Docs Menu
Docs Home
/
Atlas
/
Query Federated Data
/
Administration
/
Manage Private Endpoints

Set Up a Private Endpoint for a Federated Database Instance

MongoDB supports AWS and Azure private endpoints for your federated database instance. You can set up the private endpoints from the Atlas CLI, Atlas UI, and and Atlas Administration API.

Note

You can't use your Atlas cluster private endpoint ID for Atlas Data Federation. The Atlas Data Federation endpoint ID must be different from your Atlas cluster endpoint ID, if you have one.

Required Access

To set up a private endpoint, you must have Project Owner access to the project. Users with Organization Owner access must add themselves as a Project Owner to the project before setting up a private endpoint.

Prerequisites

The procedure differs depending on whether you use AWS or Azure for your cloud provider. Select the appropriate tab:

  1. Have an AWS user account with an IAM user policy that grants permissions to create, modify, describe, and delete endpoints. To learn more about controlling the use of interface endpoints, see the AWS Documentation.

  2. Install the AWS CLI.

  3. If you have not already done so, create your VPC and EC2 instances in AWS. To learn more, see the AWS documentation for guidance.

  1. Have an Azure user account with permissions to create resources like virtual networks and private endpoints. To learn more about the permissions required, see the Azure Documentation.

  2. Install the Azure CLI.

Important

With Azure, you can create up to three private endpoints per project for your federated database instances due to an Azure-imposed limit. This is why Atlas prevents you from deleting an Atlas project before first deleting its private endpoints. To request more than three private endpoints for a project, contact MongoDB Support.

Procedure

To create a new Data Federation private endpoint using the Atlas CLI, run the following command:

atlas dataFederation privateEndpoints create <endpointId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas dataFederation privateEndpoints create.

To configure a private endpoint from the API, send a POST request with the private endpoint ID to the privateNetworkSettings endpoint.

  • If the endpoint ID already exists and there is no change to the comment associated with the endpoint, Atlas makes no change to the endpoint ID list.

  • If the endpoint ID already exists and there is a change to the associated comment, Atlas updates the comment value only in the endpoint ID list.

  • If the endpoint ID doesn't exist, Atlas appends the new endpoint to the list of endpoints in the endpoint ID list.

To learn more about the syntax and options, see API.

To set up a private endpoint for your federated database instance using the Atlas UI, follow these steps:

1

In Atlas, go to the Network Access page for your project.

Warning

Navigation Improvements In Progress

We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.

  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click the Private Endpoint tab.

3

Click the Federated Database Instance / Online Archive tab.

4

Click the Create New Endpoint button.

5

Choose a cloud provider and region.

  1. Click the AWS button.

  2. From the dropdown, select the region where you want to create the private endpoint.

    You can select one of the following regions:

    Data Federation Region
    AWS Region
    Atlas Region

    Northern Virginia, USA

    us-east-1

    US_EAST_1

    Oregon, USA

    us-west-2

    US_WEST_2

    Sao Paulo, Brazil

    sa-east-1

    SA_EAST_1

    Ireland

    eu-west-1

    EU_WEST_1

    London, England, UK

    eu-west-2

    EU_WEST_2

    Frankfurt, Germany

    eu-central-1

    EU_CENTRAL_1

    Tokyo, Japan

    ap-northeast-1

    AP_NORTHEAST_1

    Seoul, South Korea

    ap-northeast-2

    AP_NORTHEAST_2

    Mumbai, India

    ap-south-1

    AP_SOUTH_1

    Singapore

    ap-southeast-1

    AP_SOUTHEAST_1

    Sydney, Australia

    ap-southeast-2

    AP_SOUTHEAST_2

    Montreal, QC, Canada

    ca-central-1

    CA_CENTRAL_1

    The following table shows the service names for the various endpoints in each region:

    Region
    Service Name

    us-east-1

    com.amazonaws.vpce.us-east-1.vpce-svc-00e311695874992b4

    us-west-2

    com.amazonaws.vpce.us-west-2.vpce-svc-09d86b19e59d1b4bb

    eu-west-1

    com.amazonaws.vpce.eu-west-1.vpce-svc-0824460b72e1a420e

    eu-west-2

    com.amazonaws.vpce.eu-west-2.vpce-svc-052f1840aa0c4f1f9

    eu-central-1

    com.amazonaws.vpce.eu-central-1.vpce-svc-0ac8ce91871138c0d

    sa-east-1

    com.amazonaws.vpce.sa-east-1.vpce-svc-0b56e75e8cdf50044

    ap-southeast-2

    com.amazonaws.vpce.ap-southeast-2.vpce-svc-036f1de74d761706e

    ap-south-1

    com.amazonaws.vpce.ap-south-1.vpce-svc-03eb8a541f96d356d

    ca-central-1

    com.amazonaws.vpce.ca-central-1.vpce-svc-08564bb8ccae8ba64

    ap-northeast-1

    com.amazonaws.vpce.ap-northeast-1.vpce-svc-0b63834ecd618a332

    ap-southeast-1

    com.amazonaws.vpce.ap-southeast-1.vpce-svc-07728d2dfd2860efb

    To learn more, see Atlas Data Federation Regions.

  3. Click Next.

6

Configure your private endpoint.

Important

To avoid connection interruptions, you must specify the correct information. We recommend that you don't skip the commands and substeps in this step.

  1. Enter the following details about your AWS VPC:

    Tip

    You can click Show instruction for the following settings to display a screenshot of the AWS console where you can find the value for the setting.

