause or terminate your service
    • Service resources
    • Service memory limits
    • Out of memory conditions
    • Prepare services for high load
    • Scale your service
    • Dynamic Disk Sizing (DDS)
    • Periodic cleanup of powered-off services
    • Add or remove storage
    • Access service logs
    • Access service metrics
    • Migrate service to another cloud or region
    • Migrate a public service to a Virtual Private Cloud (VPC)
    • EOL for major versions of Aiven Services
    • Maintenance window
  • Networking and security
    • List of available cloud regions
    • Availability zones
    • BYOC
      • Bring your own cloud (BYOC)
      • Create custom cloud
      • Assign projects
      • Add customer contacts
      • Rename custom cloud
    • Enhanced compliance environments (ECE)
    • Firewall configuration for service nodes
    • Cloud security
    • Disaster recovery testing scenarios
    • TLS/SSL certificates
    • Download CA certificates
    • Restrict network access to services
    • Enable public access in VPCs
    • Static IP addresses
    • Default service IP address and hostname
    • Manage static IP addresses
    • Handle resolution errors of private IP addresses
    • Attach VPCs to an AWS Transit Gateway
    • Manage Virtual Private Cloud (VPC) peering
    • Set up Virtual Private Cloud (VPC) peering on Google Cloud Platform (GCP)
    • Set up Virtual Private Cloud (VPC) peering on AWS
    • Set up Azure virtual network peering
    • Use AWS PrivateLink with Aiven services
    • Use Azure Private Link with Aiven services
    • Use Google Private Service Connect with Aiven services
  • Monitoring and logs
    • Monitoring services
    • About logging, metrics and alerting
    • Amazon CloudWatch
      • CloudWatch metrics
      • CloudWatch Logs
        • Send logs to AWS CloudWatch from Aiven web console
        • Send logs to AWS CloudWatch from Aiven client
    • Datadog
      • Send metrics to Datadog
      • Increase metrics limit setting for Datadog
      • Send logs to Datadog
      • Add custom tags Datadog integration
    • Elasticsearch logs
    • Google Cloud Logging
    • Google BigQuery
    • RSyslog
      • Logtail
      • Loggly
    • Jolokia metrics
    • Prometheus metrics
      • Prometheus system metrics
  • Integrations
    • Service integrations
    • Create service integrations
  • Aiven tools
    • Aiven CLI
      • avn account
        • avn account authentication-method
        • avn account team
      • avn billing-group
      • avn card
      • avn cloud
      • avn credits
      • avn events
      • avn mirrormaker
      • avn project
      • avn service
        • avn service acl
        • avn service connection-info
        • avn service connection-pool
        • avn service connector
        • avn service database
        • avn service es-acl
        • avn service flink
        • avn service integration
        • avn service m3
        • avn service privatelink
        • avn service schema-registry-acl
        • avn service index
        • avn service tags
        • avn service topic
        • avn service user
      • avn ticket
      • avn user
        • avn user access-token
      • avn vpc
    • Aiven API
      • API examples
    • Aiven Provider for Terraform
      • Get started
      • Data sources
      • Enable debug logging
      • Promote PostgreSQL read-only replica to primary
      • Use PostgreSQL Provider with Aiven Provider
      • Upgrade Aiven Provider
        • Upgrade from v1 to v2
        • Upgrade from v2 to v3
        • Upgrade from v3 to v4
        • Upgrade to OpenSearch® with Terraform
        • Update deprecated resources
      • Virtual network peering
        • Set up AWS virtual network peering
        • Set up Azure virtual network peering
        • Set up Google Cloud Platform virtual network peering
      • Troubleshooting
        • Private access error when using VPC
    • Aiven Operator for Kubernetes
  • Apache Kafka
    • Get started
    • Sample data generator
    • Concepts
      • Upgrade procedure
      • Scaling options
      • Access control lists and permission mapping
      • Schema registry authorization
      • Apache Kafka® REST API
      • Compacted topics
      • Partition segments
      • Authentication types
      • NOT_LEADER_FOR_PARTITION errors
      • Configuration backups for Apache Kafka®
      • Monitoring consumer groups in Aiven for Apache Kafka®
      • Quotas
    • HowTo
      • Code samples
        • Connect with Python
        • Connect with Java
        • Connect with Go
        • Connect with command line
