Please use the form below to provide your feedback. Because your feedback is valuable to us, the information you submit in this form is recorded in our issue tracking system (JIRA), which is publicly available. You can track the status of your feedback using the ticket number displayed in the dialog once you submit the form.

Manage AWS Private Endpoints for the Data API

  • Capella Operational
  • how-to
    +
    How to configure and manage private endpoints for the Data API using Amazon Web Services (AWS).

    To configure and manage AWS private endpoints with the Data API, you can use the Capella UI or the Capella Management API.

    Prerequisites

    Before you set up and connect an AWS private endpoint for the Data API:

    • You must have successfully deployed a Couchbase Capella operational cluster and the Data API.

    • You must have installed and configured the AWS Command Line Interface (CLI).

    • You must know the VPC ID and Subnet IDs that you want to connect to.

    Examples on this Page

    In the Management API examples on this page:

    • $organizationId is the organization ID.

    • $projectId is the project ID.

    • $clusterId is the cluster ID.

    • $apiKeySecret is the Management API key secret, used as the Bearer token.

    The endpoints described on this page all have the same base path: /v4/organizations/{organizationId}/projects/{projectId}/clusters/{clusterId}. For clarity, this is not shown in the instructions, but it’s included in the examples.

    Set Up and Connect a Private Endpoint

    To set up and connect an AWS private endpoint for the Data API, follow the steps below.

    Procedure:

    1. Obtain a Connection Command

    2. Run the Connection Command

    3. Accept and Complete Connection

    4. Enable Private DNS and Security Group Access

    5. Validate the Connection (Optional)

    Obtain a Connection Command

    In order to set up the private endpoint connection for the Data API, you must obtain the AWS connection command. For this procedure, you need the VPC ID and subnet IDs.

    • Capella UI

    • Management API

    To obtain the connection command for the Data API:

    1. On the Operational Clusters page, click on the cluster where you want to add a private endpoint for the Data API.

    2. Go to Settings  Networking  Private Endpoints.

    3. Click the Data API tab.

    4. Click Add Private Endpoint.

    5. In the Provide Private Endpoint Details section, add the following information:

      Field Value

      VPC ID

      Enter your AWS VPC ID.

      Subnet IDs

      Enter each Subnet ID and separate them with a comma.

    6. Click Next. The connection command is displayed.

    7. Click the connection command to copy it, or click the Download icon to download a shell script containing the connection command.

    To obtain the connection command for the Data API:

    1. Use POST /dataAPI/privateEndpointCommand.

    2. Pass the VPC ID as a string in the request body.

    3. Pass the subnet IDs as an array of strings in the request body.

    The return value includes the connection command.

    Request
    curl -X POST "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/dataAPI/privateEndpointCommand" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $apiKeySecret" \
  -d '{
  "vpcID": "vpc-1234",
  "subnetIDs": ["subnet-1234"]
}'
    Output
    {
  "command": "aws ec2 create-vpc-endpoint --vpc-id vpc-1234 --region us-east-1 --service-name com.amazonaws.vpce.us-east-1.vpce-svc-1234 --vpc-endpoint-type Interface --subnet-ids subnet-1234"
}

    Run the Connection Command

    To set up the private endpoint connection for the Data API, run the connection command within the AWS CLI.

    The connection command returns a JSON object, giving information about the private endpoint. The most useful information to note is the value of VpcEndpointId — this is the private endpoint ID.

    The private endpoint connection must be accepted by the Data API before you can use it.
    Run the connection command for the Data API

    This example uses the connection command obtained in Obtain a Connection Command.

    Request
    aws ec2 create-vpc-endpoint \
          --vpc-id vpc-1234 \
          --region us-east-1 \
          --service-name com.amazonaws.vpce.us-east-1.vpce-svc-1234 \
          --vpc-endpoint-type Interface \
          --subnet-ids subnet-1234
    Output
    {
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-067bd56a2df9a130e",
        "VpcEndpointType": "Interface",
        "VpcId": "vpc-1234",
        "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1234",
        "State": "pendingAcceptance",
        "RouteTableIds": [],
        "SubnetIds": [
            "subnet-1234"
        ],
       // ...
    }
}

    Accept and Complete Connection

    When you run the connection command, the connection is pending, and not complete. To complete the connection, the Data API network must accept it.

    To reject the connection at this point, see Remove Private Endpoints.

    • Capella UI

    • Management API

    To accept a connection for a specified private endpoint:

    1. Wait for the new interface endpoint to be shown with a Pending Acceptance status.

    2. Click the Accept button for the pending private endpoint.

    The connection is initiated. It may take a short time to transition to the connected state.

    To accept a connection for a specified private endpoint:

    1. Use POST /dataAPI/privateEndpoints/{endpointId}/associate.

    2. Pass the private endpoint ID as a path parameter.

    The connection is initiated. It may take a short time to transition to the connected state.

    In this example:

    • $endpointId is the private endpoint ID.

    Request
    curl -X POST "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/dataAPI/privateEndpoints/$endpointId/associate" \
  -H "Authorization: Bearer $apiKeySecret"

    To verify the status of the connection, see View Private Endpoints.

    Enable Private DNS and Security Group Access

    Follow these tips to ensure the connection is working correctly.

    Private DNS

    You must enable private DNS in the cloud service provider’s endpoint to successfully connect to the Data API.

