MongoDB Atlas VPC peering and Security Group

I’m using a dedicated instance in MongoDB Atlas.

To connect Atlas and the instances in my personal AWS account, I set up VPC peering between Atlas and my VPC in AWS.

But I do not want to let all instances in the VPC connect to Atlas.
So I’m trying to use a security group instead.

Here’s the problem.
What I know is that only a security group in a VPC with VPC peering can be used in the IP access list.
Is that right?

Then what happens when I add a security group to the IP access list while using VPC peering? Can only instances in the security group connect, or can all instances in the VPC connect?
If all instances in the VPC can connect to Atlas, then can I add only the security group to the IP access list, without VPC peering?


Hi @seungwoo_hwang, and welcome to the MongoDB community forums!

Based on the above statement, I would like to outline my interpretation with the below example.

You have an Atlas cluster created in region 1, and you have three EC2 instances running in the same region in your AWS account. Considering that a VPC connection is set up between both, according to the above statement, you would like to establish a connection between Atlas and AWS such that only one or two of the EC2 instances, but not all, are able to connect to the Atlas cluster.
Could you please confirm if my understanding is correct? It would be highly appreciated if you could clarify based on an example situation.

Ideally, when you establish a VPC connection between Atlas and AWS instances, establishing a security group within the resource becomes one of the prerequisites for making the connection between them.

Also, could you help me with a detailed clarification of the above statement?

Regards
Aasawari

Hi @Aasawari, thank you for answering.

What you understand is exactly my situation.
In my AWS VPC (peered with Atlas), there are 5 instances, but I expect to have a situation where only 3 instances can connect to Atlas.

What I want to ask is: can I add the security group ID to the IP access list without VPC peering?

Thank you for reading.

Hi @seungwoo_hwang

Thank you for confirming.

As mentioned in the documentation for IP Access Listing, in order to use a security group ID in the Atlas IP whitelisting, you need a VPC peering connection set up between AWS and the Atlas cluster.

Regards
Aasawari

Thank you for answering.

Then, what does “adding a security group ID to the IP access list” do?

Without adding a security group, setting up VPC peering already allows free connection between the AWS VPC and Atlas!

When “adding a security group ID to the IP access list”, what happens?