Deploy CockroachDB on Microsoft Azure

On this page

This page shows you how to manually deploy a secure multi-node CockroachDB cluster on Microsoft Azure, using Azure's managed load balancing service to distribute client traffic.

If you are only testing CockroachDB, or you are not concerned with protecting network communication with TLS encryption, you can use an insecure cluster instead. Select Insecure above for instructions.

Before you begin

Requirements

• You must have CockroachDB installed locally. This is necessary for generating and managing your deployment's certificates.

• You must have SSH access to each machine. This is necessary for distributing and starting CockroachDB binaries.

• Your network configuration must allow TCP communication on the following ports:

  • 26257 for intra-cluster and client-cluster communication
  • 8080 to expose your DB Console

• Carefully review the Production Checklist, including supported hardware and software, and the recommended Topology Patterns.

• Do not run multiple node processes on the same VM or machine. This defeats CockroachDB's replication and causes the system to be a single point of failure. Instead, start each node on a separate VM or machine.

• To start a node with multiple disks or SSDs, you can use either of these approaches:

  • Configure the disks or SSDs as a single RAID volume, then pass the RAID volume to the --store flag when starting the cockroach process on the node.
  • Provide a separate --store flag for each disk when starting the cockroach process on the node. For more details about stores, see Start a Node.
  Warning:

  If you start a node with multiple --store flags, it is not possible to scale back down to only using a single store on the node. Instead, you must decommission the node and start a new node with the updated --store.

• When starting each node, use the --locality flag to describe the node's location, for example, --locality=region=west,zone=us-west-1. The key-value pairs should be ordered from most to least inclusive, and the keys and order of key-value pairs must be the same on all nodes.

• When deploying in a single availability zone:

  • To be able to tolerate the failure of any 1 node, use at least 3 nodes with the default 3-way replication factor. In this case, if 1 node fails, each range retains 2 of its 3 replicas, a majority.
  • To be able to tolerate 2 simultaneous node failures, use at least 5 nodes and increase the default replication factor for user data to 5. The replication factor for important internal data is 5 by default, so no adjustments are needed for internal data. In this case, if 2 nodes fail at the same time, each range retains 3 of its 5 replicas, a majority.

• When deploying across multiple availability zones:

  • To be able to tolerate the failure of 1 entire AZ in a region, use at least 3 AZs per region and set --locality on each node to spread data evenly across regions and AZs. In this case, if 1 AZ goes offline, the 2 remaining AZs retain a majority of replicas.
  • To ensure that ranges are split evenly across nodes, use the same number of nodes in each AZ. This is to avoid overloading any nodes with excessive resource consumption.

• When deploying across multiple regions:

  • To be able to tolerate the failure of 1 entire region, use at least 3 regions.

Recommendations

• Decide how you want to access your DB Console:

  Access Level	Description
  Partially open	Set a firewall rule to allow only specific IP addresses to communicate on port 8080.
  Completely open	Set a firewall rule to allow all IP addresses to communicate on port 8080.
  Completely closed	Set a firewall rule to disallow all communication on port 8080. In this case, a machine with SSH access to a node could use an SSH tunnel to access the DB Console.

Step 1. Configure your network

CockroachDB requires TCP communication on two ports:

• 26257 (tcp:26257) for inter-node communication (i.e., working as a cluster), for applications to connect to the load balancer, and for routing from the load balancer to nodes
• 8080 (tcp:8080) for exposing your DB Console

To enable this in Azure, you must create a Resource Group, Virtual Network, and Network Security Group.

1. Create a Resource Group.
2. Create a Virtual Network that uses your Resource Group.

3. Create a Network Security Group that uses your Resource Group, and then add the following inbound rules to it:

   • DB Console support:

     Field	Recommended Value
     Name	cockroachadmin
     Source	IP Addresses
     Source IP addresses/CIDR ranges	Your local network’s IP ranges
     Source port ranges	*
     Destination	Any
     Destination port range	8080
     Protocol	TCP
     Action	Allow
     Priority	Any value > 1000

   • Application support:

     Tip:

     If your application is also hosted on the same Azure Virtual Network, you will not need to create a firewall rule for your application to communicate with your load balancer.

     Field	Recommended Value
     Name	cockroachapp
     Source	IP Addresses
     Source IP addresses/CIDR ranges	Your local network’s IP ranges
     Source port ranges	*
     Destination	Any
     Destination port range	26257
     Protocol	TCP
     Action	Allow
     Priority	Any value > 1000

Step 2. Create VMs

Create Linux VMs for each node you plan to have in your cluster. If you plan to run a sample workload against the cluster, create a separate VM for that workload.