        • Connect with NodeJS
      • Tools
        • Configure properties for Apache Kafka® toolbox
        • Use kcat with Aiven for Apache Kafka®
        • Connect to Apache Kafka® with Conduktor
        • Use Kafdrop Web UI with Aiven for Apache Kafka®
        • Use Provectus® UI for Apache Kafka® with Aiven for Apache Kafka®
        • Use Kpow with Aiven for Apache Kafka®
        • Connect Aiven for Apache Kafka® with Klaw
      • Security
        • Configure Java SSL keystore and truststore to access Apache Kafka
        • Manage users and access control lists
        • Monitor and alert logs for denied ACL
        • Use SASL authentication with Aiven for Apache Kafka®
        • Renew and Acknowledge service user SSL certificates
        • Encrypt data using a custom serde
      • Administration tasks
        • Schema registry
          • Use Karapace with Aiven for Apache Kafka®
        • Get the best from Apache Kafka®
        • Manage configurations with Apache Kafka® CLI tools
        • Manage Apache Kafka® parameters
        • View and reset consumer group offsets
        • Configure log cleaner for topic compaction
        • Prevent full disks
        • Set Apache ZooKeeper™ configuration
        • Avoid OutOfMemoryError errors in Aiven for Apache Kafka®
        • Optimizing resource usage
        • Manage quotas
      • Integrations
        • Integration of logs into Apache Kafka® topic
        • Use Apache Kafka® Streams with Aiven for Apache Kafka®
        • Use Apache Flink® with Aiven for Apache Kafka®
        • Configure Apache Kafka® metrics sent to Datadog
        • Use ksqlDB with Aiven for Apache Kafka
        • Add kafka.producer. and kafka.consumer Datadog metrics
      • Topic/schema management
        • Creating an Apache Kafka® topic
        • Create Apache Kafka® topics automatically
        • Get partition details of an Apache Kafka® topic
        • Use schema registry in Java with Aiven for Apache Kafka®
        • Change data retention period
    • Reference
      • Advanced parameters
      • Metrics available via Prometheus
    • Apache Kafka Connect
      • Getting started
      • Concepts
        • List of available Apache Kafka® Connect connectors
        • JDBC source connector modes
        • Causes of “connector list not currently available”
      • HowTo
        • Administration tasks
          • Get the best from Apache Kafka® Connect
          • Bring your own Apache Kafka® Connect cluster
          • Enable Apache Kafka® Connect on Aiven for Apache Kafka®
          • Enable Apache Kafka® Connect connectors auto restart on failures
          • Manage Kafka Connect logging level
          • Request a new connector
        • Source connectors
          • PostgreSQL to Kafka
          • PostgreSQL to Kafka with Debezium
          • MySQL to Kafka
          • MySQL to Kafka with Debezium
          • SQL Server to Kafka
          • SQL Server to Kafka with Debezium
          • MongoDB to Kafka
          • Handle PostgreSQL® node replacements when using Debezium for change data capture
          • MongoDB to Kafka with Debezium
          • Cassandra to Kafka
          • MQTT to Kafka
          • Google Pub/Sub to Kafka
          • Google Pub/Sub Lite to Kafka
          • Couchbase to Kafka
        • Sink connectors
          • Kafka to another database with JDBC
          • Configure AWS for an S3 sink connector
          • Kafka to S3 (Aiven)
          • Use AWS IAM assume role credentials provider
          • Kafka to S3 (Confluent)
          • Configure GCP for a Google Cloud Storage sink connector
          • Kafka to GCS
          • Configure GCP for a Google BigQuery sink connector
          • Kafka to Big Query
          • Kafka to OpenSearch
          • Kafka to Elasticsearch
          • Configure Snowflake for a sink connector
          • Kakfa to Snowflake
          • Kafka to HTTP
          • Kafka to MongoDB
          • Kafka to MongoDB (by Lenses)
          • Kafka to InfluxDB
          • Kafka to Redis
          • Kafka to Cassandra
          • Kafka to Couchbase
          • Kafka to Google Pub/Sub
          • Kafka to Google Pub/Sub Lite
          • Kafka to Splunk
          • Kafka to MQTT
      • Reference
        • Advanced parameters
        • AWS S3 sink connector naming and data format
          • S3 sink connector by Aiven naming and data formats
          • S3 sink connector by Confluent naming and data formats
        • Google Cloud Storage sink connector naming and data formats
        • Metrics available via Prometheus
    • Apache Kafka MirrorMaker2
      • Getting started
