Network Authorization for CockroachDB Cloud Clusters


CockroachDB Dedicated allows explicit configurations of the networks that can access your cluster.

To prevent denial-of-service attacks, brute force password attacks, and other forms of malicious activity, Cockroach Labs recommends restricting your network to allow access only from specific IP address ranges controlled by your organization. These might include specific networks for your application deployments, hardened administrator access points, or disaster recovery pipelines.

Options for controlling network access

You can authorize network access to your cluster by:

Prerequisite: Either the Cluster Operator or Cluster Administrator role on a pre-existing cluster, or the Cluster Creator role in order to create a new cluster.

Tip:

Use private connectivity (GCP VPC Peering or AWS PrivateLink) if:

  • You need to allowlist more IP address ranges than the allowlist maximum permits (20 for Dedicated clusters and 50 for Serverless).
  • Your servers’ IP addresses are not static.
  • You want to avoid exposing your cluster to the public internet.

Learn more about Private Clusters (Preview), which offer enhanced cluster security. A private cluster's nodes have no public IP addresses.

Note:

During limited access, neither Azure Private Link nor private clusters are available for CockroachDB Dedicated clusters on Azure. Refer to CockroachDB Dedicated on Azure.

Cluster default network configuration

CockroachDB Dedicated and Serverless clusters differ in their default network configuration:

  • On creation, a Serverless cluster is open to all traffic as it is created with a 0.0.0.0/0 IP allowlist entry.
  • On creation, a Dedicated cluster is "locked down" and has no access until an authorized network is created.

CockroachDB Cloud clusters can only accept SQL connections from allowed IP addresses.

IP allowlisting

Authorized network access can be managed from the CockroachDB Cloud console Network Authorization page at:

https://cockroachlabs.cloud/cluster/{your cluster UUID}/networking

Serverless and Dedicated clusters support different maximum numbers of IP allowlist rules:

Cluster Type   IP allowlist rule max
Dedicated      20
Serverless     50

Note:

While developing and testing your application, you may add 0.0.0.0/0 to the allowlist, which allows all networks. However, before moving into production, make sure you delete the 0.0.0.0/0 network.

If your application servers’ IP addresses are not static, or you want to limit your cluster's exposure to the public network, you can connect to your CockroachDB Dedicated clusters using VPC Peering or AWS PrivateLink instead.
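As an added example (not code from the CockroachDB documentation), a small Python audit of a proposed allowlist before it is entered in the console: it enforces the per-type maximums from the table above, flags the 0.0.0.0/0 entry the note warns about, and reports entries that a broader entry already covers. The cluster type names and the (level, message) finding format are assumptions of this example.

```python
import ipaddress

# Per-cluster-type maximum number of allowlist rules, as stated on this page.
ALLOWLIST_MAX = {"dedicated": 20, "serverless": 50}


def audit_allowlist(cluster_type, entries, production=True):
    """Return a list of (level, message) findings for a proposed IP allowlist.

    cluster_type: "dedicated" or "serverless" (assumed labels for this example)
    entries:      CIDR strings as they would be entered in the console
    production:   when True, an allow-all entry (0.0.0.0/0 or ::/0) is an error;
                  during development it is only reported as a warning
    """
    findings = []
    networks = []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(("error", f"{raw}: not a valid IPv4/IPv6 network"))
            continue
        if net.prefixlen == 0:
            level = "error" if production else "warning"
            findings.append((level, f"{raw}: allows all networks; delete before production"))
        networks.append(net)

    # An entry that sits inside a broader entry adds nothing and hides the real
    # exposure (e.g. a /32 listed next to 0.0.0.0/0), so report it.
    for net in networks:
        for other in networks:
            if net != other and net.version == other.version and net.subnet_of(other):
                findings.append(("warning", f"{net}: already covered by {other}"))
                break

    limit = ALLOWLIST_MAX[cluster_type]
    if len(entries) > limit:
        findings.append(("error",
                         f"{len(entries)} entries exceed the {cluster_type} maximum of {limit}; "
                         "consider VPC Peering or AWS PrivateLink instead"))
    return findings


def has_errors(findings):
    """True when any finding would block applying the allowlist."""
    return any(level == "error" for level, _ in findings)
```
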

Refer to:

VPC peering

If you select GCP as your cloud provider while creating your CockroachDB Dedicated cluster, you can use Google Cloud's VPC Network Peering feature to connect your GCP application directly to your CockroachDB Dedicated cluster using internal IP addresses, thus limiting exposure to the public network and reducing network latency.

If you use GKE, we recommend deploying your application to a VPC-native cluster that uses alias IP addresses. If you are connecting from a routes-based GKE cluster instead, you will have to export custom routes; CockroachDB Cloud imports your custom routes by default.

Setting up a VPC peering connection between your CockroachDB Dedicated cluster and GCP application is a two-part process:

  1. Configure the IP range and size while creating the CockroachDB Dedicated cluster
  2. Establish a VPC Peering connection after creating the cluster

Note:

Self-service VPC peering setup is not supported for CockroachDB Dedicated clusters deployed before March 5, 2020. If your cluster was deployed before March 5, 2020, you will have to create a new cluster with VPC peering enabled, then export your data from the old cluster to the new cluster. If your cluster was deployed on or after March 5, 2020, it will be locked into CockroachDB Dedicated's default IP range (172.28.0.0/14) unless you explicitly configured a different IP range during cluster creation.

AWS PrivateLink

If your cloud provider is AWS, you can use AWS PrivateLink to securely connect your AWS application with your CockroachDB Dedicated cluster using a private endpoint. Like VPC Peering, a PrivateLink connection will prevent your traffic from being exposed to the public internet and reduce network latency.

Refer to: Managing AWS PrivateLink for a Dedicated Cluster.
