Create Private Clusters


Limiting access to a CockroachDB cluster's nodes over the public internet is an important security practice and is also a compliance requirement for many organizations. Private clusters on CockroachDB Advanced help organizations to meet this objective.

By default, CockroachDB Cloud has safeguards in place to protect a cluster's data from the public internet.

A CockroachDB Advanced cluster with enhanced security features enabled is a private cluster. Its nodes have no public IP addresses, and egress traffic moves over private subnets and through a highly available NAT gateway that is unique to the cluster.

A private cluster has one private network per cluster region, and each node is connected to the private network for its region. A NAT gateway is connected to each private network and provides a static egress public IP address.

Egress traffic from the cluster nodes to S3 or Google Cloud Storage flows across the private subnet and through the cloud provider's private network. Egress traffic from the cluster nodes to all other external resources flows across the private subnet and through the NAT gateway.

This page shows how to create a private cluster.

Note:

Private clusters are not available for CockroachDB Advanced on Azure.

Create a private cluster

On GCP, new CockroachDB Advanced clusters are private by default. On AWS, new CockroachDB Advanced clusters with enhanced security features enabled are private by default.

Note:

An existing cluster can't be migrated in-place to a private cluster.

Limit inbound connections from egress operations

Egress traffic from a private cluster to non-cloud external resources will always appear to come from the static IP addresses that comprise the cluster's NAT gateway. To determine the NAT gateway's IP addresses, you can initiate an egress operation such as an EXPORT or BACKUP operation on the cluster and observe the source addresses of the resulting connections to your non-cloud external resources. Cockroach Labs recommends that you allow connections to such resources only from those IP addresses.
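The procedure above (run an egress operation, observe the source addresses at the receiving resource, then allow only those addresses) can be automated on the receiving side. The following is an added example, not code from this page or from Cockroach Labs: it parses constructed access-log lines from a self-hosted HTTP endpoint that receives EXPORT output, derives the set of source IPs that performed the writes (the NAT gateway's static egress addresses), turns them into an allowlist, and flags any later connection that does not come from that allowlist. The log format, the `/exports/` path, and the `203.0.113.x` / `198.51.100.x` addresses are all assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log from a self-hosted endpoint that receives
# EXPORT output. Addresses come from the documentation ranges 203.0.113.0/24
# (assumed NAT gateway egress IPs) and 198.51.100.0/24 (an unrelated client).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:05 +0000] "PUT /exports/part1.csv HTTP/1.1" 201 0
203.0.113.11 - - [12/Mar/2024:10:01:06 +0000] "PUT /exports/part2.csv HTTP/1.1" 201 0
203.0.113.10 - - [12/Mar/2024:10:01:07 +0000] "PUT /exports/part3.csv HTTP/1.1" 201 0
198.51.100.7 - - [12/Mar/2024:10:05:00 +0000] "PUT /exports/part4.csv HTTP/1.1" 201 0
"""

# Apache/nginx "combined" style prefix: source IP, timestamp, method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def parse_log(log_text):
    """Yield (ip, method, path) tuples for every parseable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("method"), m.group("path")


def egress_sources(log_text, method="PUT", path_prefix="/exports/"):
    """Count the source IPs that wrote export objects during the observation run.

    Run this over the log window in which you initiated the EXPORT or BACKUP;
    the resulting IPs are the cluster's NAT gateway egress addresses.
    """
    counts = Counter()
    for ip, meth, path in parse_log(log_text):
        if meth == method and path.startswith(path_prefix):
            counts[ip] += 1
    return counts


def build_allowlist(source_ips):
    """Turn observed source IPs into /32 networks suitable for a firewall rule."""
    return sorted(
        (ipaddress.ip_network(f"{ip}/32") for ip in source_ips),
        key=lambda net: int(net.network_address),
    )


def is_allowed(ip, allowlist):
    """True if the connecting address falls inside the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def unexpected_sources(log_text, allowlist):
    """Return source IPs in the log that are not covered by the allowlist.

    Use this after the allowlist is deployed to detect writes that did not
    originate from the cluster's NAT gateway.
    """
    return sorted({ip for ip, _, _ in parse_log(log_text) if not is_allowed(ip, allowlist)})


if __name__ == "__main__":
    # Observation run: only the first three lines belong to the export window.
    observed = egress_sources("\n".join(SAMPLE_ACCESS_LOG.splitlines()[:3]))
    allowlist = build_allowlist(observed)
    print("NAT gateway egress IPs:", dict(observed))
    print("allowlist:", [str(n) for n in allowlist])
    print("unexpected sources:", unexpected_sources(SAMPLE_ACCESS_LOG, allowlist))
```

Derive the allowlist only from the log window of an operation you initiated yourself, as the last line of the sample shows: a write from another address is exactly what the allowlist is meant to reject, so it must not be folded into the observation set.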

What's next?

Limitations

  • An existing cluster can't be migrated in-place to a private cluster. Instead, migrate the existing cluster's data to a new private cluster. Refer to Migrate Your Database to CockroachDB.
