Manage AWS Private Endpoints for App Services
- Capella Operational
- how-to
How to configure and manage private endpoints for App Services using Amazon Web Services (AWS).
To configure and manage AWS private endpoints with App Services, you must use the Capella Operational Management API.
-
For an overview of the Management API, see Manage Deployments with the Management API.
-
To get started with the Management API, see Get Started with the Management API.
-
To make an API call, see Make an API Call with the Management API.
-
For a full reference guide, see Management API Reference.
Examples on this Page
In the examples on this page:
-
$organizationIdis the organization ID. -
$projectIdis the project ID. -
$clusterIdis the cluster ID. -
$apiKeySecretis the API key secret, used as the Bearer token.
The endpoints described on this page all have the same base path: /v4/organizations/{organizationId}/projects/{projectId}/clusters/{clusterId}.
For clarity, this is not shown in the instructions, but it is included in the examples.
Prerequisites
Before you set up and connect an AWS private endpoint for an App Service:
-
You must have successfully deployed the Couchbase Capella cluster and the App Service.
-
You must have installed and configured the AWS Command Line Interface (CLI).
-
You must know the VPC ID and Subnet IDs that you want to connect to.
Set Up and Connect a Private Endpoint
To set up and connect an AWS private endpoint for an App Service, follow the steps below.
Enable Private Endpoints
Enabling private endpoints for an App Service deploys all of the infrastructure which you need to initiate a connection. This runs as a job in the background, and deploys components such as the network load balancer and DNS configuration.
To enable private endpoints for a specified App Service:
-
Use
POST /appservices/{appServiceId}/privateEndpointService. -
Pass the App Service ID as a path parameter.
It can take several minutes for Capella to enable private endpoints.
In this example:
-
$appServiceIdis the App Service ID.
curl -X POST "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService" \
-H "Authorization: Bearer $apiKeySecret"Monitor Private Endpoints
To view the current status of private endpoints for a specified App Service:
-
Pass the App Service ID as a path parameter.
The operation returns an object containing the following properties.
| state |
The current state of private endpoints for the specified App Service.
Possible values are: |
| targetState |
The intended state of private endpoints for the specified App Service.
Possible states are: |
In this example:
-
$appServiceIdis the App Service ID.
curl -X GET "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService" \
-H "Authorization: Bearer $apiKeySecret"{
"state": "disabled",
"targetState": "disabled"
}Obtain a Connection Command
Before you can initiate the private endpoint connection for an App Service, you must obtain the AWS connection command. For this procedure, you need the VPC ID and subnet IDs.
To obtain the connection command for a specified App Service:
-
Use
POST /appservices/{appServiceId}/privateEndpointService/privateEndpointCommand. -
Pass the App Service ID as a path parameter.
-
Pass the VPC ID as a string in the request body.
-
Pass the subnet IDs as an array of strings in the request body.
The return value includes the connection command.
In this example:
-
$appServiceIdis the App Service ID.
curl -X POST "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService/privateEndpointCommand" \
-H "Accept: application/json" \
-H "Authorization: Bearer $apiKeySecret" \
-d '{
"vpcId": "vpc-0e4c66e70f63b51e0",
"subnetIds": ["subnet-01423b12bd81bb116"]
}'{
"command": "aws ec2 create-vpc-endpoint --vpc-id vpc-0e4c66e70f63b51e0 --region us-east-1 --service-name com.amazonaws.vpce.us-east-1.vpce-svc-0823b61a6d8cee231 --vpc-endpoint-type Interface --subnet-ids subnet-01423b12bd81bb116"
}Run the Connection Command
To initiate the private endpoint connection for an App Service, run the connection command within the AWS CLI.
The connection command returns a JSON object, giving information about the private endpoint.
The most useful information to note is the value of VpcEndpointId.
| The private endpoint connection must be accepted by the App Service before you can use it. |
This example uses the connection command obtained in Example 3.
aws ec2 create-vpc-endpoint \
--vpc-id vpc-0e4c66e70f63b51e0 \
--region us-east-1 \
--service-name com.amazonaws.vpce.us-east-1.vpce-svc-0823b61a6d8cee231 \
--vpc-endpoint-type Interface \
--subnet-ids subnet-01423b12bd81bb116{
"VpcEndpoint": {
"VpcEndpointId": "vpce-067bd56a2df9a130e",
"VpcEndpointType": "Interface",
"VpcId": "vpc-0e4c66e70f63b51e0",
"ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03cf83ff522bf54aa",
"State": "pendingAcceptance",
"RouteTableIds": [],
"SubnetIds": [
"subnet-01423b12bd81bb116"
],
// ...
}
}List Connections
To list connection requests for a specified App Service:
-
Use
GET /appservices/{appServiceId}/privateEndpointService/endpoints. -
Pass the App Service ID as a path parameter.
In this example:
-
$appServiceIdis the App Service ID.
curl -X GET "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService/endpoints" \
-H "Authorization: Bearer $apiKeySecret"{
"endpoints": [
{
"id": "vpce-067bd56a2df9a130e",
"status": "pending"
}
]
}In this case, there is a private endpoint connection request in a pending state.
Accept and Complete Connection
When you run the connection command, the connection is pending, and not complete. To complete the connection, the App Services network must accept it.
