Limiting access to a CockroachDB cluster's nodes over the public internet is an important security practice and is also a compliance requirement for many organizations. Private clusters on CockroachDB Dedicated advanced help organizations to meet this objective.
By default, CockroachDB Cloud has safeguards in place to protect a cluster's data from the public internet. Ingress traffic to a cluster is routed through a load balancer, and inbound connections can be restricted using IP allowlisting combined with either AWS PrivateLink or GCP VPC peering, depending on your cloud provider. However, data egress operations such as exports, backups, and Change Data Capture (CDC) use public subnets.
On the other hand, a CockroachDB Dedicated advanced cluster is a private cluster: its nodes have no public IP addresses, and egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster.
In a private cluster, one private network exists per cluster region, and each node is connected to the private network for its region. A NAT gateway is connected to each private network and provides a static egress public IP address.
Egress traffic from the cluster nodes to S3 or Google Cloud Storage flows across the private subnet and through the cloud provider's private network. Egress traffic from the cluster nodes to all other external resources flows across the private subnet and through the NAT gateway.
This page shows how to create a private cluster.
Create a private cluster
On GCP, new CockroachDB Dedicated clusters are private by default. On AWS, new CockroachDB Dedicated advanced clusters are private by default.
An existing cluster can't be migrated in-place to a private cluster.
Limit inbound connections from egress operations
Egress traffic from a private cluster to non-cloud external resources always appears to come from the static IP addresses of the cluster's NAT gateway. To determine those IP addresses, initiate an egress operation such as a BACKUP on the cluster and observe the source addresses of the resulting connections at your non-cloud external resource. Note that a BACKUP to S3 or Google Cloud Storage will not reveal these addresses, because that traffic flows over the cloud provider's private network rather than through the NAT gateway; use a destination that is reached via the NAT gateway for this test. Cockroach Labs recommends that you allow connections to such resources only from those IP addresses.
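As an added worked example (not from the CockroachDB documentation or from Cockroach Labs), the following Python script carries out the procedure above against a constructed access log from a self-hosted, non-cloud backup target: it extracts the source addresses that wrote objects under the backup path during the test BACKUP's time window, renders them as /32 allow rules, and flags any later writer that is outside the allowlist. The log lines, addresses, path and the nftables-style rule syntax are assumptions for illustration; adapt the parser to whatever your endpoint or firewall actually logs.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample access log (combined log format) from a self-hosted backup
# target, e.g. an HTTP or S3-compatible endpoint, captured while a test BACKUP ran.
# All addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jan/2024:10:00:01 +0000] "PUT /backups/test/BACKUP_MANIFEST HTTP/1.1" 200 512
203.0.113.11 - - [02/Jan/2024:10:00:02 +0000] "PUT /backups/test/data/a.sst HTTP/1.1" 200 1048576
203.0.113.10 - - [02/Jan/2024:10:00:03 +0000] "PUT /backups/test/data/b.sst HTTP/1.1" 200 1048576
198.51.100.7 - - [02/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 120
203.0.113.11 - - [02/Jan/2024:09:30:00 +0000] "PUT /backups/old/data/z.sst HTTP/1.1" 200 42
"""

# Time window in which the test BACKUP was started and finished (assumed values).
WINDOW_START = datetime(2024, 1, 2, 10, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 1, 2, 10, 5, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": ipaddress.ip_address(m.group("ip")),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def discover_egress_ips(log_text, path_prefix, start, end):
    """Source IPs that wrote objects under path_prefix during the [start, end] window.

    Only write methods count: a BACKUP uploads objects, so PUT/POST requests are
    the signal. Reads to the same host and writes outside the window are ignored.
    """
    ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("PUT", "POST"):
            continue
        if not rec["path"].startswith(path_prefix):
            continue
        if start <= rec["ts"] <= end:
            ips.add(rec["ip"])
    return ips


def allowlist_rules(ips, port=443):
    """Render one /32 accept rule per discovered NAT address (nftables-style syntax, assumed)."""
    return [f"ip saddr {ip}/32 tcp dport {port} accept" for ip in sorted(ips)]


def unexpected_writers(log_text, path_prefix, allowed):
    """Writers to the backup path that are not in the allowlist.

    Once the target accepts only the NAT addresses, any other source writing here
    means the allowlist is wrong or something else is reaching the endpoint.
    """
    found = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("PUT", "POST"):
            continue
        if rec["path"].startswith(path_prefix) and rec["ip"] not in allowed:
            found.add(rec["ip"])
    return found


if __name__ == "__main__":
    nat_ips = discover_egress_ips(SAMPLE_LOG, "/backups/test/", WINDOW_START, WINDOW_END)
    for rule in allowlist_rules(nat_ips):
        print(rule)
```

Run the discovery against the log of the resource you are protecting while the test BACKUP runs, keep the window tight so that unrelated clients are not swept into the allowlist, and repeat the check after the rules are in place: the set of unexpected writers should then be empty.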
Limitations
- An existing cluster can't be migrated in-place to a private cluster. Instead, migrate the existing cluster's data to a new private cluster. Refer to Migrate Your Database to CockroachDB.
- Private clusters are not available with CockroachDB Serverless.