This feature is in preview and is only available to enrolled organizations. To enroll your organization in the preview, contact your Cockroach Labs account team. This feature is subject to change.
Limiting access to a CockroachDB cluster's nodes over the public internet is an important security practice and is also a compliance requirement for many organizations. CockroachDB dedicated private clusters allow organizations to meet this objective.
By default, CockroachDB Cloud has safeguards in place to protect a cluster's data from the public internet. Ingress traffic to a cluster is routed through a load balancer, and inbound connections can be restricted using IP allowlisting combined with either AWS PrivateLink or GCP VPC peering, depending on your cloud provider. However, data egress operations such as exports, backups, and Change Data Capture (CDC) use public subnets.
On the other hand, a private CockroachDB dedicated cluster's nodes have no public IP addresses, and egress traffic moves over private subnets and through a highly available NAT gateway that is unique to the cluster. This page explains what happens when you create a private cluster.
Create a private cluster
To be enrolled in the preview and deploy a new private cluster on AWS or GCP, contact your account team.
After your organization is enrolled in the preview:
- By default, newly-created CockroachDB dedicated clusters deployed on GCP will be private clusters.
- By default, newly-created CockroachDB dedicated clusters deployed on AWS will not be private clusters. To create a private cluster on AWS, you can specify a special field using the CockroachDB Cloud API. Contact your account team for details.
- An existing cluster can't be migrated in-place to a private cluster.
When you create a private cluster:
- One private subnet is created per requested region.
- Each node is connected to the regional private subnet.
- A highly available NAT gateway is created with static egress public IP addresses. For private clusters deployed on AWS, the NAT gateways are created in three separate availability zones to mitigate the risk of an availability zone outage.
- All egress traffic from the cluster nodes to non-cloud external resources is sent across the private subnet and through the NAT gateway to reach its destination.
- All egress traffic from the cluster nodes to S3 (for private clusters on AWS) or Google Cloud Storage (for private clusters on GCP) is sent across the private subnet and through the private network for the relevant cloud provider (S3 Gateway endpoints on AWS and Private Google Access on GCP).
Limit inbound connections from egress operations
Egress traffic from a private cluster to non-cloud external resources will always appear to come from the static IP addresses that comprise the cluster's NAT gateway. To determine the NAT gateway's IP addresses, you can initiate an egress operation such as a BACKUP operation on the cluster and observe the source addresses of the resulting connections to your non-cloud external resources. Cockroach Labs recommends that you allow connections to such resources only from those IP addresses.
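One way to carry out the observation step above, as an added example that is not part of the CockroachDB documentation: given a constructed access log from the external backup target, the script keeps only requests to the backup's destination path within the BACKUP run's time window, collects the distinct source addresses (the NAT gateway's static IPs), and renders them as /32 allowlist entries. The log format, the path prefix and the time window are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample access log from the external backup target ("timestamp
# source_ip method path"); documentation addresses, not real NAT gateway IPs.
SAMPLE_LOG = """\
2024-05-01T10:00:02Z 198.51.100.10 PUT /crdb-backups/2024/05/01-100000.00/BACKUP_MANIFEST
2024-05-01T10:00:03Z 198.51.100.11 PUT /crdb-backups/2024/05/01-100000.00/data/1.sst
2024-05-01T10:00:05Z 203.0.113.7 GET /app/index.html
2024-05-01T10:00:09Z 198.51.100.12 PUT /crdb-backups/2024/05/01-100000.00/data/2.sst
2024-05-01T10:00:12Z 198.51.100.10 PUT /crdb-backups/2024/05/01-100000.00/data/3.sst
2024-05-01T11:30:00Z 192.0.2.99 PUT /crdb-backups/old/data/9.sst
"""
# Start and end of the observed BACKUP run (hypothetical window).
BACKUP_WINDOW = (datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc),
                 datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc))
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Parse a log line into (timestamp, ip, path); return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(m.group(2))
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc), ip, m.group(4)

def egress_addresses(log_text, backup_prefix, window_start, window_end):
    """Distinct source IPs of requests under backup_prefix during the window.
    For a private cluster these are the NAT gateway's static addresses (several on AWS)."""
    seen = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        if window_start <= ts <= window_end and path.startswith(backup_prefix):
            seen.add(ip)
    return seen

def to_allowlist(addrs):
    """Render the observed addresses as /32 entries for the resource's firewall."""
    return [f"{ip}/32" for ip in sorted(addrs)]

def sample_allowlist():
    return to_allowlist(egress_addresses(SAMPLE_LOG, "/crdb-backups/2024/", *BACKUP_WINDOW))
```

Unrelated clients hitting the same endpoint (the `/app/` request in the sample) are excluded by the path filter, and the earlier backup outside the window is excluded by the time filter.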
- An existing cluster can't be migrated in-place to a private cluster. Instead, migrate the existing cluster's data to a new private cluster. Refer to Migrate Your Database to CockroachDB.
- Private clusters are not available with CockroachDB serverless.