Docs Menu
Docs Home
/ /
Atlas Access
Docs Home
/ /
Atlas Kubernetes Operator
/
Atlas Access
Docs Home
/
Management
/
Atlas Kubernetes Operator
/
Atlas Kubernetes Operator
/
Atlas Access

Configure Network Peering

Note

This feature is not available for any of the following deployments:

  • Serverless instances

  • M0 clusters

  • M2/M5 clusters

  • Flex clusters

Atlas supports network peering connections for dedicated clusters hosted on AWS, Google Cloud, and Azure, and on multi-cloud sharded clusters.

Network peering establishes a private connection between your Atlas VPC and your cloud provider's VPC. The connection isolates traffic from public networks for added security.

Atlas doesn't support network peering between clusters you deploy in a single region on different cloud providers.

To manage your network peering connections with Atlas Kubernetes Operator, you can specify and update the spec.networkPeers parameter for the AtlasProject Custom Resource. Each time you change the spec field in any of the supported custom resources, Atlas Kubernetes Operator creates or updates the corresponding Atlas configuration.

Prerequisites

To configure network peering using Atlas Kubernetes Operator, you require:

  • A running Kubernetes cluster with Atlas Kubernetes Operator deployed.

  • The Project Owner or Organization Owner role in Atlas.

  • If you have not already done so, create your VPC in AWS. To learn more, see Get Started with Amazon VPC.

  • A network traffic rule for outbound traffic.

    Create the following network traffic rule on your AWS security group attached to your resources that connect to Atlas:

    Permission
    Direction
    Port
    Target

    Allow

    outbound

    27015-27017 inclusive

    to your Atlas CIDR

  • A running Kubernetes cluster with Atlas Kubernetes Operator deployed.

  • The Project Owner or Organization Owner role in Atlas.

  • If you have not already done so, create your VNet in Azure. To learn more, see Create a virtual network using the Azure portal.

  • Azure roles required to configure a network peering connection.

    To learn more, see the Azure Permissions.

  • A service principal for the Atlas peering application ID.

    Note

    For details about how Atlas creates Network Peering connections with Azure VPCs, see the Azure tab in Set Up a Network Peering Connection.

    You must complete the following steps before you create each Azure network peering connection:

    1. Run the following Azure CLI command to create a service principal using the specified Atlas peering application ID:

      az ad sp create --id e90a1407-55c3-432d-9cb1-3638900a9d22

      You only have to do this once for each subscription. If you receive the following message, the service principal with the Atlas peering application ID already exists. Proceed to the next step.

      Another object with the same value for property servicePrincipalNames already exists.

    2. Copy the following example peering-role.json file and save it to your current working directory:

      1{
      2  "Name":"AtlasPeering/<azureSubscriptionId>/<resourceGroupName>/<vnetName>",
      3  "IsCustom":true,
      4  "Description":"Grants MongoDB access to manage peering connections on network /subscriptions/<azureSubscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>",
      5  "Actions":[
      6      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
      7      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
      8      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
      9      "Microsoft.Network/virtualNetworks/peer/action"
      10  ],
      11  "AssignableScopes":[
      12      "/subscriptions/<azureSubscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>"
      13  ]
      14}

    3. Replace the variables in the peering-role.json with details about the Azure VNet to which you want to create a peering connection:

      Variable
      Description

      azureSubscriptionId

      Unique identifer of the Azure subscription in which the VNet resides.

      resourceGroupName

      Name of your Azure resource group.

      vnetName

      Name of your Azure VNet.

    4. Run the following Azure CLI command to create the role definition using the peering-role.json file:

      az role definition create --role-definition peering-role.json

    5. Run the Azure CLI command shown below to assign the role you created to the service principal.

      Replace the variables with the same values you used in the peering-role.json file.

      az role assignment create  \
      --role "AtlasPeering/<azureSubscriptionId>/<resourceGroupName>/<vnetName>" \
      --assignee "e90a1407-55c3-432d-9cb1-3638900a9d22" \
      --scope "/subscriptions/<azureSubscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>"

Procedure

Enable clients to connect to Atlas clusters using a network peering connection with the following procedure:

1

Specify the spec.networkPeers parameter.

You can configure network peering to use an existing container or a new container.

Use an Existing Container

  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description

    spec.networkPeers.providerName

    Cloud provider name. Specify AWS.

    spec.networkPeers.containerId

    Unique identifier for the network peering container you want to use. If you don't specify containerId, you must set atlasCIDRblock. To learn more, see the Create New Container section in this procedure.

    spec.networkPeers.accepterRegionName

    AWS region for your VPC.

    spec.networkPeers.awsAccountId

    Unique identifier for your AWS account. AWS displays the account ID when you click the account name in the top right corner of the console home page.

    spec.networkPeers.routeTableCidrBlock

    CIDR block for your AWS VPC. AWS displays the CIDR block on your VPC's details page.

    spec.networkPeers.vpcId

    Unique identifier for your AWS VPC. AWS displays the VPC ID on your VPC's details page.