      • Concepts
        • Disaster recovery and migration
          • Active-Active Setup
          • Active-Passive Setup
        • Topics included in a replication flow
        • MirrorMaker 2 common parameters
      • HowTo
        • Integrate an external Apache Kafka® cluster in Aiven
        • Set up an Apache Kafka® MirrorMaker 2 replication flow
        • Setup Apache Kafka® MirrorMaker 2 monitoring
        • Remove topic prefix when replicating with Apache Kafka® MirrorMaker 2
      • Reference
        • List of advanced parameters
        • Known issues
        • Terminology for Aiven for Apache Kafka® MirrorMaker 2
    • Karapace
      • Getting started with Karapace
      • Concepts
        • Karapace schema registry authorization
        • ACLs definition
        • Apache Kafka® REST proxy authorization
      • HowTo
        • Enable Karapace schema registry and REST APIs
        • Enable Karapace schema registry authorization
        • Enable Apache Kafka® REST proxy authorization
        • Manage Karapace schema registry authorization
        • Manage Apache Kafka® REST proxy authorization
  • Apache Flink
    • Overview
      • Architecture overview
      • Aiven for Apache Flink features
      • Managed service features
      • Plans and pricing
      • Limitations
    • Quickstart
    • Concepts
      • Aiven Flink applications
      • Built-in SQL editor
      • Flink tables
      • Checkpoints
      • Savepoints
      • Event and processing times
      • Watermarks
      • Windows
      • Standard and upsert connectors
      • Settings for Apache Kafka® connectors
    • HowTo
      • Get started
      • Integrate service
        • Data service integrations
        • Integrate with Apache Kafka
        • Integrate with Google BigQuery
      • Aiven for Apache Flink applications
        • Create Apache Flink applications
        • Manage Apache Flink applications
      • Apache Flink tables
        • Manage Apache Flink tables
        • Create Apache Flink tables with data sources
          • Apache Kafka-based Apache Flink table
          • Confluent Avro-based Apache Flink table
          • PostgreSQL-based Apache Flink table
          • OpenSearch-based Apache Flink table
          • PostgreSQL CDC connector-based Apache Flink table
          • Slack-based Apache Flink table
          • DataGen-based Apache Flink table
      • Manage cluster
      • Advanced topics
        • Define OpenSearch® timestamp data in SQL pipeline
    • Reference
      • Advanced parameters
  • Apache Cassandra
    • Overview
    • Quickstart
    • Concepts
      • Tombstones
      • Cross-cluster replication
    • HowTo
      • Get started
      • Connect to service
        • Connect with cqlsh
        • Connect with Python
        • Connect with Go
      • Manage service
        • Manage data with DSBULK
        • Stress test with nosqlbench
        • Migrate to Aiven
      • Manage cluster
      • Cross-cluster replication
        • Enable CCR
        • Manage CCR
        • Disable CCR
    • Reference
      • Advanced parameters
  • ClickHouse
    • Overview
      • Features overview
      • Architecture overview
      • Plans and pricing
      • Limits and limitations
    • Quickstart
    • Concepts
      • Online analytical processing
      • ClickHouse® as a columnar database
      • Indexing and data processing in ClickHouse®
      • Disaster recovery
      • Strings
      • Federated queries
      • Tiered storage
    • HowTo
      • Get started
        • Load data
        • Secure a service
      • Connect to service
        • Connect with the ClickHouse client
        • Connect with Go
        • Connect with Python
        • Connect with Node.js
        • Connect with PHP
        • Connect with Java
      • Manage service
        • Manage users and roles
        • Manage databases and tables
        • Query databases
        • Create materialized views
        • Monitor performance
        • Read and write data across shards
        • Copy data across ClickHouse servers
        • Fetch query statistics
        • Run federated queries
      • Manage cluster
      • Integrate service
        • Connect to Grafana
        • Connect to Apache Kafka
        • Connect to PostgreSQL
        • Connect a service as a data source (Apache Kafka and PostgreSQL)
        • Connect services via integration databases
        • Connect to external DBs with JDBC
      • Tiered storage
        • Enable tiered storage
        • Configure tiered storage
        • Check tiered storage status
        • Transfer data in tiered storage
    • Reference
