Manage AWS Private Endpoints for App Services

  • Capella Operational
  • how-to
    +
    How to configure and manage private endpoints for App Services using Amazon Web Services (AWS).

    To configure and manage AWS private endpoints with App Services, you must use the Capella Operational Management API.

    Examples on this Page

    In the examples on this page:

    • $organizationId is the organization ID.

    • $projectId is the project ID.

    • $clusterId is the cluster ID.

    • $apiKeySecret is the API key secret, used as the Bearer token.

    The endpoints described on this page all have the same base path: /v4/organizations/{organizationId}/projects/{projectId}/clusters/{clusterId}. For clarity, this is not shown in the instructions, but it is included in the examples.

    Prerequisites

    Before you set up and connect an AWS private endpoint for an App Service:

    • You must have successfully deployed the Couchbase Capella cluster and the App Service.

    • You must have installed and configured the AWS Command Line Interface (CLI).

    • You must know the VPC ID and Subnet IDs that you want to connect to.

    Set Up and Connect a Private Endpoint

    To set up and connect an AWS private endpoint for an App Service, follow the steps below.

    Enable Private Endpoints

    Enabling private endpoints for an App Service deploys all of the infrastructure which you need to initiate a connection. This runs as a job in the background, and deploys components such as the network load balancer and DNS configuration.

    To enable private endpoints for a specified App Service:

    1. Use POST /appservices/{appServiceId}/privateEndpointService.

    2. Pass the App Service ID as a path parameter.

    It can take several minutes for Capella to enable private endpoints.

    Example 1. Enable private endpoints for an App Service

    In this example:

    • $appServiceId is the App Service ID.

    Request
    curl -X POST "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService" \
      -H "Authorization: Bearer $apiKeySecret"

    Monitor Private Endpoints

    To view the current status of private endpoints for a specified App Service:

    1. Use GET /appservices/{appServiceId}/privateEndpointService.

    2. Pass the App Service ID as a path parameter.

    The operation returns an object containing the following properties.

    state

    The current state of private endpoints for the specified App Service. Possible values are: enabling, disabling, enabled, disabled, and failed.

    targetState

    The intended state of private endpoints for the specified App Service. Possible states are: enabled and disabled.

    Example 2. Get the status of private endpoints for an App Service

    In this example:

    • $appServiceId is the App Service ID.

    Request
    curl -X GET "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService" \
      -H "Authorization: Bearer $apiKeySecret"
    Output
    {
        "state": "disabled",
        "targetState": "disabled"
    }

    Obtain a Connection Command

    Before you can initiate the private endpoint connection for an App Service, you must obtain the AWS connection command. For this procedure, you need the VPC ID and subnet IDs.

    To obtain the connection command for a specified App Service:

    1. Use POST /appservices/{appServiceId}/privateEndpointService/privateEndpointCommand.

    2. Pass the App Service ID as a path parameter.

    3. Pass the VPC ID as a string in the request body.

    4. Pass the subnet IDs as an array of strings in the request body.

    The return value includes the connection command.

    Example 3. Get the connection command for an App Service

    In this example:

    • $appServiceId is the App Service ID.

    Request
    curl -X POST "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService/privateEndpointCommand" \
      -H "Accept: application/json" \
      -H "Authorization: Bearer $apiKeySecret" \
      -d '{
      "vpcId": "vpc-0e4c66e70f63b51e0",
      "subnetIds": ["subnet-01423b12bd81bb116"]
    }'
    Output
    {
        "command": "aws ec2 create-vpc-endpoint --vpc-id vpc-0e4c66e70f63b51e0 --region us-east-1 --service-name com.amazonaws.vpce.us-east-1.vpce-svc-0823b61a6d8cee231 --vpc-endpoint-type Interface --subnet-ids subnet-01423b12bd81bb116"
    }

    Run the Connection Command

    To initiate the private endpoint connection for an App Service, run the connection command within the AWS CLI.

    The connection command returns a JSON object, giving information about the private endpoint. The most useful information to note is the value of VpcEndpointId.

    The private endpoint connection must be accepted by the App Service before you can use it.
    Example 4. Run the connection command for an App Service

    This example uses the connection command obtained in Example 3.

    Request
    aws ec2 create-vpc-endpoint \
      --vpc-id vpc-0e4c66e70f63b51e0 \
      --region us-east-1 \
      --service-name com.amazonaws.vpce.us-east-1.vpce-svc-0823b61a6d8cee231 \
      --vpc-endpoint-type Interface \
      --subnet-ids subnet-01423b12bd81bb116
    Output
    {
        "VpcEndpoint": {
            "VpcEndpointId": "vpce-067bd56a2df9a130e",
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-0e4c66e70f63b51e0",
            "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03cf83ff522bf54aa",
            "State": "pendingAcceptance",
            "RouteTableIds": [],
            "SubnetIds": [
                "subnet-01423b12bd81bb116"
            ],
           // ...
        }
    }

    List Connections

    To list connection requests for a specified App Service:

    1. Use GET /appservices/{appServiceId}/privateEndpointService/endpoints.

    2. Pass the App Service ID as a path parameter.

    Example 5. List connection requests for an App Service

    In this example:

    • $appServiceId is the App Service ID.

    Request
    curl -X GET "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService/endpoints" \
      -H "Authorization: Bearer $apiKeySecret"
    Output
    {
        "endpoints": [
            {
                "id": "vpce-067bd56a2df9a130e",
                "status": "pending"
            }
        ]
    }

    In this case, there is a private endpoint connection request in a pending state.

    Accept and Complete Connection

    When you run the connection command, the connection is pending, and not complete. To complete the connection, the App Services network must accept it.