  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      networkPeers:
      - providerName: "AWS"
        containerID: "6dc5f17280eef56a459fa3fb"
        accepterRegionName: "us-east-2"
        awsAccountId: "12345678"
        routeTableCidrBlock: "10.0.0.0/24"
        vpcId: "vpc-12345678"
    EOF

Create a New Container

  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description

    spec.networkPeers.providerName

    Cloud provider name. Specify AWS.

    spec.networkPeers.atlasCidrBlock

    Atlas CIDR block for which Atlas Kubernetes Operator creates a new container. If you don't specify atlasCidrBlock, you must specify the containerId of an existing container. To learn more, see the Use Existing Container section in this procedure.

    spec.networkPeers.containerRegion

    (Optional) AWS region in which Atlas Kubernetes Operator creates a new container. If you don't specify either a containerRegion or a containerId, Atlas Kubernetes Operator creates a new container in the same region as the accepterRegionName.

    spec.networkPeers.accepterRegionName

    AWS region for your VPC.

    spec.networkPeers.awsAccountId

    Unique identifier for your AWS account. AWS displays the account ID when you click the account name in the top right corner of the console home page.

    spec.networkPeers.routeTableCidrBlock

    CIDR block for your AWS VPC. AWS displays the CIDR block on your VPC's details page.

    spec.networkPeers.vpcId

    Unique identifier for your AWS VPC. AWS displays the VPC ID on your VPC's details page.

  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      networkPeers:
      - providerName: "AWS"
        atlasCidrBlock: "10.8.0.0/21"
        containerRegion: "us-west-1"
        accepterRegionName: "us-east-2"
        awsAccountId: "12345678"
        routeTableCidrBlock: "10.0.0.0/24"
        vpcId: "vpc-12345678"
    EOF
2

Check for the WAITING FOR USER status.

  1. Run the following command:

    kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.statusName}'
    WAITING FOR USER

  2. If the statusName value is WAITING FOR USER, proceed to the next step. If the statusName is not WAITING FOR USER, wait a few minutes and try this step again.

3

Accept the VPC peering connection in AWS.

To learn more, see Accept a VPC peering connection.

4

Check the status of your VPC connection using Atlas Kubernetes Operator.

Run the following command again to check the status of the VPC connection. Atlas Kubernetes Operator returns READY when the network peering connection is complete.

kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.statusName}'
READY
1

Specify the spec.networkPeers parameter.

You can configure network peering to use an existing container or a new container.

Use an Existing Container

  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description

    spec.networkPeers.providerName

    Cloud provider name. Specify AZURE.

    spec.networkPeers.containerId

    Unique identifier for the network peering container you want to use. If you don't specify containerId, you must set atlasCIDRblock. To learn more, see the Create New Container section in this procedure.

    spec.networkPeers.accepterRegionName

    Azure region for your VPC.

    spec.networkPeers.azureSubscriptionId

    Unique identifier for your Azure subscription. Azure displays the subscription ID on the subscription's details page.

    spec.networkPeers.resourceGroupName

    Human-readable label that identifies the Azure resource group that contains the VPC. Azure displays the resource group name on the resource group's details page.

    spec.networkPeers.azureDirectoryId

    Unique identifier for your Azure Active Directory tenant. Azure displays this as the Tenant ID on the tenant properties page.

    spec.networkPeers.vnetName

    Human-readable label that identifies your Azure VNET. Azure displays the VNET name on your VNET's details page.

  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      networkPeers:
      - providerName: "AZURE"
        containerID: "6dc5f17280eef56a459fa3fb"
        accepterRegionName: "US_EAST_2"
        azureSubscriptionId: "12345678"
        resourceGroupName: "my-group"
        azureDirectoryId: "x0xxx10-00x0-0x01-0xxx-x0x0x01xx100"
        vnetName: "my-vnet"
    EOF

Create a New Container

  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description

    spec.networkPeers.providerName

    Cloud provider name. Specify AZURE.

    spec.networkPeers.atlasCidrBlock

    Atlas CIDR block for which Atlas Kubernetes Operator creates a new container. If you don't specify atlasCidrBlock, you must specify the containerId of an existing container. To learn more, see the Use Existing Container section in this procedure.

