Skip to main content

Use Azure Private Link with Aiven services Limited availabilty

Azure Private Link lets you bring your Aiven services into your virtual network (VNet) over a private endpoint. The endpoint creates a network interface into one of the VNet subnets, and receives a private IP address from its IP range. The private endpoint is routed to your Aiven service.

Azure Private Link is supported for the following services:

  • Aiven for Apache Kafka®
  • Aiven for Apache Kafka Connect®
  • Aiven for ClickHouse®
  • Aiven for Grafana®
  • Aiven for InfluxDB®
  • Aiven for MySQL®
  • Aiven for OpenSearch®
  • Aiven for PostgreSQL®
  • Aiven for Redis®*

Prerequisites

  • This feature is in limited availability. Contact the sales team to enable it.

  • Aiven CLI is installed.

  • The Aiven service is in a project VPC. This ensures the service is not accessible from the public internet.

    note

    If you are not using regular VNet peerings, any private IP range can be used for the VPC. There is no network routing between your Azure subscription and the Aiven VPC, so overlapping IP ranges are not an issue.

  • The Aiven service is using static IP addresses.

    note

    Even though services in a VPC only communicate using private IP addresses, Azure load balancers require standard SKU IP addresses for target virtual machines. Azure sends TCP health probes to load balancer target ports from a public IP address.

Variables

VariableDescription
SUBSCRIPTION_IDAzure subscription ID
AIVEN_SERVICEName of your Aiven service

There are three steps to setting up an Azure Private Link with your Aiven service:

  1. Create a Private Link service
  2. Create a private endpoint
  3. Enable Private Link access service components

  1. In the Aiven CLI, create a Private Link resource on your Aiven service:

    avn service privatelink azure create AIVEN_SERVICE --user-subscription-id SUBSCRIPTION_ID

    This creates an Azure Standard Internal Load Balancer dedicated to your Aiven service and attaches it to an Azure Private Link service. Connections from other subscriptions are automatically rejected.

  2. Check the status of the Private Link service:

    avn service privatelink azure get AIVEN_SERVICE

    The service is in the creating state until Azure provisions a load balancer and Private Link service.

  3. When the state changes to active, note the azure_service_alias and azure_service_id:

    avn service privatelink azure get AIVEN_SERVICE

Step 1. Create a private endpoint

Azure resources in the Aiven service are now ready to be connected to your Azure subscription and virtual network.

  1. In the Azure web console or Azure CLI, create a private endpoint. If you are using the console, select Connect to an Azure resource by resource ID or alias and enter the azure_service_alias or azure_service_id.

  2. Refresh the Aiven Private Link service:

    avn service privatelink azure refresh AIVEN_SERVICE
    note

    Azure does not provide notifications about endpoint connections and the Aiven API will not be aware of new endpoints until it's refreshed.

  3. In the Aiven CLI, check that the endpoint is connected to the service:

    avn service privatelink azure connection list AIVEN_SERVICE

    The output will look similar to this:

    PRIVATELINK_CONNECTION_ID  PRIVATE_ENDPOINT_ID                                                                                                                                         STATE                  USER_IP_ADDRESS
    =========================  ==========================================================================================================================================================  =====================  ===============
    plc35843e8051.             /subscriptions/8eefec94-5d63-40c9-983c-03ab083b411d/resourceGroups/test-privatelink/providers/Microsoft.Network/privateEndpoints/my-endpoint                pending-user-approval  null

  4. Check that the endpoint ID matches the one created in your subscription and approve it:

    avn service privatelink azure connection approve AIVEN_SERVICE PRIVATELINK_CONNECTION_ID

    The endpoint in your Azure subscription is now connected to the Private Link service in the Aiven service. The state of the endpoint is pending.

  5. In the Azure web console, go to the private endpoint and select Network interface. Copy the private IP address.

  6. In the Aiven CLI, add the endpoint's IP address you copied to the connection:

    avn service privatelink azure connection update \
       --endpoint-ip-address IP_ADDRESS             \
       AIVEN_SERVICE PRIVATELINK_CONNECTION_ID

Once the endpoint IP address is added, the connection's status changes to active. A DNS name for the service is registered pointing to that IP address.

Finally, enable Private Link access on your Aiven services using either the Aiven CLI or Aiven Console.

Aiven CLI

To enable Private Link access for your service in the Aiven CLI, set user_config.privatelink_access.<service component> to true for the components you want to enable. For example, for PostgreSQL the command is:

avn service update -c privatelink_access.pg=true AIVEN_SERVICE

Aiven Console

To enable Private Link access in Aiven Console:

  1. On the Overview page of your service, select Service settings from the sidebar.
  2. On the Service settings page, in the Cloud and network section, click Actions > More network configurations.
  3. In the Network configuration window, take the following actions:
    1. Select Add configuration options.
    2. In the search field, enter privatelink_access.
    3. From the displayed component names, select the names of the components that you want to enable (privatelink_access.<service component>).
    4. Select the toggle switches for the selected components to enable them.
    5. Select Save configuration.
tip

Each service component can be controlled separately. For example, you can enable Private Link access for your Aiven for Apache Kafka® service, while allowing Kafka® Connect to only be connected via VNet peering.

After toggling the values, your Private Link resource will be rebuilt with load balancer rules added for the service component's ports.

note

For Aiven for Apache Kafka® services, the security group for the VPC endpoint must allow ingress in the port range 10000-31000. This is to accommodate the pool of Kafka broker ports used in the Private Link implementation.

Acquire connection information

If you have one private endpoint connected to your Aiven service, you can preview the connection information (URI, hostname, or port required to access the service through the private endpoint) in Aiven Console > the service's Overview page > the Connection information section, where you'll also find the switch for the privatelink access route. privatelink-access-route values for host and port differ from those for the dynamic access route used by default to connect to the service.

Use CLI to acquire connection information for more than one AWS PrivateLink connection.

Each endpoint (connection) has PRIVATELINK_CONNECTION_ID, which you can check using the avn service privatelink azure connection list SERVICE_NAME command.

To acquire connection information for your service component using Azure Private Link, run the avn service connection-info command.

  • For SSL connection information for your service component using Azure Private Link, run the following command:

    avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID

Where:

  • UTILITY_NAME is kcat, for example

  • SERVICE_NAME is kafka-12a3b4c5, for example

  • PRIVATELINK_CONNECTION_ID is plc39413abcdef, for example

  • For SASL connection information for Aiven for Apache Kafka® service components using Azure Private Link, run the following command:

    avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID -a sasl

Where:

  • UTILITY_NAME is kcat, for example
  • SERVICE_NAME is kafka-12a3b4c5, for example
  • PRIVATELINK_CONNECTION_ID is plc39413abcdef, for example
note

SSL certificates and SASL credentials are the same for all the connections.

Update subscription list

In the Aiven CLI, you can update the list of Azure subscriptions that have access to Aiven service endpoints:

avn service privatelink azure update AIVEN_SERVICE SUBSCRIPTION_ID

Use the Aiven CLI to delete the Azure Load Balancer and Private Link service:

avn service privatelink azure delete AIVEN_SERVICE