Configure a Private Network

    Setting up a private network enables your application to interact with Couchbase Cloud over a private connection by peering the application's VPC or VNet with the cluster's VPC or VNet.

    Using a private network adds a layer of security by keeping traffic between the application and the cluster off the public Internet. It also reduces latency and egress costs.

    Prerequisites

    The following services must be enabled before you set up a private network.

    AWS

    • Route53 must be enabled on your AWS account.

    • An AWS VPC peering connection must be set up. For information on setting up a VPC peering connection, refer to the AWS documentation: Creating and Accepting a VPC Peering Connection.

    • Ensure that the application VPC and the Couchbase Cloud cluster VPC have non-overlapping CIDR blocks. Overlapping ranges cannot be routed across a peering connection.

    Azure

    • Private DNS must be enabled on your Azure subscription.

    • An Azure Virtual Network peering connection must be set up. For information on setting up a VNet peering connection, refer to the Azure documentation: Azure virtual network peering.

    • Ensure that the application VNet and the Couchbase Cloud cluster VNet have non-overlapping CIDR blocks.

    • Ensure that the network security groups on both sides allow inbound traffic from the virtual network, that is, the default AllowVnetInBound rule is not overridden by a higher-priority deny rule.

    Setting up a Private Network

    Setting up a private network involves the following steps:

    1. Set up AWS VPC peering or Azure VNet peering. Refer to your cloud provider's documentation for details.

      1. Create a peering request from the application AWS VPC or Azure VNet (requester) to the Couchbase Cloud cluster VPC or VNet (accepter).

      2. Accept the pending peering request on the Couchbase Cloud cluster VPC or VNet (accepter).

      3. If you are on AWS, update the route tables on the requester side by adding routes to the Couchbase Cloud VPC CIDR over the peering connection. Do this for every route table associated with a private subnet (a subnet whose route table has a route to a NAT gateway).

      4. If you are on AWS, update the route tables on the Couchbase Cloud VPC by adding routes to the requester VPC CIDR over the peering connection. Again, do this for the route tables associated with private subnets (those with a route to a NAT gateway); these are marked as Couchbase Cloud internal route tables.

      5. Enable DNS resolution on the peering connection so that hostnames in the peer VPC resolve to private IP addresses. On AWS this is the "allow DNS resolution from remote VPC" option, which must be enabled for both the requester and the accepter side.

    2. Set up a private network zone in Couchbase Cloud.

    3. Associate the AWS VPC or Azure VNet with the private network zone.

      Depending on where your application VPC or VNet resides, an additional manual step may be required to complete the association between the peering and the private network you create (see the AWS and Azure sections below).
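    The peering steps above, scripted with the AWS and Azure CLIs. This is an added example, not Couchbase's or the cloud providers' own code. It assumes that the credentials in use can act on both the application side and the Couchbase Cloud side (one AWS account, or one Azure tenant across subscriptions), that the aws and az CLIs are installed and authenticated, and it identifies private route tables by the presence of a NAT gateway route, as the steps describe. The environment variable names, the peering names app-to-couchbase and couchbase-to-app, and the function names are assumptions of this example. Before any peering is created it also enforces the non-overlapping CIDR prerequisite.

```shell
#!/usr/bin/env bash
# Added example (not Couchbase's own code): drives the peering steps with the
# AWS and Azure CLIs. Assumes the credentials in use can act on both sides
# (same AWS account, same Azure tenant) and that aws/az are installed.
set -eu

# Dotted-quad IPv4 -> 32-bit integer (subshell body keeps the IFS change local).
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Exit 0 if the two CIDR blocks overlap, 1 if they are disjoint. Two blocks
# overlap exactly when they agree on the first min(len1, len2) address bits.
cidr_overlaps() {
  net1=${1%/*}; len1=${1#*/}
  net2=${2%/*}; len2=${2#*/}
  p=$len1
  if [ "$len2" -lt "$p" ]; then p=$len2; fi
  a=$(( $(ip_to_int "$net1") >> (32 - p) ))
  b=$(( $(ip_to_int "$net2") >> (32 - p) ))
  [ "$a" -eq "$b" ]
}

# The non-overlapping CIDR prerequisite: refuse to peer overlapping ranges.
require_disjoint() {
  if cidr_overlaps "$1" "$2"; then
    echo "CIDR blocks $1 and $2 overlap; peered routes would be ambiguous" >&2
    return 1
  fi
}

# AWS: request, accept, add a route on every private route table of both VPCs
# (identified here by a NAT gateway route), enable DNS resolution over the
# peering, then wait for the connection to become active. Prints the pcx ID.
# $1 = application VPC ID, $2 = Couchbase Cloud VPC ID, $3 = region.
peer_aws() {
  app_vpc=$1; cb_vpc=$2; region=$3
  app_cidr=$(aws ec2 describe-vpcs --region "$region" --vpc-ids "$app_vpc" \
             --query 'Vpcs[0].CidrBlock' --output text)
  cb_cidr=$(aws ec2 describe-vpcs --region "$region" --vpc-ids "$cb_vpc" \
            --query 'Vpcs[0].CidrBlock' --output text)
  require_disjoint "$app_cidr" "$cb_cidr"
  pcx=$(aws ec2 create-vpc-peering-connection --region "$region" \
        --vpc-id "$app_vpc" --peer-vpc-id "$cb_vpc" \
        --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text)
  aws ec2 accept-vpc-peering-connection --region "$region" \
      --vpc-peering-connection-id "$pcx" --output text > /dev/null
  for pair in "$app_vpc:$cb_cidr" "$cb_vpc:$app_cidr"; do
    vpc=${pair%%:*}; dest=${pair#*:}
    for rtb in $(aws ec2 describe-route-tables --region "$region" \
                 --filters "Name=vpc-id,Values=$vpc" \
                 --query 'RouteTables[?Routes[?NatGatewayId]].RouteTableId' \
                 --output text); do
      aws ec2 create-route --region "$region" --route-table-id "$rtb" \
          --destination-cidr-block "$dest" --vpc-peering-connection-id "$pcx" \
          --output text > /dev/null
    done
  done
  aws ec2 modify-vpc-peering-connection-options --region "$region" \
      --vpc-peering-connection-id "$pcx" \
      --requester-peering-connection-options AllowDnsResolutionFromRemoteVpc=true \
      --accepter-peering-connection-options AllowDnsResolutionFromRemoteVpc=true \
      --output text > /dev/null
  tries=0   # an accepted peering sits briefly in "provisioning" before "active"
  until [ "$(aws ec2 describe-vpc-peering-connections --region "$region" \
             --vpc-peering-connection-ids "$pcx" \
             --query 'VpcPeeringConnections[0].Status.Code' --output text)" = active ]; do
    tries=$((tries + 1)); [ "$tries" -lt 12 ] || { echo "peering $pcx not active" >&2; return 1; }
    sleep 5
  done
  echo "$pcx"
}

# Azure: the VNet resource ID that the Link Private Networks screen expects.
vnet_resource_id() {   # $1 subscription ID, $2 resource group, $3 VNet name
  echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Network/virtualNetworks/$3"
}

# Azure: a peering is two one-way links, so both legs are created. Works across
# subscriptions in one tenant (cross-tenant peering is unsupported here).
# $1-$3 = app subscription/RG/VNet, $4-$6 = Couchbase Cloud subscription/RG/VNet.
peer_azure() {
  app_id=$(vnet_resource_id "$1" "$2" "$3")
  cb_id=$(vnet_resource_id "$4" "$5" "$6")
  app_cidr=$(az network vnet show --ids "$app_id" --query 'addressSpace.addressPrefixes[0]' -o tsv)
  cb_cidr=$(az network vnet show --ids "$cb_id" --query 'addressSpace.addressPrefixes[0]' -o tsv)
  require_disjoint "$app_cidr" "$cb_cidr"
  az network vnet peering create --subscription "$1" -g "$2" --vnet-name "$3" \
     --name app-to-couchbase --remote-vnet "$cb_id" --allow-vnet-access -o none
  az network vnet peering create --subscription "$4" -g "$5" --vnet-name "$6" \
     --name couchbase-to-app --remote-vnet "$app_id" --allow-vnet-access -o none
}

# Entry point: acts only when CLOUD is set, so sourcing the file has no side effects.
case "${CLOUD:-}" in
  aws)   peer_aws "$APP_VPC_ID" "$CB_VPC_ID" "$AWS_REGION" ;;
  azure) peer_azure "$APP_SUB" "$APP_RG" "$APP_VNET" "$CB_SUB" "$CB_RG" "$CB_VNET" ;;
esac
```

    Run it as CLOUD=aws APP_VPC_ID=... CB_VPC_ID=... AWS_REGION=... sh peer.sh, or CLOUD=azure with the six Azure variables. When the application VPC lives in a different AWS account from the cluster, the accept step and the route and DNS-option updates on the Couchbase Cloud side must be run with that account's credentials, so split peer_aws by side rather than running it as one unit; the CIDR check is the part worth running before either side touches anything.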

    AWS

    1. Go to the Clusters tab in the main navigation and select the Couchbase Cloud cluster for which you want to configure a private network.

    2. Go to the Connect tab and click Setup Private Networks.

    3. In the Setup Private Networks dialog, select the checkboxes to confirm that you have enabled Route53 and Virtual Network Peering in your AWS account, and then click Submit.

    4. In the Link Private Networks screen, provide the following details to peer your AWS VPC with the Couchbase Cloud virtual network.

      • Name: Enter a name for the application VPC.

      • AWS Account ID: Optional. The ID of the AWS account that owns the application VPC.

      • Virtual Network ID: Enter the application VPC ID that you noted when setting up the peering connection.

      • Available Regions: Select the AWS region of your application VPC; it must be the same region as the Couchbase Cloud VPC.

      • CIDR block: Enter the CIDR block of your application VPC. It must match the VPC's actual CIDR and must not overlap the Couchbase Cloud VPC's CIDR.

    5. Click Submit to create the private network.

    When the linking is complete, the UI refreshes to display the private endpoint.

    The status field shows the state of the process (see Table 1 under Troubleshoot Private Network Issues).

    If the application VPC resides in a different AWS account, you must manually run the command displayed on the Connect tab to complete the association between the VPC peering and the private network.

    Azure

    Azure private networking works within one Azure tenant, across subscriptions. Private networking across multiple Azure tenants is not supported.

    1. Go to the Clusters tab in the main navigation and select the Couchbase Cloud cluster for which you want to configure a private network.

    2. Go to the Connect tab and click Setup Private Networks.

    3. In the Setup Private Networks dialog, select the checkboxes to confirm that you have enabled Private DNS and Virtual Network Peering in your Azure subscription, and then click Submit.

    4. In the Link Private Networks screen, provide the following details to peer your Azure VNet with the Couchbase Cloud virtual network.

      • Name: Enter a name for the application VNet.

      • Azure Subscription ID: Enter the ID of the subscription that contains the application VNet, as noted when setting up the peering connection.

      • Virtual Network ID: Enter the ID of the application VNet, as noted when setting up the peering connection.

      • Resource Group: Enter the name of the resource group that contains the application VNet.

      • CIDR block: Enter the CIDR block of your application VNet. It must not overlap the Couchbase Cloud VNet's CIDR.

    5. Click Submit to create the private network.

    When the linking is complete, the UI refreshes to display the private endpoint.

    If the application VNet resides in a different subscription, you must manually run the command displayed on the Connect tab to complete the association between the VNet peering and the private network.

    Troubleshoot Private Network Issues

    Check the Status of Your Private Network Connection

    The status field on the Connect tab shows one of the values in the following table.

    Table 1. Private Network Connection Status

    Status                        Description
    Not Setup (default state)     No networks exist and no infrastructure has been provisioned.
    Linking Network               One or more networks are being connected and/or the infrastructure is being provisioned.
    Linking Failed                One or more networks failed to connect, but the infrastructure was provisioned successfully.
    Infrastructure Failed         Infrastructure provisioning failed.
    Ready                         One or more networks are linked successfully.
    No Networks                   No networks are linked, but the infrastructure has been provisioned for your cluster.
    Infrastructure Provisioning   The infrastructure is being provisioned. This intermediate state occurs only while the first network for a cluster is being linked.

    If you create multiple networks in rapid succession, the Linking and Provisioning states may both be displayed as Failed at the same time.

    Possible Errors and Workarounds

    • Private networks can be set up only on deployments created after the private networking feature was enabled. If setup is unavailable, check whether you are using an existing cluster and whether the feature is enabled.

    • If private networking is not available in your region, creation of the private zone fails. Check that the feature is available in your region.

    • Adding the policy for the private zone can fail. Retry adding the policy to resolve the issue.

    • Updating the security group with the application CIDR can fail. Retry the operation to resolve the issue.

    • If you provided an incorrect CIDR block, application VPC, VPC ID, or region when creating a private network, we recommend that you delete that private network and create a new one with the correct values.

    • Multiple subscriptions within a single Azure tenant are supported, but VNet peering across two or more Azure tenants is not.

    • If you use Couchbase Go SDK version 1.6 with private networking, set network=default in the connection string so that the SDK connects to the cluster's internal (private) addresses rather than its external alternate addresses.

    Tools such as the AWS VPC Reachability Analyzer can be used to verify that a network path exists from an instance in the application VPC to the cluster nodes over the peering connection, and to identify the missing route or security group rule when it does not.