This page answers the frequently asked questions about CockroachDB Serverless and CockroachDB Dedicated.
General
In what clouds and regions is CockroachDB Cloud available?
Refer to CockroachDB Cloud Regions for the regions where CockroachDB Dedicated and clusters can be deployed. To express interest in additional regions, contact Support or your Cockroach Labs account team.
What is CockroachDB Dedicated?
CockroachDB Dedicated provides fully-managed, single-tenant CockroachDB clusters with no shared resources. CockroachDB Dedicated supports single and multi-region clusters in AWS and GCP.
What is the difference between CockroachDB Dedicated standard and advanced?
CockroachDB Dedicated advanced clusters have access to features required for PCI readiness in addition to all CockroachDB Dedicated standard features. You must be a contract customer to create a CockroachDB Dedicated advanced cluster. For more information, contact us.
How do CockroachDB Dedicated free trials work?
CockroachDB Dedicated offers a 30-day free trial. Free trials require a credit card so we can validate that you are not a bot and provide a seamless transition into production. Free trials apply when you:
- Create the first cluster in your organization
- Select 9 or fewer nodes (we recommend starting with 3 so you can try scaling)
- Select up to 4 vCPUs of compute and 150 GiB of storage (the trial code will not apply to larger clusters)
- Select a single region or 3 regions
- Don't remove the pre-applied trial code at check out
Once the 30-day period is over, your cluster can be scaled beyond the trial period hardware limitations. You can create other paid clusters at any time. If Cockroach Labs has provided you with additional codes, you can use those on applicable clusters. For extended trial options, contact us.
How do I connect to my cluster?
To connect to a cluster, you need to authorize your network, create a SQL user, download the CA certificate, and then generate a connection string or parameters. You can use this information to connect to your cluster through the CockroachDB SQL client or a PostgreSQL-compatible driver or ORM. For more details, see Connect to Your CockroachDB Dedicated Cluster.
Security
Is my cluster secure?
Yes. We create individual sub-accounts and VPCs for each cluster within the cloud provider. These VPCs are firewalled from each other and any other outside connection, unless allowlisted for SQL and Web UI ports.
The allowlist is comprised of IP addresses that you provide to us, and is an additional layer of protection for your cluster. Connections will only be accepted if they come from an allowlisted IP address, which protects against both compromised passwords and any potential bugs in the server.
We use separate certificate authorities for each cluster, and all connections to the cluster over the internet use TLS 1.2 or 1.3.
CockroachDB clusters support TLS 1.2 or TLS 1.3 encryption for SQL clients. However, the following less-secure TLS 1.2 cipher suites are rejected by default, in accordance with the IETF's recommended cipher list defined in RFC 8447:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
SQL clients, intermediate proxies, or load balancers that do not support any cipher suites that CockroachDB supports will be unable to connect to CockroachDB clusters. To allow SQL connections using the deprecated cipher suites, set the COCKROACH_TLS_ENABLE_OLD_CIPHER_SUITES environment variable to true for your cockroach start command. This mode is not recommended, unless you must use a client, intermediate proxy, or load balancer that doesn't support any of the more secure cipher suites.
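The following added example (not part of the original page or of CockroachDB) audits a client's or proxy's cipher offer against the rejected-by-default list above. The function name, the result keys, and the sample offers are assumptions made for illustration; because the page lists only the rejected suites, "remaining" means "not on that list", not "guaranteed to be accepted".

```python
import ssl

# IANA code points of the TLS 1.2 suites the page lists as rejected by default.
REJECTED_BY_DEFAULT = {
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def audit_offer(ciphers):
    """Split a cipher offer (dicts shaped like SSLContext.get_ciphers()) into
    suites rejected by default and everything else. Hypothetical helper."""
    rejected, remaining = [], []
    for c in ciphers:
        code = c["id"] & 0xFFFF  # OpenSSL keeps the IANA code point in the low 16 bits
        if code in REJECTED_BY_DEFAULT:
            rejected.append(REJECTED_BY_DEFAULT[code])
        else:
            remaining.append(c["name"])
    # If every offered suite is on the rejected list, the handshake cannot succeed
    # unless COCKROACH_TLS_ENABLE_OLD_CIPHER_SUITES is set on the server.
    return {"rejected": rejected, "remaining": remaining,
            "only_rejected": bool(ciphers) and not remaining}

# Constructed sample offers (not captured traffic).
LEGACY_PROXY_OFFER = [
    {"id": 0x0300002F, "name": "AES128-SHA"},
    {"id": 0x0300C014, "name": "ECDHE-RSA-AES256-SHA"},
]
MODERN_CLIENT_OFFER = [
    {"id": 0x03001301, "name": "TLS_AES_128_GCM_SHA256"},
    {"id": 0x0300C02F, "name": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"id": 0x0300009D, "name": "AES256-GCM-SHA384"},
]

if __name__ == "__main__":
    for label, offer in [("legacy proxy", LEGACY_PROXY_OFFER),
                         ("modern client", MODERN_CLIENT_OFFER),
                         ("this host's Python ssl defaults",
                          ssl.create_default_context().get_ciphers())]:
        print(label, audit_offer(offer))
```

The last row reflects the OpenSSL build that Python links against, which may differ from the TLS library your SQL driver or load balancer actually uses.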
See the Security Overview page for more information, and for comparison of security options by CockroachDB product.
Is encryption-at-rest enabled on CockroachDB Dedicated?
All data on CockroachDB Cloud is encrypted at rest by the cloud provider where your cluster is deployed. Refer to persistent disk encryption for GCP, EBS encryption-at-rest for AWS, and Azure disk encryption for Azure. With CockroachDB Dedicated advanced, Customer Managed Encryption Keys (CMEK) allows you to optionally protect cluster data at rest with cryptographic keys that are entirely within your control.
All data in CockroachDB Serverless and CockroachDB Dedicated is encrypted at rest by the cloud provider where your cluster is deployed.
CockroachDB Serverless and CockroachDB Dedicated users delegate responsibility for encryption-at-rest to the cloud provider. CockroachDB's proprietary storage-layer encryption-at-rest functionality is currently only available with an Enterprise license and is not currently available to users of CockroachDB Serverless or CockroachDB Dedicated.
As a result, encryption will appear to be disabled in the DB Console, since the console is unaware of cloud provider encryption.
See the Security Overview page for more information, and for comparison of security options by CockroachDB product.
Is my cluster isolated? Does it share resources with any other clusters?
CockroachDB Dedicated is a single-tenant offering and resources are not shared among clusters.
Who has access to my cluster data?
The Cockroach Labs SRE team has direct access to CockroachDB Cloud cluster data. They adhere to the confidentiality agreement described in our Terms and Conditions.
Cluster maintenance
How do I change the configurations on my cluster?
You can change your cluster's compute, add and remove nodes, and increase storage using the CockroachDB Cloud Console, the Cloud API, or Terraform. Due to cloud provider limitations, storage space cannot be removed from a node once added.
How do I add nodes?
You can add nodes by accessing the Clusters page on the CockroachDB Cloud Console and clicking the ... button for the cluster you want to add or delete nodes for. See Cluster Management for more details.
CockroachDB Cloud does not support scaling a multi-node cluster down to a single node.
Do you auto-scale?
We do not automatically scale nodes based on your capacity usage. To add or remove nodes, see Cluster Management.
Who is responsible for backup?
Taking regular backups of your data is an operational best practice. Both a) frequently and securely backing up your data, and b) maintaining readiness to quickly restore from saved backups, are essential to resilience and disaster recovery.
CockroachDB Cloud automatically runs full backups daily and incremental backups hourly for every CockroachDB Dedicated cluster. By default, full backups are retained for 30 days and incremental backups for 7 days. However, there are some cases where you will no longer be able to restore the managed backups even within the retainment window:
- Manually deleting the managed backup schedule.
- Enabling CMEK for a CockroachDB Dedicated cluster. Refer to Backup and restore operations on a cluster with CMEK.
Once a cluster is deleted, Cockroach Labs retains the full backups for 30 days and incremental backups for 7 days. If an organization is deleted, you will lose access to all of the managed-service backups that Cockroach Labs has taken of the cluster.
In addition to these managed backups, you can also take manual backups and store them in your cloud storage buckets using the BACKUP statement.
Databases are not all backed up at the same time. Each database is backed up every hour based on the time of creation. For larger databases, you might see an hourly CPU spike while the database is being backed up.
Learn more:
Refer to Use Managed-Service Backups to learn how to restore data from CockroachDB Cloud's automatic backups in the Console.
Refer to Take and Restore Customer-Owned Backups on CockroachDB Cloud for more information about using customer-managed backups.
Refer to Disaster Recovery for information about more holistically maintaining a capacity to recover from potential disruptions.
Cloud provider considerations
The backups for AWS clusters are encrypted using AWS S3’s server-side encryption and the backups for GCP clusters are encrypted using Google-managed server-side encryption keys.
Can I download the backups that CockroachDB Cloud takes for me?
CockroachDB Cloud automated backups cannot be downloaded, but you can manually run a backup to your own storage location at any time. To do this, you will need either admin or SELECT privileges on the data you are backing up.
Can I restore my self-hosted CockroachDB cluster to CockroachDB Dedicated?
Yes. You can back up your self-hosted CockroachDB databases to an external location and then restore to your CockroachDB Cloud cluster.
If you are backing up the data to AWS or GCP, use the specified option for the AUTH parameter.
Can I set up VPC peering or AWS PrivateLink after my cluster is created?
AWS clusters can set up a PrivateLink connection at any time after the cluster is created.
GCP clusters can also set up VPC peering after the cluster is created, but you will be locked into our default IP range (172.28.0.0/14) unless you configure a different IP range during cluster creation. You can use the default IP range for VPC peering as long as it doesn't overlap with the IP ranges in your network. For more information, see VPC peering.
Azure Private Link is not yet available for CockroachDB Dedicated on Azure.
Product features
Are enterprise features available to me?
Yes, CockroachDB Dedicated clusters run the enterprise version of CockroachDB and all enterprise features are available to you.
Is there a public API for CockroachDB Cloud?
Yes, see the Cloud API page for more information. We’re always looking for design partners and customer input for our features, so please contact us if you have specific API requirements.
Do you have a UI? How can I see details?
All customers of our CockroachDB Dedicated service can view and manage their clusters in the Console.
What latency should I expect when making a call to CockroachDB Dedicated?
Response times are under 10ms for public access but typically much lower. Additionally, using VPC peering or AWS PrivateLink will reduce latency.
Support
Where can I find the Support Policy and Service Level Agreement (SLA) for CockroachDB Dedicated?
The following pages can be found in our Terms & Conditions:
Am I in control of upgrades for my CockroachDB Dedicated clusters?
Yes, an Org Administrator can apply major release upgrades directly through the CockroachDB Cloud Console; however, patch version upgrades are automatically applied to all clusters. CockroachDB Dedicated clusters are restarted one node at a time for patch version upgrades, so previously established connections will need to be reestablished after the restart. For more information, see the CockroachDB Cloud Upgrade Policy.
What is the support policy for older versions of the software?
CockroachDB Dedicated supports the latest major version of CockroachDB and the version immediately preceding it. We highly recommend running one of the two latest versions of CockroachDB, but we will never force a major upgrade to a cluster without your knowledge. You can contact Support if you require an exception.
How do I check to see if CockroachDB Cloud is down?
The CockroachDB Cloud Status page is a publicly available page that displays the current uptime status of the following services:
- CockroachDB Cloud Console: The UI used for signing up for CockroachDB Cloud, cluster creation and management, and user management.
- AWS: The status reported here reflects the health of existing AWS CockroachDB Cloud clusters and the ability to provision new clusters in AWS.
- GCP: The status reported here reflects the health of existing GCP CockroachDB Cloud clusters and the ability to provision new clusters in GCP.
Cluster troubleshooting
What do I do if my queries are too slow?
To optimize schema design to achieve your performance goals, we recommend working with our Sales Engineering team before you set up your cluster. You can also read our SQL Performance Best Practices and Query Performance Optimization docs for more information.
Can I monitor my cluster with third-party tools?
Yes, CockroachDB Dedicated clusters support an integration with Datadog that enables data collection and alerting on a subset of CockroachDB metrics. Enabling the Datadog integration on your CockroachDB Dedicated cluster will apply additional charges to your Datadog bill. See Monitor with Datadog for more information.
If you need additional help, contact Support.