Aiven provides multiple networking options to securely connect your applications to Aiven services. From public internet access with IP filtering to private VPC peering connections, you can configure networking to match your security and performance requirements.

Networking overview

Aiven services can be accessed through different network configurations:

Public Access

Internet-based connectivity
  • Services accessible over public internet
  • TLS encryption for all connections
  • IP allowlisting for access control
  • Simplest setup, no VPC required

VPC Peering

Private network connectivity
  • Direct private connection between networks
  • No traffic over public internet
  • Lower latency, higher security
  • Supported on AWS, GCP, Azure, UpCloud

AWS PrivateLink

AWS-specific private connectivity
  • Access without VPC peering
  • Simplified network configuration
  • Available for select services
  • AWS only

Static IPs

Fixed IP addresses
  • Predictable IP addresses for services
  • Useful for firewall rules
  • Additional hourly cost
  • Available on all cloud providers
All Aiven connections are encrypted with TLS regardless of network configuration. Private connectivity adds an additional layer of security by keeping traffic off the public internet.

Virtual Private Clouds (VPCs)

VPCs provide isolated network environments for your Aiven services with enhanced security and control.

VPC benefits

  • Isolation - Logical separation from other networks
  • Security - Control over network traffic and routing
  • Private IPs - Services use private IP addresses
  • Customizable - Define your own IP ranges (CIDR blocks)
  • Scalability - Expand as your infrastructure grows

VPC types

Project VPC

Scope: Single Aiven project
  • All services in one project share the VPC
  • Simplest option for most use cases
  • Managed at project level
# Create project VPC
avn vpc create \
  --project my-project \
  --cloud aws-us-east-1 \
  --network-cidr 10.0.0.0/24

# List project VPCs
avn vpc list --project my-project

Creating VPCs

1

Choose CIDR block

Select an IP range that doesn’t conflict with your existing networks. Common choices:
  • 10.0.0.0/24 (256 addresses)
  • 10.1.0.0/23 (512 addresses)
  • 192.168.0.0/24 (256 addresses)
2

Create VPC

Using Aiven Console:
  1. Navigate to project → VPCs
  2. Click Create VPC
  3. Select cloud and region
  4. Enter network CIDR
  5. Click Create
3

Deploy services

New services in the project can now use the VPC
4

Set up peering (optional)

Create peering connection to connect with your infrastructure
Choose your CIDR block carefully. It cannot be changed after creation, and it must not overlap with networks you want to peer with.

VPC Peering

VPC peering creates a private network connection between your Aiven VPC and your own VPC in AWS, GCP, Azure, or UpCloud.

Peering benefits

  • Private communication - Direct connection using private IPs
  • High performance - Low latency by staying on cloud provider’s network
  • Security - No exposure to public internet
  • Scalability - Support for cross-account and cross-region connections

VPC peering workflow

1

Create Aiven VPC

Create a VPC in your Aiven project with non-overlapping CIDR
2

Create peering connection

Initiate peering from Aiven Console or CLI
3

Accept or mirror the peering in your cloud

On AWS, accept the pending peering request in your console. On GCP and Azure there is no request to accept: create the matching peering from your VPC network or VNet toward the Aiven VPC so that both sides are configured
4

Update route tables

Configure routing to allow traffic between VPCs
5

Update security groups

Allow traffic from your clients to the Aiven VPC CIDR on the service port (an explicit egress rule if your security groups restrict outbound traffic). Add an inbound rule from the Aiven CIDR only if Aiven services must reach resources in your network, for example an integration that pulls from your database
6

Test connectivity

Verify services are accessible from your VPC

Peering on AWS

# Create VPC in Aiven
avn vpc create \
  --project my-project \
  --cloud aws-us-east-1 \
  --network-cidr 10.0.0.0/24

# Note the VPC ID from output

Peering on Google Cloud

avn vpc create \
  --project my-project \
  --cloud google-us-central1 \
  --network-cidr 10.0.0.0/24

Peering on Azure

avn vpc create \
  --project my-project \
  --cloud azure-eastus \
  --network-cidr 10.0.0.0/24

Peering troubleshooting

Peering connection never becomes active
Cause: Peering not accepted in your cloud account
Solution:
  1. Check for pending peering request in your cloud console
  2. Verify peer account ID, VPC ID, region are correct
  3. Accept the peering connection
  4. Wait a few minutes for connection to activate
Peering is active but connections time out
Cause: Missing routes or security group rules
Solution:
  1. Verify route table has a route to the Aiven VPC CIDR via the peering connection
  2. Check security groups allow outbound traffic from your clients to the Aiven VPC CIDR on the service port
  3. Verify the service is using the private VPC hostname, not the public one
  4. Test with nc -zv <service-host> <port>
CIDR overlap
Cause: Aiven VPC CIDR overlaps with your VPC
Solution:
  1. Delete the Aiven VPC (if no services deployed)
  2. Create new VPC with non-overlapping CIDR
  3. If services exist, migrate to new VPC
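The CIDR choice in Creating VPCs and steps 4 to 5 of the peering workflow (routes and security groups, which are also the second troubleshooting cause) can be checked before anything is created or changed. The following is an added example, not Aiven’s code: it checks a candidate Aiven VPC CIDR against the networks you will peer with, then checks a peer-side route table and a client security group for that CIDR. The networks, IDs and rules are constructed; the route and security-group records only mirror the field names of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` output so real output can be fed in.

```python
"""Pre-flight checks for an Aiven VPC CIDR and the peer side of a peering.

Added example, not Aiven's code. The networks, route entries and security
group entries below are constructed; the route and security-group records
only mirror the field names of `aws ec2 describe-route-tables` and
`aws ec2 describe-security-groups` output.
"""
import ipaddress


def _net(cidr):
    # strict=True rejects host bits set (e.g. 10.0.0.5/24), which is not a network
    return ipaddress.ip_network(cidr, strict=True)


def find_overlaps(candidate, existing):
    """Names of networks in `existing` (name -> CIDR) that overlap the candidate CIDR."""
    cand = _net(candidate)
    return sorted(name for name, cidr in existing.items()
                  if _net(cidr).version == cand.version and cand.overlaps(_net(cidr)))


def route_covers(aiven_cidr, routes):
    """True when an active route sends the whole Aiven CIDR to a pcx- peering connection."""
    target = _net(aiven_cidr)
    for route in routes:
        dest = route.get("DestinationCidrBlock")
        if not dest or not route.get("VpcPeeringConnectionId", "").startswith("pcx-"):
            continue  # local, IGW/NAT and IPv6 routes do not carry peered traffic
        if route.get("State", "active") != "active":
            continue
        dest_net = _net(dest)
        if dest_net.version == target.version and dest_net.supernet_of(target):
            return True
    return False


def sg_permits(permissions, cidr, port, proto="tcp"):
    """True when an IpPermissions/IpPermissionsEgress entry allows proto/port for a
    range that contains `cidr`. AWS uses the same record shape for ingress and egress."""
    wanted = _net(cidr)
    for perm in permissions:
        if perm.get("IpProtocol") not in (proto, "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" carries no ports
        if not lo <= port <= hi:
            continue
        for rng in perm.get("IpRanges", []):
            allowed = _net(rng["CidrIp"])
            if allowed.version == wanted.version and allowed.supernet_of(wanted):
                return True
    return False


def open_to_world(permissions):
    """Ranges that match any address; peered traffic needs only the Aiven VPC CIDR."""
    return sorted({rng["CidrIp"] for perm in permissions
                   for rng in perm.get("IpRanges", []) if _net(rng["CidrIp"]).prefixlen == 0})


def check_peering(aiven_cidr, existing_networks, routes, client_egress, port):
    """Collect every finding for a client security group that must reach the service."""
    findings = []
    for name in find_overlaps(aiven_cidr, existing_networks):
        findings.append(f"{aiven_cidr} overlaps {name}; choose another CIDR before creating the VPC")
    if not route_covers(aiven_cidr, routes):
        findings.append(f"no active route to {aiven_cidr} via a pcx- peering connection")
    if not sg_permits(client_egress, aiven_cidr, port):
        findings.append(f"client security group egress does not allow tcp/{port} to {aiven_cidr}")
    for cidr in open_to_world(client_egress):
        findings.append(f"egress rule to {cidr} is broader than the peering needs")
    return findings


# Constructed sample data (invented CIDRs and IDs).
EXISTING_NETWORKS = {
    "prod-vpc us-east-1": "10.0.0.0/16",   # the VPC you will peer with
    "office VPN": "192.168.0.0/16",
    "other Aiven VPC": "10.250.1.0/24",
}
ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.250.0.0/24",
     "VpcPeeringConnectionId": "pcx-0123456789abcdef0", "State": "active"},
]
CLIENT_SG_EGRESS = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.250.0.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.250.0.0/24"):
        print(cidr, check_peering(cidr, EXISTING_NETWORKS, ROUTES, CLIENT_SG_EGRESS, 5432) or "OK")
```

With the sample data, 10.0.0.0/24 (the page’s example CIDR) collides with the peer VPC and fails every check, while 10.250.0.0/24 passes apart from the world-open HTTPS egress rule, which the check reports because a least-privilege client group only needs the Aiven CIDR on the service port.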

IP filtering and allowlists

Restrict access to services by IP address without VPC peering:

Configure IP allowlist

1

Open service

Navigate to service → Overview
2

Edit allowlist

Scroll to Allowed IP Addresses and click Add entry
3

Add IP ranges

Enter CIDR blocks (e.g., 203.0.113.0/24)
4

Apply changes

Click Save
Be careful when setting IP filters. If you lock yourself out, contact Aiven support or use the API from an allowed IP to remove the filter.

IP allowlist best practices

1

Use CIDR notation

Specify ranges instead of individual IPs: 203.0.113.0/24 covers 256 addresses. Keep each range no wider than the addresses you actually own; a broader block admits neighbours on the same provider
2

Include backup access

Add your VPN or management network in case primary access fails
3

Document IP ranges

Maintain list of which CIDR blocks represent which offices/networks
4

Use VPC for production

IP filtering is good for development, but VPC peering is more secure for production
5

Review regularly

Audit and update IP allowlists quarterly as infrastructure changes
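The best practices above (CIDR ranges, a guaranteed management path in, regular review) translate into checks you can run over a proposed allowlist before you click Save, which also catches the lockout the earlier note warns about. The following is an added example, not Aiven’s code or API: it normalises the entries the way the console does (a bare IP becomes a /32) and reports invalid entries, a wildcard that disables filtering, entries already covered by a broader one, and a management network that is not allowed. The entries and the management network are constructed.

```python
"""Audit an Aiven service IP allowlist before saving it.

Added example, not Aiven's code. The proposed entries and the management
network below are constructed.
"""
import ipaddress


def audit_allowlist(entries, management_cidr):
    """Return the normalised entries plus findings that would bite later:
    entries the service would reject, a wildcard that filters nothing,
    redundant entries, and a missing management path (lockout risk)."""
    findings, nets = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)  # bare IP -> /32
        except ValueError:
            findings.append(f"invalid entry: {raw!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{net} matches every address, so the allowlist filters nothing")
        nets.append(net)

    for net in nets:
        covered_by = [o for o in nets if o is not net and o.version == net.version
                      and o.prefixlen > 0 and o.supernet_of(net)]
        if covered_by:
            findings.append(f"{net} is redundant: already covered by {covered_by[0]}")

    mgmt = ipaddress.ip_network(management_cidr, strict=False)
    if not any(n.version == mgmt.version and n.supernet_of(mgmt) for n in nets):
        findings.append(f"management network {mgmt} is not allowed: lockout risk if other paths fail")

    ordered = sorted(set(nets), key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return {"entries": [str(n) for n in ordered], "findings": findings}


# Constructed sample: an office block, one stray host, the VPN range,
# a wildcard someone added "temporarily", and a typo.
PROPOSED = ["203.0.113.0/24", "203.0.113.7", "198.51.100.0/24", "0.0.0.0/0", "10.0.0.1/33"]
MANAGEMENT_VPN = "198.51.100.0/24"

if __name__ == "__main__":
    report = audit_allowlist(PROPOSED, MANAGEMENT_VPN)
    print("\n".join(report["entries"]))
    for finding in report["findings"]:
        print("!", finding)
```

Run it against the list you are about to save and against the list you are about to remove entries from: the second run is where the management-network finding matters most, because the API call that removes the last allowed range must itself come from an allowed address.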

Static IP addresses

Static IPs provide predictable IP addresses for services, useful for firewall rules and IP-based tools:

When to use static IPs

  • Firewall rules - Your firewall requires specific IP addresses
  • IP-based tools - Proxies or other tools that use IPs instead of hostnames
  • Predictability - Need consistent IPs across service updates
Static IPs incur a small additional hourly cost. Most use cases are better served by hostnames or VPC peering.

Configuring static IPs

1

Calculate IPs needed

Services need multiple static IPs for high availability:
  • Up to 6 nodes: 2 × number of nodes
  • 6+ nodes: number of nodes + 6
Example: 3-node service needs 6 static IPs
2

Create static IPs

# Create static IP addresses
avn static-ip create \
  --project my-project \
  --cloud aws-us-east-1

# Repeat 6 times for 3-node service
3

Associate with service

# List static IPs to get IDs
avn static-ip list --project my-project

# Associate each IP with the service (the subcommand is associate-service)
avn static-ip associate-service \
  --project my-project \
  --service postgres-1 \
  <STATIC_IP_ID>
4

Enable on service

# Enable static IPs (avn service update takes the service name as a positional argument)
avn service update \
  --project my-project \
  -c static_ips=true \
  postgres-1
This triggers a rolling restart of service nodes.

Managing static IPs

# List static IPs and their states
avn static-ip list --project my-project

# States:
# - created: IP reserved but not associated
# - available: IP associated with service
# - assigned: IP actively in use by service node

# Dissociate IP from service
avn static-ip dissociate-service <STATIC_IP_ID>

# Delete static IP (must be dissociated first)
avn static-ip delete <STATIC_IP_ID>

Public access in VPC

Services in VPCs are private by default, but you can enable public access if needed:
# Enable public access for service in VPC (service name is positional)
avn service update \
  --project my-project \
  -c public_access.pg=true \
  postgres-1

# Enable Prometheus metrics endpoint
avn service update \
  --project my-project \
  -c public_access.prometheus=true \
  postgres-1
Enabling public access reduces security benefits of VPC. Use IP filtering if public access is required.

AWS Transit Gateway

For complex AWS networking, connect Aiven VPCs to AWS Transit Gateway:

Transit Gateway benefits

  • Centralized routing - Single point for all VPC connections
  • Scalability - Connect many VPCs without mesh peering
  • Cross-region - Connect VPCs across AWS regions
  • On-premises - Connect to on-premises networks via VPN/Direct Connect

Setting up Transit Gateway

1

Create Transit Gateway in AWS

aws ec2 create-transit-gateway \
  --description "Aiven services TGW"
2

Share TGW with Aiven AWS account

Use AWS Resource Access Manager to share TGW with Aiven’s AWS account
3

Attach Aiven VPC

avn vpc transit-gateway-attachment create \
  --project my-project \
  --vpc-id <AIVEN_VPC_ID> \
  --peer-cloud-account <AWS_ACCOUNT_ID> \
  --peer-resource-id <TGW_ID> \
  --peer-region us-east-1 \
  --user-peer-network-cidrs "10.1.0.0/16,10.2.0.0/16"
4

Accept attachment in AWS

Accept the Transit Gateway attachment request in AWS Console
5

Update route tables

Configure TGW route tables to route traffic to Aiven VPC

Network security

Encryption

All Aiven connections use TLS encryption:
  • TLS 1.2+ - Modern encryption standards
  • Strong cipher suites - AES-256, ChaCha20
  • Certificate validation - Download the project CA certificate from the Console or CLI and point your client at it. With libpq, sslmode=verify-ca checks that the server certificate chains to that CA; sslmode=verify-full additionally checks that the certificate matches the hostname you connect to
  • Perfect forward secrecy - Ephemeral session keys, so recorded traffic cannot be decrypted if the server’s long-term key is later compromised
# Download CA certificate
avn project ca-get \
  --project my-project \
  --target-filepath ca.pem

# Connect with CA validation (PostgreSQL example)
psql "postgres://user:pass@host:port/db?sslmode=verify-ca&sslrootcert=ca.pem"
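The psql example above only protects you if sslmode is strong enough, and sslmode=prefer (the libpq default) silently falls back to plaintext. The following is an added example, not Aiven’s code: it classifies what a libpq connection URI actually guarantees, following the sslmode semantics documented for libpq, and rewrites it to verify-full with the downloaded CA. The URIs are constructed; the CA path is the ca.pem from the command above.

```python
"""Classify what a libpq connection URI guarantees about TLS, and harden it.

Added example, not Aiven's code. sslmode semantics follow the libpq
documentation; the connection URIs are constructed.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# sslmode -> (encrypted for sure, server certificate checked, hostname checked)
SSLMODE_GUARANTEES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),  # TLS only if the server insists
    "prefer":      (False, False, False),  # libpq default; falls back to plaintext
    "require":     (True,  False, False),  # encrypted, but any certificate is accepted
    "verify-ca":   (True,  True,  False),  # must chain to sslrootcert; hostname not checked
    "verify-full": (True,  True,  True),
}


def tls_posture(uri):
    """Report the guarantees a URI gives; a spoofed server survives anything below verify-full."""
    parts = urlsplit(uri)
    params = dict(parse_qsl(parts.query))
    mode = params.get("sslmode", "prefer")
    if mode not in SSLMODE_GUARANTEES:
        raise ValueError(f"unknown sslmode {mode!r}")
    encrypted, cert_verified, hostname_verified = SSLMODE_GUARANTEES[mode]
    return {
        "host": parts.hostname,            # never echo parts.password into logs
        "sslmode": mode,
        "encrypted": encrypted,
        "cert_verified": cert_verified,
        "hostname_verified": hostname_verified,
        "ca": params.get("sslrootcert"),   # verify-* needs this or ~/.postgresql/root.crt
    }


def harden(uri, ca_path="ca.pem"):
    """Rewrite to sslmode=verify-full with the project CA, keeping every other parameter."""
    parts = urlsplit(uri)
    params = [(k, v) for k, v in parse_qsl(parts.query) if k not in ("sslmode", "sslrootcert")]
    params += [("sslmode", "verify-full"), ("sslrootcert", ca_path)]
    return urlunsplit(parts._replace(query=urlencode(params, safe="/")))


# Constructed URIs as they tend to appear in application config.
SAMPLE_URIS = [
    "postgres://avnadmin:secret@host:12345/defaultdb",
    "postgres://avnadmin:secret@host:12345/defaultdb?sslmode=require",
    "postgres://avnadmin:secret@host:12345/defaultdb?sslmode=verify-ca&sslrootcert=ca.pem",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        before, after = tls_posture(uri), tls_posture(harden(uri))
        print(f"{before['sslmode']:>11} -> {after['sslmode']} (hostname checked: {after['hostname_verified']})")
```

verify-full is the only mode in which a man-in-the-middle holding a certificate from a different CA, or a valid certificate for a different host, is rejected; the Aiven CA plus verify-ca stops the first but not the second.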

Firewall protection

Aiven services are protected by dynamically configured firewalls:
  • iptables-based - Automatic firewall rules
  • Default deny - Only allowed sources can connect
  • IP allowlists - User-controlled allowed IPs
  • VPC isolation - Private IPs only accessible through peering

DDoS protection

Cloud providers offer DDoS protection:
  • AWS Shield - Automatic DDoS protection on AWS
  • GCP Cloud Armor - DDoS mitigation on Google Cloud
  • Azure DDoS Protection - Built-in protection on Azure

Best practices

1

Use VPC peering for production

VPC peering provides better security and performance than public access
2

Plan CIDR blocks carefully

Ensure Aiven VPC CIDRs don’t overlap with your networks or future expansion plans
3

Use IP filtering as backup

Even with VPC peering, add IP filtering as defense in depth
4

Monitor network metrics

Track latency, throughput, and connection counts
5

Document network architecture

Maintain diagrams of VPC peering connections and IP ranges
6

Test failover scenarios

Verify connectivity during service updates and failures
7

Use private endpoints

Prefer private VPC endpoints over public even when both are available
8

Avoid static IPs when possible

Use hostnames or VPC peering instead of static IPs to reduce costs

Next steps

Security

Learn about Aiven’s security architecture

Service Integrations

Connect services using private networking

Monitoring & Logs

Monitor network metrics and connection logs

Organizations

Manage VPC permissions at org level
