CockroachDB Cloud provides multiple layers of network security to protect your clusters from unauthorized access and malicious activity.

Network Security Overview

Protect your clusters with:
  1. IP Allowlisting: Restrict access to specific IP address ranges
  2. Private Connectivity: Connect via cloud provider private networks
  3. TLS Encryption: Encrypt all data in transit
  4. Network Isolation: Clusters run in isolated networks

IP Allowlisting

Control which IP addresses can connect to your cluster.

How IP Allowlisting Works

By default:
  • Basic clusters: Open to all traffic (0.0.0.0/0)
  • Standard/Advanced clusters: Locked down, no access until authorized
You must explicitly authorize IP addresses or ranges to allow connections.

Add IP Allowlist Entry

Step 1: Navigate to Networking

  1. Select your cluster
  2. Click Networking in the left navigation
  3. Go to IP Allowlist tab
Step 2: Add Network

Click Add Network and choose one of the following:
Current Network:
  • Automatically detects your current public IP
  • Quick setup for immediate access
Custom Network:
  • Enter IP address or CIDR range
  • Example: 203.0.113.0/24
Step 3: Configure Access

  1. Give the entry a descriptive name
  2. Select access level:
    • CockroachDB Client: SQL connections
    • DB Console: UI access (Advanced only)
  3. Click Apply

IP Allowlist Limits

Cluster Type       Maximum Rules
Basic              50
Standard           50
Advanced (AWS)     20
Advanced (GCP)     200
Advanced (Azure)   200
Need more allowlist rules? Contact Support to increase your limit.

CIDR Notation

Use CIDR notation to specify IP ranges. Examples:
  • Single IP: 203.0.113.5/32
  • Subnet (256 IPs): 203.0.113.0/24
  • Larger network: 203.0.0.0/16
Common CIDR Ranges:
CIDR   Number of IPs   Use Case
/32    1               Single machine
/28    16              Small office
/24    256             Office network
/16    65,536          Large organization
/0     All IPs         Development only
Production Security:
  • Never use 0.0.0.0/0 in production
  • Use the smallest CIDR range that works
  • Document all allowlist entries
  • Review and update regularly
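The following is an added example (not part of the CockroachDB Cloud docs) that applies the production guidance above to a constructed allowlist: it flags 0.0.0.0/0, ranges wider than an assumed policy threshold, entries made redundant by a wider entry with the same access type, and answers the troubleshooting question "is this client IP actually allowed?". Entry names, addresses and the MAX_PREFIX_WIDTH threshold are all made up for illustration.

```python
import ipaddress

# Constructed sample allowlist in the shape of the Console's IP Allowlist tab:
# (entry name, CIDR, access type). Addresses come from documentation ranges.
ALLOWLIST = [
    ("office-nyc", "203.0.113.0/24", "sql"),
    ("ci-runner", "198.51.100.7/32", "sql"),
    ("legacy-open", "0.0.0.0/0", "sql"),
    ("ops-laptop", "203.0.113.45/32", "db-console"),
]

# Widest prefix tolerated for one production entry. This threshold is an
# assumed policy value; the page only says to use the smallest range that works.
MAX_PREFIX_WIDTH = 16


def audit_allowlist(entries, max_prefix=MAX_PREFIX_WIDTH):
    """Return (entry name, finding) pairs for entries that break the production
    guidance: no 0.0.0.0/0, no overly wide ranges, and no entry already covered
    by a wider entry granting the same access type."""
    findings, parsed = [], []
    for name, cidr, access in entries:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append((name, f"invalid CIDR {cidr!r}"))
            continue
        parsed.append((name, net, access))
        if net.prefixlen == 0:
            findings.append((name, "allows all IPs (0.0.0.0/0); remove from production"))
        elif net.prefixlen < max_prefix:
            findings.append((name, f"/{net.prefixlen} is wider than /{max_prefix}; narrow it"))
    # A narrower range fully inside a wider one with the same access is redundant.
    for name, net, access in parsed:
        for other_name, other, other_access in parsed:
            if (name != other_name and access == other_access
                    and net.version == other.version and net != other
                    and net.subnet_of(other)):
                findings.append((name, f"redundant: already covered by {other_name} ({other})"))
    return findings


def is_allowed(client_ip, entries, access="sql"):
    """Troubleshooting check: does any entry of this access type cover the IP?"""
    ip = ipaddress.ip_address(client_ip)
    for _, cidr, entry_access in entries:
        net = ipaddress.ip_network(cidr, strict=False)
        if entry_access == access and ip.version == net.version and ip in net:
            return True
    return False
```

Run `audit_allowlist(ALLOWLIST)` on the sample and the 0.0.0.0/0 entry is reported, along with the two SQL entries it makes redundant; remove it and `is_allowed` shows which clients still have access.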

Modify Allowlist Entry

Step 1: Find Entry

Navigate to Networking > IP Allowlist
Step 2: Edit

  1. Click action menu (•••) for the entry
  2. Select Edit
  3. Modify IP range or access type
  4. Click Save

Delete Allowlist Entry

Step 1: Select Entry

Go to Networking > IP Allowlist
Step 2: Delete

  1. Click action menu (•••)
  2. Select Delete
  3. Confirm deletion
Changes to IP allowlists take effect within a few seconds.

Private Connectivity

Connect to clusters without exposing them to the public internet.

Benefits of Private Connectivity

  • Enhanced Security: No public internet exposure
  • Reduced Latency: Traffic stays on cloud provider network
  • Compliance: Meet regulatory requirements
  • Cost Savings: Potential reduction in data transfer costs

Available Options

Connect via Private Endpoint

Once configured, get the private connection string:

Step 1: Open Connect Dialog

Click Connect on your cluster’s page
Step 2: Select Private Connection

  1. Under Select network, choose your private endpoint
  2. Copy the private connection string
  3. Use in your applications
Private Connection String Example:
postgresql://[email protected]:26257/defaultdb?sslmode=verify-full

Private Connectivity Best Practices

Recommendations

  • DNS: Use private DNS for name resolution
  • Security Groups: Restrict endpoint access
  • Monitoring: Track private endpoint usage
  • Documentation: Document endpoint configuration
  • Testing: Verify private connectivity before production

TLS/SSL Encryption

All connections to CockroachDB Cloud are encrypted.

TLS Configuration

Required Settings:
  • TLS 1.2 or higher
  • sslmode=verify-full (production)
  • Valid CA certificate
Download CA Certificate:
mkdir -p ~/.postgresql
curl --create-dirs -o ~/.postgresql/root.crt \
  'https://cockroachlabs.cloud/clusters/{cluster-id}/cert'

SSL Modes

Mode         Encryption   Verification   Production Use
disable      No           No             Never
require      Yes          No             Testing only
verify-ca    Yes          Partial        Not recommended
verify-full  Yes          Yes            Required
Always use verify-full in production to:
  • Encrypt all data in transit
  • Verify server identity
  • Prevent man-in-the-middle attacks
  • Meet compliance requirements
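As an added example (not from the CockroachDB Cloud docs), the helper below audits a postgresql:// connection string against the SSL modes table and rewrites it to verify-full with an explicit sslrootcert, which is a useful gate before a DSN reaches a production secret store. The sample DSN and host are constructed; the libpq behaviour it relies on (a missing sslmode means prefer, and the default CA path is ~/.postgresql/root.crt, the same path the curl command above writes to) is standard libpq behaviour.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample DSN: not a real cluster host.
WEAK_DSN = "postgresql://app@cluster.example.invalid:26257/defaultdb?sslmode=require"

# Why each non-verify-full mode fails the production requirement in the table above.
# A missing sslmode is treated by libpq as "prefer".
UNSAFE_MODES = {
    None: "missing (libpq defaults to prefer: no verification)",
    "disable": "no encryption",
    "allow": "encryption optional, no verification",
    "prefer": "encryption optional, no verification",
    "require": "encrypted but server identity is not verified",
    "verify-ca": "CA checked but hostname is not verified",
}


def audit_dsn(dsn):
    """Return a list of findings for a DSN that does not meet verify-full."""
    parts = urlsplit(dsn)
    params = dict(parse_qsl(parts.query))
    findings = []
    if parts.scheme not in ("postgresql", "postgres"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    mode = params.get("sslmode")
    if mode != "verify-full":
        findings.append(f"sslmode={mode}: {UNSAFE_MODES.get(mode, 'unknown mode')}")
    if mode in ("verify-ca", "verify-full") and "sslrootcert" not in params:
        findings.append("sslrootcert not set; verification relies on the "
                        "libpq default ~/.postgresql/root.crt")
    return findings


def harden_dsn(dsn, root_cert="~/.postgresql/root.crt"):
    """Force sslmode=verify-full and pin the CA path, keeping other params."""
    parts = urlsplit(dsn)
    params = dict(parse_qsl(parts.query))
    params["sslmode"] = "verify-full"
    params.setdefault("sslrootcert", root_cert)
    return urlunsplit(parts._replace(query=urlencode(params, safe="/~")))
```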

Network Isolation

Clusters run in isolated network environments.

Cluster Network Architecture

Basic/Standard:
  • Clusters run in Cockroach Labs-managed VPCs
  • Network isolation between customers
  • No direct VPC peering
Advanced:
  • Dedicated VPC per cluster (option)
  • Customizable IP ranges
  • Private connectivity available
  • Network security group controls

Egress Control

For Advanced clusters, control outbound traffic with Egress Perimeter Controls:
  • Restrict outbound connections
  • Allowlist external endpoints
  • Control changefeed destinations
  • Secure backup destinations
Configure Egress Rules:
Step 1: Access Egress Settings

Go to Networking > Egress Rules
Step 2: Add Rule

  1. Click Add Egress Rule
  2. Enter destination CIDR or hostname
  3. Specify port (optional)
  4. Add description
  5. Click Save

DB Console Access

Secure access to the DB Console (Advanced clusters only).

Authorize DB Console Access

Step 1: Add IP to Allowlist

  1. Go to Networking > IP Allowlist
  2. Click Add Network
  3. Select Current Network
  4. Check the DB Console access option (required to monitor the cluster)
  5. Click Apply
Step 2: Access DB Console

  1. Navigate to Tools page
  2. Click Open DB Console
  3. Authenticate with SQL credentials
Best Practice: Remove DB Console allowlist entries after use to minimize attack surface.

Security Monitoring

Monitor network security events and access.

Audit Logs

Track network access attempts:
  • Organization Audit Logs: Track Console access
  • SQL Audit Logs: Track database connections
  • Connection Logs: Monitor successful/failed connections
View Audit Logs:
Step 1: Access Audit Logs

Go to Organization Settings > Audit Log
Step 2: Filter Events

Filter by:
  • Event type
  • User
  • Time range
  • Resource
Step 3: Export Logs

Download audit logs for external analysis

Connection Monitoring

Track active connections:
-- View active sessions (includes the client address each one connected from)
SELECT * FROM crdb_internal.cluster_sessions;

-- View queries currently executing on the cluster (in-flight only, not a history of connection attempts)
SELECT * FROM crdb_internal.cluster_queries;

-- Count sessions by application
SELECT application_name, count(*)
FROM crdb_internal.cluster_sessions
GROUP BY application_name;

Compliance and Certifications

CockroachDB Cloud meets security compliance standards:
  • SOC 2 Type 2: All plans
  • PCI DSS: Advanced with security add-on
  • HIPAA: Advanced with security add-on
  • ISO 27001/27017: All plans
See Compliance for details.

Security Best Practices

Network Security Checklist

1. IP Allowlisting

  • Remove 0.0.0.0/0 from production
  • Use smallest necessary CIDR ranges
  • Document all allowlist entries
  • Review allowlist quarterly
2. Private Connectivity

  • Use private endpoints for production
  • Configure private DNS
  • Restrict endpoint security groups
  • Monitor private endpoint usage
3. Encryption

  • Always use sslmode=verify-full
  • Keep CA certificates updated
  • Use TLS 1.2 or higher
  • Verify certificate validity
4. Access Control

  • Implement least privilege
  • Use separate credentials per application
  • Rotate passwords regularly
  • Monitor connection logs
5. Monitoring

  • Enable audit logging
  • Set up connection alerts
  • Review logs regularly
  • Track failed auth attempts

Defense in Depth

Implement multiple security layers:
  1. Network Layer: IP allowlists + private connectivity
  2. Transport Layer: TLS encryption
  3. Authentication: Strong passwords + MFA
  4. Authorization: Role-based access control
  5. Application Layer: Prepared statements + parameterized queries
  6. Monitoring: Audit logs + alerts

Troubleshooting

Connection Blocked

Issue: Cannot connect to cluster
Solutions:
  1. Verify IP is in allowlist
  2. Check CIDR range is correct
  3. Confirm network type selected (SQL/DB Console)
  4. Wait a few seconds for changes to propagate
  5. Check firewall rules on client side

Private Endpoint Not Working

Issue: Cannot connect via private endpoint
Solutions:
  1. Verify endpoint status is “Available”
  2. Check VPC endpoint configuration
  3. Verify security group rules
  4. Test DNS resolution
  5. Check route tables
  6. Contact Support if issue persists

Certificate Errors

Issue: SSL/TLS certificate verification fails
Solutions:
  1. Download latest CA certificate
  2. Verify certificate path is correct
  3. Check sslmode setting
  4. Ensure certificate hasn’t expired
  5. Verify hostname matches certificate

Next Steps

Authentication

Configure authentication methods

Authorization

Manage roles and permissions

Compliance

Security compliance and certifications

Connect to Cluster

Connect applications securely
