I’m working within the AWS infrastructure and have successfully made a connection between a FARGATE task and ATLAS using the PrivateLink connection. This all works nicely when I have a single PrivateLink; however, it is not possible to make a connection to additional PrivateLinks created within the same Region.
The documentation states that there are limitations on creating multiple PrivateLinks but only across Regions.
Is there a single PrivateLink limitation within a single region?
For a single-region Atlas Project (e.g. with a single VPC on the Atlas backend in a single region), you can set up multiple AWS PrivateLinks.
It’s specifically where your Atlas Project’s cluster(s) involves multiple AWS regions and hence multiple VPCs in different regions on the Atlas backend that we limit you to setting up one AWS PrivateLink per region.
Importantly, because AWS PrivateLink is transitive you can set up your own peering connections within your app tier VPCs and hence reach the AWS PrivateLink you’ve set up to reach Atlas from multiple VPCs within your AWS account.
I’m probably misunderstanding something, but in practice, I’m not able to get an ATLAS connection from a second app tier VPC created in the same region as the first (which has a working vpce/PrivateLink connection). Each app tier has its own AWS vpce connected to its own ATLAS Private Endpoint (PrivateLink connection).
The ATLAS cluster is a single region cluster, each app tier is using an identical connection string.
The following exception is thrown from the second app tier -
Of the 3 Network Access options available within the ATLAS console (IP Whitelist, Peering and Private Endpoint) I’m using the Private Endpoint option, which provides the ‘Add PrivateLink Connection’ wizard. It’s this wizard that I’m using to set up access for my AWS app tier to ATLAS, so I’m not using the Peering option. My app tier VPCs are not peered with the ATLAS one.
Apologies. I had assumed you had connected 1 VPC “VPC A” in your applications tier to Atlas using an Atlas Private Endpoint / AWS PrivateLink and then had another VPC “VPC B” in your app tier peered to your first VPC A.
I understand you have set up two Atlas Private Endpoints, one in each of VPC A and VPC B.
Therefore, I wonder if you might be using the connection string associated with Private Endpoint A from VPC B or vice versa? The Atlas connect modal should offer both options in the drop-down with the Private Endpoint selector. Since each endpoint is specifically associated with one VPC on your side, if they might have been reversed that could explain the issue.
I had thought that there should be a different connection string for each Endpoint but when I first looked at the 2 options they appeared to be the same. Now that you mention that I might be using the same connection string for both (which is what I’ve been doing), upon closer inspection I see that there is a difference - an incrementing numeric on the -pl-0- portion of the connection string for each PrivateLink created.
Thanks for your help, I now have an additional app tier connection from another VPC.
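A small configuration check, added here as an illustration and not part of the original thread or of Atlas tooling: it reads the `-pl-N` index out of each app tier's configured connection string and flags a VPC that is using another VPC's private-endpoint string (the mistake described above) or no private-endpoint string at all. The VPC names, hostnames and the expected index per VPC are constructed sample values; the `-pl-N` naming is taken from the observation in the thread.

```python
import re
from urllib.parse import urlparse

# Atlas private-endpoint hostnames carry a "-pl-N" segment, N incrementing per
# private endpoint created in the project (as observed in the thread above).
PL_INDEX_RE = re.compile(r"-pl-(\d+)(?:-|\.)")


def private_link_index(conn_str):
    """Return the -pl-N index from a connection string, or None if absent."""
    parsed = urlparse(conn_str)
    netloc = parsed.netloc.rsplit("@", 1)[-1]      # drop user:pass@ if present
    first_host = netloc.split(",")[0].split(":")[0]  # first host of a seed list
    m = PL_INDEX_RE.search(first_host)
    return int(m.group(1)) if m else None


def check_endpoint_assignments(configured, expected):
    """configured: {vpc: connection string deployed in that VPC}
    expected:   {vpc: -pl-N index of the private endpoint created for that VPC}
    Returns a list of (vpc, problem) tuples; empty means every VPC is consistent."""
    problems = []
    seen = {}  # pl index -> first VPC found using it
    for vpc, uri in configured.items():
        idx = private_link_index(uri)
        if idx is None:
            problems.append((vpc, "no -pl-N segment: not a private-endpoint string"))
            continue
        if idx != expected.get(vpc):
            problems.append((vpc, f"uses pl-{idx}, expected pl-{expected.get(vpc)}"))
        if idx in seen:
            problems.append((vpc, f"pl-{idx} is also configured in {seen[idx]}"))
        seen.setdefault(idx, vpc)
    return problems


# Constructed sample: VPC B was given a copy of VPC A's connection string.
CONFIGURED = {
    "vpc-a": "mongodb+srv://cluster0-pl-0.example.mongodb.net/?retryWrites=true",
    "vpc-b": "mongodb+srv://cluster0-pl-0.example.mongodb.net/?retryWrites=true",
}
EXPECTED = {"vpc-a": 0, "vpc-b": 1}

if __name__ == "__main__":
    for vpc, problem in check_endpoint_assignments(CONFIGURED, EXPECTED):
        print(f"{vpc}: {problem}")
```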