From 6d1be5a3120ca6a78c99df02dbe7148978894373 Mon Sep 17 00:00:00 2001
From: Dorota Wojcik <dorota.wojcik@aiven.io>
Date: Tue, 3 Dec 2024 17:19:44 +0100
Subject: [PATCH] manage org vpcs

---
 docs/platform/concepts/vpc-peering.md         |   5 +-
 docs/platform/concepts/vpcs.md                |   5 +-
 .../platform/howto/manage-organization-vpc.md | 156 ++++++++++++++++++
 docs/platform/howto/manage-project-vpc.md     |   1 -
 sidebars.ts                                   |   1 +
 src/components/ConsoleIcons/index.tsx         |  13 ++
 6 files changed, 174 insertions(+), 7 deletions(-)
 create mode 100644 docs/platform/howto/manage-organization-vpc.md

diff --git a/docs/platform/concepts/vpc-peering.md b/docs/platform/concepts/vpc-peering.md
index 0de3d405..5e1d6bc6 100644
--- a/docs/platform/concepts/vpc-peering.md
+++ b/docs/platform/concepts/vpc-peering.md
@@ -3,7 +3,7 @@ title: Virtual private cloud (VPC) peering in Aiven
 sidebar_label: VPC peering
 ---
 
-VPC peering supported on the Aiven Platform improves network connectivity and security. It simplifies architecture, helps reduce network latency, and enhances resource sharing while maintaining isolation and control.
+The VPC peering capability supported on the Aiven Platform improves network connectivity and security. It simplifies architecture, helps reduce network latency, and enhances resource sharing while maintaining isolation and control.
 
 [VPC](/docs/platform/concepts/vpcs) peering is a networking connection between two VPCs.
 It allows private and direct communication between the VPCs with no traffic routing over
@@ -38,8 +38,7 @@ Aiven allows you to set up project VPC peerings with the following cloud provide
 
 ## Learn more
 
-There are the following cloud-provider-specific articles you might want to read to have a
-full picture:
+For information on VPC peering supported by a particular cloud provider, see the following:
 
 - AWS: [VPC peering process, lifecycle, and limitations](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html)
 - Google Cloud: [VPC Network Peering](https://cloud.google.com/vpc/docs/vpc-peering)
diff --git a/docs/platform/concepts/vpcs.md b/docs/platform/concepts/vpcs.md
index eb6bf097..a548251c 100644
--- a/docs/platform/concepts/vpcs.md
+++ b/docs/platform/concepts/vpcs.md
@@ -67,12 +67,11 @@ organization. An organization-wide VPC allows different projects to share a cent
 network infrastructure while maintaining isolation and control.
 
 Learn how to
-[create and manage organization VPCs in Aiven](/docs/platform/howto/manage-project-vpc).
+[create and manage organization VPCs in Aiven](/docs/platform/howto/manage-organization-vpc).
 
 ## Learn more
 
-There are the following cloud-provider-specific articles you might want to read to have a
-full picture:
+For information on VPCs supported by particular cloud providers, see the following:
 
