XDCR through a proxy or NAT


#1

Hi,

I am trying to set up two clusters of Couchbase with two-way XDCR, one in AWS and one in our client’s enterprise network. Normally, for each cluster, I would set up each node using its private IP. But, in order to get XDCR, I need to open up the node at the destination with a public IP. The problem is, the nodes in the enterprise network’s cluster can’t have public IPs as they are in a private network.

What I’d like to know is:

  1. Do all nodes in the destination cluster need to have public IP? Will XDCR work if I make only the referenced node public (via NAT forwarding), but the rest of the nodes private? Does that node need to identify itself via the public IP?
    For example, if I have set up the node as 10.8.1.20 and the source cluster uses a public IP 203.x.x.x to connect to that node (via NAT), will the XDCR replication work?

  2. Is there some sort of proxy that I can go through to set up XDCR to that cluster? That proxy server can sit on a DMZ (or behind NAT) and forward the replication requests to the destination cluster.


#2

Hi there, XDCR will grab the list of the nodes from the destination at the time of initial setup. These destination node names need to be reachable from each node in the source cluster. One option you have is to manipulate the hosts file on each source node so the destination node addresses resolve to the addresses you want. To do this, you cannot use IPs for nodes; you need to use host names.

The simpler option would be to set up a VPN across all these environments so they don't have to go over public IPs. You can set these up across sites and on-prem networks.
thanks
-cihan


#3

Hi cihan,

Thanks for your answer. Since we don't want a permanent VPN between the two entire networks, we've decided to set up a VPN server at the VPC and let the individual nodes from the enterprise network connect to it. Do you think there is a way I can set it up so that the intra-cluster traffic on the enterprise nodes goes through their local LAN, but the XDCR traffic goes through the VPN? I'm guessing I can use the hosts files to resolve the node names to LAN IPs on the local nodes, but VPN-assigned IPs on the remote nodes.


#4

Yes, hosts file manipulation is the best method for this. The issue is you will need to be careful when adding new nodes. As you add new nodes, you will need to make sure to apply the changes to the hosts files across all nodes. You could script this to ensure adding a new node takes care of the changes on all existing nodes and the new node.
thanks
-cihan
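The script below is an added example, not code from this thread and not Couchbase tooling. It implements the split-horizon hosts-file scheme discussed in #2, #3 and #4: every node carries the same node inventory, and on each node the local site's nodes resolve to their LAN addresses (so intra-cluster traffic stays on the LAN) while the other site's nodes resolve to their VPN addresses (so XDCR traffic goes through the tunnel). The hostnames, LAN and VPN addresses in the inventory are made up for illustration; the managed block is installed idempotently so the same script can be re-run on every node whenever a node is added, which is the maintenance concern raised in #4.

```shell
#!/bin/sh
# Added example: render and install a split-horizon hosts block for
# two Couchbase clusters joined by XDCR over a VPN. Not part of the
# original thread; inventory below is constructed for illustration.
#
# Inventory format: site hostname lan_ip vpn_ip   (assumed values)
NODE_INVENTORY='
ent cb-ent-01 10.8.1.20 10.200.0.20
ent cb-ent-02 10.8.1.21 10.200.0.21
aws cb-aws-01 172.31.5.10 10.200.0.10
aws cb-aws-02 172.31.5.11 10.200.0.11
'

# render_hosts_block SITE
# Nodes belonging to SITE resolve to their LAN IP; all other nodes
# resolve to their VPN IP. Output is a marker-delimited block so it can
# be replaced wholesale on the next run.
render_hosts_block() {
  site="$1"
  printf '# BEGIN couchbase-xdcr (managed, do not edit by hand)\n'
  printf '%s\n' "$NODE_INVENTORY" | while read -r node_site name lan vpn; do
    if [ -z "$name" ]; then continue; fi
    if [ "$node_site" = "$site" ]; then
      printf '%s %s\n' "$lan" "$name"
    else
      printf '%s %s\n' "$vpn" "$name"
    fi
  done
  printf '# END couchbase-xdcr\n'
}

# install_hosts_block SITE FILE
# Strip any previous managed block from FILE (use /etc/hosts on a real
# node), append a freshly rendered one, and replace FILE atomically.
# Re-running after adding a node therefore never duplicates entries.
install_hosts_block() {
  site="$1"; file="$2"
  tmp="$file.tmp.$$"
  {
    if [ -f "$file" ]; then
      sed '/^# BEGIN couchbase-xdcr/,/^# END couchbase-xdcr/d' "$file"
    fi
    render_hosts_block "$site"
  } > "$tmp" && mv "$tmp" "$file"
}

# lookup FILE NAME
# Address NAME resolves to via FILE, i.e. what the node will use for
# that peer. Use it after installing to confirm that every remote node
# resolves to a VPN address and every local node to a LAN address.
lookup() {
  awk -v n="$2" '$1 !~ /^#/ && $2 == n { print $1; exit }' "$1"
}

# Stand-alone usage: ./hosts-xdcr.sh ent /etc/hosts   (run on an ent node)
if [ $# -ge 2 ]; then
  install_hosts_block "$1" "$2"
fi
```

Run it with the node's own site name on every node of both clusters, and add it to whatever provisioning step creates a node so the inventory change reaches existing nodes and the new node together. After installing, check from each source node that every destination name resolves to its VPN address (the `lookup` helper, or `getent hosts NAME` on the node) and that the address is reachable over the tunnel before setting up the XDCR reference; because the destination node list is captured at initial setup, a name that resolves wrongly at that moment is what breaks replication later.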