We’re pleased to announce the general availability of Capella App Services on Google Cloud Platform (GCP). The cloud expansion comes on the heels of the recent public launch of Capella App Services on AWS.

Capella App Services is a fully managed application backend that brings the power of Couchbase Mobile to Capella, our fully managed Couchbase as-a-service offering. Couchbase Mobile is the industry leading offline-first data sync platform for mobile, desktop and embedded applications. Since its launch in 2014, Couchbase Mobile, which includes the Couchbase Lite embedded database and Sync Gateway, has powered a vast number of business critical enterprise applications.

In this post, we will provide an overview of Capella App Services and discuss the salient features, comparing it with corresponding self managed Couchbase Mobile deployments. 

Try for Free Today!

You can try Capella App Services for free for 30-days where you will have the opportunity to evaluate all the capabilities discussed in this post.

App Services: Overview

System Architecture

Capella App Services System Architecture

When you create an App Service and associate it with a Couchbase Server cluster, you are effectively extending or enabling it for data sync. A Couchbase server cluster can only be linked to one App Service.

At a high level, behind the scenes, when an App Service is created, a cluster of Sync Gateway nodes is deployed in the same virtual private cloud network as the corresponding server cluster. Communication between the App Services cluster and backing Couchbase server cluster is secured using TLS and x.509 cert based authentication. The Sync Gateway cluster is fronted by a Load Balancer that balances incoming client requests across the App Services nodes.

An App Service can handle multiple client applications, each of which is represented by an App Endpoint. Conceptually, an App Endpoint represents the instance of your application on the App Service. Each App Endpoint is backed by a server bucket. So if you have multiple applications then each of them would have its own App Endpoint. 

Mobile, desktop and web client apps can access and sync data by connecting to the corresponding App Endpoint. 

App Endpoint Connection Points

When it comes to options for connecting clients to an App Endpoint, there are multiple options. The choice depends on the type of application and use case.

Capella App Services connection endpoints

Secure websockets public URL

Offline-first sync is the ability for apps to run in offline mode in the face of temporary or extended network disruptions and to sync data with the backend servers when connectivity is restored. Mobile, desktop and embedded apps powered by Couchbase Lite can locally store and access data in disconnected mode and sync data with App Service when there is connectivity. With the Internet being inherently unreliable, the use cases for offline-first data sync are vast and varied.

Secure Public REST API

Applications can also access data securely over a public REST endpoint. This is useful in cases where there is reliable network connectivity and so there isn’t a need for offline storage or in cases where the apps are running on hardware that don’t have local storage for running a local embedded database like Couchbase Lite.

Secure Admin REST API

Admin apps can be granted authenticated access to the Admin REST API in order to programmatically create and manage users, roles and sessions. Admin apps are typically hosted in the cloud backend. An example of an admin app is a login service that handles custom authentication and is responsible for registering users via the secure Admin REST API following successful user authentication.

Secure Metrics REST API

Monitoring frameworks like Prometheus can access stats exposed via the metrics REST endpoint. In addition, App Services also supports a dashboard of common operational stats.

User Journey

Capella App Services user journey

Prerequisite: App Services requires a Couchbase Capella server cluster. So follow the steps to create a Couchbase Capella server cluster and set up a bucket. 


Launch App Services

When you create an App Service and associate it with a server cluster, you are effectively enabling it for data sync. While creating an App Service, you give it a name, designate an  associated Capella cluster, then choose the deployment configuration which includes the number of nodes and type of compute (RAM/core).

Create App Endpoints

App Endpoints represent the instance of your application on an App Service. You can create multiple App Endpoints on an App Service, each backed by a unique bucket in the corresponding Couchbase Server cluster. By default, all documents in the corresponding bucket are imported by the App Endpoint.

Configure App Endpoints

When the App Endpoint is created, it is set up in offline mode. This gives users the opportunity to complete the security configuration of the App Endpoint before exposing it to applications.

Authentication Provider

Authentication providers define how users are authenticated with the app services. A default auth provider of basic auth is selected for you during App Endpoint creation. So you can skip this config if the default option works for your application. 

