- Service operations - VPC
- Create a new VPC in Timescale Cloud
- Create a peering connection in Timescale Cloud
- Complete the VPC connection in AWS
- Completing the VPC connection in AWS
- Set up security groups in AWS
- Create a Timescale Cloud service with VPC attachment
- Migrating a VPC service between networks
- Migrating Timescale Cloud services to or between VPCs
Service operations - VPC
Timescale Cloud allows you to create a virtual private cloud (VPC) network between an external cloud provider and your Timescale Cloud services. This allows you to isolate your Timescale Cloud services so that they are only accessible using your external cloud account, and is useful if you need to improve security through a reduction in the potential attack vector surface.
When you have VPC peering set up in your external cloud provider, you can create and configure your VPC peering connections in the Timescale Cloud console. Timescale Cloud provides controls for adding and removing VPC peering connections, migrating services to and from VPCs, and creating new services with VPC peering attachments.
To use Timescale Cloud VPC peering, you need your own cloud VPC, where your applications and infrastructure are already running. This section covers how to get your VPC peering set up in Amazon Web Services (AWS). You can peer your VPC from any AWS region, though the Timescale Cloud VPC itself must be within one of the Cloud-supported regions.
You need to have these permissions on your cloud provider account to set up VPC peering:
- Accept VPC peering requests
- Configure route table rules
- Configure security group and firewall rules
By default, Timescale Cloud allows you to have three VPCs in each project. If you need more VPCs, contact our support team to ask for a quota increase.
warning
When you have attached your Timescale Cloud service to a VPC, it is no longer accessible using the public internet. It is only accessible using your peered AWS VPC.
Sign up for Timescale Cloud
Create a new VPC in Timescale Cloud
To begin, you need to create a new VPC in the Timescale Cloud console.
Creating a new VPC in Timescale Cloud
note
You can create a VPC during your Timescale Cloud trial for free, but you need to enter a valid payment method. You are not charged for the service until your trial has finished.
- Log in to your Timescale Cloud account and navigate to the
VPC
section. - Click
Create VPC
. - In the
Create a VPC
dialog:- Type a name for your new VPC and select the region that matches the region of the service you want to attach it to.
- Provide an IPv4 CIDR block. Make sure that your VPC CIDR block has its mask in the range between 16 and 28 and that the CIDR block you choose for your Timescale Cloud VPC does not overlap with the CIDR block used by your AWS VPC peer. If the CIDR blocks overlap, the peering process fails. You can find the CIDR block of your AWS VPC from the AWS console. This example uses the
10.0.0.0/16
CIDR block.
Create a peering connection in Timescale Cloud
When you have created a Timescale Cloud VPC, you can create a peering connection between your Timescale Cloud VPC and your AWS VPC.
Creating a peering connection in Timescale Cloud
- Log in to your Timescale Cloud account and navigate to the
VPC
section. Click the name of the VPC you want to modify. - In the
VPC Peering
column, clickAdd
. - Provide the AWS account ID, the VPC ID, and the AWS VPC region for the new peering connection.
- Click
Add peering connection
to begin the peering process.
Complete the VPC connection in AWS
When you create a peering connection in Timescale Cloud, the peering request is sent to your AWS account for you to accept. When you have accepted the request, you need to edit the routing table so that network traffic can flow between the AWS VPC, and your Timescale Cloud services.
warning
The request acceptance process is an important safety mechanism. Do not accept a peering connection from an unknown account.
Completing the VPC connection in AWS
- Log in to your AWS dashboard, and navigate to
Peering Connections
to accept the new peering connection request sent from Timescale Cloud. - Take a note of the peering connection ID, which starts with
pcx-
. - Navigate to the
Route Tables
section, and select the route table corresponding to your VPC. - In the
Detail
menu, select theRoutes
tab, and clickEdit routes
. - Click
Add route
, and complete these details:- In the
Destination
column, type the CIDR block of the Timescale Cloud VPC you set up earlier. - In the
Target
column, type the peering connection ID from the incoming peering connection, which starts withpcx-
.
- In the
- Click
Save routes
.
Set up security groups in AWS
You need to create a security group within AWS that allows you to connect to any of your Timescale Cloud services from the peered VPC. These instructions show you how to create a new security group for your VPC, but you can also use an existing security group if you already have one.
Setting up security groups in AWS
- Log in to your AWS dashboard, and navigate to
Security Groups
. - Click
Create security group
, and complete these details:- In the
Security group name
field, type a name for your security group. - In the
VPC
field, select the VPC that is peered with your Timescale Cloud VPC. - Leave the
Inbound rules
section empty. - In the
Outbound rules
section, selectCustom TCP
for the rule type,TCP
for the protocol, and5432
for the port. SelectCustom
for the destination, and type the CIDR block of your Timescale Cloud VPC.
- In the
- Click
Add rule
. - Click
Create security group
.
Create a Timescale Cloud service with VPC attachment
Now that your VPC peering connection is set up, you can create a new Timescale Cloud service with the VPC attachment.
Creating a Timescale Cloud service with VPC attachment
- Log in to your Timescale Cloud account and navigate to the
Services
section. ClickCreate service
and select the compute and disk size as required for your database. - In the
Select a VPC
section, expand the dropdown menu, and select the VPC you created earlier. - Click
Create Service
.
Migrating a VPC service between networks
In most cases, when you have connected a service to a VPC, you need to keep it attached to ensure that your applications continue to run without interruption. However, you can migrate Timescale Cloud services between VPCs within a project, or migrate them to and from the public network, if you need to.
warning
Timescale Cloud uses a different DNS name for a Timescale service once it has been attached to a VPC. This means that you need to update your connection string if you are migrating a service between the public internet and a VPC.
Before you begin, ensure you already have your VPC connection set up.
Migrating Timescale Cloud services to or between VPCs
- Log in to your Timescale Cloud account and navigate to the
Services
section. Click the name of the service you want to migrate. - In the
Operations
tab, navigate to theVPC
section, and select the new VPC to attach the service to. The migration can take a few minutes to complete, and your services are not accessible during this time.
important
Migrating your services to a VPC requires a change to the DNS settings for the service. If you receive a DNS error, allow some more time for DNS propagation to complete.