Data in transit encryption

As YDB is a distributed system typically running on a cluster, often spanning multiple datacenters or availability zones, user data is routinely transferred over the network. Various protocols can be involved, and each can be configured to run over TLS. Below is a list of protocols supported by YDB:

  • Interconnect, a specialized protocol for all communication between YDB nodes.
  • YDB as a server:
  • YDB as a client:
    • LDAP for user authentication.
    • Federated queries, a feature that allows YDB to query various external data sources. Some sources are queried directly from the ydbd process, while others are proxied via a separate connector process.
    • Tracing data sent to an external collector via gRPC.
  • In asynchronous replication between two YDB databases, one serves as a client to the other.

By default, data in transit encryption is disabled and must be enabled separately for each protocol. The protocols can either share the same set of TLS certificates or use dedicated ones. For instructions on how to enable TLS, refer to the YDB cluster configuration section.