• Run at least 3 nodes to ensure survivability.

• Use general-purpose Dsv5-series and Dasv5-series or memory-optimized Ev5-series and Easv5-series VMs. For example, Cockroach Labs has used Standard_D8s_v5, Standard_D8as_v5, Standard_E8s_v5, and Standard_e8as_v5 for performance benchmarking.

  • Compute-optimized F-series VMs are also acceptable.
  Warning:

  Do not use "burstable" B-series VMs, which limit the load on CPU resources. Also, Cockroach Labs has experienced data corruption issues on A-series VMs, so we recommend avoiding those as well.

• When creating the VMs, make sure to select the Resource Group, Virtual Network, and Network Security Group you created.

For more details, see Hardware Recommendations and Cluster Topology.

Step 3. Synchronize clocks

CockroachDB requires moderate levels of clock synchronization to preserve data consistency. For this reason, when a node detects that its clock is out of sync with at least half of the other nodes in the cluster by 80% of the maximum offset allowed (500ms by default), it spontaneously shuts down. This avoids the risk of consistency anomalies, but it's best to prevent clocks from drifting too far in the first place by running clock synchronization software on each node.

ntpd should keep offsets in the single-digit milliseconds, so that software is featured here. However, to run ntpd properly on Azure VMs, it's necessary to first unbind the Time Synchronization device used by the Hyper-V technology running Azure VMs; this device aims to synchronize time between the VM and its host operating system but has been known to cause problems.

1. SSH to the first machine.

2. Find the ID of the Hyper-V Time Synchronization device:

   $ curl -O https://raw.githubusercontent.com/torvalds/linux/master/tools/hv/lsvmbus
   

   $ python lsvmbus -vv | grep -w "Time Synchronization" -A 3
   

   VMBUS ID 12: Class_ID = {9527e630-d0ae-497b-adce-e80ab0175caf} - [Time Synchronization]
       Device_ID = {2dd1ce17-079e-403c-b352-a1921ee207ee}
       Sysfs path: /sys/bus/vmbus/devices/2dd1ce17-079e-403c-b352-a1921ee207ee
       Rel_ID=12, target_cpu=0
   

3. Unbind the device, using the Device_ID from the previous command's output:

   $ echo <DEVICE_ID> | sudo tee /sys/bus/vmbus/drivers/hv_utils/unbind
   

4. Install the ntp package:

   $ sudo apt-get install ntp
   

5. Stop the NTP daemon:

   $ sudo service ntp stop
   

6. Sync the machine's clock with Google's NTP service:

   $ sudo ntpd -b time.google.com
   

   To make this change permanent, in the /etc/ntp.conf file, remove or comment out any lines starting with server or pool and add the following lines:

   server time1.google.com iburst
   server time2.google.com iburst
   server time3.google.com iburst
   server time4.google.com iburst
   

   Restart the NTP daemon:

   $ sudo service ntp start
   

   Note:

   We recommend Google's NTP service because it handles "smearing" the leap second. If you use a different NTP service that doesn't smear the leap second, be sure to configure client-side smearing in the same way on each machine. See the Production Checklist for details.

7. Verify that the machine is using a Google NTP server:

   $ sudo ntpq -p
   

   The active NTP server will be marked with an asterisk.

8. Repeat these steps for each machine where a CockroachDB node will run.

Step 4. Set up load balancing

Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it's important to use load balancing:

• Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second).

• Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes.

Microsoft Azure offers fully-managed load balancing to distribute traffic between instances.

1. Add Azure load balancing. Be sure to:

   • Set forwarding rules to route TCP traffic from the load balancer's port 26257 to port 26257 on the nodes.
   • Configure health checks to use HTTP port 8080 and path /health?ready=1. This health endpoint ensures that load balancers do not direct traffic to nodes that are live but not ready to receive requests.

2. Note the provisioned IP Address for the load balancer. You'll use this later to test load balancing and to connect your application to the cluster.

Step 5. Generate certificates

You can use cockroach cert commands, openssl commands, or Auto TLS cert generation (alpha) to generate security certificates. This section features the cockroach cert commands.

Locally, you'll need to create the following certificates and keys:

• A certificate authority (CA) key pair (ca.crt and ca.key).
• A node key pair for each node, issued to its IP addresses and any common names the machine uses, as well as to the IP addresses and common names for machines running load balancers.
• A client key pair for the root user. You'll use this to run a sample workload against the cluster as well as some cockroach client commands from your local machine.

