This page shows you how to manually deploy a secure multi-node CockroachDB cluster on Google Cloud Platform’s Compute Engine (GCE), using Google’s managed load balancing service to distribute client traffic.

If you are only testing CockroachDB, or you are not concerned with protecting network communication with TLS encryption, you can use an insecure cluster instead. Select Insecure above for instructions.

Requirements

  • Locally, you must have CockroachDB installed, which you’ll use to generate and manage your deployment’s certificates.

  • In GCE, you must have SSH access to each machine with root or sudo privileges. This is necessary for distributing binaries and starting CockroachDB.

Recommendations

Decide how you want to access your Admin UI:

  • Only from specific IP addresses, which requires you to set firewall rules to allow communication on port 8080 (documented on this page).
  • Using an SSH tunnel, which requires you to use --http-host=localhost when starting your nodes.

For guidance on cluster topology, clock synchronization, and file descriptor limits, see Recommended Production Settings.

Step 1. Configure your network

CockroachDB requires TCP communication on two ports:

  • 26257 (tcp:26257) for inter-node communication (i.e., working as a cluster), for applications to connect to the load balancer, and for routing from the load balancer to nodes
  • 8080 (tcp:8080) for exposing your Admin UI

Inter-node and load balancer-node communication works by default using your GCE instances’ internal IP addresses, which allow communication with other instances on CockroachDB’s default port 26257. However, to accept data from applications external to GCE and expose your admin UI, you need to create firewall rules for your project.

Creating Firewall Rules

When creating firewall rules, we recommend using Google Cloud Platform’s tag feature, which lets you specify that you want to apply the rule only to instance that include the same tag.

Admin UI

Field Recommended Value
Name cockroachadmin
Source filter IP ranges
Source IP ranges Your local network’s IP ranges
Allowed protocols… tcp:8080
Target tags cockroachdb

Application Data

If your application is also hosted on GCE, you won't need to create a firewall rule for your application to communicate with your load balancer.
Field Recommended Value
Name cockroachapp
Source filter IP ranges
Source IP ranges Your application’s IP ranges
Allowed protocols… tcp:26257
Target tags cockroachdb

Step 2. Create instances

Create an instance for each node you plan to have in your cluster. We recommend:

  • Running at least 3 nodes to ensure survivability.
  • Selecting the same continent for all of your instances for best performance.

If you used a tag for your firewall rules, when you create the instance, select Management, disk, networking, SSH keys. Then on the Management tab, in the Tags field, enter cockroachdb.

Step 3. Set up load balancing

Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it’s important to use TCP load balancing:

  • Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second).

  • Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes.

GCE offers fully-managed TCP load balancing to distribute traffic between instances. To configure TCP load balancing in the GCE Console:

  1. Go to Networking > Load balancing.
  2. Click Create Load Balancer.
  3. Under TCP Load Balancing, click Start configuration.
  4. Specify that traffic will be From Internet to my VMs, and select No (TCP) for connection termination.
  5. Enter a name for the TCP load balancer.
  6. For Backend configuration, select your instances and their region. Also, if you create a health check, use the HTTP protocol, port 8080, and the /health request path.
  7. For Frontend configuration, use a static IP address with port 26257.
  8. Save the load balancer and note the provisioned frontend IP address. You’ll use this later to test load balancing and to connect your application to the cluster.
If you would prefer to use HAProxy instead of GCE's managed load balancing, see Manual Deployment for guidance.

Step 4. Generate certificates

Locally, you’ll need to create the following certificates and keys:

  • A certificate authority (CA) key pair (ca.crt and ca.key)
  • A client key pair for the root user
  • A node key pair for each node, issued to its IP addresses and any common names the machine uses, as well as to the IP address provisioned for the GCE load balancer
Before beginning, it's useful to collect each of your machine's internal and external IP addresses, as well as any server names you want to issue certificates for.
  1. Create a certs directory and a safe directory to keep your CA key:

    $ mkdir certs
    $ mkdir my-safe-directory
    
  2. Create the CA key pair:

    $ cockroach cert create-ca \
    --certs-dir=certs \
    --ca-key=my-safe-directory/ca.key
    
  3. Create a client key pair for the root user:

    $ cockroach cert create-client \
    root \
    --certs-dir=certs \
    --ca-key=my-safe-directory/ca.key
    
  4. Create the certificate and key for the first node, issued to all common names you might use to refer to the node as well as to addresses provisioned for the GCE load balancer:

    • <node1 internal IP address> which is the instance’s Internal IP.
    • <node1 external IP address> which is the instance’s External IP address.
    • <node1 hostname> which is the instance’s Name.
    • <other common names for node1> which include any domain names you point to the instance.
    • localhost and 127.0.0.1
    • <load balancer IP address>
    • <load balancer hostname>
    $ cockroach cert create-node \
    <node1 internal IP address> \
    <node1 external IP address> \
    <node1 hostname>  \
    <other common names for node1> \
    localhost \
    127.0.0.1 \
    <load balancer IP address> \
    <load balancer hostname> \
    --certs-dir=certs \
    --ca-key=my-safe-directory/ca.key
    
  5. Upload the certificates to the first node:

    # Create the certs directory:
    $ ssh <username>@<node1 external IP address> "mkdir certs"
    
    # Upload the CA certificate, client (root) certificate and key, and node certificate and key:
    $ scp certs/ca.crt \
    certs/client.root.crt \
    certs/client.root.key \
    certs/node.crt \
    certs/node.key \
    <username>@<node1 external IP address>:~/certs
    
  6. Create the certificate and key for the second node, using the --overwrite flag to replace the files created for the first node:

