- Advanced
- Standard
Set up a cluster
- Use the CockroachDB Cloud Console to on AWS in the same regions as your application.
- Navigate to the Networking page.
- Select the PrivateLink tab.
- Click Add Connection to open the connection dialog.
(Optional) Configure private endpoint trusted owners
This feature is in and is only available to enrolled organizations. To enroll your organization, contact your Cockroach Labs account team. This feature is subject to change.
- to add or remove private endpoint trusted owners. The Cluster Admin role includes all of the capabilities of the Cluster Operator role.
- to list or get details about private endpoint trusted owners.
Add a private endpoint trusted owner
To , send aPOST request to the endpoint as follows:- : The ID of the cluster.
- : The service account’s API key.
- : The ID of the AWS account to trust.
List private endpoint trusted owners
To , send aGET request to the endpoint as follows:- : The ID of the cluster.
- : The service account’s API key.
Get details about a trusted owner
To , send aGET request to the endpoint as follows:- : The ID of the cluster.
- : The UUID of a private endpoint trusted owner entry.
- : The service account’s API key.
Remove a trusted owner
To , send aDELETE request to the endpoint as follows:- : The ID of the cluster.
- : The UUID of a private endpoint trusted owner entry.
- : The service account’s API key
Create an AWS endpoint
- In the Add connection dialog in the CockroachDB Cloud Console, select the region to create a connection in.
- Copy the Service Name shown in the connection dialog. Make a note of the availability zones where your cluster is deployed in this region.
- On the Amazon VPC Console in your AWS account, click Your VPCs in the sidebar. Locate the VPC ID of the VPC you want to create your endpoint in, and make a note of its IPv4 CIDR. Cockroach Labs recommends that you use a VPC that has subnets in the availability zones where your cluster is deployed, and that your application or service is also deployed in the same availability zones. You can choose a different VPC for the private endpoint as long as it is peered to the VPC your application is running in and the private endpoint is configured to be DNS-accessible across the peered VPCs.
- Click Subnets in the sidebar. Make a note of the subnet ID of each subnet that corresponds to your chosen VPC.
- Click Security Groups in the sidebar.
-
Click Create security group to create a security group within your VPC. The security group allows inbound access from your application or source program on Port 26257:
- In the Security group name field, enter a name for the security group.
- In the Description field, enter a description for the security group.
- From the VPC dropdown, select the VPC you chose in Step 4.
- In the Inbound rules section, click Add rule.
- Enter 26257 in the Port range field.
- In the Source field, enter the CIDR range from Step 5.
- Click Create security group.
- AWS Console
- AWS CLI
- Click Endpoints in the sidebar.
- Click Create Endpoint.
- On the Create Endpoint page, for the Service Category field, select Find service by name.
- In the Service Name field, enter the Service Name you copied from the connection dialog in Create an AWS endpoint.
- Click Verify.
- In the VPC field, enter the ID of the VPC you want to create your endpoint in.
- Verify that the subnets are pre-populated.
- In the Security group section, select the security group you created in Create an AWS endpoint and uncheck the box for default security group.
- Click Create Endpoint. The VPC Endpoint ID displays.
- Copy the Endpoint ID to your clipboard and return to the Add PrivateLink dialog in CockroachDB Cloud.
Verify the endpoint ID
- Click Next.
- Enter the Endpoint ID, then click Validate. If validation fails, check the endpoint ID and try again. Otherwise, click Next.
- Follow the instructions in the dialog to enable private DNS name for the endpoint in AWS. When this option is enabled, CockroachDB Cloud maintains private DNS records in the VPC for the cluster.
- Click Complete to save the configuration and close the dialog.
Enable private DNS
Allow CockroachDB Cloud to modify the private DNS name for the endpoint in AWS. When this option is enabled, CockroachDB Cloud maintains private DNS records in the VPC for your cluster. Use either the Amazon VPC Console or the AWS Command Line Interface (CLI) to continue:- AWS Console
- AWS CLI
- On the Amazon VPC Console Endpoints page, select the endpoint you created.
- Click Actions.
- Click Modify Private DNS Names.
- Check the Enable Private DNS Name checkbox.
- Click Modify Private DNS Name.
- In the CockroachDB Cloud Console, click Complete to save the configuration and close the dialog.