    To enable private DNS in AWS:

    1. In the AWS console, go to Endpoints using the ID obtained earlier.

    2. Choose Actions  Modify private DNS name.

    3. Under Enable private DNS names, select Enable for this endpoint.

    Security Groups

    If your Couchbase Capella security groups do not allow a connection, any attempt to communicate over the connection will hang. If this occurs, modify the security groups to allow the connection through.

    To modify the security groups:

    1. In the AWS VPC console, add an inbound rule for the private endpoint:

      1. With the Your VPCs page open, find and record the IPv4 CIDR value for your VPC, for example 10.0.0.0/16. You need this for later steps.

      2. In the navigation pane, click Endpoints.

      3. Select your endpoint.

      4. In the Security groups panel, click the Group ID link. This link is to your default VPC security group.

      5. With the security group open to the Inbound rules panel, click Edit inbound rules.

      6. In the Edit inbound rules dialog, add the VPC IPv4 CIDR you recorded earlier and use the following port ranges:

        • 443

      7. Click Save rules.

    2. In the AWS VPC console, configure your network access control list (ACL) with an inbound rule:

      1. In the navigation pane, click Network ACLs.

      2. On the Network ACLs page, select the Network ACL associated with your VPC.

      3. Click Actions  Edit inbound rules.

      4. On the Edit inbound rules page, specify the following for a new inbound rule:

        Field Value

        Source

        Your VPC IPv4 CIDR.
        For example: 10.0.0.0/16

        Type

        All traffic

        Port range

        All

        Before selecting All traffic as an inbound rule, consult with your security team and confirm that your private link meets security standards.

        For any further questions or concerns, contact Couchbase Support.

      5. Click Save changes.

    3. In the AWS VPC console, configure your network ACL with an outbound rule:

      1. In the navigation pane, click Network ACLs.

      2. Select the Network ACL associated with your VPC.

      3. Click Actions  Edit outbound rules.

      4. On the Edit outbound rules page, specify the following for the new outbound rule:

        Field Value

        Type

        Custom TCP

        Port ranges

        443

        Destination

        Your VPC IPv4 CIDR.
        For example: 10.0.0.0/16

      5. Click Save Changes.

    For more information, see Add an AWS PrivateLink Connection.

    Validate the Connection

    Connect to an instance within the connected VPC and validate your connection.

    Look up the Data API node

    In this example:

    • $BASEURL is the base URL for the Data API.

    Request
    nslookup $BASEURL
    Output
    Server: 10.0.1.2
Address: 10.0.1.2#53
Non-authoritative answer:
Name: <BASEURL>
Address: 10.0.1.89
    Test the Data API node

    In this example:

    • $BASEURL is the base URL for the Data API.

    • $USER is the cluster access username.

    • $PASSWORD is the cluster access secret.

    Request
    curl "$BASEURL/v1/callerIdentity" \
  -u $USER:$PASSWORD
    Output
    {"user": "<USER>"}

    View Private Endpoints

    You can view a list of private endpoints and connection requests using the Capella UI or the Management API.

    • Capella UI

    • Management API

    To view private endpoints and connection requests for the Data API:

    1. Go to Settings  Networking  Private Endpoints.

    2. Click the Data API tab. Any existing private endpoints or connection requests are shown in the Data API Private Endpoints list.

    The Status column shows the status of each connection. Connection requests are shown with the status Pending Acceptance.

    To view private endpoints and connection requests for the Data API:

    1. Use GET /dataAPI/privateEndpoints.

    2. Check the response to see the status of each connection. Connection requests are shown with the status "pending".

    Request
    curl -X GET "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/dataAPI/privateEndpoints" \
  -H "Authorization: Bearer $apiKeySecret"
    Output
    {
  "endpoints": [
    {
      "id": "vpce-000000000000aaaaa",
      "status": "pending"
    }
  ]
}

    In this case, there is a private endpoint connection request in a pending state.

    Remove Private Endpoints

    You can remove a private endpoint or reject a connection request using the Capella UI or the Management API.

    Alternatively, delete the private endpoint via the AWS CLI or the AWS console.

    • Capella UI

    • Management API

    To delete a specified private endpoint:

    1. Display the list of Data API Private Endpoints.

    2. Click the trash icon for the private endpoint.

    3. When prompted, type delete and click Delete Private Endpoints.

    The private endpoint is removed from the list. It may take a short period of time to be deleted.

    To disassociate a specified private endpoint:

    1. Use POST /dataAPI/privateEndpoints/{endpointId}/unassociate.

    2. Pass the private endpoint ID as a path parameter.

    If the connection is already made, the connection is severed, but remains in the connection list as rejected. If the connection is not yet established, the connection is just listed as rejected. It may take a short period of time to transition to the rejected state.

    In this example:

    • $endpointId is the private endpoint ID.

    Request
    curl -X POST "https://cloudapi.cloud.couchbase.com/v4/organizations/$organizationId/projects/$projectId/clusters/$clusterId/dataAPI/privateEndpoints/$endpointId/unassociate" \
  -H "Authorization: Bearer $apiKeySecret"

    To verify the status of the connection, see View Private Endpoints.

    Turn the Data API On and Off

    Turning the Data API on or off is fully compatible with private endpoints. When the Data API is turned off, any private endpoints will remain in place, although not usable. When the Data API is turned back on, any private endpoints will begin working again. You do not need to re-create any private endpoints.

    See Also