blog-banner

CockroachDB Bring Your Own Cloud (BYOC) Is Now Available in Public Preview

David-Bressler

David Bressler

Devarshi Shah

Devarshi Shah

Published on May 11, 2026

0 minute read

AI Summary

Key Takeaways

  • CockroachDB BYOC runs managed CockroachDB Cloud in your cloud account.

  • BYOC lets teams meet their control, compliance, and cloud-spend requirements.

  • Cockroach Labs manages operations while customers retain infrastructure control.

CockroachDB BYOC public preview SOCIAL TWO webp

For a certain set of customers, the conversation about CockroachDB Cloud always hits the same wall.

They needed a managed database. That means no internal DBA team, no upgrade scripts, and no 3 AM pager duty for a disk stall. However, they couldn't put their data in our cloud account, for a variety of reasons such as: 

  • a large Cloud Service Provider committed spend they needed to run against 

  • an internal policy that everything lives in their own VPC 

  • a compliance requirement that data doesn't leave their cloud environment. 

The answer for those customers was usually self-hosted, which meant they got the database but not the managed service.

Bring Your Own Cloud, or BYOC, is a deployment model that lets organizations run a managed cloud service inside their own cloud environment. For databases, that means teams can keep infrastructure, networking, and data in their cloud account while relying on a vendor to manage day-to-day operations. 

Bring Your Own Cloud (BYOC) is the answer to that tradeoff. With BYOC CockroachDB runs in your own cloud account while we handle database operations.

What is CockroachDB Bring Your Own Cloud (BYOC)? Copy Icon

BYOC is a deployment option for CockroachDB Cloud Advanced. Your cluster runs inside your own AWS, GCP, or Azure account, not ours. We provision it, patch it, upgrade it, back it up, and keep it running. You keep the data, the infrastructure, and the network.

The result is a managed database service that aligns with enterprise cloud controls. Platform teams can reduce operational burden without moving sensitive workloads into a vendor-owned cloud account, and security teams retain visibility into the infrastructure boundary they already govern. 

Here's how the access model works: 

  1. You give Cockroach Labs a scoped IAM role in your organization’s cloud account. 

  2. That role is limited to the specific CockroachDB resources we create inside your environment – we don't have broad access to the rest of your account. 

  3. Our automation handles cluster provisioning, rolling node-by-node upgrades, managed backups, and observability. 

  4. Every action we take through that role shows up in your cloud's native audit trail – CloudTrail on AWS, Audit Logs on GCP, and the Azure Activity Log – so your security team can see exactly what we did and when. There's no black box.

Why run a managed database service in your cloud account? Copy Icon

Your cloud spend stays in your control. With BYOC, you run CockroachDB in your own AWS, Azure, or GCP account, giving you the flexibility to manage infrastructure costs, procurement, and any applicable committed use discounts or reserved instances directly with your cloud provider. In comparison with CockroachDB Cloud SaaS, BYOC keeps those infrastructure purchasing decisions on your side of the account boundary. 

For platform and procurement teams, this can make managed database adoption easier to justify. BYOC lets organizations modernize with a database-as-a-service model (DBaaS) while continuing to use the cloud agreements, discount structures, and governance processes that they already have in place. 

Your data doesn't leave your account. A BYOC cluster runs in a VPC we create inside your cloud account, and the SQL data stays there. For customers in financial services, healthcare, or any regulated industry with strict "everything in our account" policies, this is often what makes a managed database truly viable.

That control can help teams satisfy internal compliance requirements without defaulting back to self-hosted infrastructure. Instead of choosing between cloud database security controls and managed operations, BYOC gives organizations a way to preserve account-level governance while offloading database operations to Cockroach Labs. 

You still don't have to operate it. This is the important part: BYOC is not self-hosted. You're not:

  • managing cluster nodes 

  • writing runbooks for disk failures 

  • handling version upgrades 

  • building a backup pipeline 

Those operations and many more are still handled by Cockroach Labs experts. 

That matters because the cost of self-hosting is not only infrastructure spend; it’s also the engineering time required to keep a distributed SQL database patched, backed up, observable, and available. BYOC lets teams keep the cloud control they need, while reducing the operational work that often slows down application teams. 

