This page shows you how to manually deploy a secure multi-node CockroachDB cluster on Google Cloud Platform's Compute Engine (GCE), using Google's TCP Proxy Load Balancing service to distribute client traffic.
If you are only testing CockroachDB, or you are not concerned with protecting network communication with TLS encryption, you can use an insecure cluster instead. Select Insecure above for instructions.
Requirements
Locally, you must have CockroachDB installed, which you'll use to generate and manage your deployment's certificates.
In GCE, you must have SSH access to each machine with root or sudo privileges. This is necessary for distributing binaries and starting CockroachDB.
Recommendations
For guidance on cluster topology, clock synchronization, and file descriptor limits, see Recommended Production Settings.
Decide how you want to access your Admin UI:
- Only from specific IP addresses, which requires you to set firewall rules to allow communication on port
8080
(documented on this page). - Using an SSH tunnel, which requires you to use
--http-host=localhost
when starting your nodes.
- Only from specific IP addresses, which requires you to set firewall rules to allow communication on port
Step 1. Configure your network
CockroachDB requires TCP communication on two ports:
- 26257 (
tcp:26257
) for inter-node communication (i.e., working as a cluster) - 8080 (
tcp:8080
) for exposing your Admin UI
Inter-node communication works by default using your GCE instances' internal IP addresses, which allow communication with other instances on CockroachDB's default port 26257
. However, to expose your admin UI and allow traffic from the TCP proxy load balancer and health checker to your instances, you need to create firewall rules for your project.
Creating Firewall Rules
When creating firewall rules, we recommend using Google Cloud Platform's tag feature, which lets you specify that you want to apply the rule only to instance that include the same tag.
Admin UI
Field | Recommended Value |
---|---|
Name | cockroachadmin |
Source filter | IP ranges |
Source IP ranges | Your local network's IP ranges |
Allowed protocols... | tcp:8080 |
Target tags | cockroachdb |
Application Data
Applications will not connect directly to your CockroachDB nodes. Instead, they'll connect to GCE's TCP Proxy Load Balancing service, which automatically routes traffic to the instances that are closest to the user. Because this service is implemented at the edge of the Google Cloud, you'll need to create a firewall rule to allow traffic from the load balancer and health checker to your instances. This is covered in Step 3.
Step 2. Create instances
Create an instance for each node you plan to have in your cluster. We recommend:
- Running at least 3 nodes to ensure survivability.
- Selecting the same continent for all of your instances for best performance.
If you used a tag for your firewall rules, when you create the instance, select Management, disk, networking, SSH keys. Then on the Networking tab, in the Network tags field, enter cockroachdb.
Step 3. Set up TCP Proxy Load Balancing
Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it's important to use load balancing:
Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second).
Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes.
GCE offers fully-managed TCP Proxy Load Balancing. This service lets you use a single IP address for all users around the world, automatically routing traffic to the instances that are closest to the user.
To use GCE's TCP Proxy Load Balancing service:
- For each zone in which you're running an instance, create a distinct instance group.
- To ensure that the load balancer knows where to direct traffic, specify a port name mapping, with
tcp26257
as the Port name and26257
as the Port number.
- To ensure that the load balancer knows where to direct traffic, specify a port name mapping, with
- Add the relevant instances to each instance group.
- Configure TCP Proxy Load Balancing.
- During backend configuration, create a health check, setting the Protocol to
HTTPS
, the Port to8080
, and the Request path to/health
. If you want to maintain long-lived SQL connections that may be idle for more than tens of seconds, increase the backend timeout setting accordingly. - During frontend configuration, reserve a static IP address and note the IP address and the port you select. You'll use this address and port for all client connections.
- During backend configuration, create a health check, setting the Protocol to
- Create a firewall rule to allow traffic from the load balancer and health checker to your instances. This is necessary because TCP Proxy Load Balancing is implemented at the edge of the Google Cloud.
