We’re pleased to announce the general availability of Capella App Services on Google Cloud Platform (GCP). The cloud expansion comes on the heels of the recent public launch of Capella App Services on AWS.
Capella App Services is a fully managed application backend that brings the power of Couchbase Mobile to Capella, our fully managed Couchbase as-a-service offering. Couchbase Mobile is the industry leading offline-first data sync platform for mobile, desktop and embedded applications. Since its launch in 2014, Couchbase Mobile, which includes the Couchbase Lite embedded database and Sync Gateway, has powered a vast number of business critical enterprise applications.
In this post, we will provide an overview of Capella App Services and discuss the salient features, comparing it with corresponding self managed Couchbase Mobile deployments.
Try for Free Today!
You can try Capella App Services for free for 30-days where you will have the opportunity to evaluate all the capabilities discussed in this post.
App Services: Overview
System Architecture
When you create an App Service and associate it with a Couchbase Server cluster, you are effectively extending or enabling it for data sync. A Couchbase server cluster can only be linked to one App Service.
At a high level, behind the scenes, when an App Service is created, a cluster of Sync Gateway nodes is deployed in the same virtual private cloud network as the corresponding server cluster. Communication between the App Services cluster and backing Couchbase server cluster is secured using TLS and x.509 cert based authentication. The Sync Gateway cluster is fronted by a Load Balancer that balances incoming client requests across the App Services nodes.
An App Service can handle multiple client applications, each of which is represented by an App Endpoint. Conceptually, an App Endpoint represents the instance of your application on the App Service. Each App Endpoint is backed by a server bucket. So if you have multiple applications then each of them would have its own App Endpoint.
Mobile, desktop and web client apps can access and sync data by connecting to the corresponding App Endpoint.
App Endpoint Connection Points
When it comes to options for connecting clients to an App Endpoint, there are multiple options. The choice depends on the type of application and use case.
Secure websockets public URL
Offline-first sync is the ability for apps to run in offline mode in the face of temporary or extended network disruptions and to sync data with the backend servers when connectivity is restored. Mobile, desktop and embedded apps powered by Couchbase Lite can locally store and access data in disconnected mode and sync data with App Service when there is connectivity. With the Internet being inherently unreliable, the use cases for offline-first data sync are vast and varied.
Secure Public REST API
Applications can also access data securely over a public REST endpoint. This is useful in cases where there is reliable network connectivity and so there isn’t a need for offline storage or in cases where the apps are running on hardware that don’t have local storage for running a local embedded database like Couchbase Lite.
Secure Admin REST API
Admin apps can be granted authenticated access to the Admin REST API in order to programmatically create and manage users, roles and sessions. Admin apps are typically hosted in the cloud backend. An example of an admin app is a login service that handles custom authentication and is responsible for registering users via the secure Admin REST API following successful user authentication.
Secure Metrics REST API
Monitoring frameworks like Prometheus can access stats exposed via the metrics REST endpoint. In addition, App Services also supports a dashboard of common operational stats.
User Journey
Prerequisite: App Services requires a Couchbase Capella server cluster. So follow the steps to create a Couchbase Capella server cluster and set up a bucket.
Prepare
Launch App Services
When you create an App Service and associate it with a server cluster, you are effectively enabling it for data sync. While creating an App Service, you give it a name, designate an associated Capella cluster, then choose the deployment configuration which includes the number of nodes and type of compute (RAM/core).
Create App Endpoints
App Endpoints represent the instance of your application on an App Service. You can create multiple App Endpoints on an App Service, each backed by a unique bucket in the corresponding Couchbase Server cluster. By default, all documents in the corresponding bucket are imported by the App Endpoint.
Configure App Endpoints
When the App Endpoint is created, it is set up in offline mode. This gives users the opportunity to complete the security configuration of the App Endpoint before exposing it to applications.
Authentication Provider
Authentication providers define how users are authenticated with the app services. A default auth provider of basic auth is selected for you during App Endpoint creation. So you can skip this config if the default option works for your application.