1. Install CockroachDB on your local machine, if you haven't already.

2. Create two directories:

   $ mkdir certs
   

   $ mkdir my-safe-directory
   

   • certs: You'll generate your CA certificate and all node and client certificates and keys in this directory and then upload some of the files to your nodes.
   • my-safe-directory: You'll generate your CA key in this directory and then reference the key when generating node and client certificates. After that, you'll keep the key safe and secret; you will not upload it to your nodes.

3. Create the CA certificate and key:

   $ cockroach cert create-ca \
   --certs-dir=certs \
   --ca-key=my-safe-directory/ca.key
   

4. Create the certificate and key for the first node, issued to all common names you might use to refer to the node as well as to the load balancer instances:

   $ cockroach cert create-node \
   <node1 internal IP address> \
   <node1 external IP address> \
   <node1 hostname>  \
   <other common names for node1> \
   localhost \
   127.0.0.1 \
   <load balancer IP address> \
   <load balancer hostname>  \
   <other common names for load balancer instances> \
   --certs-dir=certs \
   --ca-key=my-safe-directory/ca.key
   

5. Upload the CA certificate and node certificate and key to the first node:

   $ ssh <username>@<node1 address> "mkdir certs"
   

   $ scp certs/ca.crt \
   certs/node.crt \
   certs/node.key \
   <username>@<node1 address>:~/certs
   

6. Delete the local copy of the node certificate and key:

   $ rm certs/node.crt certs/node.key
   

   Note:

   This is necessary because the certificates and keys for additional nodes will also be named node.crt and node.key. As an alternative to deleting these files, you can run the next cockroach cert create-node commands with the --overwrite flag.

7. Create the certificate and key for the second node, issued to all common names you might use to refer to the node as well as to the load balancer instances:

   $ cockroach cert create-node \
   <node2 internal IP address> \
   <node2 external IP address> \
   <node2 hostname>  \
   <other common names for node2> \
   localhost \
   127.0.0.1 \
   <load balancer IP address> \
   <load balancer hostname>  \
   <other common names for load balancer instances> \
   --certs-dir=certs \
   --ca-key=my-safe-directory/ca.key
   

8. Upload the CA certificate and node certificate and key to the second node:

   $ ssh <username>@<node2 address> "mkdir certs"
   

   $ scp certs/ca.crt \
   certs/node.crt \
   certs/node.key \
   <username>@<node2 address>:~/certs
   

9. Repeat steps 6 - 8 for each additional node.

10. Create a client certificate and key for the root user:

    $ cockroach cert create-client \
    root \
    --certs-dir=certs \
    --ca-key=my-safe-directory/ca.key
    

11. Upload the CA certificate and client certificate and key to the machine where you will run a sample workload:

    $ ssh <username>@<workload address> "mkdir certs"
    

    $ scp certs/ca.crt \
    certs/client.root.crt \
    certs/client.root.key \
    <username>@<workload address>:~/certs
    

    In later steps, you'll also use the root user's certificate to run cockroach client commands from your local machine. If you might also want to run cockroach client commands directly on a node (e.g., for local debugging), you'll need to copy the root user's certificate and key to that node as well.

Step 6. Start nodes

You can start the nodes manually or automate the process using systemd.

Step 7. Initialize the cluster

On your local machine, run the cockroach init command to complete the node startup process and have them join together as a cluster:

$ cockroach init --certs-dir=certs --host=<address of any node on --join list>

After running this command, each node prints helpful details to the standard output, such as the CockroachDB version, the URL for the DB Console, and the SQL URL for clients.

Step 8. Test the cluster

CockroachDB replicates and distributes data behind-the-scenes and uses a Gossip protocol to enable each node to locate data across the cluster. Once a cluster is live, any node can be used as a SQL gateway.

When using a load balancer, you should issue commands directly to the load balancer, which then routes traffic to the nodes.

Use the built-in SQL client locally as follows:

1. On your local machine, launch the built-in SQL client, with the --host flag set to the address of the load balancer:

   $ cockroach sql --certs-dir=certs --host=<address of load balancer>
   

2. Create a securenodetest database:

   > CREATE DATABASE securenodetest;
   

3. View the cluster's databases, which will include securenodetest:

   > SHOW DATABASES;
   

   +--------------------+
   |      Database      |
   +--------------------+
   | crdb_internal      |
   | information_schema |
   | securenodetest     |
   | pg_catalog         |
   | system             |
   +--------------------+
   (5 rows)
   

4. Use \q to exit the SQL shell.

Step 9. Run a sample workload

CockroachDB comes with a number of built-in workloads for simulating client traffic. This step features CockroachDB's version of the TPC-C workload.

