A newer version of this documentation is available.

View Latest


    Security is very important for big data applications, which process a large amount of unstructured data coming in big volumes and at high speed.

    Couchbase Server provides security features that allow the administrators to implement various security controls to ensure secure deployment.

    Secure deployment in Couchbase consists of security controls to access the entire stack, from physical protection of the network infrastructure to Couchbase Server and the deployed applications


    Infrastructure protection covers the network itself, storage devices, servers, virtual machines, and the operating systems installed on these machines. Database and application protection covers Couchbase Server itself and different applications used with it.

    Where Security is Enforced

    Some applications need an additional layer of security to meet business or regulatory compliance requirements. In nearly all commercial deployments of Couchbase, Couchbase is deployed on a trusted network, and unauthorized access is restricted by firewall routing rules.

    From the network perspective, here are a few layers you might consider for enforcing security:

    • Outside network, where web browsers and mobile applications are located.

    • Perimeter network between the internal and external firewall, which typically consists of web servers and load balancing machines. This network provides physical separation between back-end and external interfaces, such as the web and mobile applications.

    • Internal network within the internal firewall, where Couchbase Server is typically deployed.


    Requests from the external network come through an external firewall and are directed to the load balancing unit, where security administrators can introduce packet filtering and blocking of malicious IP addresses. After that, the requests proceed to a web server.

    On the second firewall level, between the perimeter and internal network, the IT or database administrators can allow only Couchbase ingress and egress ports to be accessible through the internal firewall.

    While the external firewall allows only certain ports to be open, the internal firewall allows only certain Couchbase ports to be open.