Capella supports following modes of authentication:
-
-
-
- Basic Auth: This is where the app users are authenticated using username and password credentials are Base64 encoded and passed in as part of the authorization Header of HTTP request
- Open ID Connect(OIDC): App users are authenticated against a third-party Identity Provider that is registered with App Endpoint. This is implemented using OIDC Implicit flow.
- Anonymous: In this mode, we allow unauthenticated read-only access to data. This mode could be useful when your app is only dealing with public static data
-
-
User Management
With the exception of “Anonymous” mode, all client side access must be authenticated with suitable user credentials. The choice of how users (and roles) are created depends on the Authentication Provider that is configured.
-
-
-
- Basic Auth: Users are created via the Capella web UI or via Admin REST endpoint
- Open ID Connect (OIDC): By enabling the “auto-register” option when configuring OIDC Provider, users will be automatically created on App Service after successful authentication.
-
-
Access Control
Access Control is implemented using the channel based access control model of Couchbase Mobile. Access Control specifies who has access to what data. This is specified via a Javascript access control function. Read access control is at the granularity of a document while write access control is at the granularity of a field.
Connect
After completing security setup for the App Endpoint, un-pause the App Endpoint to bring it online. Once online, apps can be connected using any of the Connection points discussed earlier.
Operate
Once your App Service is operational, you can administer the App Service and App Endpoints and change the configuration to meet the evolving needs of the apps.
Monitoring
Metrics dashboards provide insights into resource utilization of the App Service as well as the operational state of the App Endpoints. These include stats such as the number of documents read/written, error counts, number of active replications, etc.
Activity Log
All key system events of type info, warning and error are recorded in the activity center. Users are also alerted to key events that may need attention such as significantly high memory utilization over an extended period of time.
On Demand Scaling
To keep up with the evolving needs of the app, users can scale App Services horizontally and/or vertically by changing the number of nodes and/or compute type.
Capella App Services and Couchbase Mobile
If you are an existing Couchbase Mobile user, then this cheat sheet may be relevant to you. Even if you have never used Couchbase Mobile but are curious about how Couchbase Mobile powers App Services, then read on.
| Term | Description within Capella | Couchbase Mobile Mapping |
| App Service | An instance of Capella App Services backend. By linking an App Service to Server cluster, your cluster is now extended for mobile sync. | Cluster of Sync Gateway nodes connected to a Couchbase Server cluster |
| App Endpoint | An instance of application on App Service that represents the endpoint to which the client app connects. Every App Endpoint is backed by a Server bucket. | Sync Gateway Database |
| Channel | A tag associated with a document processed by an App Service. The channel associated with the document determines the routing and access control policies of the document. | Sync Gateway Channel |
| App User | End user of the app that is accessing or syncing data over a public URL endpoint. A user is granted access to one or more channels. | Sync Gateway User |
| App Role | Logical grouping of App Users. A role is granted access to one or more channels. | Sync Gateway Role |
| Authentication Provider | The mechanism by when App Users authenticate with App Endpoint. Options include Basic (default), OIDC Implicit Flows, Anonymous Read only. | Basic (default), Read/write GUEST access, OIDC Implicit & Authorization Flows |
| Access Control Function | Javascript Function configured on App Endpoint that specifies read/write access of documents | Sync Function |
| Import Filter Function | Javascript Function configured on Endpoint that specifies the subset of server bucket documents that are processed by the App Service and available for mobile sync | Import Filter Function |
What’s next
The proof is in the pudding. So try Capella App Services for free today. Stay tuned for a short demo of the major concepts discussed in this tutorial.
Here are some helpful resources:
-
- –Capella App Services Documentation
- Developer Portal for learning paths and tutorials on Capella and Couchbase Mobile
- App Services Use Cases & Applications Overview
You can leave a comment below or feel free to reach out to me via Twitter or email.