For comprehensive guidance on benchmarking CockroachDB with TPC-C, refer to Performance Benchmarking.

1. SSH to the machine where you want to run the sample TPC-C workload.

   This should be a machine that is not running a CockroachDB node, and it should already have a certs directory containing ca.crt, client.root.crt, and client.root.key files.

2. Download the CockroachDB archive for Linux, and extract the binary:

   $ curl https://binaries.cockroachdb.com/cockroach-v24.3.0.linux-amd64.tgz \
   | tar -xz
   

3. Copy the binary into the PATH:

   $ cp -i cockroach-v24.3.0.linux-amd64/cockroach /usr/local/bin/
   

   If you get a permissions error, prefix the command with sudo.

4. Use the cockroach workload command to load the initial schema and data, pointing it at the IP address of the load balancer:

   $ cockroach workload init tpcc \
   'postgresql://root@<IP ADDRESS OF LOAD BALANCER>:26257/tpcc?sslmode=verify-full&sslrootcert=certs/ca.crt&sslcert=certs/client.root.crt&sslkey=certs/client.root.key'
   

5. Use the cockroach workload command to run the workload for 10 minutes:

   $ cockroach workload run tpcc \
   --duration=10m \
   'postgresql://root@<IP ADDRESS OF LOAD BALANCER>:26257/tpcc?sslmode=verify-full&sslrootcert=certs/ca.crt&sslcert=certs/client.root.crt&sslkey=certs/client.root.key'
   

   You'll see per-operation statistics print to standard output every second:

   _elapsed___errors__ops/sec(inst)___ops/sec(cum)__p50(ms)__p95(ms)__p99(ms)_pMax(ms)
         1s        0         1443.4         1494.8      4.7      9.4     27.3     67.1 transfer
         2s        0         1686.5         1590.9      4.7      8.1     15.2     28.3 transfer
         3s        0         1735.7         1639.0      4.7      7.3     11.5     28.3 transfer
         4s        0         1542.6         1614.9      5.0      8.9     12.1     21.0 transfer
         5s        0         1695.9         1631.1      4.7      7.3     11.5     22.0 transfer
         6s        0         1569.2         1620.8      5.0      8.4     11.5     15.7 transfer
         7s        0         1614.6         1619.9      4.7      8.1     12.1     16.8 transfer
         8s        0         1344.4         1585.6      5.8     10.0     15.2     31.5 transfer
         9s        0         1351.9         1559.5      5.8     10.0     16.8     54.5 transfer
        10s        0         1514.8         1555.0      5.2      8.1     12.1     16.8 transfer
   ...
   

   After the specified duration (10 minutes in this case), the workload will stop and you'll see totals printed to standard output:

   _elapsed___errors_____ops(total)___ops/sec(cum)__avg(ms)__p50(ms)__p95(ms)__p99(ms)_pMax(ms)__result
     600.0s        0         823902         1373.2      5.8      5.5     10.0     15.2    209.7
   

   Tip:

   For more tpcc options, use cockroach workload run tpcc --help. For details about other workloads built into the cockroach binary, use cockroach workload --help.

6. To monitor the load generator's progress, open the DB Console by pointing a browser to the address in the admin field in the standard output of any node on startup.

   Since the load generator is pointed at the load balancer, the connections will be evenly distributed across nodes. To verify this, click Metrics on the left, select the SQL dashboard, and then check the SQL Connections graph. You can use the Graph menu to filter the graph for specific nodes.

Step 10. Monitor the cluster

Despite CockroachDB's various built-in safeguards against failure, it is critical to actively monitor the overall health and performance of a cluster running in production and to create alerting rules that promptly send notifications when there are events that require investigation or intervention.

For details about available monitoring options and the most important events and metrics to alert on, see Monitoring and Alerting.

Step 11. Scale the cluster

You can start the nodes manually or automate the process using systemd.

Step 12. Use the database

Now that your deployment is working, you can:

1. Implement your data model.
2. Create users and grant them privileges.
3. Connect your application. Be sure to connect your application to the load balancer, not to a CockroachDB node.
4. Take backups of your data.

You may also want to adjust the way the cluster replicates data. For example, by default, a multi-node cluster replicates all data 3 times; you can change this replication factor or create additional rules for replicating individual databases and tables differently. For more information, see Replication Controls.

See also

• Production Checklist
• Manual Deployment
• Orchestrated Deployment
• Monitoring and Alerting
• Performance Benchmarking
• Performance Tuning
• Local Deployment

Was this helpful?