Clarifying VPC Peering IP Whitelist

Hello,

We’ve recently set up a VPC peer between our MongoDB Atlas cluster on AWS us-east-2 and our AWS default VPC with our EC2 instances running inside us-east-2 region. We referenced this doc page: https://www.mongodb.com/docs/atlas/security-vpc-peering/

The connection seems to work, and our EC2 instances can connect to MongoDB using the existing connection URL that we’d previously used for public/internet connections.

We’ve removed the public IP of the EC2 instance from the MongoDB Atlas Network Access list and haven’t added any private CIDR blocks, but our EC2 instance can still access the peered MongoDB.

I wanted to clarify if that’s expected, because the docs seem to indicate at the end that we need to have private IPs whitelisted for the connection to work:

Before your new VPC peer can connect to your Atlas cluster, you must:

Locate the VPC CIDR block addresses (or subset), or the Security Groups, associated with the VPC configured in your project.

Add at least one of these CIDR blocks to the access list.

So, we’re a bit leery as to why it’s “just working.” Do we not need CIDR blocks or private IP addresses whitelisted to use VPC peering?

I want to make sure that when we go live, and any private IPs potentially change from deploys, those EC2 instances can still connect to MongoDB.

Any ideas? Thanks!

We found out the reason. On server restart the whitelist kicked in and didn’t allow connections. It must have kept working because we didn’t restart the Node server after the MongoDB connection had already been established under the previous public IP whitelist. So, we were rocking an existing DB connection cached in server memory, vs. reconnecting on each request.

We added the private CIDR like the docs suggest and everything works as expected and documented. Cheers. :rocket:
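The two posts above boil down to a check a practitioner can do before a cut-over: does the source IP a *fresh* connection will present (the public IP over the internet, the private IP over the VPC peer) fall inside some IP-based entry on the Atlas access list? The script below is an added example written for this thread; it is not MongoDB's code and not the poster's. It mirrors how the access list is evaluated with the standard-library ipaddress module and replays the thread's three states (public IP listed, public IP removed with nothing private added, VPC CIDR added). All addresses are constructed: 172.31.0.0/16 is the CIDR AWS assigns to a default VPC, 203.0.113.0/24 is a documentation range standing in for the instance's public IP, and the security-group ID is made up.

```python
"""Evaluate an EC2 instance's addresses against a MongoDB Atlas network access
list, the way Atlas checks the source IP of a *new* connection.

Added example for this forum thread; not MongoDB's or the original poster's
code. Entry types (ipAddress, cidrBlock, awsSecurityGroup) are the ones the
Atlas access list accepts; every concrete address below is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Only these entry kinds can be matched against an IP. awsSecurityGroup
# entries are matched by security-group membership on the peered VPC, so an
# IP-based check cannot evaluate them and simply skips them.
IP_KINDS = {"ipAddress", "cidrBlock"}


@dataclass(frozen=True)
class AccessListEntry:
    kind: str    # "ipAddress", "cidrBlock" or "awsSecurityGroup"
    value: str   # e.g. "203.0.113.5", "172.31.0.0/16", "sg-0123456789abcdef0"

    def network(self) -> ipaddress.IPv4Network | ipaddress.IPv6Network | None:
        """Network this entry admits, or None for a non-IP entry.
        Atlas stores a bare ipAddress entry as a /32, which is exactly what
        ip_network() yields for a host address, so both kinds parse alike."""
        if self.kind not in IP_KINDS:
            return None
        return ipaddress.ip_network(self.value, strict=False)


def covering_entries(ip: str, entries: list[AccessListEntry]) -> list[AccessListEntry]:
    """Every IP-based entry whose network contains `ip`."""
    addr = ipaddress.ip_address(ip)
    return [e for e in entries if (n := e.network()) is not None and addr in n]


def evaluate_instance(public_ip: str | None, private_ip: str,
                      entries: list[AccessListEntry]) -> dict[str, bool]:
    """Which path a NEW connection from the instance would be admitted on.

    'public': over the internet, source IP = the instance's public IP
    'peered': over the VPC peer, source IP = the instance's private IP

    This says nothing about a connection that was opened before the list
    changed: as the thread found, a pooled connection keeps working until
    the process reconnects, so only a fresh connection exercises the list.
    """
    return {
        "public": public_ip is not None and bool(covering_entries(public_ip, entries)),
        "peered": bool(covering_entries(private_ip, entries)),
    }


def thread_scenario() -> dict[str, dict[str, bool]]:
    """Replay the three access-list states from the thread with constructed IPs."""
    public_ip = "203.0.113.5"     # constructed: the instance's former public IP
    private_ip = "172.31.24.17"   # constructed: an address inside the default VPC
    states = {
        # original list: only the public IP, so the peered path was never allowed
        "before": [AccessListEntry("ipAddress", "203.0.113.5")],
        # public IP removed, no private CIDR added: nothing admits a new connection
        "after_removal": [],
        # the docs' fix: the VPC CIDR covers every current and future private IP
        "fixed": [AccessListEntry("cidrBlock", "172.31.0.0/16"),
                  AccessListEntry("awsSecurityGroup", "sg-0123456789abcdef0")],
    }
    return {name: evaluate_instance(public_ip, private_ip, lst)
            for name, lst in states.items()}


if __name__ == "__main__":
    for name, result in thread_scenario().items():
        print(f"{name:14s} public={result['public']!s:5s} peered={result['peered']}")
```

The "after_removal" state is the one the first post describes as "just working": no entry admits either source IP, so the only way traffic could still flow is a connection that was already open. Because the fix is the whole VPC CIDR rather than a single private address, any private IP a redeploy hands out inside that block is covered, which answers the go-live concern; a security-group entry is the alternative when instances should be admitted by group membership rather than by address.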