Issue
Your app will be upgraded to include a third availability zone and you need to configure your VPC Allow List to include the new subnets
Resolution
Heroku customers using any of the following configurations will need to make certain required changes (described below) to ensure that their VPC Peering Setup will continue to function after their spaces have been upgraded to three AZs:
- any customers who have employed the specific type of VPC Peering setup described in Option 2: Add multiple routes to specific Private Space subnets in the Private Space Peering Dev Center Documentation.
Note: if you configured the Peering setup using Option 1: Add one route for entire Private Space CIDR block, then no action is needed on your part.
-
any customers using EC2 Security Groups referencing dyno /20 subnets
-
any customers using Network ACLs referencing dyno /20 subnets
Previously, any of the three setups above required referencing two /20 subnets. After the platform upgrade to a third AZ, however, customers must now add another /20 subnet for that third AZ and for their Peering setup to continue to function. Therefore, for each of your Private Spaces using any of the three setups above, you will need to add the following new setup configuration, with each subnet specific to each Private Space.
NOTE: subnets and app names provided in direct email to customer on May 15, 2023 with subject line: [Action Required] Verify Private Space Peering Configuration to Upgrade to Third Availability Zone
(Note that the heroku spaces:peering:info spaces-peering-example command won't output the new dyno CIDRs until after the upgrade is complete, so please use the information in the email from May 15, 2023 to configure your VPC setup correctly if attempting to configure prior to June 15, 2023)
See the applicable Heroku Dev Center for details on how to configure routes, security groups and network ACLs for the new third dyno CIDR.
You must update your Private Space Peering setup by June 15, 2023.
After June 15, 2023, Heroku will upgrade all Private Space apps on the platform to three availability zones, and VPC Peering Connection setups may not work fully if the above changes have not been made.