- Be sure to set Source IP ranges to
130.211.0.0/22
and35.191.0.0/16
and set Target tags tocockroachdb
(not to the value specified in the linked instructions).
- Be sure to set Source IP ranges to
Step 4. Generate certificates
Locally, you'll need to create the following certificates and keys:
- A certificate authority (CA) key pair (
ca.crt
andca.key
). - A node key pair for each node, issued to its IP addresses and any common names the machine uses, as well as to the IP address provisioned for the GCE load balancer.
- A client key pair for the
root
user.
Install CockroachDB on your local machine, if you haven't already.
Create two directories:
$ mkdir certs
$ mkdir my-safe-directory
certs
: You'll generate your CA certificate and all node and client certificates and keys in this directory and then upload some of the files to your nodes.my-safe-directory
: You'll generate your CA key in this directory and then reference the key when generating node and client certificates. After that, you'll keep the key safe and secret; you will not upload it to your nodes.
Create the CA certificate and key:
$ cockroach cert create-ca \ --certs-dir=certs \ --ca-key=my-safe-directory/ca.key
Create the certificate and key for the first node, issued to all common names you might use to refer to the node as well as to addresses provisioned for the GCE load balancer:
$ cockroach cert create-node \ <node1 internal IP address> \ <node1 external IP address> \ <node1 hostname> \ <other common names for node1> \ localhost \ 127.0.0.1 \ <load balancer IP address> \ <load balancer hostname> \ --certs-dir=certs \ --ca-key=my-safe-directory/ca.key
<node1 internal IP address>
which is the instance's Internal IP.<node1 external IP address>
which is the instance's External IP address.<node1 hostname>
which is the instance's Name.<other common names for node1>
which include any domain names you point to the instance.localhost
and127.0.0.1
<load balancer IP address>
<load balancer hostname>
Upload certificates to the first node:
# Create the certs directory: $ ssh <username>@<node1 external IP address> "mkdir certs"
# Upload the CA certificate and node certificate and key: $ scp certs/ca.crt \ certs/node.crt \ certs/node.key \ <username>@<node1 external IP address>:~/certs
Delete the local copy of the node certificate and key:
$ rm certs/node.crt certs/node.key
Note:This is necessary because the certificates and keys for additional nodes will also be namednode.crt
andnode.key
As an alternative to deleting these files, you can run the nextcockroach cert create-node
commands with the--overwrite
flag.Create the certificate and key for the second node, issued to all common names you might use to refer to the node as well as to addresses provisioned for the GCE load balancer:
$ cockroach cert create-node \ <node2 internal IP address> \ <node2 external IP address> \ <node2 hostname> \ <other common names for node2> \ localhost \ 127.0.0.1 \ <load balancer IP address> \ <load balancer hostname> \ --certs-dir=certs \ --ca-key=my-safe-directory/ca.key
Upload certificates to the second node:
# Create the certs directory: $ ssh <username>@<node2 external IP address> "mkdir certs"
# Upload the CA certificate and node certificate and key: $ scp certs/ca.crt \ certs/node.crt \ certs/node.key \ <username>@<node2 external IP address>:~/certs
Repeat steps 6 - 8 for each additional node.
Create a client certificate and key for the
root
user:$ cockroach cert create-client \ root \ --certs-dir=certs \ --ca-key=my-safe-directory/ca.key
Tip:In later steps, you'll use theroot
user's certificate to runcockroach
client commands from your local machine. If you might also want to runcockroach
client commands directly on a node (e.g., for local debugging), you'll need to copy theroot
user's certificate and key to that node as well.
