Connect with Couchbase Capella over Private network created using AWS VPC Peering

This blog will cover the following things:

1. What is Private Network in Couchbase Capella?
2. What is AWS VPC Peering and how Private network is created using it?
3. How to connect with Capella over private network?

Let's get started...

What is Private Network in Couchbase Capella?

Capella is a fully managed Database as a Service (DBaaS) offered by Couchbase which provides easiest and fastest way to begin with Couchbase database and eliminate your database management efforts. You can easily deploy a clustered database in the public cloud such as AWS/Azure/GCP using Couchbase Capella.

Private network is the feature provided by Capella using which you can connect your application with the Couchbase Capella Cluster over a private connection. It enables you to have more secure connection with less latency and data egress costs.

What is AWS VPC Peering and how Private network is created using it?

AWS VPC Peering is the private network connection created between two VPCs that can be in the same or another AWS account, to route traffic between them using private IPv4 addresses or IPv6 addresses and access or share the resources created in those VPCs as if all the resources are a part of the same network.

Couchbase Capella uses AWS VPC Peering to create a Private Network connection between your application and the Capella Cluster.

How to connect with Capella over private network?

Let me help you with the step-by-step guidelines to create a Private Network connection in Capella below:

Note: Before beginning, please make sure of the following things:

1. Route53 should be enabled on your AWS account
2. Your application VPC and Couchbase Capella cluster VPC have different CIDR. If both VPCs will have overlapping CIDR blocks, then we won't be able to setup peering connection due to the limitation of VPC peering.

So, let's get started with the setup...

1. Login to Couchbase Capella console and create a cluster using Couchbase’s Cloud Account option for free.
   You can create the cluster using your own Cloud account option as well. However, I am sharing the steps using Couchbase Cloud Account option so would be easier for you to follow.

2. Created private network between Capella Cluster VPC and your own VPC in which your application resides. Steps are as follows:

• Go to Clusters in the left pane
• Go to Connect tab > Virtual Network > Manage Private Network
• On the top-right corner, click on Setup Private Network
• Confirm the pre-requisites Route53 Enabled Virtual Network Peering Enabled

• Enter the following details
  Name - Your Private Network name which will be visible on the Capella UI
  AWS Account ID - Your AWS Account ID in which your application VPC resides
  Virtual Network ID - Your application VPC ID
  Available Regions - AWS Region in which your application VPC exists
  CIDR Block - CIDR block of your app VPC

• Now, run the commands shown on your Capella UI

aws ec2 accept-vpc-peering-connection --region=<> --vpc-peering-connection-id=<pcx-xxxxxxxxxx> -> for accepting vpc-peering connection (this can be done via AWS console also)

aws route53 associate-vpc-with-hosted-zone --hosted-zone-id=<> --vpc=VPCId=<>,VPCRegion=<> --region=<> -> for associating VPC with the hosted zone in route53

• By now, your peering connection between Capella VPC and application VPC has been created. Next step would be to add the routes in your app VPC's route table in order to communicate.

• Capella Cluster VPC CIDR can be found in the AWS VPC peering console
  -> Login to your AWS account in which app VPC resides
  -> Go to VPC peering console
  -> Search for the peering connection using the ID provided in above commands
  -> You should see the requester VPC details, copy the Requester CIDRs
  -> Now, Go to the your app VPC route table
  -> Go to Routes tab > Click on edit route
  -> Add Capella VPC CIDR in destination and select peering connection as target

• Private network setup is completed at this point. Now, it's time to test the connection if it is working fine or not.

• You can use the below commands to test the private connectivity with Capella Cluster.

nslookup output for DNS resolution:

[ec2-user@ip-192-0-0-4 ~]$ nslookup -type=SRV _couchbases._tcp.cb.uvbaw6f5kvhmun7s.cloud.couchbase.com
Server:  192.0.0.2
Address:    192.0.0.2#53

Non-authoritative answer:
_couchbases._tcp.cb.uvbaw6f5kvhmun7s.cloud.couchbase.com    service = 0 0 11207 yk9iixsbth4mj5uf.uvbaw6f5kvhmun7s.cloud.couchbase.com.
_couchbases._tcp.cb.uvbaw6f5kvhmun7s.cloud.couchbase.com    service = 0 0 11207 20pcyksdifyr2r2s.uvbaw6f5kvhmun7s.cloud.couchbase.com.
_couchbases._tcp.cb.uvbaw6f5kvhmun7s.cloud.couchbase.com    service = 0 0 11207 cxq21w9wmkbl90em.uvbaw6f5kvhmun7s.cloud.couchbase.com.

Netcat or telnet command to test connectivity

telnet output:

[ec2-user@ip-192-0-0-4 ~]$ telnet yk9iixsbth4mj5uf.uvbaw6f5kvhmun7s.cloud.couchbase.com. 18091
Trying 10.0.113.52...
Connected to yk9iixsbth4mj5uf.uvbaw6f5kvhmun7s.cloud.couchbase.com..
Escape character is '^]'.

netcat output:

[ec2-user@ip-192-0-0-4 ~]$ nc -v 20pcyksdifyr2r2s.uvbaw6f5kvhmun7s.cloud.couchbase.com. 11207
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.112.74:11207.
^C
[ec2-user@ip-192-0-0-4 ~]$ nc -v yk9iixsbth4mj5uf.uvbaw6f5kvhmun7s.cloud.couchbase.com. 11207
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.113.52:11207.

Traceroute output to confirm the path taken:

[ec2-user@ip-192-0-0-4 ~]$ sudo traceroute 20pcyksdifyr2r2s.uvbaw6f5kvhmun7s.cloud.couchbase.com. -T -p 18091
traceroute to 20pcyksdifyr2r2s.uvbaw6f5kvhmun7s.cloud.couchbase.com. (10.0.112.74), 30 hops max, 60 byte packets
 1  ip-10-0-112-74.ec2.internal (10.0.112.74)  1.292 ms  1.279 ms  1.271 ms

Hope this information was helpful. Thank you.