Merge pull request #2160 from aiven/dorota-platform-multiple-privatel…

…ink-connections
aiven · Sep 29, 2023 · 7285908 · 7285908
2 parents eb8bf9a + 69577a1
commit 7285908
Show file tree

Hide file tree

Showing 4 changed files with 141 additions and 17 deletions.
diff --git a/.github/vale/styles/Aiven/capitalization_headings.yml b/.github/vale/styles/Aiven/capitalization_headings.yml
@@ -104,6 +104,7 @@ exceptions:
   - Postman
   - Premium
   - Private Link
+  - PrivateLink
   - Private Service Connect
   - Project
   - Prometheus

diff --git a/docs/platform/howto/use-aws-privatelinks.rst b/docs/platform/howto/use-aws-privatelinks.rst
@@ -142,25 +142,61 @@ currently support AWS PrivateLink.
    successful heartbeats before they transition from the ``initial``
    state to ``healthy`` and are included in the active forwarding rules of the load balancer.
 
-   | **Note:** Currently, you can only create one VPC endpoint for each
-     Aiven service.
-
 .. _h_b6605132ff:
 
-Connection information
-----------------------
+Acquire connection information
+------------------------------
+
+One AWS PrivateLink connection
+''''''''''''''''''''''''''''''
+
+If you have one private endpoint connected to your Aiven service, you can preview the connection information (URI, hostname, or port required to access the service through the private endpoint) in `Aiven Console <https://console.aiven.io/>`_ > the service's **Overview** page > the **Connection information** section, where you'll also find the switch for the ``privatelink`` access route. ``privatelink``-access-route values for ``host`` and ``port`` differ from those for the ``dynamic`` access route used by default to connect to the service.
+
+.. note::
+
+   You can use the same credentials with any access route.
+
+Multiple AWS PrivateLink connections
+''''''''''''''''''''''''''''''''''''
+
+Use CLI to acquire connection information for more than one AWS PrivateLink connection.
+
+Each endpoint (connection) has PRIVATELINK_CONNECTION_ID, which you can check using the :doc:`avn service privatelink aws connection list SERVICE_NAME </docs/tools/cli/service/privatelink>` command.
+
+To acquire connection information for your service component using AWS PrivateLink, run the :doc:`avn service connection-info </docs/tools/cli/service/connection-info>` command.
+
+* For SSL connection information for your service component using AWS PrivateLink, run the following command:
+
+.. code-block:: bash
+
+   avn service connection-info UTILITY_NAME SERVICE_NAME --privatelink-connection-id PRIVATELINK_CONNECTION_ID
+
+.. topic:: Where
+
+  * UTILITY_NAME for Aiven for Apache Kafka®, for example, can be ``kcat``.
+  * SERVICE_NAME for Aiven for Apache Kafka®, for example, can be ``kafka-12a3b4c5``.
+  * PRIVATELINK_CONNECTION_ID can be ``plc39413abcdef``.
+
+* For SASL connection information for Aiven for Apache Kafka® service components using AWS PrivateLink, run the following command:
+
+.. code-block:: bash
+
+   avn service connection-info UTILITY_NAME SERVICE_NAME --privatelink-connection-id PRIVATELINK_CONNECTION_ID -a sasl
+
+.. topic:: Where
+
+  * UTILITY_NAME for Aiven for Apache Kafka®, for example, can be ``kcat``.
+  * SERVICE_NAME for Aiven for Apache Kafka®, for example, can be ``kafka-12a3b4c5``.
+  * PRIVATELINK_CONNECTION_ID can be ``plc39413abcdef``.
+
+.. note::
 
-Once you have enabled PrivateLink access for a service component, a
-switch for the ``privatelink`` access route appears under **Connection
-information** on the **Overview** page in `Aiven Console <https://console.aiven.io>`__. The ``host`` -
-and for some service components such as Kafka, ``port`` - values differ
-from the default ``dynamic`` access route that is used to connect to the
-service. You can use the same credentials with any access route.
+   SSL certificates and SASL credentials are the same for all the connections. You can use the same credentials with any access route.
 
 .. _h_2a1689a687:
 
-Updating the allowed principals list
-------------------------------------
+Update the allowed principals list
+----------------------------------
 
 To change the list of AWS accounts or IAM users or roles that are
 allowed to connect a VPC endpoint:

diff --git a/docs/platform/howto/use-azure-privatelink.rst b/docs/platform/howto/use-azure-privatelink.rst
@@ -161,22 +161,67 @@ To enable Private Link access in `Aiven Console <https://console.aiven.io/>`_:
 
     Each service component can be controlled separately. For example, you can enable Private Link access for your Aiven for Apache Kafka® service, while allowing Kafka® Connect to only be connected via VNet peering.
 
-After toggling the values your Private Link resource will be rebuilt with load balancer rules added for the service component's ports. Connection information like the URI or hostname and port to access the service through the private endpoint is available on the service's **Overview** page in `Aiven Console <https://console.aiven.io/>`_. 
+After toggling the values, your Private Link resource will be rebuilt with load balancer rules added for the service component's ports.
 