    spec.networkPeers.containerRegion

    (Optional) Azure region in which Atlas Kubernetes Operator creates a new container. If you don't specify either a containerRegion or a containerId, Atlas Kubernetes Operator creates a new container in the same region as the accepterRegionName.

    spec.networkPeers.accepterRegionName

    Azure region for your VPC.

    spec.networkPeers.azureSubscriptionId

    Unique identifier for your Azure subscription. Azure displays the subscription ID on the subscription's details page.

    spec.networkPeers.resourceGroupName

    Human-readable label that identifies the Azure resource group that contains the VPC. Azure displays the resource group name on the resource group's details page.

    spec.networkPeers.azureDirectoryId

    Unique identifier for your Azure active directory tenant. Azure displays this as the Tenant ID on the tenant properties page.

    spec.networkPeers.vnetName

    Human-readable label that identifies your Azure VNET. Azure displays the VNET name on your VNET's details page.

  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      networkPeers:
      - providerName: "AZURE"
        atlasCidrBlock: "10.8.0.0/21"
        containerRegion: "US_WEST"
        azureSubscriptionId: "12345678"
        resourceGroupName: "my-group"
        azureDirectoryId: "x0xxx10-00x0-0x01-0xxx-x0x0x01xx100"
        vnetName: "my-vnet"
    EOF
2

Check the status of your VPC connection using Atlas Kubernetes Operator.

Run the following command to check the status of the VPC connection. Atlas Kubernetes Operator returns READY when the network peering connection is complete.

kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.status}'
READY
1

Specify the spec.networkPeers parameter.

You can configure network peering to use an existing container or a new container.

Use an Existing Container

  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description

    spec.networkPeers.providerName

    Cloud provider name. Specify GCP.

    spec.networkPeers.containerId

    Unique identifier for the network peering container you want to use. If you don't specify containerId, you must set atlasCIDRblock and containerRegion. To learn more, see the Create New Container section in this procedure.

    spec.networkPeers.gcpProjectId

    Unique identifier for your Google Cloud project. Google Cloud displays the project ID on the project's details page.

    spec.networkPeers.routeTableCidrBlock

    CIDR block for your Google Cloud VPC. Google Cloud displays the CIDR block on your VPC's details page.

    spec.networkPeers.networkName

    Human-readable label for your Google Cloud VPC. Google Cloud displays the network name on your VPC's details page.

  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
        name: my-project
    spec:
      name: Test Atlas Operator Project
      networkPeers:
      - providerName: "GCP"
        containerId: "6dc5f17280eef56a459fa3fb"
        gcpProjectId: "12345678"
        networkName: "my-vpc"
    EOF

Create a New Container

  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description

    spec.networkPeers.providerName

    Cloud provider name. Specify GCP.

    spec.networkPeers.atlasCidrBlock

    Atlas CIDR block for which Atlas Kubernetes Operator creates a new container. If you don't specify atlasCidrBlock, you must specify the containerId of an existing container. To learn more, see the Use Existing Container section in this procedure.

    spec.networkPeers.containerRegion

    Google Cloud region for your VPC.

    spec.networkPeers.containerRegion

    Google Cloud region in which Atlas Kubernetes Operator creates a new container. If you don't specify containerRegion, you must specify the containerId of an existing container. To learn more, see the Use Existing Container section in this procedure.

    spec.networkPeers.gcpProjectId

    Unique identifier for your Google Cloud project. Google Cloud displays the project ID on the project's details page.

    spec.networkPeers.routeTableCidrBlock

    CIDR block for your Google Cloud VPC. Google Cloud displays the CIDR block on your VPC's details page.

    spec.networkPeers.networkName

    Human-readable label for your Google Cloud VPC. Google Cloud displays the network name on your VPC's details page.

  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
        name: my-project
    spec:
      name: Test Atlas Operator Project
      networkPeers:
      - providerName: "GCP"
        atlasCidrBlock: "10.8.0.0/21"
        gcpProjectId: "12345678"
        networkName: "my-vpc"
    EOF
2

Check for the PENDING ACCEPTANCE status.

  1. Run the following command:

    kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.status}'
    PENDING ACCEPTANCE

  2. If the status value is PENDING ACCEPTANCE, proceed to the next step. If the status is not PENDING ACCEPTANCE, wait a few minutes and try this step again.

3

Create the VPC peering connection in Google Cloud.

To learn more, see Using VPC Network Peering.

4

Check the status of your VPC connection using Atlas Kubernetes Operator.

Run the following command again to check the status of the VPC connection. Atlas Kubernetes Operator returns READY when the network peering connection is complete.

kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.status}'
READY

Back

Secret Storage

Next

Private Endpoints

On this page