CIDR Subnet Selection for MongoDB Atlas
Rate this tutorial
One of the best features of MongoDB
Atlas is the ability to peer your
host
VPC
on your own Amazon Web Services (AWS) account to your Atlas VPC. VPC
peering provides you with the ability to use the private IP range of
your hosts and MongoDB Atlas cluster. This allows you to reduce your
network exposure and improve security of your data. If you chose to use
peering there are some considerations you should think about first in
selecting the right IP block for your private traffic.
The host VPC is where you configure the systems that your application
will use to connect to your MongoDB Atlas cluster. AWS provides your
account with a default VPC for your hosts You may need to modify the
default VPC or create a new one to work alongside MongoDB Atlas.
MongoDB Atlas requires your host VPC to follow the
RFC-1918 standard for creating
private ranges. The Internet Assigned Numbers Authority (IANA) has
reserved the following three blocks of the IP address space for private
internets:
- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Don't overlap your ranges!
The point of peering is to permit two private IP ranges to work in
conjunction to keep your network traffic off the public internet. This
will require you to use separate private IP ranges that do not conflict.
You cannot create a VPC peering connection between VPCs with matching or
overlapping IPv4 CIDR blocks.
When you create a group in MongoDB Atlas, by default we provide you with
an AWS VPC which you can only modify before launching your first
cluster. Groups with an existing cluster CANNOT MODIFY their VPC CIDR
block - this is to comply with the AWS requirement for
peering.
By default we create a VPC with IP range 192.168.248.0/21. To specify
your IP block prior to configuring peering and launching your cluster,
follow these steps:
- Click on the Network Access tab, then select Peering. You should see a page such as this which shows you that you have not launched a cluster yet:
- Click on the New Peering Connection button. You will be given a new "Peering Connection" window to add your peering details. At the bottom of this page you'll see a section to modify "Your Atlas VPC"
- If you would like to specify a different IP range, you may use one of the RFC-1918 ranges with the appropriate subnet and enter it here. It's extremely important to ensure that you choose two distinct RFC-1918 ranges. These two cannot overlap their subnets:
- Click on the Initiate Peering button and follow the directions to add the appropriate subnet ranges.
Using peering ensures that your database traffic remains off the public
network. This provides you with a much more secure solution allowing you
to easily scale up and down without specifying IP addresses each time,
and reduces costs on transporting your data from server to server. At
any time if you run into problems with this, our support team is always
available by clicking the SUPPORT link in the lower left of your window.
Our support team is happy to assist in ensuring your peering connection
is properly configured.