Step 5. Start the first node
SSH to your instance:
$ ssh <username>@<node1 external IP address>
Install the latest CockroachDB binary:
# Get the latest CockroachDB tarball. $ curl https://binaries.cockroachdb.com/cockroach-v1.0.7.linux-amd64.tgz
# Extract the binary. $ tar -xzf cockroach-v1.0.7.linux-amd64.tgz \ --strip=1 cockroach-v1.0.7.linux-amd64/cockroach
# Move the binary. $ sudo mv cockroach /usr/local/bin/
Start a new CockroachDB cluster with a single node, specifying the location of certificates and the address at which other nodes can reach it:
$ cockroach start --background \ --certs-dir=certs
Step 6. Add nodes to the cluster
At this point, your cluster is live and operational but contains only a single node. Next, scale your cluster by setting up additional nodes that will join the cluster.
SSH to your instance:
$ ssh <username>@<additional node external IP address>
Install the latest CockroachDB binary:
# Get the latest CockroachDB tarball. $ curl https://binaries.cockroachdb.com/cockroach-v1.0.7.linux-amd64.tgz
# Extract the binary. $ tar -xzf cockroach-v1.0.7.linux-amd64.tgz \ --strip=1 cockroach-v1.0.7.linux-amd64/cockroach
# Move the binary. $ sudo mv cockroach /usr/local/bin/
Start a new node that joins the cluster using the first node's internal IP address:
$ cockroach start --background \ --certs-dir=certs \ --join=<node1 internal IP address>:26257
Repeat these steps for each instance you want to use as a node.
Step 7. Test your cluster
CockroachDB replicates and distributes data for you behind-the-scenes and uses a Gossip protocol to enable each node to locate data across the cluster.
To test this, use the built-in SQL client locally as follows:
On your local machine, connect the built-in SQL client to node 1, with the
--host
flag set to the external address of node 1 and security flags pointing to the CA cert and the client cert and key:$ cockroach sql \ --certs-dir=certs \ --host=<node1 external IP address>
Create a
securenodetest
database:> CREATE DATABASE securenodetest;
Use CTRL-D, CTRL-C, or
\q
to exit the SQL shell.Connect the built-in SQL client to node 2, with the
--host
flag set to the external address of node 2 and security flags pointing to the CA cert and the client cert and key:$ cockroach sql \ --certs-dir=certs \ --host=<node2 external IP address>
View the cluster's databases, which will include
securenodetest
:> SHOW DATABASES;
+--------------------+ | Database | +--------------------+ | crdb_internal | | information_schema | | securenodetest | | pg_catalog | | system | +--------------------+ (5 rows)
Use CTRL-D, CTRL-C, or
\q
to exit the SQL shell.
Step 8. Test load balancing
The GCE load balancer created in step 3 can serve as the client gateway to the cluster. Instead of connecting directly to a CockroachDB node, clients connect to the load balancer, which will then redirect the connection to a CockroachDB node.
To test this, use the built-in SQL client locally as follows:
On your local machine, launch the built-in SQL client, with the
--host
flag set to the load balancer's IP address and security flags pointing to the CA cert and the client cert and key:$ cockroach sql \ --certs-dir=certs --host=<load balancer IP address> \ --port=<load balancer port>
View the cluster's databases:
> SHOW DATABASES;
+--------------------+ | Database | +--------------------+ | crdb_internal | | information_schema | | securenodetest | | pg_catalog | | system | +--------------------+ (5 rows)
As you can see, the load balancer redirected the query to one of the CockroachDB nodes.
Check which node you were redirected to:
> SELECT node_id FROM crdb_internal.node_build_info LIMIT 1;
+---------+ | node_id | +---------+ | 1 | +---------+ (1 row)
Use CTRL-D, CTRL-C, or
\q
to exit the SQL shell.
Step 9. Monitor the cluster
View your cluster's Admin UI by going to https://<any node's external IP address>:8080
.
On this page, verify that the cluster is running as expected:
Click View nodes list on the right to ensure that all of your nodes successfully joined the cluster.
Click the Databases tab on the left to verify that
securenodetest
is listed.
Step 10. Use the database
Now that your deployment is working, you can:
- Implement your data model.
- Create users and grant them privileges.
- Connect your application. Be sure to connect your application to the GCE load balancer, not to a CockroachDB node.