
Use a VPC Private Endpoint (Preview)


You can use a Private Endpoint to access Atlas App Services from within your Virtual Private Cloud (VPC). This is a private connection to Atlas App Services that does not go over the public internet. Requests from outside of your VPC return a 404 error.

Private Endpoints are only available for Atlas App Services Apps deployed locally to a region in AWS. They connect to your AWS VPC using AWS PrivateLink. To learn more, see What is AWS PrivateLink? in the AWS documentation.

There are two kinds of App Services Private Endpoints:

  • General: Endpoints that use services.cloud.mongodb.com for Client HTTP requests.

  • Sync: Endpoints that use services.cloud.mongodb.com for Sync WebSocket connections.

Endpoints that use the realm.mongodb.com domain must migrate to use the new services.cloud.mongodb.com domain.

Before You Begin

Gather the following information:

  • Your VPC ID, which you can find in the AWS VPC dashboard or by running the describe-vpcs command in the AWS CLI.

  • Your Subnet IDs, which you can find in the AWS VPC dashboard or by running the describe-subnets command in the AWS CLI.

Set up a private hosted zone for your VPC. You need your VPC ID for this. Use ModifyVpcAttribute to set the following VPC attributes to true (the hosted zone cannot resolve the endpoint's DNS name unless both are enabled):

  • EnableDnsHostnames

  • EnableDnsSupport

You must also install and authenticate the AWS CLI.
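As an added example (not part of the App Services documentation), a shell script that performs the steps above with the AWS CLI: it checks that the CLI is authenticated, lists the Subnet IDs of the VPC, and enables and then verifies the two DNS attributes. It assumes the VPC ID is passed as its only argument and that the `aws` binary is on the PATH.

```shell
#!/bin/sh
# Pre-flight for an App Services Private Endpoint: list the subnet IDs the
# setup needs, then enable and verify the two VPC DNS attributes that the
# private hosted zone requires. Assumes an authenticated AWS CLI on PATH.
set -eu

# Pull the boolean "Value" out of a describe-vpc-attribute JSON response
# without jq, e.g. {"VpcId": "vpc-0a1b", "EnableDnsSupport": {"Value": true}}
attr_value() {
  tr -d ' \n' | sed -n 's/.*"Value":\([a-z]*\).*/\1/p'
}

# Print "true" or "false" for enableDnsSupport / enableDnsHostnames.
dns_attribute() {  # $1 = VPC ID, $2 = attribute name
  aws ec2 describe-vpc-attribute --vpc-id "$1" --attribute "$2" --output json | attr_value
}

# Enable one DNS attribute only if it is off, then confirm it is now on
# (verify the result rather than trusting that the modify call succeeded).
enable_dns_attribute() {  # $1 = VPC ID, $2 = enableDnsSupport | enableDnsHostnames
  case "$2" in
    enableDnsSupport)   flag=--enable-dns-support ;;
    enableDnsHostnames) flag=--enable-dns-hostnames ;;
    *) echo "unknown attribute: $2" >&2; return 2 ;;
  esac
  if [ "$(dns_attribute "$1" "$2")" != "true" ]; then
    aws ec2 modify-vpc-attribute --vpc-id "$1" "$flag" '{"Value":true}'
  fi
  [ "$(dns_attribute "$1" "$2")" = "true" ]
}

# Subnet IDs of the VPC, one per line; text output needs no JSON parsing.
subnet_ids() {  # $1 = VPC ID
  aws ec2 describe-subnets --filters "Name=vpc-id,Values=$1" \
    --query 'Subnets[].SubnetId' --output text | tr '\t' '\n'
}

main() {
  vpc="${1:?usage: $0 <vpc-id>}"
  aws sts get-caller-identity --output text >/dev/null  # fail early if not authenticated
  echo "Subnets in $vpc (needed for the endpoint):"
  subnet_ids "$vpc"
  enable_dns_attribute "$vpc" enableDnsSupport
  enable_dns_attribute "$vpc" enableDnsHostnames
  echo "enableDnsSupport and enableDnsHostnames verified true on $vpc"
}

# Only run when given a VPC ID, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```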

Add a Private Endpoint

You can add a new Private Endpoint with the App Services UI or the Admin API.

You can add a new General Endpoint or a new Sync Endpoint. You can also migrate a Legacy Endpoint to either a new General or Sync Endpoint.

Every Sync Endpoint must be paired with a General Endpoint.

Migrate a Legacy Endpoint

If you have an endpoint that uses the legacy realm.mongodb.com domain, you must migrate it to use the services.cloud.mongodb.com domain. You can't create new legacy endpoints.

To migrate a Legacy Endpoint:

  1. Following the procedures on this page, create new VPC endpoints to replace the existing VPC endpoints.

  2. Update the Atlas Device SDK to a version that supports the new domain.

  3. Update client API calls to use the new services.cloud.mongodb.com domain.

Change Access Restrictions

By default, all Private Endpoints only handle internal requests. You can choose to open access to all requests from outside your PrivateLink connection.

Important

This setting is global to all of your endpoints.

You can toggle this setting in three ways:

  • In the UI, from the list of endpoints on the Private Endpoints tab, click the Restrict Access button.

  • In the UI, when creating your first Private Endpoint, you have the option to toggle this setting in the Modify Your VPC Private DNS step.

  • In the Admin API, call the Toggle Non-VPC Requests endpoint with a boolean value (true to remove the default restriction, or false to reinstate it).

Supported SDK Versions

The Atlas Device SDKs can access your General and Sync endpoints. However, they must use a version that supports the new domain.

Private Endpoint Limitations

  • You can't use Private Endpoints with globally deployed Apps or local Apps deployed to Azure or GCP.

  • You can't use public internet connections to access your App if you have a Private Endpoint enabled. All requests must come through the Private Endpoint.

  • If you change your deployment model, then you must create new Private Endpoints for the App's new region.

  • You can't simultaneously use Private Endpoints and allow connections over the MongoDB wire protocol. If one is enabled, you can't enable the other.

  • By default, Private Endpoints only handle requests that originate from within your VPC. You can configure your App to also accept requests from the public internet. To learn how, see Change Access Restrictions.

  • All outbound requests, such as an App Services trigger calling an external API, go over the public internet.