      • Supported table engines
      • ClickHouse metrics in Grafana
      • Formats for ClickHouse-Kafka data exchange
      • Advanced parameters
  • Grafana
    • Overview
      • Features overview
      • Plans and pricing
    • Quickstart
    • HowTo
      • User access
        • Log in to Aiven for Grafana
        • Update Grafana® service credentials
        • OAuth configuration
      • Manage dashboards
        • Dashboard previews
        • Replace strings in Grafana® dashboards
      • Alerts and notifcations
      • Manage cluster
      • Point-in-time recovery process
    • Reference
      • Advanced parameters
      • Plugins
  • InfluxDB
    • Get started
    • Concepts
      • Continuous queries
      • InfluxDB® retention policies
    • HowTo
      • Migrate data from self-hosted InfluxDB® to Aiven
    • Reference
      • Advanced parameters for Aiven for InfluxDB®
  • M3DB
    • Get started
    • Concepts
      • Aiven for M3 components
      • About M3DB namespaces and aggregation
      • About scaling M3
    • HowTo
      • Visualize M3DB data with Grafana®
      • Monitor Aiven services with M3DB
      • Use M3DB as remote storage for Prometheus
      • Write to M3 from Telegraf
      • Telegraf to M3 to Grafana® Example
      • Write data to M3DB with Go
      • Write data to M3DB with PHP
      • Write data to M3DB with Python
    • Reference
      • Terminology
      • Advanced parameters
      • Advanced parameters M3Aggregator
  • MySQL
    • Overview
    • Quickstart
    • Concepts
      • max_connections
      • Backups
      • Memory usage
      • Replication
      • Tuning for concurrency
    • HowTo
      • Get started
      • Connect to a service
        • Connect to Aiven for MySQL® from the command line
        • Connect to Aiven for MySQL® with Python
        • Connect to Aiven for MySQL® using MySQLx with Python
        • Connect to Aiven for MySQL® with Java
        • Connect to Aiven for MySQL® with PHP
        • Connect to Aiven for MySQL® with MySQL Workbench
      • Database management
        • Create a database
        • Create remote replicas
        • Backup and restore with mysqldump
        • Disable foreign key checks
        • Enable slow query logging
        • Create new tables without primary keys
        • Create missing primary keys
      • Data migration
        • Run pre-migration checks
        • Migrate to Aiven with CLI
        • Migrate to Aiven via console
      • Disk space management
        • Prevent running out of disk space
        • Reclaim disk space
        • Identify disk usage issues
      • Cluster management
    • Reference
      • Advanced parameters
      • Resource capability per plan
  • OpenSearch
    • Quickstart
      • Sample dataset: recipes
    • Overview
      • Service overview
      • Plans and pricing
    • Concepts
      • Access control
        • Understanding access control in Aiven for OpenSearch®
      • OpenSearch Security
        • Key considerations
      • OpenSearch backups
      • Indices
      • Aggregations
      • High availability in Aiven for OpenSearch®
      • OpenSearch® vs Elasticsearch
      • Optimal number of shards
      • When to create a new index
      • OpenSearch® cross-cluster replication
    • HowTo
      • Manage access control
        • Manage users and access control in Aiven for OpenSearch®
      • Connect with service
        • Connect with cURL
        • Connect with NodeJS
        • Connect with Python
      • Data management
        • Copy data from OpenSearch to Aiven for OpenSearch® using elasticsearch-dump
        • Copy data from Aiven for OpenSearch® to AWS S3 using elasticsearch-dump
        • Migrate Elasticsearch data
      • Search and aggregation
        • Search with Python
        • Search with NodeJS
        • Aggregation with NodeJS
      • Manage OpenSearch Security
        • Enable OpenSearch Security management
        • SAML authentication
        • OpenID Connect
        • Audit logs
        • OpenSearch Dashboard multi-tenancy
      • Manage service
        • Restore an OpenSearch® backup
        • Set index retention patterns
        • Create alerts with OpenSearch® API
        • Handle low disk space
        • Manage large shards
        • Cross-cluster replication
      • Integrate service
        • Manage OpenSearch® log integration
        • Integrate with Grafana®
      • Upgrade to OpenSearch
        • Upgrade to OpenSearch®
        • Upgrade Elasticsearch clients to OpenSearch®
    • OpenSearch Dashboards
      • Getting started
      • HowTo
        • Getting started with Dev tools
