To prevent denial-of-service attacks, brute force password attacks, and other forms of malicious activity, Cockroach Labs recommends restricting your network to allow access only from specific IP address ranges controlled by your organization. These might include specific networks for your application deployments, hardened administrator access points, or disaster recovery pipelines.
This page describes these options and how they help to protect clusters in CockroachDB Cloud.
Options for controlling network access
You can authorize network access to your cluster by:
- Adding an authorized range of public IP addresses.
- Setting up private connectivity so that inbound connections to your cluster from your cloud tenant are made over the cloud provider's private network rather than over the public internet, for enhanced network security and reduced network latency. Available for CockroachDB Advanced and CockroachDB Standard. If you use IP allowlisting rules together with private connectivity, private networks do not need to be added to that allowlist.
  - CockroachDB Advanced or Standard clusters deployed on GCP can connect privately using GCP Private Service Connect (PSC) (Preview) or GCP VPC peering. PSC allows you to connect your cluster directly to a VPC within your Google Cloud project, while VPC Peering allows you to peer your cluster's VPC in CockroachDB Cloud to a VPC within your Google Cloud project.
  - CockroachDB Advanced or Standard clusters deployed on AWS can connect privately using AWS PrivateLink, which allows you to connect your cluster to a VPC within your AWS account.
  - CockroachDB Advanced clusters deployed on Azure can connect privately using Azure Private Link, which allows you to connect your cluster to a virtual network within your Azure tenant.
For detailed instructions, refer to Establish private connectivity.
VPC Peering and AWS PrivateLink in CockroachDB Advanced clusters do not support connecting to a Kafka sink's internal IP addresses for changefeeds. To connect to a Kafka sink from CockroachDB Advanced, it is necessary to expose the Kafka cluster's external IP address and open ports with firewall rules to allow access from the cluster.
Prerequisite: Either the Cluster Operator or Cluster Administrator role on a pre-existing cluster, or the Cluster Creator role in order to create a new cluster.
Use private connectivity if:
- You need to allowlist more defined IP address ranges than the default maximum.
- Your servers’ IP addresses are not static.
- You have a requirement to avoid exposing your cluster to the public internet.
Learn more about Private Clusters (Preview), which offer enhanced cluster security. A private cluster's nodes have no public IP addresses.
Neither Azure Private Link nor private clusters are available for CockroachDB Advanced on Azure.
Cluster default network configuration
CockroachDB Advanced clusters differ from CockroachDB Standard clusters in their default network configuration:
- On creation, a CockroachDB Standard cluster is open to all traffic, as it is created with a 0.0.0.0/0 IP allowlist entry.
- On creation, a CockroachDB Advanced cluster is "locked down" and has no access until an authorized network is created.
CockroachDB Cloud clusters can accept SQL connections only from allowed IP addresses.
IP allowlisting
Authorized network access can be managed from the CockroachDB Cloud console Network Authorization page at:
https://cockroachlabs.cloud/cluster/{your cluster UUID}/networking
Standard and Advanced clusters support different maximum numbers of IP allowlist rules:
| Cluster Type | IP allowlist rule max |
|---|---|
| Advanced (AWS) | 20 |
| Advanced (GCP and Azure) | 200 |
| Standard or Basic | 50 |
If you need to add more than the maximum number of allowlist rules, contact Support.
While developing and testing your application, you may add 0.0.0.0/0 to the allowlist, which allows all networks. However, before moving into production, it is recommended that you remove the 0.0.0.0/0 network from the allowlist.
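The rule maximum and the 0.0.0.0/0 guidance above lend themselves to a pre-production check. The following is an added example, not Cockroach Labs code: it audits a proposed allowlist against the per-tier maxima from the table on this page, flags any entry that allows all networks, and reports rules that are redundant because a broader rule already covers them. The allowlist entries are constructed sample data, and the /16 "broad prefix" warning threshold is an assumed local policy rather than a CockroachDB limit.

```python
"""Audit a CockroachDB Cloud IP allowlist before promoting a cluster to production.

Added example, not Cockroach Labs code. RULE_MAX holds the values from the
table on this page; SAMPLE_ALLOWLIST is constructed data, and
BROAD_PREFIX_LEN is an assumed local policy, not a CockroachDB limit.
"""
import ipaddress

# Maximum number of IP allowlist rules per cluster type (from the page's table).
RULE_MAX = {
    "advanced-aws": 20,
    "advanced-gcp": 200,
    "advanced-azure": 200,
    "standard": 50,
    "basic": 50,
}

# Assumed local policy: warn on any IPv4 prefix broader than /16.
BROAD_PREFIX_LEN = 16

# Constructed sample allowlist, using RFC 5737 documentation ranges.
SAMPLE_ALLOWLIST = [
    ("app-prod-us-east", "203.0.113.0/24"),
    ("bastion", "198.51.100.7/32"),
    ("dev-anywhere", "0.0.0.0/0"),      # left over from development
    ("office-wan", "198.51.100.0/24"),  # already covers "bastion"
    ("bad-entry", "10.1.2.3/24"),       # host bits set: not a valid network
]


def audit_allowlist(cluster_type, entries):
    """Return {"errors": [...], "warnings": [...]} for a proposed allowlist.

    entries: iterable of (name, cidr) pairs as they appear on the cluster's
    Networking page. Errors should block promotion; warnings are hygiene.
    """
    findings = {"errors": [], "warnings": []}
    networks = []
    for name, cidr in entries:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings["errors"].append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        # A zero-length prefix (0.0.0.0/0 or ::/0) allows every network.
        if net.prefixlen == 0:
            findings["errors"].append(
                f"{name}: {cidr} allows all networks; remove before production")
            continue
        if net.version == 4 and net.prefixlen < BROAD_PREFIX_LEN:
            findings["warnings"].append(
                f"{name}: {cidr} is broader than /{BROAD_PREFIX_LEN}")
        networks.append((name, net))

    # Rule-count check against the tier maximum from the page's table.
    limit = RULE_MAX[cluster_type]
    if len(entries) > limit:
        findings["errors"].append(
            f"{len(entries)} rules exceeds the {cluster_type} maximum of {limit}; "
            "contact Support or use private connectivity")

    # Redundant rules: one network fully contained in another of the same family.
    for i, (name_a, a) in enumerate(networks):
        for name_b, b in networks[i + 1:]:
            if a.version != b.version:
                continue
            if a.subnet_of(b):
                findings["warnings"].append(
                    f"{name_a} ({a}) is already covered by {name_b} ({b})")
            elif b.subnet_of(a):
                findings["warnings"].append(
                    f"{name_b} ({b}) is already covered by {name_a} ({a})")
    return findings


def ready_for_production(cluster_type, entries):
    """True when the allowlist has no blocking errors."""
    return not audit_allowlist(cluster_type, entries)["errors"]


if __name__ == "__main__":
    report = audit_allowlist("advanced-aws", SAMPLE_ALLOWLIST)
    for level in ("errors", "warnings"):
        for line in report[level]:
            print(f"{level[:-1].upper()}: {line}")
    print("ready:", ready_for_production("advanced-aws", SAMPLE_ALLOWLIST))
```

Run against the sample data, the audit reports two errors (the all-networks rule and the malformed entry) and one warning (the bastion /32 is already inside the office /24), so the allowlist is not ready for production. Running the same check against the allowlist export from your own Networking page before each release catches a forgotten 0.0.0.0/0 entry early.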
If your application servers’ IP addresses are not static, or you want to limit your cluster's exposure to the public network, you can connect to a CockroachDB Advanced cluster privately instead.
Refer to:
- Connect to a CockroachDB Basic Cluster: Authorize your network.
- Connect to a CockroachDB Standard Cluster: Authorize your network.
- Connect to a CockroachDB Advanced Cluster: Authorize your network.
DB Console
The DB Console provides details about a CockroachDB Advanced cluster's configuration, and helps you optimize cluster performance. The DB Console is not available on CockroachDB Standard or Basic.
Users must have the Cluster Developer, Cluster Operator, Cluster Admin, or Cluster Creator role on a specific cluster to access its DB Console. Refer to Organization user roles.
For information on functionality, refer to: DB Console Overview.
To access the DB Console, you must first authorize your current IP address:
Visit your cluster's IP allowlist page: https://cockroachlabs.cloud/cluster/{your cluster UUID}/networking/allowlist
Click Add Network.
Add your Current Network:
- Give it a Name indicating its use for DB Console access from your current location.
- Under Allow this network to access, select DB Console to monitor the cluster.
- Click Apply.
When you have finished your work with the DB Console, it is recommended to remove your authorized network from the allowlist, in the interest of the general best practice of restricting network access as much as possible.
Remove an authorized network by selecting Delete from the Action dropdown in its row on the cluster's Networking page.
To access your cluster's DB Console:
Navigate to your CockroachDB Advanced cluster's Tools page in the Monitoring section of the CockroachDB Cloud Console.
Click Open DB Console. Your browser will attempt to access the DB console in a new tab.
You can also access the DB Console by navigating to https://admin-{cluster-name}.crdb.io:8080/#/metrics/overview/cluster. Replace the {cluster-name} placeholder with the name of your cluster.
(Optional) To find the IP addresses for your cluster's DB Console, perform a DNS lookup on the DB Console URL that opens in the browser. These IP addresses are static for the lifecycle of the cluster. For example, to use the dig command:
dig examplary-advanced-clusterberry-77tq.cockroachlabs.cloud | grep -A3 'ANSWER SECTION'
;; ANSWER SECTION:
examplary-advanced-clusterberry-77tq.cockroachlabs.cloud. 300 IN A 35.245.55.160
examplary-advanced-clusterberry-77tq.cockroachlabs.cloud. 300 IN A 34.129.61.133
examplary-advanced-clusterberry-77tq.cockroachlabs.cloud. 300 IN A 34.117.21.266
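Because the DB Console addresses are static for the cluster's lifetime, a common use of this lookup is to pin an administrator host's egress firewall to exactly those addresses. The following is an added example, not Cockroach Labs code: it parses the ANSWER SECTION of dig output, keeps only A records that are valid IPv4 addresses, and renders them as /32 rules. The dig output it parses is a constructed sample in the shape shown above (the hostname and addresses are made up, and one record is deliberately malformed to show the validation path).

```python
"""Turn dig output for a DB Console hostname into validated /32 firewall entries.

Added example, not Cockroach Labs code. SAMPLE_DIG_OUTPUT is constructed
sample text in the shape of `dig ... | grep -A3 'ANSWER SECTION'`; the
hostname and addresses are made up.
"""
import ipaddress
import re

# Constructed sample: three A records (one with an impossible octet) and one
# non-A record, to exercise both the filtering and the validation paths.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
db-console.example.cockroachlabs.cloud. 300 IN A 203.0.113.10
db-console.example.cockroachlabs.cloud. 300 IN A 203.0.113.11
db-console.example.cockroachlabs.cloud. 300 IN CNAME other.example.
db-console.example.cockroachlabs.cloud. 300 IN A 203.0.113.999
"""

# owner  TTL  IN  A  rdata   (dig's default presentation format for A records)
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")


def parse_a_records(dig_output):
    """Return (valid_ips, rejected) from the ANSWER SECTION of dig output.

    valid_ips: sorted list of unique IPv4 address strings.
    rejected:  rdata strings from A records that are not valid IPv4 addresses.
    Records of other types (CNAME, AAAA, ...) are ignored.
    """
    valid, rejected = set(), []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        # Any other ";;" header or a blank line ends the answer section.
        if line.startswith(";;") or not line.strip():
            in_answer = False
            continue
        if not in_answer:
            continue
        match = A_RECORD.match(line)
        if not match:
            continue
        rdata = match.group(2)
        try:
            valid.add(str(ipaddress.IPv4Address(rdata)))
        except ValueError:
            rejected.append(rdata)
    return sorted(valid, key=ipaddress.IPv4Address), rejected


def to_host_rules(ips):
    """Render each address as a /32 CIDR, the form a host-level egress rule takes."""
    return [f"{ip}/32" for ip in ips]


if __name__ == "__main__":
    ips, bad = parse_a_records(SAMPLE_DIG_OUTPUT)
    for rule in to_host_rules(ips):
        print(rule)
    if bad:
        print("rejected rdata:", ", ".join(bad))
```

On the sample above this yields two /32 rules and reports the malformed record rather than silently emitting it; in practice you would feed the function the real dig output for your cluster's DB Console hostname and re-run it only if the cluster is recreated, since the addresses do not otherwise change.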