To accept a connection for a specified private endpoint:
-
Use
POST /appservices/{appServiceId}/privateEndpointService/endpoints/{endpointId}. -
Pass the App Service ID and private endpoint ID as path parameters.
The connection is initiated. It may take a short time to transition to the connected state.
In this example:
-
$appServiceIdis the App Service ID. -
$endpointIdis the private endpoint ID.
curl -X POST "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService/endpoints/$endpointId" \
-H "Authorization: Bearer $apiKeySecret"To verify the status of the connection, see List Connections.
Reject Connection
To reject a connection for a specified private endpoint:
-
Use
DELETE /appservices/{appServiceId}/privateEndpointService/endpoints/{endpointId}. -
Pass the App Service ID and private endpoint ID as path parameters.
If the connection is already made, the connection is severed. If the connection is not yet established, the connection is just listed as rejected. It may take a short period of time to transition to the rejected state.
In this example:
-
$appServiceIdis the App Service ID. -
$endpointIdis the private endpoint ID.
curl -X DELETE "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService/endpoints/$endpointId" \
-H "Authorization: Bearer $apiKeySecret"To verify the status of the connection, see List Connections.
Enable Private DNS and Security Group Access
Follow these tips to ensure the connection is working correctly.
Private DNS
You must enable private DNS in the cloud service provider’s endpoint to successfully connect to App Services.
To enable private DNS in AWS:
-
In the AWS console, go to Endpoints using the ID obtained earlier.
-
Choose .
-
Under Enable private DNS names, select Enable for this endpoint.
Security Groups
If your Couchbase Capella security groups do not properly allow through a connection, any attempt to communicate over the connection will hang. If this occurs, modify the security groups to allow the connection through.
To modify the security groups:
-
In the AWS VPC console, add an inbound rule for the private endpoint:
-
With the Your VPCs page open, find and record the IPv4 CIDR value for your VPC, for example
10.0.0.0/16. You need this for later steps. -
In the navigation pane, click Endpoints.
-
Select your endpoint.
-
In the Security groups panel, click the Group ID link. This link is to your default VPC security group.
-
With the security group open to the Inbound rules panel, click Edit inbound rules.
-
In the Edit inbound rules dialog, add the VPC IPv4 CIDR you recorded earlier and use the following port ranges:
-
4984-4985
-
4988
-
-
Click Save rules.
-
-
In the AWS VPC console, configure your network access control list (ACL) with an inbound rule:
-
In the navigation pane, click Network ACLs.
-
On the Network ACLs page, select the Network ACL associated with your VPC.
-
Click .
-
On the Edit inbound rules page, specify the following for a new inbound rule:
Field Value Source
Your VPC IPv4 CIDR.
For example:10.0.0.0/16Type
All traffic
Port range
All
Before selecting
All trafficas an inbound rule, consult with your security team and confirm that your private link meets security standards.For any further questions or concerns, contact Couchbase Support.
-
Click Save changes.
-
-
In the AWS VPC console, configure your network ACL with an outbound rule:
-
In the navigation pane, click Network ACLs.
-
Select the Network ACL associated with your VPC.
-
Click .
-
On the Edit outbound rules page, specify the following for the new outbound rule:
Field Value Type
Custom TCP
Port ranges
4984-4985;4988Destination
Your VPC IPv4 CIDR.
For example:10.0.0.0/16 -
Click Save Changes.
-
For more information, see Add an AWS PrivateLink Connection.
Validate the Connection
Connect to an instance within the connected VPC and validate your connection.
nslookup a24yjkpxarl3drdb.apps.cloud.couchbase.comServer: 10.0.1.2
Address: 10.0.1.2#53
Non-authoritative answer:
Name: a24yjkpxarl3drdb.apps.cloud.couchbase.com
Address: 10.0.1.89curl https://a24yjkpxarl3drdb.apps.cloud.couchbase.com:4984{
"couchdb": "Welcome",
"vendor": {
"name": "Couchbase Sync Gateway",
"version":"3.2"
},
"version": "Couchbase Sync Gateway/3.2.2(21;3c0abf2) EE",
"persistent_config": true
}Remove Connections
Removing connections isn’t usually necessary for most operations using App Services. If you want to remove a connection, there are two options:
-
Delete the endpoint via the AWS CLI or the AWS console.
-
Reject the connection. The connection is severed, but remains in the connection list as rejected.
Turn App Services On and Off
The App Services On/Off feature is fully compatible with private endpoints. When an App Service is turned off, any private endpoints will remain in place, although not usable. When the App Service is turned back on, any private endpoints will begin working again. You do not need to re-create any private endpoints.
| When an App Service is turned off, a network load balancer remains active in the infrastructure to maintain the private endpoint state. There is some cost associated with this, even though the App Service is turned off. To avoid this cost, you must fully tear down the private endpoint and disable it, before turning off the App Service. |
Disable Private Endpoints
You can disable private endpoints for an App Service without needing to remove or reject any connections first.
To disable private endpoints for a specified App Service:
-
Use
DELETE /appservices/{appServiceId}/privateEndpointService. -
Pass the App Service ID as a path parameter.
All existing connections are rejected and the private endpoints service is torn down.
In this example:
-
$appServiceIdis the App Service ID.
curl -X DELETE "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/appservices/$appServiceId/privateEndpointService" \
-H "Authorization: Bearer $apiKeySecret"To monitor the status of private endpoints for an App Service, see Monitor Private Endpoints.