        • Create alerts with OpenSearch® Dashboards
    • Reference
      • Plugins
      • Advanced parameters
      • Automatic adjustment of replication factors
      • REST API endpoint access
      • Low disk space watermarks
    • Troubleshooting
      • Troubleshoot OpenSearch® Dashboards
  • PostgreSQL
    • Overview
    • Quickstart
    • Concepts
      • aiven-db-migrate
      • DBA-type tasks
      • High availability
      • Backups
      • Connection pooling
      • Disk usage
      • Shared buffers
      • TimescaleDB
      • Upgrade and failover procedures
      • AI-powered search with pgvector
    • HowTo
      • Get started
        • Load sample dataset
      • Connect to service
        • Connect with Go
        • Connect with Java
        • Connect with NodeJS
        • Connect with PHP
        • Connect with Python
        • Connect with psql
        • Connect with pgAdmin
        • Connect with Rivery
        • Connect with Skyvia
        • Connect with Zapier
      • Administer database
        • Create additional PostgreSQL® databases
        • Perform a PostgreSQL® major version upgrade
        • Install or update an extension
        • Create manual PostgreSQL® backups
        • Restore PostgreSQL® from a backup
        • Claim public schema ownership
        • Manage connection pooling
        • Access PgBouncer statistics
        • Use the PostgreSQL® dblink extension
        • Use the PostgreSQL® pg_repack extension
        • Use the PostgreSQL® pg_cron extension
        • Enable JIT in PostgreSQL®
        • Identify PostgreSQL® slow queries
        • Detect and terminate long-running queries
        • Optimize PostgreSQL® slow queries
        • Check and avoid transaction ID wraparound
        • Prevent PostgreSQL® full disk issues
        • Enable and use pgvector
        • Check size of a database, a table or an index
      • Migrate
        • Migrate to a different cloud provider or region
        • Migrate PostgreSQL databases to Aiven via console
        • Migrate to Aiven for PostgreSQL® with aiven-db-migrate
        • Migrate to Aiven for PostgreSQL® with pg_dump and pg_restore
        • Migrating to Aiven for PostgreSQL® using Bucardo
        • Migrate between PostgreSQL® instances using aiven-db-migrate in Python
      • Replicate
        • Create and use read-only replicas
        • Set up logical replication to Aiven for PostgreSQL®
        • Enable logical replication on Amazon Aurora PostgreSQL®
        • Enable logical replication on Amazon RDS PostgreSQL®
        • Enable logical replication on Google Cloud SQL
      • Manage cluster
      • Integrate
        • Database monitoring with Datadog
        • Visualize PostgreSQL® data with Grafana®
        • Monitor PostgreSQL® metrics with Grafana®
        • Monitor PostgreSQL® metrics with pgwatch2
        • Connect two PostgreSQL® services via datasource integration
        • Report and analyze with Google Data Studio
    • Troubleshooting
      • Connection pooling
      • Repair index
    • Reference
      • Advanced parameters
      • Connection limits per plan
      • Deprecated TLS versions
      • Extensions
      • Keep-alive connections parameters
      • Metrics exposed to Grafana
      • Resource capability per plan
      • Supported log formats
      • Terminology
  • Redis
    • Overview
    • Quickstart
    • Concepts
      • High availablilty
      • Lua scripts
      • Memory management and persistence
    • HowTo
      • Connect to service
        • Connect with redis-cli
        • Connect with Go
        • Connect with NodeJS
        • Connect with PHP
        • Connect with Python
        • Connect with Java
      • Administer database
        • Configure ACL permissions in Aiven for Redis®*
        • Data migration
          • Migrate from Redis®* to Aiven for Redis®* using the CLI
          • Migrate from Redis®* to Aiven for Redis®* using Aiven Console
      • Estimate maximum number of connection
      • Manage SSL connectivity
      • Handle warning overcommit_memory
      • Benchmark performance
    • Reference
      • Advanced parameters
    • Troubleshooting
      • Troubleshoot connection issues
  • Support
    • Get support in the Aiven Console
    • Upgrade your support tier
    • Service level agreement
    • Service and feature releases
  • Community
    • Catch the Bus - Aiven challenge with ClickHouse
    • Rolling - Aiven challenge with Apache Kafka and Apache Flink
  • Tutorials
    • Streaming anomaly detection with Apache Flink, Apache Kafka and PostgreSQL
Get started for free Log in GitHub Aiven.io
Back to top

