MongoDB Atlas now allows you to directly peer virtual private clouds (VPCs) in your AWS accounts with the MongoDB Atlas VPC created for your MongoDB clusters. Easily create an extended, private network connecting your application servers and backend databases.
VPC Peering in MongoDB Atlas is a significant ease of use and security improvement:
- Your application servers (and development environments) can directly connect to MongoDB Atlas while remaining isolated from public networks.
- Automatically scale your application tier without having to manage your database firewall rules.
- Peer multiple VPCs in the same region from your AWS account(s) to each MongoDB Atlas group.
Security groups from your peered VPC can even be referenced in MongoDB Atlas clusters.
Let’s walk through what using this functionality feels like.
- Create an AWS account
- Create a VPC
- Enable “DNS hostnames” on the VPC (optional). This will make it possible to immediately resolve the hostnames in the peered MongoDB Atlas clusters VPC to their private IP addresses (otherwise propagation can take up to one hour).
- Launch instances that you can SSH into
- Download MongoDB shell software onto those instances to confirm connectivity
- Create a MongoDB Atlas account
- Deploy a cluster in the same region as your AWS VPC
Step by Step Guide
- Register for a MongoDB Atlas account.
- Deploy cluster (US-East region is shown here)
- While the database cluster is deploying, navigate to the “Security” tab’s “Peering” section
- Add a New Peering Connection and include the information about your existing VPC (helpful “Show me how” instructions can be found throughout this process)
- Note that the default VPC used for EC2 instances uses a CIDR block that overlaps with that used by MongoDB Atlas and so cannot be peered – a new one must be created. I created a VPC with a CIDR block “10.0.0.0/16” for testing, like so:
- Enable “DNS hostnames” on the VPC and record the VPC ID for use in the peering form:
- Before using the VPC for any EC2 instances, it is necessary to create a new subnet for the VPC, in this case I used the full CIDR of the VPC:
- Create an EC2 instance using the new VPC and subnet:
- Fill in the peering request form as shown below (AWS account detail omitted) and include the entire VPC CIDR (10.0.0.0/16); you could optionally include a subset here. Notes:
- In this example, I am leaving the default option, “Add this CIDR block to my IP whitelist”, selected so that I will be able to immediately connect (but as we’ll see later, I could instead use a security group).
- Also, because I have already created a MongoDB Atlas cluster, the MongoDB Atlas region and CIDR block cannot be adjusted (if I were in a new MongoDB Atlas group that did not have a cluster yet, I could specify those).
- At this point, assuming you have correctly filled in the peering request details, you should see “Waiting for Approval”.
- The UI shown below contains a helpful “How do I approve the connection?” section with two steps:
i. Accept the peering request in my AWS account and
ii. Add the route table entry for the Atlas CIDR Block shown in the top right so that my VPC routes to the MongoDB Atlas VPC
- In the AWS Console, under the VPC Dashboard, in the “Peering Connections” section, choose “Accept Request”.
- In the AWS Console under the “Route Table” for your VPC, choose “Add another rule”, paste in the MongoDB Atlas CIDR block, and associate it with the VPC peering connection.
f. Note that if you don't see a 0.0.0.0/0 route associated with an internet gateway then you should add one if you want to SSH directly into your VPC’s instances from your laptop – this may necessitate creating a new internet gateway.
- After accepting the Peering Connection in our VPC, MongoDB Atlas will display the Peering Connection as “Available” (this may take up to 10 minutes to show)
- Now let’s demonstrate connectivity in this tutorial by navigating to our cluster in MongoDB Atlas and clicking “Connect” to follow instructions.
b. We can confirm that the CIDR block associated with our Peered VPC has already been added to our IP address whitelist
d. We’ll download and extract the MongoDB shell for the operating system of the instance in our VPC, and use the ‘mongo’ shell instructions shown below
e. Success! We’ve connected successfully without having any public IP addresses open to our MongoDB Atlas cluster!
- Now let’s remove the CIDR block (IP addresses) from our IP Address Whitelist, and demonstrate that we can instead reference a Security Group from our peered VPC
a. We’ll navigate to “Security” tab’s “IP Whitelist” section
b. After clicking “Delete” on the Peer VPC’s CIDR Block (10.0.0.0/16 in this case) we’ll see
c. Let’s add an inbound rule to our EC2 instance’s Security Group such that connectivity on ports 27000-28000 can be made within the Security Group itself
d. Now we’ll click “Add IP Address” but specifically enter the security group ID associated with the instance in our VPC
e. Now we can confirm connectivity again (with no explicit IP Addresses in our white list) — Awesome!
Register for MongoDB Atlas and deploy your first cluster today!