
Use a VPC Private Endpoint (Preview)


You can use a Private Endpoint to access Atlas App Services from within your Virtual Private Cloud (VPC). This is a private connection to Atlas App Services that does not go over the public internet.

Private Endpoints are only available for Atlas App Services Apps deployed locally to a region in AWS. They connect to your AWS VPC using AWS PrivateLink. To learn more, see What is AWS PrivateLink? in the AWS documentation.

Private Endpoint Limitations

  • You cannot use Private Endpoints with globally deployed Apps or local Apps deployed to Azure or GCP.

  • You cannot use public internet connections to access your App if you have a Private Endpoint enabled. All requests must come through the Private Endpoint.

  • If you change your deployment model then your existing Private Endpoints will not continue to work. You will have to create new Private Endpoints for the App's new region.

  • You cannot simultaneously use Private Endpoints and allow connections over the MongoDB wire protocol. If one is enabled, you cannot enable the other.

  • By default, Private Endpoints only handle requests that originate from within your VPC. You can configure your App to also accept requests from the public internet. To learn how, see Change Access Restrictions.

  • All outbound requests, such as an App Services trigger calling an external API, go over the public internet.

Set Up a Private Endpoint

To configure a Private Endpoint connection you need to have the following information:

  • Your VPC ID, which you can find in the AWS VPC dashboard or by running the describe-vpcs command in the AWS CLI.

  • Your Subnet IDs, which you can find in the AWS VPC dashboard or by running the describe-subnets command in the AWS CLI.

  • The App Services Endpoint Service Name for your region. If you're using the App Services UI, this value will be provided to you. If you're using the Admin API, you can find this value by calling the List VPC Private Endpoint Services endpoint and then locating the entry for your App's deployment region in the response.

    curl https://services.cloud.mongodb.com/api/admin/v3.0/groups/{groupId}/apps/{appId}/security/private_endpoint_service_infos \
      -H "Authorization: Bearer <access_token>"

    [
      {
        "cloud_provider_region": "aws-us-east-1",
        "name": "eps_baas-pl-prod_us-east-1_cloud",
        "dns": "*.aws.services.cloud.mongodb.com",
        "service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-0f12ab34cd56ef789"
      },
      ...
    ]

Once you have this information, you can set up the Private Endpoint connection using either the App Services UI or the Admin API.
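The following is an added helper, not code from the App Services docs or from MongoDB: it takes the List VPC Private Endpoint Services response shown above, picks the entry for the App's deployment region (refusing non-AWS regions, which the limitations rule out), checks the VPC and subnet ID formats, and builds the `aws ec2 create-vpc-endpoint` command for the interface endpoint. The sample response is constructed; only the us-east-1 entry matches the page.

```python
import json
import re
from typing import Dict, List

# Constructed sample of the List VPC Private Endpoint Services response.
# The first entry mirrors the curl output above; the eu-west-1 entry and its
# service-name suffix are made up for illustration.
SAMPLE_RESPONSE = json.dumps([
    {"cloud_provider_region": "aws-us-east-1",
     "name": "eps_baas-pl-prod_us-east-1_cloud",
     "dns": "*.aws.services.cloud.mongodb.com",
     "service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-0f12ab34cd56ef789"},
    {"cloud_provider_region": "aws-eu-west-1",
     "name": "eps_baas-pl-prod_eu-west-1_cloud",
     "dns": "*.aws.services.cloud.mongodb.com",
     "service_name": "com.amazonaws.vpce.eu-west-1.vpce-svc-0000000000000000"},
])

VPC_ID_RE = re.compile(r"^vpc-[0-9a-f]{8,17}$")
SUBNET_ID_RE = re.compile(r"^subnet-[0-9a-f]{8,17}$")


def select_service(response_json: str, deployment_region: str) -> Dict[str, str]:
    """Return the endpoint service entry for the App's deployment region.

    Private Endpoints only exist for local Apps in an AWS region, so any
    region that is not "aws-..." (global, Azure, GCP) is rejected up front.
    """
    if not deployment_region.startswith("aws-"):
        raise ValueError(f"Private Endpoints need a local AWS region, got {deployment_region!r}")
    for entry in json.loads(response_json):
        if entry["cloud_provider_region"] == deployment_region:
            return entry
    raise LookupError(f"no endpoint service listed for {deployment_region}")


def create_vpc_endpoint_command(service: Dict[str, str], vpc_id: str,
                                subnet_ids: List[str]) -> List[str]:
    """Build argv for the AWS CLI call that creates the interface endpoint
    (the consumer side of the PrivateLink connection) in your VPC."""
    if not VPC_ID_RE.match(vpc_id):
        raise ValueError(f"malformed VPC ID: {vpc_id!r}")
    bad = [s for s in subnet_ids if not SUBNET_ID_RE.match(s)]
    if bad or not subnet_ids:
        raise ValueError(f"malformed or missing subnet IDs: {bad}")
    region = service["cloud_provider_region"]
    aws_region = region[len("aws-"):] if region.startswith("aws-") else region
    return ["aws", "ec2", "create-vpc-endpoint", "--region", aws_region,
            "--vpc-endpoint-type", "Interface",
            "--service-name", service["service_name"],
            "--vpc-id", vpc_id, "--subnet-ids", *subnet_ids]
```

Run the returned argv with `subprocess.run` once you have checked it; the endpoint still has to be added to your App and the VPC private DNS set up afterwards, as the UI and Admin API steps describe.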

Change Access Restrictions

By default, all Private Endpoints only handle requests that originate inside your VPC. You can choose to also accept requests that arrive from outside your PrivateLink connection.

Important

This setting is global to all of your endpoints.

You can toggle this setting in three ways:

  • In the UI, from the list of endpoints on the Private Endpoints tab, click the Restrict Access button.

  • In the UI, when creating your first Private Endpoint, you have the option to toggle this setting in the Modify Your VPC Private DNS step.

  • In the Admin API, call the Toggle Non-VPC Requests endpoint with a boolean value (true to remove the default restriction, or false to reinstate it).