Use AWS PrivateLink with Aiven services#

Important

AWS PrivateLink is a limited availability feature, which you can request from the sales team (sales@Aiven.io) or your account manager. During the limited availability stage, you can use the feature at no cost. If you want to continue using AWS PrivateLink after it reaches general availability, you’ll be billed according to the latest applicable price.

AWS PrivateLink brings Aiven services to the selected virtual private cloud (VPC) in your AWS account. In a traditional setup that uses VPC peering, traffic is routed through an AWS VPC peering connection to your Aiven services. With PrivateLink, you can create a VPC endpoint to your own VPC and access an Aiven service from that. The VPC endpoint creates network interfaces (NIC) to the subnets and availability zones that you choose and receives the private IP addresses that belong to the IP range of your VPC. The VPC endpoint is routed to your Aiven service located in one of Aiven’s AWS accounts.

You can enable PrivateLink for Aiven services located in project VPC. Before you can set up AWS PrivateLink, create a VPC and launch the services that you want to connect to that VPC. As there is no network routing between the VPC, you can use any private IP range for the VPC, unless you also want to connect to the project VPC using VPC peering connections. This means that overlaps in the IP range are not an issue.

You can use either the Aiven Console or the Aiven CLI to set up AWS PrivateLink. You also need the AWS CLI to create a VPC endpoint.

Note: Aiven for Apache Cassandra® and Aiven for M3 services do not currently support AWS PrivateLink.

  1. Create an AWS PrivateLink resource on the Aiven service:
    The Amazon Resource Name (ARN) for the principals that are allowed to connect to the VPC endpoint service and the AWS network load balancer requires your Amazon account ID. In addition, you can set the access scope for an entire AWS account, a given user account, or a given role. Only give permissions to roles that you trust, as an allowed role can connect from any VPC.

    • Using the Aiven CLI, run the following command including your AWS account ID, the access scope, and the name of your Aiven service:

      $ avn service privatelink aws create --principal arn:aws:iam::$AWS_account_ID:$access_scope $Aiven_service_name

      For example:

      $ avn service privatelink aws create --principal arn:aws:iam::012345678901:user/mwf my-kafka

    • Using Aiven Console:

      1. Log in to Aiven Console and select the service that you want to use.

      2. On the Overview page of your service, select Network from the sidebar.

      3. On the Network page, select Create Privatelink .

      4. In the Create Privatelink window, enter the Amazon Resource Names (ARN) for the principals that you want to use, and select Create .

    This creates an AWS network load balancer dedicated to your Aiven service and attaches it to an AWS VPC endpoint service that you can later use to connect to your account’s VPC endpoint.
    The PrivateLink resource stays in the initial creating state for up to a few minutes while the load balancer is being launched. After the load balancer and VPC endpoint service have been created, the state changes to active and the aws_service_id and aws_service_name values are set.

  2. In the AWS CLI, run the following command to create a VPC endpoint:

    $ aws ec2 --region eu-west-1 create-vpc-endpoint --vpc-endpoint-type Interface --vpc-id $your_vpc_id --subnet-ids $space_separated_list_of_subnet_ids --security-group-ids $security_group_ids --service-name com.amazonaws.vpce.eu-west-1.vpce-svc-0b16e88f3b706aaf1

    Replace the --service-name value with the value shown next to Network > AWS service name in Aiven Console or by running the following command in the Aiven CLI:
    $ avn service privatelink aws get aws_service_name

