Skip to content

Latest commit

 

History

History
127 lines (75 loc) · 8.37 KB

deploy-cockroachdb-on-google-cloud-platform.md

File metadata and controls

127 lines (75 loc) · 8.37 KB
title summary toc toc_not_nested ssh-link
Deploy CockroachDB on Google Cloud Platform GCE
Learn how to deploy CockroachDB on Google Cloud Platform's Compute Engine.
true
true
Secure Insecure

This page shows you how to manually deploy a secure multi-node CockroachDB cluster on Google Cloud Platform's Compute Engine (GCE), using Google's TCP Proxy Load Balancing service to distribute client traffic.

If you are only testing CockroachDB, or you are not concerned with protecting network communication with TLS encryption, you can use an insecure cluster instead. Select Insecure above for instructions.

Requirements

{% include {{ page.version.version }}/prod-deployment/secure-requirements.md %}

Recommendations

{% include {{ page.version.version }}/prod-deployment/secure-recommendations.md %}

Step 1. Configure your network

CockroachDB requires TCP communication on two ports:

  • 26257 (tcp:26257) for inter-node communication (i.e., working as a cluster)
  • 8080 (tcp:8080) for exposing your Admin UI

Inter-node communication works by default using your GCE instances' internal IP addresses, which allow communication with other instances on CockroachDB's default port 26257. However, to expose your admin UI and allow traffic from the TCP proxy load balancer and health checker to your instances, you need to create firewall rules for your project.

Creating Firewall Rules

When creating firewall rules, we recommend using Google Cloud Platform's tag feature, which lets you specify that you want to apply the rule only to instance that include the same tag.

Admin UI

Field Recommended Value
Name cockroachadmin
Source filter IP ranges
Source IP ranges Your local network's IP ranges
Allowed protocols... tcp:8080
Target tags cockroachdb

Application Data

Applications will not connect directly to your CockroachDB nodes. Instead, they'll connect to GCE's TCP Proxy Load Balancing service, which automatically routes traffic to the instances that are closest to the user. Because this service is implemented at the edge of the Google Cloud, you'll need to create a firewall rule to allow traffic from the load balancer and health checker to your instances. This is covered in Step 4.

{{site.data.alerts.callout_danger}}When using TCP Proxy Load Balancing, you cannot use firewall rules to control access to the load balancer. If you need such control, consider using Network TCP Load Balancing instead, but note that it cannot be used across regions. You might also consider using the HAProxy load balancer (see the On-Premises tutorial for guidance.).{{site.data.alerts.end}}

Step 2. Create instances

Create an instance for each node you plan to have in your cluster.

  • Run at least 3 nodes to ensure survivability.

  • Use n1-standard or n1-highcpu predefined VMs, or custom VMs, with Local SSDs or SSD persistent disks. For example, Cockroach Labs has used custom VMs (8 vCPUs and 16 GiB of RAM per VM) for internal testing.

  • Do not use f1 or g1 shared-core machines, which limit the load on a single core.

  • If you used a tag for your firewall rules, when you create the instance, select Management, disk, networking, SSH keys. Then on the Networking tab, in the Network tags field, enter cockroachdb.

For more details, see Hardware Recommendations and Cluster Topology.

Step 3. Synchronize clocks

{% include {{ page.version.version }}/prod-deployment/synchronize-clocks.md %}

Step 4. Set up TCP Proxy Load Balancing

Each CockroachDB node is an equally suitable SQL gateway to your cluster, but to ensure client performance and reliability, it's important to use load balancing:

  • Performance: Load balancers spread client traffic across nodes. This prevents any one node from being overwhelmed by requests and improves overall cluster performance (queries per second).

  • Reliability: Load balancers decouple client health from the health of a single CockroachDB node. In cases where a node fails, the load balancer redirects client traffic to available nodes.

GCE offers fully-managed TCP Proxy Load Balancing. This service lets you use a single IP address for all users around the world, automatically routing traffic to the instances that are closest to the user.

{{site.data.alerts.callout_danger}}When using TCP Proxy Load Balancing, you cannot use firewall rules to control access to the load balancer. If you need such control, consider using Network TCP Load Balancing instead, but note that it cannot be used across regions. You might also consider using the HAProxy load balancer (see Deploy CockroachDB On-Premises for guidance).{{site.data.alerts.end}}

To use GCE's TCP Proxy Load Balancing service:

  1. For each zone in which you're running an instance, create a distinct instance group.
    • To ensure that the load balancer knows where to direct traffic, specify a port name mapping, with tcp26257 as the Port name and 26257 as the Port number.
  2. Add the relevant instances to each instance group.
  3. Configure TCP Proxy Load Balancing.
    • During backend configuration, create a health check, setting the Protocol to HTTPS, the Port to 8080, and the Request path to /health. If you want to maintain long-lived SQL connections that may be idle for more than tens of seconds, increase the backend timeout setting accordingly.
    • During frontend configuration, reserve a static IP address and note the IP address and the port you select. You'll use this address and port for all client connections.
  4. Create a firewall rule to allow traffic from the load balancer and health checker to your instances. This is necessary because TCP Proxy Load Balancing is implemented at the edge of the Google Cloud.
    • Be sure to set Source IP ranges to 130.211.0.0/22 and 35.191.0.0/16 and set Target tags to cockroachdb (not to the value specified in the linked instructions).

Step 5. Generate certificates

{% include {{ page.version.version }}/prod-deployment/secure-generate-certificates.md %}

Step 6. Start nodes

{% include {{ page.version.version }}/prod-deployment/secure-start-nodes.md %}

Step 7. Initialize the cluster

{% include {{ page.version.version }}/prod-deployment/secure-initialize-cluster.md %}

Step 8. Test the cluster

{% include {{ page.version.version }}/prod-deployment/secure-test-cluster.md %}

Step 9. Set up monitoring and alerting

{% include {{ page.version.version }}/prod-deployment/monitor-cluster.md %}

Step 10. Scale the cluster

{% include {{ page.version.version }}/prod-deployment/secure-scale-cluster.md %}

Step 11. Use the database

{% include {{ page.version.version }}/prod-deployment/use-cluster.md %}

See Also

{% include {{ page.version.version }}/prod-deployment/prod-see-also.md %}