Manage AWS Private Endpoints Using the Capella UI

    Configure and manage AWS private endpoints for App Services using the Capella UI.

    This guide walks you through setting up AWS private endpoints for App Services using the Capella UI for a streamlined, guided experience.

    Prerequisites

    Before you set up and connect an AWS private endpoint for an App Service, you need:

    • A successfully deployed Couchbase Capella cluster and App Service.

    • Information about your AWS network, including:

      • The AWS VPC ID of the VPC that should reach App Services privately.

      • The AWS Subnet ID of each subnet in which the endpoint should have a network interface (at most one subnet per Availability Zone you connect from).

    • The AWS Command Line Interface (CLI) installed and configured with credentials for the account that owns the VPC, with permission to create VPC endpoints and to modify security groups and network ACLs.

    • Access to the AWS VPC console.

    Configuration Procedure

    To configure private endpoints using the UI, open the Capella UI, a terminal with the AWS CLI, and the AWS VPC console, then work through the sections below in order.

    Enable Private Endpoints

    In Capella, enable Private Endpoints:

    Enabling Private Endpoints bills your account hourly for AWS PrivateLink until you disable the Private Endpoint Service again.

    1. Go to Operational and click the name of your cluster.

    2. Click the name of the App Service where you want to add an AWS PrivateLink connection.

    3. Go to Settings > Private Endpoints.

    4. Click Enable Private Endpoint Service.

      It can take several minutes for Capella to enable private endpoints. When private endpoints are available, the page shows all the controls you need to manage private endpoints in Capella. You can leave and return to the Private Endpoints page at any time.

    Add a Private Endpoint

    To add a private endpoint:

    1. Click Add Private Endpoint.

    2. In the Provide Private Endpoint Details section, add the following information:

      • VPC ID: your AWS VPC ID.

      • Subnet IDs: each Subnet ID, separated by commas.

    3. Click Next.

    4. Copy and run the shell script provided by Capella:

      1. In the Run the following script area, click Copy Script.

      2. With the AWS CLI installed and authenticated against the account that owns the VPC, run the copied shell script in your terminal.

        The script runs the AWS CLI command that creates an interface endpoint in your chosen VPC, pointed at Capella's endpoint service. Read it before you run it, as you would any script executed with cloud credentials. When successful, the CLI prints the provisioning details of the new endpoint, for example:

        {
          "VpcEndpoint": {
            "VpcEndpointId": "vpce-06da68c605432752f",
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-08bf9fdbf7174a563",
            "ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-015986e75057cc4e6",
            "State": "pendingAcceptance",
            "RouteTableIds": [],
            "SubnetIds": [
              "subnet-05f92391c3bb6b0fd",
              "subnet-0b70e5c9e897f7ef0"
            ],
            "Groups": [
              {
                "GroupId": "sg-01505951c7752141d",
                "GroupName": "default"
              }
            ],
            "PrivateDnsEnabled": false,
            "RequesterManaged": false,
            "NetworkInterfaceIds": [
              "eni-08cb66b65644ac32e",
              "eni-0c824869e81a21fac"
            ],
            "DnsEntries": [
              {
                "DnsName": "vpce-06da68c605432752f-1zrggw92.vpce-svc-015986e75057cc4e6.us-west-2.vpce.amazonaws.com",
                "HostedZoneId": "Z1YSA3EXCYUU9Z"
              },
              {
                "DnsName": "vpce-06da68c605432752f-1zrggw92-us-west-2b.vpce-svc-015986e75057cc4e6.us-west-2.vpce.amazonaws.com",
                "HostedZoneId": "Z1YSA3EXCYUU9Z"
              },
              {
                "DnsName": "vpce-06da68c605432752f-1zrggw92-us-west-2a.vpce-svc-015986e75057cc4e6.us-west-2.vpce.amazonaws.com",
                "HostedZoneId": "Z1YSA3EXCYUU9Z"
              }
            ],
            "CreationTimestamp": "2022-11-15T18:50:45.062000+00:00",
            "OwnerId": "429712224361"
          }
        }
    5. Back in Capella, the new interface endpoint appears with a Pending Acceptance status. Before you click Accept, check that the endpoint ID shown matches the VpcEndpointId in your CLI output, so that you only accept a connection request that came from your own AWS account. Then click Accept.

    6. After you accept the connection, validate it: in AWS, the endpoint's State moves from pendingAcceptance to available. Note that PrivateDnsEnabled is false in the output above; the next section turns it on, so that the App Service hostname resolves to the endpoint's private addresses from inside your VPC.

    Configure Your AWS VPC Console Settings

    These steps are required to complete the private endpoint configuration. Complete them in the AWS VPC console: enable private DNS names for the endpoint, enable DNS resolution and hostnames for the VPC, allow the App Services ports in the endpoint's security group, and allow the traffic in your network ACL.

    Enable Private DNS Names

    To enable private DNS names for the new endpoint:

    1. In the navigation pane, click Endpoints.

    2. With your endpoint selected, click Actions > Modify private DNS name.

    3. On the Modify private DNS name screen, select Enable for this endpoint.

    4. Click Save changes.

    Edit VPC Settings

    To edit your VPC settings:

    1. In the navigation pane, click Your VPCs.

    2. With your VPC selected, click Actions > Edit VPC settings.

    3. In the Edit VPC settings dialog, select Enable DNS resolution and Enable DNS hostnames.

    4. Click Save.

    5. With the Your VPCs page open, find and record the IPv4 CIDR value for your VPC. You need this for later steps.

    Add an Inbound Rule

    To add an inbound rule for the private endpoint:

    1. In the navigation pane, click Endpoints.

    2. Select your endpoint.

    3. In the Security groups panel, click the Group ID link. Because the script did not specify a security group, the endpoint's network interfaces were placed in your VPC's default security group. Rules you add here apply to everything else that uses the default group; if that is wider than you want, attach a dedicated security group to the endpoint (Actions > Manage security groups) and add the rules there instead.

    4. With the security group open to the Inbound rules panel, click Edit inbound rules.

    5. In the Edit inbound rules dialog, add Custom TCP rules with the VPC IPv4 CIDR you recorded earlier as the source and the following port ranges (security groups are stateful, so no outbound rule is needed for the replies):

      • 4984-4985

      • 4988

    6. Click Save rules.

    Configure Inbound and Outbound Network ACL Rules

    To configure your network access control list (ACL) with an Inbound and Outbound rule:

    1. In the navigation pane, click Network ACLs.

    2. On the Network ACLs page, select the Network ACL associated with your VPC.

    3. Configure your inbound rule:

      1. Click Actions > Edit inbound rules.

      2. On the Edit inbound rules page, add a new inbound rule with these values:

        • Type: All traffic

        • Port range: All

        • Source: your VPC IPv4 CIDR, for example 10.0.0.0/16

        Before you allow All traffic inbound, consult your security team and confirm that your private link meets your security standards. Network ACLs are stateless, so an ACL must permit both directions of a connection; the default network ACL already allows all traffic in both directions, and these rules matter when you use a custom ACL. For any further questions or concerns, contact Couchbase Support.

      3. Click Save changes.

    4. Configure your outbound rule:

      1. Click Actions > Edit outbound rules.

      2. On the Edit outbound rules page, add new outbound rules with these values (a network ACL rule carries a single port range, so 4984-4985 and 4988 need one rule each):

        • Type: Custom TCP

        • Port range: 4984-4985 for the first rule, 4988 for the second

        • Destination: your VPC IPv4 CIDR, for example 10.0.0.0/16

      3. Click Save changes.
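    The same configuration, scripted. This is an added example and not Couchbase's generated script: it gives the AWS CLI equivalents of the script step in Add a Private Endpoint and of the four console sections above, so the whole change can be reviewed and repeated. The VPC, subnet, endpoint, security group and service-name values are taken from the sample output earlier on this page; the network ACL ID and the rule numbers are placeholders. Replace all of them with the values Capella shows you.

```shell
#!/usr/bin/env bash
# Added example (not Couchbase's script): AWS CLI equivalents of the console
# steps on this page. IDs, service name and CIDR are placeholders taken from
# the page's sample output; replace them with the values Capella shows you.
set -eu

# Dry run: AWS="echo aws" prints every command instead of executing it.
# $AWS is expanded unquoted on purpose so that this works.
AWS=${AWS:-aws}

# "Add a Private Endpoint", step 4: create the interface endpoint in your VPC,
# one network interface per listed subnet, pointed at Capella's endpoint
# service. Prints the new endpoint ID.
create_endpoint() {
    local vpc_id=$1 service_name=$2; shift 2
    $AWS ec2 create-vpc-endpoint \
        --vpc-id "$vpc_id" \
        --vpc-endpoint-type Interface \
        --service-name "$service_name" \
        --subnet-ids "$@" \
        --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Step 6: after you click Accept in Capella, poll until the endpoint leaves
# pendingAcceptance. Gives up after about five minutes.
wait_until_available() {
    local endpoint_id=$1 state tries=0
    while [ "$tries" -lt 30 ]; do
        state=$($AWS ec2 describe-vpc-endpoints --vpc-endpoint-ids "$endpoint_id" \
            --query 'VpcEndpoints[0].State' --output text)
        case $state in
            available) return 0 ;;
            rejected|failed|deleted) echo "endpoint $endpoint_id is $state" >&2; return 1 ;;
        esac
        tries=$((tries + 1)); sleep 10
    done
    echo "timed out waiting for $endpoint_id" >&2; return 1
}

# "Enable Private DNS Names" and "Edit VPC Settings": the CLI creates endpoints
# with PrivateDnsEnabled=false, as the sample output shows. modify-vpc-attribute
# accepts only one attribute per call.
enable_private_dns() {
    local endpoint_id=$1 vpc_id=$2
    $AWS ec2 modify-vpc-endpoint --vpc-endpoint-id "$endpoint_id" --private-dns-enabled
    $AWS ec2 modify-vpc-attribute --vpc-id "$vpc_id" --enable-dns-support '{"Value":true}'
    $AWS ec2 modify-vpc-attribute --vpc-id "$vpc_id" --enable-dns-hostnames '{"Value":true}'
}

# "Add an Inbound Rule": open only the App Services ports, TCP only, and only
# from the VPC CIDR. Security groups are stateful, so no egress rule is needed
# for the replies. Pass a dedicated group instead of "default" if you do not
# want these rules on everything that uses the default group.
allow_app_services_ingress() {
    local sg_id=$1 cidr=$2
    $AWS ec2 authorize-security-group-ingress --group-id "$sg_id" --ip-permissions \
        "IpProtocol=tcp,FromPort=4984,ToPort=4985,IpRanges=[{CidrIp=$cidr}]" \
        "IpProtocol=tcp,FromPort=4988,ToPort=4988,IpRanges=[{CidrIp=$cidr}]"
}

# "Configure Inbound and Outbound Network ACL Rules": the rules the page
# describes. Network ACLs are stateless, so both directions are added.
# Rule numbers 100/110 are placeholders; pick numbers free in your ACL.
allow_app_services_nacl() {
    local acl_id=$1 cidr=$2
    $AWS ec2 create-network-acl-entry --network-acl-id "$acl_id" --ingress \
        --rule-number 100 --protocol -1 --rule-action allow --cidr-block "$cidr"
    $AWS ec2 create-network-acl-entry --network-acl-id "$acl_id" --egress \
        --rule-number 100 --protocol tcp --rule-action allow --cidr-block "$cidr" \
        --port-range From=4984,To=4985
    $AWS ec2 create-network-acl-entry --network-acl-id "$acl_id" --egress \
        --rule-number 110 --protocol tcp --rule-action allow --cidr-block "$cidr" \
        --port-range From=4988,To=4988
}

# Final check: prints the endpoint state and whether private DNS is on
# (expected: available and True once everything above has applied).
verify_endpoint() {
    local endpoint_id=$1
    $AWS ec2 describe-vpc-endpoints --vpc-endpoint-ids "$endpoint_id" \
        --query 'VpcEndpoints[0].[State,PrivateDnsEnabled]' --output text
}

# Usage with the values from the page's sample output (acl-... is a placeholder):
#   ep=$(create_endpoint vpc-08bf9fdbf7174a563 \
#        com.amazonaws.vpce.us-west-2.vpce-svc-015986e75057cc4e6 \
#        subnet-05f92391c3bb6b0fd subnet-0b70e5c9e897f7ef0)
#   # click Accept on the Private Endpoints page in Capella, then:
#   wait_until_available "$ep"
#   enable_private_dns "$ep" vpc-08bf9fdbf7174a563
#   cidr=$($AWS ec2 describe-vpcs --vpc-ids vpc-08bf9fdbf7174a563 \
#          --query 'Vpcs[0].CidrBlock' --output text)
#   allow_app_services_ingress sg-01505951c7752141d "$cidr"
#   allow_app_services_nacl acl-0123456789abcdef0 "$cidr"
#   verify_endpoint "$ep"
```

    Run it once with AWS="echo aws" to see exactly which API calls it will make with your values, then run it for real; keep the security group rules TCP-only and scoped to the VPC CIDR rather than widening them to 0.0.0.0/0.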

    Additional Operations

    Turn App Services On and Off

    The App Services On/Off feature is fully compatible with private endpoints. When an App Service is turned off, any private endpoints will remain in place, although not usable. When the App Service is turned back on, any private endpoints will begin working again. You do not need to re-create any private endpoints.

    When an App Service is turned off, a network load balancer remains active in the infrastructure to maintain the private endpoint state, so some cost continues even though the App Service is off. To avoid this cost, delete the interface endpoint in AWS and disable the Private Endpoint Service in Capella before you turn off the App Service.

    Disable Private Endpoints

    To disable private endpoints in the Capella UI:

    1. Go to Operational and click the name of your cluster.

    2. Click the name of the App Service.

    3. Go to Settings > Private Endpoints.

    4. Click Disable Private Endpoint Service.

    All existing connections are rejected and the private endpoint service is torn down. The interface endpoint in your AWS account is not removed for you; delete it from the Endpoints page of the VPC console once it is no longer needed.