    To accept a connection for a specified private endpoint:

    1. Use POST /appservices/{appServiceId}/privateEndpointService/endpoints/{endpointId}.

    2. Pass the App Service ID and private endpoint ID as path parameters.

    The connection is initiated. It may take a short time to transition to the connected state.

    Example 6. Accept a connection for a private endpoint

    In this example:

    • $appServiceId is the App Service ID.

    • $endpointId is the private endpoint ID.

    Request
    curl -X POST "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService/endpoints/$endpointId" \
      -H "Authorization: Bearer $apiKeySecret"

    To verify the status of the connection, see List Connections.

    Reject Connection

    To reject a connection for a specified private endpoint:

    1. Use DELETE /appservices/{appServiceId}/privateEndpointService/endpoints/{endpointId}.

    2. Pass the App Service ID and private endpoint ID as path parameters.

    If the connection is already made, the connection is severed. If the connection is not yet established, the connection is just listed as rejected. It may take a short period of time to transition to the rejected state.

    Example 7. Reject a connection for a private endpoint

    In this example:

    • $appServiceId is the App Service ID.

    • $endpointId is the private endpoint ID.

    Request
    curl -X DELETE "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService/endpoints/$endpointId" \
      -H "Authorization: Bearer $apiKeySecret"

    To verify the status of the connection, see List Connections.

    Enable Private DNS and Security Group Access

    Follow these tips to ensure the connection is working correctly.

    Private DNS

    You must enable private DNS in the cloud service provider’s endpoint to successfully connect to App Services.

    To enable private DNS in AWS:

    1. In the AWS console, go to Endpoints using the ID obtained earlier.

    2. Choose Actions  Modify private DNS name.

    3. Under Enable private DNS names, select Enable for this endpoint.

    Security Groups

    If your Couchbase Capella security groups do not properly allow through a connection, any attempt to communicate over the connection will hang. If this occurs, modify the security groups to allow the connection through.

    To modify the security groups:

    1. In the AWS VPC console, add an inbound rule for the private endpoint:

      1. With the Your VPCs page open, find and record the IPv4 CIDR value for your VPC, for example 10.0.0.0/16. You need this for later steps.

      2. In the navigation pane, click Endpoints.

      3. Select your endpoint.

      4. In the Security groups panel, click the Group ID link. This link is to your default VPC security group.

      5. With the security group open to the Inbound rules panel, click Edit inbound rules.

      6. In the Edit inbound rules dialog, add the VPC IPv4 CIDR you recorded earlier and use the following port ranges:

        • 4984-4985

        • 4988

      7. Click Save rules.

    2. In the AWS VPC console, configure your network access control list (ACL) with an inbound rule:

      1. In the navigation pane, click Network ACLs.

      2. On the Network ACLs page, select the Network ACL associated with your VPC.

      3. Click Actions  Edit inbound rules.

      4. On the Edit inbound rules page, specify the following for a new inbound rule:

        Field Value

        Source

        Your VPC IPv4 CIDR.
        For example: 10.0.0.0/16

        Type

        All traffic

        Port range

        All

        Before selecting All traffic as an inbound rule, consult with your security team and confirm that your private link meets security standards.

        For any further questions or concerns, contact Couchbase Support.

      5. Click Save changes.

    3. In the AWS VPC console, configure your network ACL with an outbound rule:

      1. In the navigation pane, click Network ACLs.

      2. Select the Network ACL associated with your VPC.

      3. Click Actions  Edit outbound rules.

      4. On the Edit outbound rules page, specify the following for the new outbound rule:

        Field Value

        Type

        Custom TCP

        Port ranges

        4984-4985; 4988

        Destination

        Your VPC IPv4 CIDR.
        For example: 10.0.0.0/16

      5. Click Save Changes.

    For more information, see Add an AWS PrivateLink Connection.

    Validate the Connection

    Connect to an instance within the connected VPC and validate your connection.

    Example 8. Look up the App Services node
    Request
    nslookup a24yjkpxarl3drdb.apps.cloud.couchbase.com
    Output
    Server: 10.0.1.2
    Address: 10.0.1.2#53
    Non-authoritative answer:
    Name: a24yjkpxarl3drdb.apps.cloud.couchbase.com
    Address: 10.0.1.89
    Example 9. Test the App Services node
    Request
    curl https://a24yjkpxarl3drdb.apps.cloud.couchbase.com:4984
    Output
    {
      "couchdb": "Welcome",
      "vendor": {
        "name": "Couchbase Sync Gateway",
        "version":"3.2"
      },
      "version": "Couchbase Sync Gateway/3.2.2(21;3c0abf2) EE",
      "persistent_config": true
    }

    Remove Connections

    Removing connections isn’t usually necessary for most operations using App Services. If you want to remove a connection, there are two options:

    Turn App Services On and Off

    The App Services On/Off feature is fully compatible with private endpoints. When an App Service is turned off, any private endpoints will remain in place, although not usable. When the App Service is turned back on, any private endpoints will begin working again. You do not need to re-create any private endpoints.

    When an App Service is turned off, a network load balancer remains active in the infrastructure to maintain the private endpoint state. There is some cost associated with this, even though the App Service is turned off. To avoid this cost, you must fully tear down the private endpoint and disable it, before turning off the App Service.

    Disable Private Endpoints

    You can disable private endpoints for an App Service without needing to remove or reject any connections first.

    To disable private endpoints for a specified App Service:

    1. Use DELETE /appservices/{appServiceId}/privateEndpointService.

    2. Pass the App Service ID as a path parameter.

    All existing connections are rejected and the private endpoints service is torn down.

    Example 10. Disable private endpoints for an App Service

    In this example:

    • $appServiceId is the App Service ID.

    Request
    curl -X DELETE "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService" \
      -H "Authorization: Bearer $apiKeySecret"

    To monitor the status of private endpoints for an App Service, see Monitor Private Endpoints.