The upgrade model is the same as with CockroachDB Cloud Advanced: 

  • patch upgrades roll out node-by-node with no downtime 

  • you can set a maintenance window and defer patches by up to 90 days 

  • major version upgrades are always customer-initiated 

If a critical security fix needs to go out urgently, we'll apply it and you'll see it in CloudTrail, Audit Logs, and Activity Logs.

What’s included in the BYOC public preview? Copy Icon

BYOC public preview is available now for AWS, Azure, and GCP.

Cluster management. During preview, clusters are created via the UI, Cloud API, and Terraform. Everything else including monitoring, user management, cluster settings, org and folder structure is available in the Cloud Console, the same as any other CockroachDB Cloud cluster.

Backups and recovery. Managed backups run the same as CockroachDB Cloud Advanced: daily full backups, hourly incrementals, and point-in-time restore down to 5-minute granularity. Physical Cluster Replication to a BYOC cluster as a DR target is on the roadmap.

Connectivity. Private connectivity options including AWS PrivateLink are supported. During preview, we provision one BYOC cluster per AWS account or GCP project; support for multiple clusters per account is coming before general availability (GA).

Pricing.. BYOC is purchased through CockroachDB Cloud Credits, with draw-down usage measured based on vCPU consumption and metered to the minute. Your Cockroach Labs invoice covers the software and managed operations; your cloud provider invoice covers the underlying infrastructure.

Production-ready BYOC, with more capabilities coming before GA Copy Icon

BYOC launches with the same uptime SLAs as CockroachDB Cloud Advanced: 99.99% for single-region and 99.999% for multi-region. That's not a soft preview commitment that we'll harden later; it's the same bar we hold ourselves to across the rest of the Cloud fleet.

We already have customers running BYOC in production across all three clouds, proving the operational model: Cockroach Labs managing upgrades, patches, backups, and incident response inside your cloud account. Public preview is opening up these capabilities to even more CockroachDB users.

Between now and GA in the second half of 2026, we're rounding out the experience: UI-based cluster creation, support for multiple BYOC clusters per cloud account, and continued DR automation. These are additions to a foundation that's already running in production, and not blockers to getting started.

BYOC follows a shared responsibility model. That means Cockroach Labs manages the database service, including provisioning, patching, upgrades, backups, observability, and incident response. Meanwhile, your organization maintains the cloud account, network posture, and scoped access that Cockroach Labs automation uses to operate the cluster. If that access is revoked or materially changed, Cockroach Labs may lose the ability to patch, upgrade, or recover the cluster until access is restored.

That boundary is intentional: BYOC is designed for teams that want managed database operations without giving up control of the cloud environment where their data and infrastructure reside. We document the BYOC access model, including what Cockroach Labs’ access covers, what it does not cover, and how activity appears in your cloud provider’s native audit logs.

How do you get started with CockroachDB BYOC? Copy Icon

To set up a BYOC cluster, reach out to your Cockroach Labs account team. We'll walk through the IAM setup in your cloud account, and provision the cluster from there.

You can also review the BYOC documentation to understand the deployment model, access requirements, and shared responsibility boundary before you start.

If your team is evaluating how to modernize database infrastructure while preserving cloud-account control, CockroachDB BYOC gives you a new path forward: managed CockroachDB operations, your cloud environment, and a deployment model built for enterprise security, compliance, and operational efficiency.

Try CockroachDB Today

Spin up your first CockroachDB Cloud cluster in minutes. Start with $400 in free credits. Or get a free 30-day trial of CockroachDB Enterprise on self-hosted environments.

David Bressler is Staff Product Marketer for Cockroach Labs. He has worked in 26 countries, is an accomplished public speaker, and graduated with distinction with an MBA from NYU. 

Devarshi Shah is Product Manager, Cloud Platform, at Cockroach Labs. 

Database as a Service

FAQ

FAQs about CockroachDB BYOC (Bring Your Own Cloud).
What is CockroachDB Bring Your Own Cloud?
How is BYOC different from self-hosting CockroachDB?
Why would an organization choose BYOC?