Manage Replication Security

Capella Operational

Configure your Cross Datacenter Replication (XDCR) to securely replicate data between source and destination buckets.

XDCR supports different security models to protect data as it travels between source and target clusters. Data replication can be:

Capella supports both public and private connectivity, allowing you to secure XDCR based on your network architecture and security requirements. By default, Capella secures data replication between 2 Capella operational clusters. For replications involving a self-managed cluster deployed on-premises or in a non-Capella cloud, your replication security depends on the deployment model and cloud service provider (CSP) of your source and destination clusters.

You can secure your replication using 1 of the following approaches:

Public Internet
VPC Peering
Private Endpoint Service

Choose the option that best fits your cluster’s configuration and security requirements.

Once you create a replication, you cannot modify how its securely routed. To make changes, you need to create a new replication.

Prerequisites

You have created a single node or multi-node cluster that you want to use for replication, either as a source or destination cluster.
To view and manage replications for a cluster, you need the Project Owner role.
To create a new replication, you need the Project Owner role for the projects that contain your source cluster and destination cluster.

Replicate Data Over the Public Internet

Capella supports public Internet-based XDCR for all replication configurations with self-managed clusters. Replicating data over the public Internet provides the broadest compatibility, but it does not offer network-level isolation.

If your replication is between a Capella operational cluster and a self-managed cluster with a different cloud provider or in an on-premises environment, you can only connect through the public Internet.

Enable Replication Over the Public Internet

If you do not have a private network configured before creating a replication, Capella defaults to TLS-secured, public Internet-based replication.

To enable replication over the public Internet:

Create a replication. Choose 1 of the following options and follow the steps for securing replication over the public Internet:
1. Create a replication to Capella from a self-managed cluster.
2. Create a replication from Capella to a self-managed cluster.

Replicate Data Over a VPC Peering Connection

VPC Peering can secure XDCR by replicating data over a private network. This approach avoids exposure to the public Internet and provides stronger network isolation than public Internet connectivity.

You can only use VPC Peering when your replication is between an Capella operational cluster and a self-managed cluster with the same CSP.

Enable Replication Over VPC Peering

To enable replication over VPC Peering:

Configure a VPC Peering Connection. For more information, see Configure a VPC Peering Connection.
Create a replication. Choose 1 of the following options and follow the steps for securing replication over a peered VPC network:
1. Create a replication from Capella to a self-managed cluster.
2. Create a replication to Capella from a self-managed cluster.

Replicate Data Over a Private Endpoint Connection

This is only available upon request from Capella Support. To open a Support ticket, see Create a Support Ticket.

Private endpoints expose a service-specific endpoint for XDCR, allowing clusters to replicate without network-level peering or public Internet exposure. Enabling XDCR over a private endpoint connection is only available through the Management REST API.

For an overview of the Management API, see Manage Deployments with the Management API.

To enable XDCR over a private endpoint connection, your cluster and replication configurations must meet specific requirements. If your configurations do not meet the requirements for private endpoint security, use VPC Peering.

Replicating data over a private endpoint connection is only available with the following conditions:

Supported Replications	Supported Clusters	Additional Requirements
Replications from a self-managed cluster to a Capella operational cluster with the same CSP.	Clusters deployed on AWS with: A source self-managed cluster running Couchbase Server version 7.6.8 or earlier, or 8.0. A destination Capella operational cluster co-located with all Services running on every node. This cluster is not restricted to a specific version.	Clusters deployed on AWS can only have a maximum of 20 nodes. If you previously contacted Capella Support to map Query nodes separately with 1:1 node mapping over private endpoints, enabling XDCR over private endpoints limits your cluster to a maximum of 13 nodes.^[1]
Clusters deployed on GCP with: A source self-managed cluster running Couchbase Server version 7.6.8 or earlier, or 8.0. A destination Capella operational cluster co-located with all Services running on every node.	There are no additional requirements for GCP clusters.

Supported Replications

Supported Clusters

Additional Requirements

Replications from a self-managed cluster to a Capella operational cluster with the same CSP.

Clusters deployed on AWS with:

A source self-managed cluster running Couchbase Server version 7.6.8 or earlier, or 8.0.
A destination Capella operational cluster co-located with all Services running on every node. This cluster is not restricted to a specific version.

Clusters deployed on AWS can only have a maximum of 20 nodes. If you previously contacted Capella Support to map Query nodes separately with 1:1 node mapping over private endpoints, enabling XDCR over private endpoints limits your cluster to a maximum of 13 nodes.^[1]

Clusters deployed on GCP with:

A source self-managed cluster running Couchbase Server version 7.6.8 or earlier, or 8.0.
A destination Capella operational cluster co-located with all Services running on every node.

There are no additional requirements for GCP clusters.

^[1] Enabling both 1:1 Query mapping and XDCR requires the Data and Query Services to have dedicated listeners on each node, which reduces the number of nodes you can have to 13. For more information, contact Capella Support.

Enable Replication Over a Private Endpoint Connection

To enable replication over a private endpoint connection:

Enable XDCR with the Management REST API:
1. If you’re enabling the private endpoint service for the first time, use the POST v4/organizations/{organizationId}/projects/{projectIs}/clusters/{clusterId}/privateEndpointService endpoint.
2. If you want to enable XDCR after enabling the private endpoint service, use the PUT /v4/organizations/{organizationId}/projects/{projectId}/clusters/{clusterId}/privateEndpointService endpoint.
Create a replication to Capella from a self-managed cluster and follow the steps for securing a replication over a private endpoint.