    Your VPC ID

    Unique 22-character alphanumeric string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.

    Your Subnet IDs

    Unique strings that identify the subnets that your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account.

    IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.

  2. Copy the command the dialog box displays and run it using the AWS CLI.

    Note

    If you skip this step, the interface endpoint for the Private Endpoint service isn't created.

    You can't copy the command until Atlas finishes creating VPC resources in the background.

    See Creating an Interface Endpoint to perform this task using the AWS CLI.

  3. Enter the 22-character alphanumeric string that identifies your private endpoint in the VPC Endpoint ID field. Find this value on the AWS VPC Dashboard under Endpoints > VPC ID.

  4. Enter the alpha-numeric DNS hostname associated with your private endpoint on AWS in the Your VPC Endpoint DNS Name field.

    If you have multiple DNS names for your private endpoint, copy and paste the first name from your list. To learn more, see Manage DNS names for VPC endpoint services.

7

Modify the private DNS name to ensure that the hostname resolves to an address on your network.

To ensure that the hostname resolves to an address on your network:

  1. Copy the command the dialog box displays and run it using the AWS CLI.

  2. Optional. Add a comment to associate with this endpoint.

8

Click Finish endpoint creation.

9

Configure your resources' security groups to send traffic to and receive traffic from the interface endpoint.

For each resource that needs to connect to your federated database instance using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on port 27017.

See Adding Rules to a Security Group for more information.

10

Create a security group for your interface endpoint to allow resources to access it.

This security group must allow inbound traffic on port 27017 from each resource that needs to connect to your federated database instance using AWS PrivateLink:

  1. In the AWS console, navigate to the VPC Dashboard.

  2. Click Security Groups, then click Create security group.

  3. Use the wizard to create a security group. Make sure you select your VPC from the VPC list.

  4. Select the security group you just created, then click the Inbound Rules tab.

  5. Click Edit Rules.

  6. Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your federated database instance.

  7. Click Save Rules.

  8. Click Endpoints, then click the endpoint for your VPC.

  9. Click the Security Groups tab, then click Edit Security Groups.

  10. Add the security group you just created, then click Save.

To learn more about VPC security groups, see the AWS documentation.

1

In Atlas, go to the Network Access page for your project.

Warning

Navigation Improvements In Progress

We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.

  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click the Private Endpoint tab and then the following tab for the resource.

Federated Database Instance / Online Archive to manage the private endpoint for your federated database instance or online archive.

3

Click the following button to set up the private endpoint.

Click Connect existing endpoint button.

4

Enter your VPC endpoint ID and DNS name.

  1. Enter the 22-character alphanumeric string that identifies your private endpoint in the Your VPC Endpoint ID field.

  2. Enter the alpha-numeric DNS hostname associated with your private endpoint on AWS in the Your VPC Endpoint DNS Name field.

    If you have multiple DNS names for your private endpoint, copy and paste the first name from your list. To learn more, see Manage DNS names for VPC endpoint services.

Tip

Click and expand Show more instructions in the dialog box for a visual clue as to where you can find the necessary information in the AWS console.

5

Add a comment to associate with this endpoint. You can enter your subnet ID, VPC ID, AWS region, and other information to associate with this endpoint here.

6

Click Confirm to add the existing private endpoint.

1

In Atlas, go to the Network Access page for your project.

Warning

Navigation Improvements In Progress

We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.

  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click the Private Endpoint tab.

3

Click the Federated Database Instance / Online Archive tab.

4

Click the Create New Endpoint button.

5

Choose a cloud provider and region.

  1. Click the Azure button.

  2. From the dropdown, select the region where you want to create the private endpoint.

    You can select one of the following regions:

    Data Federation Region
    Azure Region
    Atlas Region

    Virginia, USA

    eastus2

    US_EAST_2

    Sao Paulo, Brazil

    brazilsouth

    BRAZIL_SOUTH

    Netherlands

    westeurope

    EUROPE_WEST

    To learn more, see Atlas Data Federation Regions.

  3. Click Next.

6

Configure your private endpoint.

  1. Enter the following details about your Azure private endpoint:

    Tip

    You can click Show instruction in the Atlas UI for the following settings to display a screenshot of the Azure Dashboard where you can find the value for the setting.

    Resource Group Name

    Name of the Azure resource group that contains the VNet that you want to use to connect to Atlas. Find this value in your Azure account.

    Virtual Network Name

    Name of the VNet that you want to use to connect to Atlas. Find this value in your Azure account.

    Subnet ID

    Identifier of the subnet in your Azure VNet. Find this value in your Azure account.

    Private Endpoint Name

    Unique alphanumeric string that identifies the private endpoint within your Azure resource group. Any private endpoint name that exceeds 24 characters is automatically transformed into a unique identifier in your private endpoint URI connection string.

  2. Click Next.

  3. Copy the command the dialog box displays and run it using the Azure CLI.

    Note

    You can't copy the command until Atlas finishes creating virtual network resources in the background.

  4. Click Finish.

To verify whether the private endpoint setup is successful:

1

In Atlas, go to the Network Access page for your project.

Warning

Navigation Improvements In Progress

We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.

  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click the Private Endpoint tab.

3

Click the Federated Database Instance / Online Archive tab.

4

Review the details.

Review the Cloud Provider, Region, Endpoint Status, VPC ID / Virtual Network Name and Description.

To learn more, see View the List of Private Endpoints.

Back

IP Access Lists

Next

Database Users

On this page