    Note that for fault tolerance, you should specify a subnet ID for each availability zone in the region. The security groups determine the instances that are allowed to connect to the endpoint network interfaces created by AWS into the specified subnets.
    Alternatively, you can create the VPC endpoint in Aiven Console under Integration endpoints > Add new endpoint . See the AWS documentation for details.
    Note: For Aiven for Apache Kafka® services, the security group for the VPC endpoint must allow ingress in the port range 10000-31000 to accommodate the pool of Kafka broker ports used in our PrivateLink implementation.
    It takes a while before the endpoint is ready to use as AWS provisions network interfaces to each of the subnets and connects them to the Aiven VPC endpoint service. Once the AWS endpoint state changes to available , the connection is visible in Aiven.
  3. Enable PrivateLink access for Aiven service components:
    You can control each service component separately - for example, you can enable PrivateLink access for Kafka while allowing Kafka Connect to connect via VPC peering connections only.

    • In the Aiven CLI, set user_config.privatelink_access.<service component> to true for the components that you want to enable. For example:

      $ avn service update -c privatelink_access.kafka=true $Aiven_service_name
$ avn service update -c privatelink_access.kafka_connect=true $Aiven_service_name
$ avn service update -c privatelink_access.kafka_rest=true $Aiven_service_name
$ avn service update -c privatelink_access.schema_registry=true $Aiven_service_name

    • In Aiven Console:

      1. Go to the Overview page of your service, and scroll down to Advanced configuration.

      2. Select Change, add the components that you want, and switch them on.

        Aiven Console private link configuration

      3. Select Save advanced configuration .

    It takes a couple of minutes before connectivity is available after you enable a service component. This is because AWS requires an AWS load balancer behind each VPC endpoint service, and the target rules on the load balancer for the service nodes need at least two successful heartbeats before they transition from the initial state to healthy and are included in the active forwarding rules of the load balancer.

    Note: Currently, you can only create one VPC endpoint for each Aiven service.

Connection information#

Once you have enabled PrivateLink access for a service component, a switch for the privatelink access route appears under Connection information on the Overview page in Aiven Console. The host - and for some service components such as Kafka, port - values differ from the default dynamic access route that is used to connect to the service. You can use the same credentials with any access route.

Updating the allowed principals list#

To change the list of AWS accounts or IAM users or roles that are allowed to connect a VPC endpoint:

  • Use the update command of the Aiven CLI:

    # avn service privatelink aws update --principal arn:aws:iam::$AWS_account_ID:$access_scope $Aiven_service_name
    Note: When you add an entry, also include the --principal arguments for existing entries.

  • In Aiven Console:

    1. Select your service from the Services page.

    2. Select Network from the sidebar.

    3. In the Network page, select Edit principals.

    4. Enter the principals that you want to include.

    5. Select Save .

Deleting a privatelink connection#

  • Using the Aiven CLI, run the following command:

    $ avn service privatelink aws delete $Aiven_service_name

    AWS_SERVICE_ID             AWS_SERVICE_NAME                                        PRINCIPALS                         STATE
========================== ======================================================= ================================== ========
vpce-svc-0b16e88f3b706aaf1 com.amazonaws.vpce.eu-west-1.vpce-svc-0b16e88f3b

  • Using Aiven Console:

    1. Select Network from the sidebar on your service’s page.

    2. Select the trash can icon on the right of the AWS PrivateLink row.

    3. Select Confirm .

This deletes the AWS load balancer and VPC service endpoint.

Did you find this useful?

Apache, Apache Kafka, Kafka, Apache Flink, Flink, Apache Cassandra, and Cassandra are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. M3, M3 Aggregator, M3 Coordinator, OpenSearch, PostgreSQL, MySQL, InfluxDB, Grafana, Terraform, and Kubernetes are trademarks and property of their respective owners. *Redis is a registered trademark of Redis Ltd. Any rights therein are reserved to Redis Ltd. Any use by Aiven is for referential purposes only and does not indicate any sponsorship, endorsement or affiliation between Redis and Aiven. All product and service names used in this website are for identification purposes only and do not imply endorsement.

Copyright © 2023, Aiven Team | Show Source | Last updated: September 2023
Contents
  • Use AWS PrivateLink with Aiven services
    • Connection information
    • Updating the allowed principals list
    • Deleting a privatelink connection