Network Authorization for CockroachDB Cloud Clusters


To prevent denial-of-service attacks, brute force password attacks, and other forms of malicious activity, Cockroach Labs recommends restricting your network to allow access only from specific IP address ranges controlled by your organization. These might include specific networks for your application deployments, hardened administrator access points, or disaster recovery pipelines.

This page describes these options and how they help to protect CockroachDB Dedicated and CockroachDB Serverless clusters.

Options for controlling network access

You can authorize network access to your cluster by:

Note:

VPC Peering and AWS PrivateLink in CockroachDB Dedicated clusters do not support connecting to a Kafka sink's internal IP addresses for changefeeds. To connect to a Kafka sink from CockroachDB Dedicated, it is necessary to expose the Kafka cluster's external IP address and open ports with firewall rules to allow access from a CockroachDB Dedicated cluster.

Prerequisite: Either the Cluster Operator or Cluster Administrator role on a pre-existing cluster, or the Cluster Creator role in order to create a new cluster.

Use GCP VPC Peering or AWS PrivateLink if:

  • You need to allowlist more defined IP address ranges than the default maximum.
  • Your servers’ IP addresses are not static.
  • You want to avoid exposing your cluster to the public internet.

Learn more about Private Clusters (Preview), which offer enhanced cluster security. A private cluster's nodes have no public IP addresses.

Note:

Neither Azure Private Link nor private clusters are available for CockroachDB Dedicated on Azure.

Cluster default network configuration

CockroachDB Dedicated and Serverless clusters differ in their default network configuration:

  • On creation, a Serverless cluster is open to all traffic as it is created with a 0.0.0.0/0 IP allowlist entry.
  • On creation, a Dedicated cluster is "locked down" and has no access until an authorized network is created.

CockroachDB Cloud clusters can only accept SQL connections from allowed IP addresses.

IP allowlisting

Authorized network access can be managed from the CockroachDB Cloud console Network Authorization page at:

https://cockroachlabs.cloud/cluster/{ your cluster UUID }/networking

Serverless and Dedicated clusters support different maximum numbers of IP allowlist rules:

Cluster Type               IP allowlist rule max
-------------------------  ---------------------
Dedicated (AWS)            7
Dedicated (GCP and Azure)  200
Serverless                 50

If you need to add more than the maximum number of allowlist rules, contact Support.

Note:

While developing and testing your application, you may add 0.0.0.0/0 to the allowlist, which allows all networks. However, before moving into production, make sure you delete the 0.0.0.0/0 network.

If your application servers’ IP addresses are not static, or you want to limit your cluster's exposure to the public network, you can connect to your CockroachDB Dedicated clusters using VPC Peering or AWS PrivateLink instead.
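The following is an added example, not code from the CockroachDB documentation or product: a pre-deployment audit of a proposed IP allowlist that enforces the points above (valid CIDR entries, the per-cluster-type rule maximum from the table, and no 0.0.0.0/0 entry in production) and flags entries already covered by a wider one. The cluster-type keys and the sample rules are constructed for the example; the rule maximums are the ones stated on this page.

```python
import ipaddress
from dataclasses import dataclass, field

# Per-cluster-type maximum number of IP allowlist rules, as given on this page.
# The key names are this example's own convention, not a CockroachDB identifier.
RULE_MAX = {
    "dedicated-aws": 7,
    "dedicated-gcp": 200,
    "dedicated-azure": 200,
    "serverless": 50,
}

ALLOW_ALL = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AuditResult:
    ok: bool
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def audit_allowlist(cluster_type, rules, production):
    """Check a proposed IP allowlist before it is applied to a cluster.

    - every entry must be a valid IPv4 CIDR with no host bits set
    - 0.0.0.0/0 is an error for a production cluster and a warning otherwise
    - the number of rules must not exceed the cluster type's maximum
    - entries fully contained in another entry are reported as redundant
    """
    result = AuditResult(ok=True)
    if cluster_type not in RULE_MAX:
        result.errors.append(f"unknown cluster type {cluster_type!r}")
        result.ok = False
        return result

    networks = []
    for raw in rules:
        try:
            # strict=True rejects entries such as 198.51.100.1/24 (host bits set),
            # which usually mean the operator typed an address instead of a range.
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            result.errors.append(f"{raw}: {exc}")
            continue
        if net.version != 4:
            result.errors.append(f"{raw}: only IPv4 ranges are handled in this example")
            continue
        networks.append(net)

    if ALLOW_ALL in networks:
        msg = "0.0.0.0/0 allows every network; remove it before moving into production"
        (result.errors if production else result.warnings).append(msg)

    limit = RULE_MAX[cluster_type]
    if len(rules) > limit:
        result.errors.append(
            f"{len(rules)} rules exceed the {cluster_type} maximum of {limit}; contact Support"
        )

    # A narrower range inside a wider one adds nothing but uses up a rule slot.
    for net in networks:
        for other in networks:
            if net != other and net.subnet_of(other):
                result.warnings.append(f"{net} is already covered by {other}")

    result.ok = not result.errors
    return result


if __name__ == "__main__":
    # Constructed sample allowlist for a Dedicated (AWS) cluster about to go live.
    sample_rules = ["0.0.0.0/0", "203.0.113.0/24", "203.0.113.8/29", "198.51.100.1/24"]
    report = audit_allowlist("dedicated-aws", sample_rules, production=True)
    print("ok:", report.ok)
    for line in report.errors:
        print("ERROR:", line)
    for line in report.warnings:
        print("WARN: ", line)
```

Run the audit as a gate in whatever pipeline applies allowlist changes: a non-empty `errors` list should block the change, and `warnings` can be surfaced for cleanup, which matters most on Dedicated (AWS) where only seven rules are available.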

Refer to:

VPC peering

If you select GCP as your cloud provider while creating your CockroachDB Dedicated cluster, you can use Google Cloud's VPC Network Peering feature to connect your GCP application directly to your CockroachDB Dedicated cluster using internal IP addresses, thus limiting exposure to the public network and reducing network latency.

GKE users should note that we recommend deploying your application to a VPC-native cluster that uses alias IP addresses. If you are connecting from a routes-based GKE cluster instead, you will have to export custom routes. CockroachDB Cloud will import your custom routes by default.

Setting up a VPC peering connection between your CockroachDB Dedicated cluster and GCP application is a two-part process:

  1. Configure the IP range and size while creating the CockroachDB Dedicated cluster
  2. Establish a VPC Peering connection after creating the cluster

Note:

Self-service VPC peering setup is not supported for CockroachDB Dedicated clusters deployed before March 5, 2020. If your cluster was deployed before March 5, 2020, you will have to create a new cluster with VPC peering enabled, then export your data from the old cluster to the new cluster. If your cluster was deployed on or after March 5, 2020, it will be locked into CockroachDB Dedicated's default IP range (172.28.0.0/14) unless you explicitly configured a different IP range during cluster creation.
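Because the cluster's IP range is fixed at creation time (the default 172.28.0.0/14 unless you choose otherwise), it is worth checking it against your application VPC before creating the cluster. The following is an added example, not code from the CockroachDB documentation or product; it assumes the general VPC Network Peering requirement that peered networks must not have overlapping subnet ranges, and that the cluster range should come from RFC 1918 private space. The application subnets are constructed sample input.

```python
import ipaddress

# Default CockroachDB Dedicated IP range as stated on this page.
DEFAULT_CLUSTER_RANGE = "172.28.0.0/14"

# RFC 1918 private address space.
PRIVATE_RANGES = [
    ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def peering_conflicts(cluster_range, app_subnets):
    """Return a list of problems that would block or break VPC peering.

    cluster_range: the IP range planned for the CockroachDB Dedicated cluster
    app_subnets:   the subnet ranges already used by the application VPC
    """
    cluster = ipaddress.ip_network(cluster_range, strict=True)
    problems = []

    if not any(cluster.subnet_of(private) for private in PRIVATE_RANGES):
        problems.append(f"{cluster} is not within an RFC 1918 private range")

    for raw in app_subnets:
        subnet = ipaddress.ip_network(raw, strict=True)
        # Peering is rejected when subnet ranges on either side overlap, so this
        # is the check to run before the cluster (and its range) is created.
        if cluster.overlaps(subnet):
            problems.append(f"{cluster} overlaps application subnet {subnet}")

    return problems


if __name__ == "__main__":
    # Constructed sample: an application VPC already using part of 172.28.0.0/14.
    app_vpc = ["10.10.0.0/16", "172.30.0.0/16"]
    for problem in peering_conflicts(DEFAULT_CLUSTER_RANGE, app_vpc):
        print("CONFLICT:", problem)
    # A non-overlapping choice for the same VPC.
    print("10.200.0.0/16 conflicts:", peering_conflicts("10.200.0.0/16", app_vpc))
```

If the default range conflicts with your VPC, pick a different range during cluster creation; once the cluster exists the range cannot be changed without creating a new cluster, as the note above describes.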

If your cloud provider is AWS, you can use AWS PrivateLink to securely connect your AWS application with your CockroachDB Dedicated or multi-region CockroachDB Serverless clusters using private endpoints. Like VPC Peering, a PrivateLink connection will prevent your traffic from being exposed to the public internet and reduce network latency.

Refer to:

  • Managing AWS PrivateLink for a CockroachDB Dedicated Cluster
  • Managing AWS PrivateLink for a multi-region CockroachDB Serverless Cluster

DB Console

The DB Console provides details about your cluster and database configuration, and helps you optimize cluster performance.

Note:

Users must have the Cluster Developer, Cluster Operator, Cluster Admin, or Cluster Creator role on a specific cluster to access its DB Console. Refer to Organization user roles.

For information on functionality, refer to: DB Console Overview.

To access the DB Console, you must first authorize your current IP address:

  1. Visit your Dedicated cluster's IP allowlist page:

    https://cockroachlabs.cloud/cluster/{ your cluster UUID }/networking/allowlist
    
  2. Click Add Network.

  3. Add your Current Network:

    1. Give it a Name indicating its use for DB Console access from your current location.
    2. Under Allow this network to access, select DB Console to monitor the cluster.
    3. Click Apply.

Warning:

When you have finished your work with the DB Console, it is recommended to remove your authorized network from the allowlist, in the interest of the general best practice of restricting network access as much as possible.

Remove an authorized network by selecting Delete from the Action dropdown in its row on the allowlist page.

To access your cluster's DB Console:

  1. Navigate to your CockroachDB Dedicated cluster's Tools page in the Monitoring section of the CockroachDB Cloud Console.

  2. Click Open DB Console. Your browser will attempt to access the DB console in a new tab.

You can also access the DB Console by navigating to https://admin-{cluster-name}crdb.io:8080/#/metrics/overview/cluster. Replace the {cluster-name} placeholder with the name of your cluster.

(Optional) To find the IP addresses for your cluster's DB Console, perform DNS lookup on the DB Console URL that opens in the browser. These IP addresses are static for the lifecycle of the cluster.

dig examplary-dedicated-clusterberry-77tq.cockroachlabs.cloud | grep -A3 'ANSWER SECTION'
;; ANSWER SECTION:
examplary-dedicated-clusterberry-77tq.cockroachlabs.cloud. 300 IN A 35.245.55.160
examplary-dedicated-clusterberry-77tq.cockroachlabs.cloud. 300 IN A 34.129.61.133
examplary-dedicated-clusterberry-77tq.cockroachlabs.cloud. 300 IN A 34.117.21.266
