At Cockroach Labs, we are relentlessly focused on providing a database that is not only powerful and resilient but also fundamentally secure. We’re excited to announce a noteworthy milestone in our commitment to enterprise security and our integration with the Microsoft Azure ecosystem: CockroachDB Cloud now supports Customer-Managed Encryption Keys (CMEK) for Azure, along with Egress Perimeter Controls.
This feature is a critical enabler for organizations in highly regulated industries. With these new capabilities, now in private preview as part of CockroachDB 25.3, CockroachDB Cloud on Azure is positioned to meet the strictest requirements for HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standard) compliance. Data architects can now build massively scalable, resilient applications on Azure with the confidence that your data is protected by controls that you manage, satisfying both your internal governance policies and external regulatory mandates.
Let's break down these new features and why they are so impactful.
What are customer-managed encryption keys (CMEK for Azure)? 
By default, CockroachDB Cloud encrypts all data at rest. Customer-Managed Encryption Keys (CMEK) takes this a step further by putting the customer in direct control of the cryptographic keys used to secure your data. Instead of using a key managed by CockroachDB, you use a key that you own and manage within your own Azure Key Vault.
To access CMEK securely without exchanging static credentials, our integration leverages Azure Workload Identity. Here’s the workflow:
The CockroachDB cluster running on Azure Kubernetes Service (AKS), is assigned a managed identity.
This identity is granted specific, tightly-scoped permissions to perform cryptographic operations using your designated key in Azure Key Vault.
When the database needs to encrypt or decrypt data, it authenticates to Key Vault using this workload identity, which provides a secure, short-lived token.
This modern, passwordless authentication method ensures that CockroachDB Cloud can use the key but never has access to the key material itself. Benefits include:
Complete Control: Customer has full ownership over the key's lifecycle. Keys can be created, rotated, and, most importantly, revoked at any time. If you revoke access, your data in the CockroachDB cluster becomes cryptographically inaccessible.
Centralized Governance and Auditability: By integrating with Azure Key Vault, all key usage is logged and auditable within your Azure environment. This provides a clear, verifiable trail for compliance auditors, proving that you maintain control over your data's security posture.
Meet Strict Compliance Mandates: For standards like PCI DSS and HIPAA, demonstrating exclusive control over encryption keys is often a mandatory requirement.
What are egress perimeter controls in CockroachDB for Azure?
Egress Perimeter Controls act as a digital fence around your database cluster, strictly governing its outbound network traffic: You can define a precise list of approved network endpoints (such as specific cloud storage buckets, monitoring services, or other internal APIs) that your CockroachDB cluster is allowed to communicate with. Any attempt to send data to an unauthorized destination is blocked.
This functionality is implemented at the networking layer of our underlying Kubernetes infrastructure using Cilium. By leveraging Cilium's powerful eBPF-based networking and security capabilities within Azure Kubernetes Service (AKS), we define fine-grained Kubernetes Network Policies. These policies inspect all outbound traffic from the database pods at the kernel level and enforce rules based on IP address, DNS names, or other criteria. Any attempt to send data to a destination not on your pre-approved list is blocked before it can leave the cluster.
The benefits of Egress Perimeter Controls in CockroachDB for Azure include:
Preventing Data Exfiltration: In a sophisticated threat landscape, one of the biggest risks is unauthorized data exfiltration.
Enforcing Network Policy: Enterprises have strict network security policies. Egress Perimeter Controls allow you to extend these policies directly to your managed database service, ensuring consistency across your entire cloud environment.
A Pillar of HIPAA and PCI Readiness: Both HIPAA and PCI DSS require strict network controls to protect sensitive data like Protected Health Information (PHI) and Cardholder Data (CHD).
Visualizing the cloud console: The above screenshots show CockroachDB’s CMEK and egress perimeter controls in action.
What are the use cases in regulated industries?
With these features, CockroachDB on Azure becomes an ideal platform for:
Financial Services: Build payment processing systems, core banking platforms, and trading applications that meet PCI DSS requirements for encryption, key management, and network segmentation. Learn more: Multi-cloud architecture: Three real-world examples from fintech
Healthcare: Develop modern patient record systems and telemedicine applications with the confidence that Protected Health Information (PHI) is secured according to HIPAA's strict privacy and security rules. Learn more: How distributed SQL databases solve scale in the healthcare industry
Why CockroachDB on Azure is the right choice
For enterprises operating in regulated industries such as financial services and healthcare, choosing a database is a decision that impacts everything from application performance to corporate risk. CockroachDB on Azure converges a unique combination of capabilities:
Azure-Native Integration: Deep integrations like CMEK with Azure Key Vault using Workload Identity make CockroachDB feel like a natural extension of the Azure platform.
Best-in-Class Security: With encryption at rest and in transit, CMEK, Cilium-powered Egress Perimeter Controls, and robust access management, we provide the layered security that modern enterprises require.
Unmatched Distributed SQL Architecture: Get all this security without compromising on the core benefits of CockroachDB: effortless scale, bulletproof resilience against failures, and low-latency performance for a global user base.
FAQ: HIPAA & PCI Readiness on Azure with CockroachDB Cloud
What makes CockroachDB Cloud on Azure ready for HIPAA and PCI compliance? CockroachDB Cloud now supports Customer-Managed Encryption Keys (CMEK) and Egress Perimeter Controls on Azure. Together, these features give organizations full control over encryption keys and strict governance of outbound network traffic, which are key requirements for HIPAA and PCI DSS compliance.
How does CockroachDB support PCI compliance? CockroachDB helps organizations meet PCI DSS requirements through strong encryption, network isolation, and auditable access controls. With Customer-Managed Encryption Keys (CMEK) and Egress Perimeter Controls on Azure, customers maintain exclusive control of key management and outbound data flow, ensuring that cardholder data remains protected and compliant across distributed environments.
How does Customer-Managed Encryption Keys (CMEK) improve security? CMEK lets you control the cryptographic keys used to protect your data. Keys are stored and managed in your own Azure Key Vault, not by CockroachDB. You can rotate or revoke keys at any time, ensuring full lifecycle control and auditable governance within your Azure environment.
What are the benefits of using CMEK for HIPAA compliance? Using CMEK allows healthcare organizations to meet HIPAA’s strict requirements for data privacy and access control. By managing encryption keys directly in Azure Key Vault, organizations maintain exclusive control over key rotation, revocation, and audit trails, which ensures that PHI remains secure and compliant at every stage of its lifecycle.
What are Egress Perimeter Controls, and why are they important? Egress Perimeter Controls define exactly where your database can send data. By allowing only approved endpoints (e.g., internal APIs, storage buckets, monitoring systems), they block unauthorized data exfiltration attempts, making them an essential safeguard for regulated workloads.
Which industries benefit most from these new Azure capabilities? Financial services and healthcare organizations gain the most immediate advantages. These features enable applications like payment processing systems and patient record platforms to meet encryption, key management, and network security mandates required by PCI DSS and HIPAA. But, Security is important for all industries, as data breaches and cyberattacks can have devastating consequences, leading to financial losses, reputational damage, and erosion of customer trust.
Ready to learn more about how CockroachDB elevates enterprise security on Microsoft Azure? Visit here to talk to an expert.
Try CockroachDB Today
Spin up your first CockroachDB Cloud cluster in minutes. Start with $400 in free credits. Or get a free 30-day trial of CockroachDB Enterprise on self-hosted environments.
Biplav Saraf is Product Manager for Cockroach Labs.
Sanchit Khanna is Member of Technical Staff for Cockroach Labs.