Capella supports following modes of authentication:

        • Basic Auth: This is where the app users are authenticated using username and password credentials are Base64 encoded and passed in as part of the authorization Header of HTTP request
        • Open ID Connect(OIDC): App users are authenticated against a third-party Identity Provider that is registered with App Endpoint. This is implemented using OIDC Implicit flow.
        • Anonymous: In this mode, we allow unauthenticated read-only access to data. This mode could be useful when your app is only dealing with public static data

User Management

With the exception of “Anonymous” mode, all client side access must be authenticated with suitable user credentials. The choice of how users (and roles) are created depends on the Authentication Provider that is configured.

        • Basic Auth:  Users are created via the Capella web UI or via Admin REST endpoint
        • Open ID Connect (OIDC): By enabling the “auto-register” option when configuring OIDC Provider, users will be automatically created on App Service after successful authentication.

Access Control

Access Control is implemented using the channel based access control model of Couchbase Mobile. Access Control specifies who has access to what data. This is specified via a Javascript access control function. Read access control is at the granularity of a document while write access control is at the granularity of a field. 


After completing security setup for the App Endpoint, un-pause the App Endpoint to bring it online. Once online, apps can be connected using any of the Connection points discussed earlier.


Once your App Service is operational, you can administer the App Service and App Endpoints and change the configuration to meet the evolving needs of the apps.


Metrics dashboards provide insights into resource utilization of the App Service as well as the operational state of the App Endpoints. These include stats such as the number of documents read/written, error counts, number of active replications, etc.

Activity Log

All key system events of type info, warning and error are recorded in the activity center. Users are also alerted to key events that may need attention such as significantly high memory utilization over an extended period of time.

On Demand Scaling

To keep up with the evolving needs of the app, users can scale App Services horizontally and/or vertically by changing the number of nodes and/or compute type.

Capella App Services and Couchbase Mobile

If you are an existing Couchbase Mobile user, then this cheat sheet may be relevant to you. Even if you have never used Couchbase Mobile but are curious about how Couchbase Mobile powers App Services, then read on.

Term Description within Capella Couchbase Mobile Mapping
App Service An instance of Capella App Services backend. By linking an App Service to Server cluster, your cluster is now extended for mobile sync. Cluster of Sync Gateway nodes connected to a Couchbase Server cluster
App Endpoint An instance of application on App Service that represents the endpoint to which the client app connects. Every App Endpoint is backed by a Server bucket. Sync Gateway Database
Channel A tag associated with a document processed by an App Service. The channel associated with the document determines the routing and access control policies of the document. Sync Gateway Channel
App User End user of the app that is accessing or syncing data over a public URL endpoint. A user is granted access to one or more channels. Sync Gateway User
App Role Logical grouping of App Users. A role is granted access to one or more channels. Sync Gateway Role
Authentication Provider The mechanism by when App Users authenticate with App Endpoint. Options include Basic (default), OIDC Implicit Flows, Anonymous Read only. Basic (default), Read/write GUEST access, OIDC Implicit & Authorization Flows
Access Control Function Javascript Function configured on App Endpoint that specifies read/write access of documents Sync Function
Import Filter Function Javascript Function configured on Endpoint that specifies the subset of server bucket documents that are processed by the App Service and available for mobile sync Import Filter Function

What’s next

The proof is in the pudding. So try Capella App Services for free today. Stay tuned for a short demo of the major concepts discussed in this tutorial.

Here are some helpful resources:

You can leave a comment below or feel free to reach out to me via Twitter or email.


Posted by Priya Rajagopal, Senior Director, Product Management

Priya Rajagopal is a Senior Director of Product Management at Couchbase responsible for developer platforms for the cloud and the edge. She has been professionally developing software for over 20 years in several technical and product leadership positions, with 10+ years focused on mobile technologies. As a TISPAN IPTV standards delegate, she was a key contributor to the IPTV standards specifications. She has 22 patents in the areas of networking and platform security.

Leave a reply