- CockroachDB Standard: Deployed in shared (multi-tenant) network and compute infrastructure. Storage scales automatically according to demand, but the cluster’s compute requirements are defined explicitly as part of the cluster’s configuration.
- CockroachDB Basic: Deployed in shared (multi-tenant) network and compute infrastructure. Storage and compute scale automatically according to demand, and you are charged only for the storage and activity of your cluster.
- CockroachDB Advanced: Deployed in dedicated network and compute infrastructure. This deployment may be distributed over multiple regions for added disaster-resilience. In addition to infrastructure isolation, Advanced clusters can be customized with advanced network, identity-management, and encryption-related security features required for high benchmark security goals such as . Refer to
| Security Domain | CockroachDB Basic | CockroachDB Standard | CockroachDB Advanced | Feature |
|---|---|---|---|---|
| ✓ | ✓ | ✓ | Inter-node and node identity authentication using TLS 1.3 | |
| ✓ | ✓ | ✓ | Client identity authentication using a username and password | |
| ✓ | ✓ | ✓ | ||
| ✓ | Cluster DB console authentication with third-party using OpenID Connect OIDC or SAML | |||
| ✓ | ✓ | ✓ | SQL Client authentication with using CockroachDB Cloud as identity provider | |
| ✓ | ✓ | ✓ | SQL Client authentication with using customer-managed identity providers | |
| ✓ | Client identity authentication using | |||
| ✓ | certificate revocation protocol | |||
| Data Protection | ✓ | ✓ | ✓ | Encryption-in-flight using TLS 1.3 |
| ✓ | ✓ | ✓ | Automatic backups for AWS clusters are encrypted-at-rest using AWS S3’s server-side encryption | |
| ✓ | ✓ | ✓ | Automatic backups for GCP clusters are encrypted-at-rest using Google-managed server-side encryption keys | |
| ✓ | ✓ | ✓ | Industry-standard encryption-at-rest provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure. | |
| ✓ | , with enabled. | |||
| ✓ | ✓ | ✓ | SQL users with direct privilege management | |
| ✓ | ✓ | ✓ | SQL Role-based access control (RBAC) | |
| ✓ | ✓ | ✓ | Cloud Organization users with fine-grained access roles | |
| Network Security | ✓ | ✓ | ✓ | |
| ✓ | ||||
| ✓ | ✓ | ✓ | Network-level Configuration of allowed IP addresses | |
| ✓ | Egress Perimeter Controls | |||
| ✓ | ✓ | |||
| ✓ | for GCP clusters | |||
| ✓ | ✓ | PrivateLink for AWS clusters. | ||
| ✓ | ||||
| Non-Repudiation | ✓ | ✓ | ✓ | |
| ✓ | ✓ | ✓ | ||
| ✓ | ✓ | ✓ | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See |