    $ cockroach cert create-node --overwrite\
    <node2 internal IP address> \
    <node2 external IP address> \
    <node2 hostname>  \
    <other common names for node2> \
    localhost \
    127.0.0.1 \
    <load balancer IP address> \
    <load balancer hostname> \
    --certs-dir=certs \
    --ca-key=my-safe-directory/ca.key
    
  7. Upload the certificates to the second node:

    # Create the certs directory:
    $ ssh <username>@<node2 external IP address> "mkdir certs"
    
    # Upload the CA certificate, client (root) certificate and key, and node certificate and key:
    $ scp certs/ca.crt \
    certs/client.root.crt \
    certs/client.root.key \
    certs/node.crt \
    certs/node.key \
    <username>@<node2 external IP address>:~/certs
    
  8. Repeat steps 6 and 7 for each additional node.

Step 5. Start the first node

  1. SSH to your instance:

    $ ssh <username>@<node1 external IP address>
    
  2. Install the latest CockroachDB binary:

    # Get the latest CockroachDB tarball.
    $ wget https://binaries.cockroachdb.com/cockroach-latest.linux-amd64.tgz
    
    # Extract the binary.
    $ tar -xf cockroach-latest.linux-amd64.tgz  \
    --strip=1 cockroach-latest.linux-amd64/cockroach
    
    # Move the binary.
    $ sudo mv cockroach /usr/local/bin
    
  3. Start a new CockroachDB cluster with a single node, specifying the location of certificates and the address at which other nodes can reach it:

    $ cockroach start --background \
    --certs-dir=certs
    

Step 6. Add nodes to the cluster

At this point, your cluster is live and operational but contains only a single node. Next, scale your cluster by setting up additional nodes that will join the cluster.

  1. SSH to your instance:

    $ ssh <username>@<additional node external IP address>
    
  2. Install the latest CockroachDB binary:

    # Get the latest CockroachDB tarball.
    $ wget https://binaries.cockroachdb.com/cockroach-latest.linux-amd64.tgz
    
    # Extract the binary.
    $ tar -xf cockroach-latest.linux-amd64.tgz  \
    --strip=1 cockroach-latest.linux-amd64/cockroach
    
    # Move the binary.
    $ sudo mv cockroach /usr/local/bin
    
  3. Start a new node that joins the cluster using the first node’s internal IP address:

    $ cockroach start --background  \
    --certs-dir=certs \
    --join=<node1 internal IP address>:26257
    
  4. Repeat these steps for each instance you want to use as a node.

Step 7. Test your cluster

CockroachDB replicates and distributes data for you behind-the-scenes and uses a Gossip protocol to enable each node to locate data across the cluster.

To test this, use the built-in SQL client as follows:

  1. SSH to your first node:

    $ ssh <username>@<node1 external IP address>
    
  2. Launch the built-in SQL client and create a database:

    $ cockroach sql \
    --certs-dir=certs
    
    > CREATE DATABASE securenodetest;
    
  3. In another terminal window, SSH to another node:

    $ ssh <username>@<node3 external IP address>
    
  4. Launch the built-in SQL client:

    $ cockroach sql \
    --certs-dir=certs
    
  5. View the cluster’s databases, which will include securenodetest:

    > SHOW DATABASES;
    
    +--------------------+
    |      Database      |
    +--------------------+
    | crdb_internal      |
    | information_schema |
    | securenodetest     |
    | pg_catalog         |
    | system             |
    +--------------------+
    (5 rows)
    
  6. Use CTRL + D, CTRL + C, or \q to exit the SQL shell.

Step 8. Test load balancing

The GCE load balancer created in step 3 can serve as the client gateway to the cluster. Instead of connecting directly to a CockroachDB node, clients can connect to the load balancer, which will then redirect the connection to a CockroachDB node.

To test this, use the built-in SQL client locally as follows:

  1. On your local machine, launch the built-in SQL client, with the --host flag set to the load balancer’s IP address and security flags pointing to the CA cert and the client cert and key:

    $ cockroach sql \
    --certs-dir=certs \
    --host=<load balancer IP address>
    
  2. View the cluster’s databases:

    > SHOW DATABASES;
    
    +--------------------+
    |      Database      |
    +--------------------+
    | crdb_internal      |
    | information_schema |
    | securenodetest     |
    | pg_catalog         |
    | system             |
    +--------------------+
    (5 rows)
    

    As you can see, the load balancer redirected the query to one of the CockroachDB nodes.

  3. Check which node you were redirected to:

    > SELECT node_id FROM crdb_internal.node_build_info LIMIT 1;
    
    +---------+
    | node_id |
    +---------+
    |       3 |
    +---------+
    (1 row)
    
  4. Use CTRL + D, CTRL + C, or \q to exit the SQL shell.

Step 9. Monitor the cluster

View your cluster’s Admin UI by going to https://<any node's external IP address>:8080.

Note that your browser will consider the CockroachDB-created certificate invalid; you’ll need to click through a warning message to get to the UI.

On this page, verify that the cluster is running as expected:

  1. Click View nodes list on the right to ensure that all of your nodes successfully joined the cluster.

  2. Click the Databases tab on the left to verify that securenodetest is listed.

You can also use Prometheus and other third-party, open source tools to monitor and visualize cluster metrics and send notifications based on specified rules. For more details, see Monitor CockroachDB with Prometheus.

Step 10. Use the database

Now that your deployment is working, you can:

  1. Implement your data model.
  2. Create users and grant them privileges.
  3. Connect your application. Be sure to connect your application to the GCE load balancer, not to a CockroachDB node.

See Also



Yes No