configuring-ip-allowlists
# Configuring IP Allowlists
Configures and hardens IP allowlists on CockroachDB Cloud clusters to restrict SQL and DB Console access to authorized CIDR ranges. Identifies overly permissive entries (such as 0.0.0.0/0) and replaces them with specific, narrow ranges.
## When to Use This Skill

- Removing `0.0.0.0/0` (open to all) from the IP allowlist
- Restricting network access after initial cluster setup
- Adding office, VPN, or CI/CD CIDR ranges to the allowlist
- Reviewing and tightening existing allowlist entries
- Responding to a security audit finding about overly broad network access
## Prerequisites

- ccloud CLI installed and authenticated (`ccloud auth login`)
- Cloud Console role: Cluster Admin or Cluster Operator
- Known CIDR ranges: Office IPs, VPN egress IPs, CI/CD runner IPs, or other authorized sources
- Cluster ID: Available from `ccloud cluster list`

Verify access:

```bash
ccloud auth whoami
ccloud cluster list
```
## Steps

### 1. List Current Allowlist Entries

```bash
# List all IP allowlist entries for the cluster
ccloud cluster networking allowlist list <cluster-id> -o json
```

Review each entry. Flag any of these as overly permissive:

- `0.0.0.0/0` — Open to all IPv4 addresses
- `/8` ranges — 16 million+ addresses
- `/16` ranges — 65,000+ addresses
- Unknown or undocumented entries
See ccloud commands reference for full command syntax.
### 2. Understand Allowlist Limits
CockroachDB Cloud clusters have a maximum number of IP allowlist entries per cluster. If you need more entries than the limit allows:
- Consolidate entries: Use broader CIDR ranges where security permits (e.g., combine several `/32` entries into a `/24`)
- Use private endpoints: Switch to private endpoints instead of allowlists for VPC-based access — private endpoints bypass the allowlist entirely
- Request a limit increase: Contact CockroachDB Cloud support if consolidation and private endpoints are not sufficient
### 3. Identify Required CIDR Ranges
Before modifying the allowlist, document all legitimate access sources:
| Source | CIDR | SQL Access | UI Access |
|---|---|---|---|
| Office network | 203.0.113.0/24 | Yes | Yes |
| VPN egress | 198.51.100.0/24 | Yes | Yes |
| CI/CD runners | 192.0.2.0/28 | Yes | No |
| Monitoring | 10.0.1.5/32 | Yes | No |
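The review in step 1 and the coverage check implied by this table can be scripted. The following is an added example, not part of the skill or the ccloud CLI: it flags the overly permissive entries listed in step 1 and reports which documented sources would be left without matching access once those entries are removed. The JSON field names (`cidr_ip`, `cidr_mask`, `sql`, `ui`, `name`) are an assumed shape for the `-o json` output and must be adapted to the real schema.

```python
import ipaddress
import json

# Constructed sample standing in for `ccloud cluster networking allowlist list <cluster-id> -o json`.
# The field names are an assumed schema, not the documented ccloud output.
SAMPLE_ALLOWLIST_JSON = """[
  {"cidr_ip": "0.0.0.0",     "cidr_mask": 0,  "sql": true, "ui": true,  "name": "Default"},
  {"cidr_ip": "203.0.113.0", "cidr_mask": 24, "sql": true, "ui": true,  "name": "Office network"},
  {"cidr_ip": "10.0.0.0",    "cidr_mask": 8,  "sql": true, "ui": false, "name": ""},
  {"cidr_ip": "192.0.2.0",   "cidr_mask": 28, "sql": true, "ui": false, "name": "CI/CD runners"}
]"""

# Authorized sources from the step 3 table: (CIDR, needs SQL access, needs UI access)
REQUIRED_SOURCES = [
    ("203.0.113.0/24", True, True),
    ("198.51.100.0/24", True, True),
    ("192.0.2.0/28", True, False),
    ("10.0.1.5/32", True, False),
]

def entry_network(entry):
    return ipaddress.ip_network(f"{entry['cidr_ip']}/{entry['cidr_mask']}", strict=False)

def permissive_reason(entry):
    """Why an entry is overly permissive under the step 1 review rules, or None if it is fine."""
    net = entry_network(entry)
    if net.prefixlen == 0:
        return "open to all IPv4 addresses"
    if net.prefixlen <= 16:
        return f"/{net.prefixlen} covers {net.num_addresses:,} addresses"
    if not entry.get("name"):
        return "undocumented entry (no name)"
    return None

def audit_allowlist(allowlist_json, required=REQUIRED_SOURCES):
    """Return (flagged, missing): entries to remove, and required sources that would
    be left without an entry granting the needed access once the flagged ones are gone."""
    entries = json.loads(allowlist_json)
    flagged = [(str(entry_network(e)), permissive_reason(e)) for e in entries if permissive_reason(e)]
    keep = [e for e in entries if permissive_reason(e) is None]
    missing = []
    for cidr, needs_sql, needs_ui in required:
        want = ipaddress.ip_network(cidr)
        covered = any(want.subnet_of(entry_network(e))
                      and (not needs_sql or e["sql"]) and (not needs_ui or e["ui"])
                      for e in keep)
        if not covered:
            missing.append(cidr)
    return flagged, missing

if __name__ == "__main__":
    flagged, missing = audit_allowlist(SAMPLE_ALLOWLIST_JSON)
    for cidr, reason in flagged:
        print(f"REMOVE  {cidr}: {reason}")
    for cidr in missing:
        print(f"ADD     {cidr}: not covered by any remaining entry")
```

In the sample, the monitoring host 10.0.1.5/32 is reachable only through the undocumented 10.0.0.0/8 entry, so it shows up as missing: add it as a `/32` before deleting the broad entry.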
### 4. Add Specific CIDR Entries

```bash
# Add a specific CIDR range (CIDR is a positional argument)
ccloud cluster networking allowlist create <cluster-name> <cidr> \
  --sql \
  --ui \
  --name "<description>"
```

Examples:

```bash
# Office network — SQL and UI access
ccloud cluster networking allowlist create <cluster-name> 203.0.113.0/24 \
  --sql \
  --ui \
  --name "Office network"

# CI/CD runners — SQL only
ccloud cluster networking allowlist create <cluster-name> 192.0.2.0/28 \
  --sql \
  --name "CI/CD runners"

# Single IP — /32 for maximum specificity
ccloud cluster networking allowlist create <cluster-name> 198.51.100.42/32 \
  --sql \
  --ui \
  --name "Developer workstation"
```
### 5. Remove Overly Permissive Entries

```bash
# Delete the 0.0.0.0/0 entry (or other overly broad entries)
ccloud cluster networking allowlist delete <cluster-name> 0.0.0.0/0
```

**Important:** Only remove `0.0.0.0/0` after confirming your specific CIDR entries are in place and tested.

### 6. Verify the Updated Allowlist

```bash
# Confirm the final allowlist
ccloud cluster networking allowlist list <cluster-id> -o json
```

Test connectivity from each authorized source:

```bash
# Test SQL connection from an allowed IP
cockroach sql --url "<connection-string>" -e "SELECT 1;"

# Test from a non-allowed IP (should fail)
# Attempt connection from an IP not in the allowlist — expect connection refused
```
## Safety Considerations

**Risk: Locking yourself out.** Removing `0.0.0.0/0` before adding your current IP will immediately block your access.

Mitigation steps:

- Identify your current IP before making changes: `curl -s https://checkip.amazonaws.com`
- Add your IP first as a `/32` entry before removing broad ranges
- Test connectivity after adding specific entries but before removing `0.0.0.0/0`
- Keep Cloud Console access — the Cloud Console UI can modify allowlists even if SQL access is blocked

Order of operations:

1. Add all specific CIDR entries
2. Verify SQL connectivity from each allowed source
3. Remove `0.0.0.0/0` only after verifying all needed entries are in place
4. Test again to confirm access still works
## Rollback

If you lose access after removing a broad entry:

- Cloud Console: Log into the CockroachDB Cloud Console (web UI) — this does not use the IP allowlist
- Re-add your IP: Add your current IP as a `/32` or re-add `0.0.0.0/0` temporarily
- Investigate: Determine which CIDR was missing and add it

```bash
# Emergency: re-add 0.0.0.0/0 via ccloud (if you still have ccloud access)
ccloud cluster networking allowlist create <cluster-name> 0.0.0.0/0 \
  --sql \
  --ui \
  --name "Emergency - temporary open access"
```
## References

Skill references:

Related skills:

- `auditing-cloud-cluster-security` — Run a full security posture audit
- `configuring-private-connectivity` — Private endpoints as an alternative to IP allowlists

Official CockroachDB Documentation: