MongoDB Atlas with AWS VPC Peering issue

MongoDB Atlas VPC Peering with an AWS VPC only allows a CIDR starting with 10… (ex: CIDR 10.0.0.0/23 worked), while using 11.0.0.0/23 gives the error “Route table CIDR “11.0.0.0/23” is not in private range”.

Note: There is no CIDR conflict with Mongo VPC and AWS VPC.

Can anyone help to resolve this?

@Pablo_Iglesias Can you share your thoughts on this?

Hi @Yash_Panchal,

while using 11.0.0.0/23 is giving error as “Route table CIDR “11.0.0.0/23” is not in private range”.

As per step 3 of the Configure Network Peering for an AWS-backed Cluster procedure, the configured VPC CIDR block range must be within the following ranges (as of the time of this message):

Regards,
Jason

Hi @Jason_Tran, I get that. Thank you for the response.

Is there any alternative to peer other CIDR? This one is required because my production VPC CIDR starts with 11 and that can’t be changed.

Hi @Yash_Panchal,

Is there any alternative to peer other CIDR? This one is required because my production VPC CIDR starts with 11 and that can’t be changed.

Depending on your use case(s) or requirements, a possible alternative would be to use a Private Endpoint connection rather than a VPC peering connection. For your reference, in terms of deciding whether this may suit your requirements, and as included in the documentation linked above:

Connections to Atlas database deployments using private endpoints offer the following advantages over other network access management options:

  • Connections using private endpoints are one-way. Atlas VPCs can’t initiate connections back to your VPCs. This ensures your perceived network trust boundary is not extended.
  • Connections to private endpoints within your VPC can be made transitively from:
    • Another VPC peered to the private endpoint-connected VPC.
    • An on-premises data center connected with DirectConnect to the private endpoint-connected VPC. This enables you to connect to Atlas directly from your on-premises data center without adding public IP addresses to the Atlas IP access list.

Regards,
Jason

Thank you @Jason_Tran for the response. DirectConnect is an option, but it's very costly for our use case.

I have an observation: I have two MongoDB Atlas clusters and both have the same VPC CIDR. Now I want to achieve peering from the AWS VPC with both Atlas clusters.
However, I'm not able to achieve it because the AWS-side route table already has an entry for the first Atlas cluster, and it's not allowing the second cluster peering because of the same CIDR.

Can you share thoughts on this issue? Is there any other way to achieve this?

Hi @Yash_Panchal,

I have an observation: I have two MongoDB Atlas clusters and both have the same VPC CIDR.

Just to clarify, are these two MongoDB Atlas clusters you mention each in a different project with the same Atlas VPC CIDR? E.g.:

  • Project1 containing Cluster1 with an Atlas VPC CIDR 192.168.0.0/21
  • Project2 containing Cluster2 with an Atlas VPC CIDR 192.168.0.0/21

Regards,
Jason

Yes, you’re correct. I saw that both clusters have the same CIDR.

Unfortunately, at this point it is not possible to modify the Atlas VPC CIDR block for an existing VPC if there are resources (e.g. M10+ cluster nodes, peering connections, etc.) deployed in that VPC. As per the steps mentioned in the Set Up a Network Peering Connection documentation, Atlas locks the value of the Atlas VPC CIDR if an M10+ tier cluster or a Network Peering connection exists. It also mentions:

To modify the CIDR block, the target project cannot have:

  • Any M10 or greater clusters
  • Any other VPC peering connections

I am assuming you do not want to get rid of the data on either of the projects just to change the CIDR. You can do the following to set up peering with a different CIDR block and migrate your clusters:

  1. Create a new project.

  2. Set up VPC peering before adding any clusters. This will allow you to set the CIDR for the clusters in this project in the peered region. Ensure the CIDR does not overlap with:

    • The CIDR of your application VPC
    • The CIDR of any VPCs currently peered to your application VPC
    • The CIDR of any VPC you plan to peer to your Atlas VPC in the future
  3. Ensure the CIDR is in one of the following IP ranges:

  4. Add a new cluster to the project.

  5. (Depending on your requirements and the environment being migrated), either:

  6. Test the connection from your application to the newly created cluster on the new Atlas VPC CIDR block range.

Hope this helps!

Regards,
Jason
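As an added illustration (not part of this thread and not Atlas's own tooling), a small Python check of the constraints discussed above: the candidate Atlas VPC CIDR must be in a private range (assumed here to be the RFC 1918 blocks, since the thread's own range list did not survive), must not overlap the application VPC or anything already peered to it, and two projects sharing one Atlas CIDR cannot both get a route in the same AWS route table. All names and sample CIDRs are constructed.

```python
import ipaddress

# Assumption: "private range" in the Atlas error means the RFC 1918 blocks.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_range(cidr):
    """True if the whole CIDR sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def check_atlas_cidr(candidate, existing_cidrs):
    """Validate a proposed Atlas VPC CIDR against the private-range rule and
    against CIDRs it must not overlap (application VPC, VPCs already peered
    to it, VPCs planned for future peering). Returns a list of problems;
    an empty list means the candidate is acceptable."""
    problems = []
    net = ipaddress.ip_network(candidate, strict=False)
    if not is_private_range(candidate):
        problems.append(f'Route table CIDR "{candidate}" is not in private range')
    for label, other in existing_cidrs.items():
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"{candidate} overlaps {label} ({other})")
    return problems


def plan_routes(atlas_vpcs):
    """Build an AWS-style route table mapping destination CIDR -> peering
    connection. A second Atlas VPC whose CIDR is already routed is reported
    as a conflict instead of silently replacing the first route, which is the
    situation with two projects sharing the same Atlas VPC CIDR."""
    routes, conflicts = {}, []
    for pcx, cidr in atlas_vpcs.items():
        dest = str(ipaddress.ip_network(cidr, strict=False))
        if dest in routes:
            conflicts.append(f"{pcx}: destination {dest} already routed to {routes[dest]}")
        else:
            routes[dest] = pcx
    return routes, conflicts


if __name__ == "__main__":
    # Constructed sample: the application VPC from the thread plus one peered project.
    peered = {"application VPC": "11.0.0.0/23", "Project1 Atlas VPC": "192.168.0.0/21"}
    for cand in ("11.0.0.0/23", "192.168.0.0/21", "192.168.8.0/21"):
        print(cand, check_atlas_cidr(cand, peered) or "OK")
    print(plan_routes({"pcx-project1": "192.168.0.0/21", "pcx-project2": "192.168.0.0/21"}))
```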