 .. note::
 
   For Aiven for Apache Kafka® services, the security group for the VPC endpoint must allow ingress in the port range ``10000-31000``. This is to accommodate the pool of Kafka broker ports used in the Private Link implementation.
 
+Acquire connection information
+------------------------------
+
+One Azure Private Link connection
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you have one private endpoint connected to your Aiven service, you can preview the connection information (URI, hostname, or port required to access the service through the private endpoint) in `Aiven Console <https://console.aiven.io/>`_ > the service's **Overview** page > the **Connection information** section, where you'll also find the switch for the ``privatelink`` access route. ``privatelink``-access-route values for ``host`` and ``port`` differ from those for the ``dynamic`` access route used by default to connect to the service.
+
+Multiple Azure Private Link connections
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use CLI to acquire connection information for more than one AWS PrivateLink connection.
+
+Each endpoint (connection) has PRIVATELINK_CONNECTION_ID, which you can check using the :doc:`avn service privatelink azure connection list SERVICE_NAME </docs/tools/cli/service/privatelink>` command.
+
+To acquire connection information for your service component using Azure Private Link, run the :doc:`avn service connection-info </docs/tools/cli/service/connection-info>` command.
+
+* For SSL connection information for your service component using Azure Private Link, run the following command:
+
+.. code-block:: bash
+
+   avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID
+
+.. topic:: Where
+
+  * UTILITY_NAME is ``kcat``, for example
+  * SERVICE_NAME is ``kafka-12a3b4c5``, for example
+  * PRIVATELINK_CONNECTION_ID is ``plc39413abcdef``, for example
+
+* For SASL connection information for Aiven for Apache Kafka® service components using Azure Private Link, run the following command:
+
+.. code-block:: bash
+
+   avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID -a sasl
+
+.. topic:: Where
+
+  * UTILITY_NAME is ``kcat``, for example
+  * SERVICE_NAME is ``kafka-12a3b4c5``, for example
+  * PRIVATELINK_CONNECTION_ID is ``plc39413abcdef``, for example
+
+.. note::
+
+   SSL certificates and SASL credentials are the same for all the connections.
+
 Update subscription list
---------------------------
+------------------------
 In the Aiven CLI, you can update the list of Azure subscriptions that have access to Aiven service endpoints:
 
 .. code:: shell
 
     avn service privatelink azure update AIVEN_SERVICE SUBSCRIPTION_ID
 
 Delete a Private Link service
-------------------------------
+-----------------------------
 Use the Aiven CLI to delete the Azure Load Balancer and Private Link service:
 
 .. code:: shell

diff --git a/docs/platform/howto/use-google-private-service-connect.rst b/docs/platform/howto/use-google-private-service-connect.rst
@@ -176,8 +176,50 @@ To enable Private Link access in `Aiven Console <https://console.aiven.io/>`_, t
 
     Each service component can be controlled separately. For example, you can enable Private Service Connect access for your Aiven for Apache Kafka® service while allowing Kafka® Connect to only be connected via VNet peering.
 
+Acquire connection information
+------------------------------
+
+One Private Service Connect connection
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you have one private endpoint connected to your Aiven service, you can preview the connection information (URI, hostname, or port required to access the service through the private endpoint) in `Aiven Console <https://console.aiven.io/>`_ > the service's **Overview** page > the **Connection information** section, where you'll also find the switch for the ``privatelink`` access route. ``privatelink``-access-route values for ``host`` and ``port`` differ from those for the ``dynamic`` access route used by default to connect to the service.
+
+Multiple Private Service Connect connections
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use CLI to acquire connection information for more than one Private Service Connect connection.
+
+Each endpoint (connection) has PRIVATELINK_CONNECTION_ID, which you can check using the :doc:`avn service privatelink google connection list SERVICE_NAME </docs/tools/cli/service/privatelink>` command.
+
+To acquire connection information for your service component using Private Service Connect, run the :doc:`avn service connection-info </docs/tools/cli/service/connection-info>` command.
+
+* For SSL connection information for your service component using Private Service Connect, run the following command:
+
+.. code-block:: bash
+
+   avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID
+
+.. topic:: Where
+
+  * UTILITY_NAME is ``kcat``, for example
+  * SERVICE_NAME is ``kafka-12a3b4c5``, for example
+  * PRIVATELINK_CONNECTION_ID is ``plc39413abcdef``, for example
+
+* For SASL connection information for Aiven for Apache Kafka® service components using Private Service Connect, run the following command:
+
+.. code-block:: bash
+
+   avn service connection-info UTILITY_NAME SERVICE_NAME -p PRIVATELINK_CONNECTION_ID -a sasl
+
+.. topic:: Where
+
+  * UTILITY_NAME is ``kcat``, for example
+  * SERVICE_NAME is ``kafka-12a3b4c5``, for example
+  * PRIVATELINK_CONNECTION_ID is ``plc39413abcdef``, for example
+
 .. note::
-   Connection information, such as the service URI or hostname and port to access the service through the private endpoint, is available on the service's **Overview** page in `Aiven Console <https://console.aiven.io/>`_.
+
+   SSL certificates and SASL credentials are the same for all the connections.
 
 Delete a Private Link service
 ------------------------------