 - AWS: [How Amazon VPC works](https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html])
 - Google Cloud: [VPC networks](https://cloud.google.com/vpc/docs/vpc)
diff --git a/docs/platform/howto/manage-organization-vpc.md b/docs/platform/howto/manage-organization-vpc.md
new file mode 100644
index 00000000..4350fcd8
--- /dev/null
+++ b/docs/platform/howto/manage-organization-vpc.md
@@ -0,0 +1,156 @@
+---
+title: Manage organization virtual private clouds (VPCs) in Aiven
+sidebar_label: Manage organization VPCs
+---
+
+import ConsoleLabel from "@site/src/components/ConsoleIcons";
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+Set up or delete an organization-wide VPC in the Aiven Platform. Enable new Aiven projects in the organization VPC or migrate existing Aiven projects to the organization VPC. Access resources within the organization VPC from the public internet.
+
+## Prerequisites
+
+You need the [super admin role](/docs/platform/howto/make-super-admin) to manage an
+organization VPC.
+
+## Create an organization VPC
+
+Create an organization VPC using a tool of your choice:
+
+<Tabs groupId="group1">
+<TabItem value="console" label="Aiven Console" default>
+
+1. Log in to the [Aiven Console](https://console.aiven.io/), and click **Admin** in the
+   top navigation bar.
+1. Click <ConsoleLabel name="organizationvpcs"/> in the sidebar and **Create VPC** on the
+   **Organization VPCs** page.
+1. In the **Create VPC** window:
+   1. Select a cloud provider.
+   1. Select a cloud region.
+   1. Specify an IP range.
+
+      - Use an IP range that does not overlap with any networks to be connected via VPC
+        peering. For example, if your own networks use the range `11.1.1.0/8`, you can set
+        the range for your Aiven project's VPC to `191.161.1.0/24`.
+      - Use a network prefix that is 20-24 character long.
+
+   1. Click **Create VPC**.
+
+Your new organization VPC is ready to use as soon as its status visible on the
+**Organization VPCs** page changes to **Active**.
+
+</TabItem>
+<TabItem value="cli" label="Aiven CLI">
+
+</TabItem>
+<TabItem value="api" label="Aiven API">
+
+</TabItem>
+</Tabs>
+
+<!--
+## Enable new projects in an organization VPC
+
+When you create a service, your peered VPC is available as a new
+geolocation on the **VPC** tab under **Select service region**. It can
+take a few minutes for a newly created VPC to appear for service
+deployments.
+
+:::note
+The service nodes use firewall rules to allow only connections from
+private IP ranges that originate from networks on the other end of VPC
+peering connections. You can only deploy services to a VPC if they
+belong to the project where that specific VPC was created.
+:::
+-->
+
+<!--
+## Migrate existing projects to an organization VPC
+
+You can migrate any Aiven service to a different VPC:
+
+1. In [Aiven Console](https://console.aiven.io/), open your service and click <ConsoleLabel name="Service settings"/>.
+1. In the **Cloud and
+   network** section, click <ConsoleLabel name="actions"/> >  **Change cloud or region**.
+1. In the **Region** section, select the **VPCs** tab, select the VPC and click **Migrate**.
+-->
+
+<!--
+## Access organization VPC resources from the public internet
+
+When you move your service to a VPC, access from public networks is
+blocked by default. If you switch to public access, a separate endpoint
+is created with a public prefix. You can enable public internet access
+for your services by following the
+[Enable public access in a VPC](/docs/platform/howto/public-access-in-vpc) instructions.
+
+IP filtering is available for a service deployed to a VPC. It's recommended to
+[use IP filtering](/docs/platform/howto/restrict-access#restrict-access) when your VPC
+service is also exposed to the public internet.
+
+:::note
+If your service is within a VPC, the VPC configuration filters incoming traffic before the
+IP filter is applied.
+:::
+
+Safelisting applies to both internal and external traffic. If you
+safelist an external IP address and want to keep traffic flowing with
+the internal (peered) connections, safelist the CIDR blocks of the peered networks as well
+to avoid disruptions to the service.
+-->
+
+## Delete an organization VPC
+
+:::important
+
+- Before deleting an organization VPC, move all services out of this VPC.
+- Once an organization VPC is deleted, the cloud-provider side of the peering connections
+  becomes `inactive` or `deleted`.
+
+:::
+
+Delete an organization VPC using a tool of your choice:
+
+<Tabs groupId="group1">
+<TabItem value="console" label="Aiven Console" default>
+
+1. Log in to the [Aiven Console](https://console.aiven.io/), and click **Admin** in the
+   top navigation bar.
+1. Click <ConsoleLabel name="organizationvpcs"/> in the sidebar.
+1. On the **Organization VPCs** page, find a VPC to be deleted and click
+   <ConsoleLabel name="actions"/> > <ConsoleLabel name="delete"/>.
+1. In the **Confirmation** window, click **Delete VPC**.
+
+</TabItem>
+<TabItem value="cli" label="Aiven CLI">
+
+</TabItem>
+<TabItem value="api" label="Aiven API">
+
+</TabItem>
+</Tabs>
+
+<!--
+## Troubleshoot VPC connection issues
+
+Any network changes to VPC peered hosts external from Aiven can cause
+issues with routing to your Aiven services hosted in a VPC. In such
+case, try to refresh your VPC connections.
+
+:::note
+Changes to your VPCs (such as adding a new subnet) can take up to 24
+hours to take effect so wait at least 24 hours before refreshing your VPC
+connections.
+:::
+
+To refresh your VCP connections:
+
+1. In [Aiven Console](https://console.aiven.io/), select <ConsoleLabel name="vpcs"/>.
+1. Find the ID of the affected VPC and select it from the **Internal
+   ID** column.
+1. Select **Refresh VPC connections**.
+
+The platform checks the VPC peering connection and rebuilds the peering
+connection state if there are any changes detected.
+-->
diff --git a/docs/platform/howto/manage-project-vpc.md b/docs/platform/howto/manage-project-vpc.md
index bb437ea7..37f36d79 100644
--- a/docs/platform/howto/manage-project-vpc.md
+++ b/docs/platform/howto/manage-project-vpc.md
@@ -7,7 +7,6 @@ import ConsoleLabel from "@site/src/components/ConsoleIcons"
 
 Set up or delete a project-wide VPC in your Aiven organization. Deploy or migrate Aiven-managed services to your project VPC. Access resources within the project VPC from the public internet.
 
-
 <!--
 Virtual Private Cloud (VPC) peering is a method of connecting separate AWS, Google Cloud,
 or Azure private networks with each other. It allows virtual machines in the different
diff --git a/sidebars.ts b/sidebars.ts
index d86be0df..5dab5458 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -258,6 +258,7 @@ const sidebars: SidebarsConfig = {
               items: [
                 'platform/concepts/vpc-peering',
                 'platform/howto/manage-project-vpc',
+                'platform/howto/manage-organization-vpc',
                 'platform/howto/public-access-in-vpc',
                 'platform/howto/vpc-peering-gcp',
                 'platform/howto/vpc-peering-aws',
diff --git a/src/components/ConsoleIcons/index.tsx b/src/components/ConsoleIcons/index.tsx
index bc893d78..cf7a73f4 100644
--- a/src/components/ConsoleIcons/index.tsx
+++ b/src/components/ConsoleIcons/index.tsx
@@ -189,6 +189,13 @@ export default function ConsoleLabel({name}): ReactElement {
           <b>Bring your own cloud</b>
         </>
       );
+      case 'organizationvpcs':
+        return (
+          <>
+            <ConsoleIconWrapper icon={ConsoleIcons.cloud} />{' '}
+            <b>Organization VPCs</b>
+          </>
+        );
     case 'eventlog':
       return (
         <>
@@ -395,6 +402,12 @@ export default function ConsoleLabel({name}): ReactElement {
           <ConsoleIconWrapper icon={ConsoleIcons.trash} /> <b>Delete user</b>
         </>
       );
+      case 'delete':
+        return (
+          <>
+            <ConsoleIconWrapper icon={ConsoleIcons.trash} /> <b>Delete</b>
+          </>
+        );
     case 'addconfigoptions':
       return (
         <>