To prevent denial-of-service attacks, brute force password attacks, and other forms of malicious activity, Cockroach Labs recommends restricting your network to allow access only from specific IP address ranges controlled by your organization. These might include specific networks for your application deployments, hardened administrator access points, or disaster recovery pipelines.
This page describes these options and how they help to protect CockroachDB Dedicated and CockroachDB Serverless clusters.
Options for controlling network access
You can authorize network access to your cluster by:
- Adding an authorized range of public IP addresses.
Setting up private connectivity so that inbound connections to your cluster from your cloud tenant are made over the cloud provider's private network rather than over the public internet, for enhanced network security and reduced network latency. If you use IP allowlisting rules together with private connectivity, private networks do not need to be added to that allowlist.
- CockroachDB Dedicated clusters deployed on GCP can connect privately using GCP Private Service Connect (PSC) (Preview) or GCP VPC peering. PSC allows you to connect your cluster directly to a VPC within your Google Cloud project, while VPC Peering allows you to peer your cluster's VPC in CockroachDB Cloud to a VPC within your Google Cloud project.
- CockroachDB Dedicated clusters deployed on AWS, as well as multi-region CockroachDB Serverless clusters deployed on AWS, can connect privately using AWS PrivateLink, which allows you to connect your cluster to a VPC within your AWS account.
- CockroachDB Dedicated clusters deployed on Azure can connect privately using Azure Private Link, which allows you to connect your cluster to a virtual network within your Azure tenant.
For detailed instructions, refer to Establish private connectivity.
VPC Peering and AWS PrivateLink in CockroachDB Dedicated clusters do not support connecting to a Kafka sink's internal IP addresses for changefeeds. To connect to a Kafka sink from CockroachDB Dedicated, it is necessary to expose the Kafka cluster's external IP address and open ports with firewall rules to allow access from a CockroachDB Dedicated cluster.
Prerequisite: Either the Cluster Operator or Cluster Administrator role on a pre-existing cluster, or the Cluster Creator role in order to create a new cluster.
Use private connectivity if:
- You need to allowlist more defined IP address ranges than the default maximum.
- Your servers’ IP addresses are not static.
- You have a requirement to avoid exposing your cluster to the public internet.
Learn more about Private Clusters (Preview), which offer enhanced cluster security. A private cluster's nodes have no public IP addresses.
Neither Azure Private Link nor private clusters are available for CockroachDB Dedicated on Azure.
Cluster default network configuration
CockroachDB Dedicated and Serverless clusters differ in their default network configuration:
- On creation, a Serverless cluster is open to all traffic as it is created with a
0.0.0.0/0
IP allowlist entry. - On creation, a Dedicated cluster is "locked down" and has no access until an authorized network is created.
CockroachDB Cloud clusters can only accept SQL connections from allowed IP addresses.
IP allowlisting
Authorized network access can be managed from the CockroachDB Cloud console Network Authorization page at:
https://cockroachlabs.cloud/cluster/{ your cluster UUID}/networking
Serverless and Dedicated clusters support different maximum numbers of IP allowlist rules:
Cluster Type | IP allowlist rule max |
---|---|
Dedicated (AWS) | 7 |
Dedicated (GCP and Azure) | 200 |
Serverless | 50 |
If you need to add more than the maximum number of allowlist rules, contact Support.
While developing and testing your application, you may add 0.0.0.0/0
to the allowlist, which allows all networks. However, before moving into production, make sure you delete the 0.0.0.0/0
network.
If your application servers’ IP addresses are not static, or you want to limit your cluster's exposure to the public network, you can connect to your CockroachDB Dedicated clusters using VPC Peering or AWS PrivateLink instead.
Refer to:
- Connect to a CockroachDB Serverless Cluster: Authorize your network.
- Connect to a CockroachDB Dedicated Cluster: Authorize your network.
DB Console
The DB Console provides details about your cluster and database configuration, and helps you optimize cluster performance.
Users must have the Cluster Developer, Cluster Operator, Cluster Admin, or Cluster Creator on a specific cluster role to access its DB Console. Refer to Organization user roles
For information on functionality, refer to: DB Console Overview.
To access the DB Console, you must first authorize your current IP address:
Visit your Dedicated cluster's IP allowlist page:
https://cockroachlabs.cloud/cluster/{ your cluster UUID }/networking/allowlist
Click Add Network.
Add your Current Network:
- Give it a Name indicating its use for DB Console access from your current location.
- Under Allow this network to access, select DB Console to monitor the cluster.
- Click Apply.
When you have finished your work with the DB Console, it is recommended to remove your authorized network from the allowlist, in the interest of the general best practice of restricting network access as much as possible.
Remove an authorized network by selecting Delete from the Action dropdown its row on the allowlist page.
To access your cluster's DB Console:
Navigate to your CockroachDB Dedicated cluster's Tools page in the Monitoring section of the CockroachDB Cloud Console.
Click Open DB Console. Your browser will attempt to access the DB console in a new tab.
You can also access the DB Console by navigating to https://admin-{cluster-name}crdb.io:8080/#/metrics/overview/cluster
. Replace the {cluster-name}
placeholder with the name of your cluster.
(Optional) To find the IP addresses for your cluster's DB Console, perform DNS lookup on the DB Console URL that opens in the browser. These IP addresses are static for the lifecycle of the cluster.
dig examplary-dedicated-clusterberry-77tq.cockroachlabs.cloud | grep -A3 'ANSWER SECTION'
;; ANSWER SECTION:
examplary-dedicated-clusterberry-77tq.cockroachlabs.cloud. 300 IN A 35.245.55.160
examplary-dedicated-clusterberry-77tq.cockroachlabs.cloud. 300 IN A 34.129.61.133
examplary-dedicated-clusterberry-77tq.cockroachlabs.cloud. 300 IN A 34.117.21.266