Limiting access to a CockroachDB cluster's nodes over the public internet is an important security practice and is also a compliance requirement for many organizations. CockroachDB Dedicated private clusters allow organizations to meet this objective.
By default, CockroachDB Cloud has safeguards in place to protect a cluster's data from the public internet. Ingress traffic to a cluster is routed through a load balancer, and you can restrict inbound connections using IP allowlisting together with either AWS PrivateLink or GCP VPC peering, depending on your cloud provider. However, data egress operations such as exports, backups, and Change Data Capture (CDC) use public subnets.
On the other hand, a private cluster's nodes have no public IP addresses, and egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster.
One private network exists per cluster region, and each node is connected to the private network for its region. A NAT gateway is connected to each private network and provides a static egress public IP address.
Egress traffic from the cluster nodes to S3 or Google Cloud Storage flows across the private subnet and through the cloud provider's private network. Egress traffic from the cluster nodes to all other external resources flows across the private subnet and through the NAT gateway.
This page shows how to create a private cluster.
Create a private cluster
To create a private cluster, you must use the CockroachDB Cloud API or CockroachDB's Terraform provider. When you create a private cluster using the Terraform provider, you set its `private_network_visibility` field to `true`. The provider in turn uses the Cloud API to set the cluster's `network_visibility` field to `NETWORK_VISIBILITY_PRIVATE`.
An existing cluster can't be migrated in-place to a private cluster.
On GCP, new CockroachDB Dedicated clusters are private by default. On AWS, new CockroachDB Dedicated clusters are not private by default, so you must set the field explicitly when you create the cluster.
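The following is an added example, not code from the CockroachDB documentation or from Cockroach Labs, showing how to create a Dedicated cluster through the Cloud API with `network_visibility` set to `NETWORK_VISIBILITY_PRIVATE` from the start, and then verify the visibility on the cluster object the API returns rather than assuming it. It assumes the request-body field names (`spec.dedicated.region_nodes`, `hardware.machine_spec.machine_type`, `hardware.storage_gib`, `network_visibility`) and the `network_visibility` field on the returned cluster object as documented for the Cloud API at the time of writing; check them against the current API reference before use. The API key, cluster name, region and hardware values are placeholders.

```python
import json
import os
import urllib.request

# Assumed endpoint and enum value; confirm against the current Cloud API reference.
API_BASE = "https://cockroachlabs.cloud/api/v1"
PRIVATE = "NETWORK_VISIBILITY_PRIVATE"


def private_cluster_request(name, provider, region_nodes, machine_type, storage_gib):
    """Build the CreateCluster request body for a Dedicated cluster that is
    private from creation. Field names are an assumption based on the Cloud
    API documentation (a cluster cannot be made private after the fact)."""
    if provider not in ("AWS", "GCP"):
        raise ValueError("provider must be AWS or GCP")
    return {
        "name": name,
        "provider": provider,
        "spec": {
            "dedicated": {
                "region_nodes": dict(region_nodes),   # e.g. {"us-east-1": 3}
                "hardware": {
                    "machine_spec": {"machine_type": machine_type},
                    "storage_gib": storage_gib,
                },
                # This is the field the Terraform provider sets for you when
                # private_network_visibility = true. On AWS it is not the default.
                "network_visibility": PRIVATE,
            }
        },
    }


def is_private(cluster):
    """Fail closed: only a cluster object that explicitly reports private
    visibility counts. A missing field (older API version, Serverless cluster,
    unexpected response shape) is treated as not private."""
    return cluster.get("network_visibility") == PRIVATE


def _call(method, path, api_key, body=None):
    """Minimal authenticated JSON call to the Cloud API."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + api_key)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_private_cluster(api_key, body):
    """Create the cluster, then re-read it and refuse to continue unless the
    cluster object reports private visibility. Provisioning continues in the
    background; the visibility setting is fixed at creation time."""
    created = _call("POST", "/clusters", api_key, body)
    cluster = _call("GET", "/clusters/" + created["id"], api_key)
    if not is_private(cluster):
        raise RuntimeError(
            "cluster %s was created with network_visibility=%r, not %s; "
            "delete it and recreate, it cannot be migrated in place"
            % (cluster.get("id"), cluster.get("network_visibility"), PRIVATE)
        )
    return cluster


if __name__ == "__main__":
    # Placeholder values; the API key comes from the environment, never from code.
    body = private_cluster_request(
        name="orders-private",
        provider="AWS",
        region_nodes={"us-east-1": 3},
        machine_type="m5.large",
        storage_gib=15,
    )
    cluster = create_private_cluster(os.environ["CC_API_KEY"], body)
    print(cluster["id"], cluster["network_visibility"])
```

The `is_private` check is deliberately strict: because an existing cluster cannot be converted to private later, a script that silently proceeds with a public cluster on AWS would leave you with a cluster you have to tear down and rebuild.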
Limit inbound connections from egress operations
Egress traffic from a private cluster to non-cloud external resources will always appear to come from the static IP addresses of the cluster's NAT gateway (one per cluster region, so a multi-region cluster has several). To determine the NAT gateway's IP addresses, initiate an egress operation such as an `EXPORT` or `BACKUP` on the cluster and observe the source addresses of the resulting connections to your non-cloud external resources. Cockroach Labs recommends that you allow connections to such resources only from those IP addresses.
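The following is an added example, not code from the CockroachDB documentation, of the observation step above: it parses the access log of a self-hosted HTTP endpoint that received a test `EXPORT`, keeps only successful requests under the export path used for the test, and turns the distinct source addresses into a /32 allowlist that later connections can be checked against. The log lines are constructed for the example (nginx "combined" format, with RFC 5737 documentation addresses standing in for the NAT gateway IPs); the export path prefix is an assumed value you would replace with the destination you used.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log from the export destination. Two NAT gateway
# addresses (one per region of a two-region cluster), an unrelated browser hit,
# and an unexpected PUT from elsewhere that must not be allowlisted.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "PUT /exports/orders/n1.0.csv HTTP/1.1" 201 0 "-" "Go-http-client/1.1"
203.0.113.11 - - [12/Mar/2024:10:01:03 +0000] "PUT /exports/orders/n2.0.csv HTTP/1.1" 201 0 "-" "Go-http-client/1.1"
203.0.113.10 - - [12/Mar/2024:10:01:05 +0000] "PUT /exports/orders/n3.0.csv HTTP/1.1" 201 0 "-" "Go-http-client/1.1"
198.51.100.7 - - [12/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:10:03:00 +0000] "PUT /exports/orders/evil.csv HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# nginx "combined" format: client, ident, user, [time], "METHOD PATH PROTO", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def egress_sources(log_text, path_prefix, methods=("PUT",)):
    """Return a Counter of source IPs that successfully wrote under path_prefix.
    Only 2xx responses to the expected write method count, so unrelated traffic
    hitting the same host during the test window is not allowlisted by accident.
    Malformed lines and unparseable addresses are skipped."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["method"] not in methods or not m["path"].startswith(path_prefix):
            continue
        if not m["status"].startswith("2"):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        seen[str(ip)] += 1
    return seen


def allowlist_cidrs(ips):
    """Turn the observed NAT gateway addresses into host-route CIDRs, sorted
    numerically, ready to paste into a firewall or security-group rule."""
    return [str(ipaddress.ip_network(ip)) for ip in sorted(ips, key=ipaddress.ip_address)]


def is_allowed(client_ip, cidrs):
    """Check a later inbound connection against the allowlist."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    sources = egress_sources(SAMPLE_ACCESS_LOG, "/exports/orders/")
    for ip, n in sources.most_common():
        print(f"{ip}\t{n} request(s)")
    cidrs = allowlist_cidrs(sources)
    print("allow from:", ", ".join(cidrs))
    print("192.0.2.55 allowed?", is_allowed("192.0.2.55", cidrs))
```

Run the discovery against a dedicated path and time window so the only successful writers are the cluster's own export workers; the request counts per address are worth eyeballing, since a single-request source during the window is more likely stray traffic than a NAT gateway. Note that this covers non-cloud destinations only: egress to S3 or Google Cloud Storage goes over the provider's private network and does not pass through the NAT gateway.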
What's next?
Limitations
- An existing cluster can't be migrated in-place to a private cluster. Instead, migrate the existing cluster's data to a new private cluster. Refer to Migrate Your Database to CockroachDB.
- Private clusters are not available with CockroachDB Serverless.