Set Up a Private Endpoint for a Dedicated Cluster
On this page
Note
This feature is not available for M0
Free clusters, M2
, and
M5
clusters. To learn more about which features are unavailable,
see Atlas M0 (Free Cluster), M2, and M5 Limits.
Follow these steps to enable a client to connect to a Atlas dedicated cluster using private endpoints.
To learn more about using private endpoints with Atlas, see Learn About Private Endpoints in Atlas.
To set up a private endpoint for a Serverless instance, see Set Up a Private Endpoint for a Serverless Instance.
Required Access
To set up a private endpoint for a dedicated cluster, you must have
Organization Owner
or Project Owner
access to
the project.
Prerequisites, Considerations, and Limitations
To learn the prerequisites, considerations, and limitations for setting up a private endpoint, see the following resources:
Follow These Steps
To set up AWS PrivateLink through the Atlas CLI, install the Atlas CLI and connect from the Atlas CLI. Then, complete the following steps:
Create the private endpoint service in Atlas.
Run the Atlas CLI command to initiate the setup of AWS PrivateLink in Atlas. Atlas represents these resources in the form of a private endpoint service. Ensure that the value of
--region
matches the region where you deployed your cluster:atlas privateEndpoints aws create [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws create.
If you have a multi-region or multi-cloud cluster and you don't enable regionalized private endpoints, you must provision an endpoint for each provider and region.
Note the private endpoint service's ID in the response. In this example, the ID is
6344ac8f51b94c6356527881
.Private endpoint '6344ac8f51b94c6356527881' created.
Retrieve the private endpoint service name.
Note
It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.
Run the Atlas CLI command to describe the private endpoint using its ID:
atlas privateEndpoints aws describe <privateEndpointId> [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws describe.
Note the value for
ENDPOINT SERVICE
in the response, which shows the name of the private endpoint service associated with this private endpoint. In this example, the endpoint service name iscom.amazonaws.vpce.us-east-1.vpce-svc-0705499aae25ac77c
:ID ENDPOINT SERVICE STATUS ERROR 6344ac8f51b94c6356527881 com.amazonaws.vpce.us-east-1.vpce-svc-0705499aae25ac77c AVAILABLE If the
STATUS
value isINITIATING
, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.
Create the interface endpoint in AWS.
Run the command in the AWS CLI, replacing the following placeholders with your values:
PlaceholderDescription{VPC-ID}Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.{REGION}AWS region in which your cluster resides.{SUBNET-IDS}Unique string that identifies the subnets that your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account.
IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.
{SERVICE-NAME}Unique string identifying the private endpoint service that you retrieved previously.aws ec2 create-vpc-endpoint --vpc-id {VPC-ID} \ --region {REGION} --service-name {SERVICE-NAME} \ --vpc-endpoint-type Interface --subnet-ids {SUBNET-IDS} To learn more about the AWS CLI, see Creating an Interface Endpoint.
Note the value in the response for the field
VpcEndpointId
. This is a 22-character alphanumeric string that identifies your private endpoint. You can also find this value on the AWS VPC Dashboard under Endpoints > VPC ID.
Update your private endpoint with the VPC Endpoint ID.
Run the Atlas CLI command to provide the interface endpoint info to Atlas using the Atlas endpoint service ID and the VPC Endpoint ID. In this example, you would set the following parameters:
ParameterTypeExample ValueendpointServiceId
Argument6344ac8f51b94c6356527881
privateEndpointId
Optionvpce-00713b5e644e830a3
atlas privateEndpoints aws interfaces create <endpointServiceId> [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws interfaces create.
Configure your resources' security groups to send traffic to and receive traffic from the interface endpoint.
For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.
See Adding Rules to a Security Group for more information.
Create a security group for your interface endpoint to allow resources to access it.
This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:
In the AWS console, navigate to the VPC Dashboard.
Click Security Groups, then click Create security group.
Use the wizard to create a security group. Make sure you select your VPC from the VPC list.
Select the security group you just created, then click the Inbound Rules tab.
Click Edit Rules.
Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.
Click Save Rules.
Click Endpoints, then click the endpoint for your VPC.
Click the Security Groups tab, then click Edit Security Groups.
Add the security group you just created, then click Save.
To learn more about VPC security groups, see the AWS documentation.
Verify the private endpoint's availability.
You can connect to the cluster using the AWS PrivateLink private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.
To verify that the AWS private endpoint is available:
Run the Atlas CLI command to describe the interface endpoint using its ID. In this example, you would set the following parameters:
ParameterTypeExample ValueinterfaceEndpointId
Argumentvpce-00713b5e644e830a3
endpointServiceId
Option6344ac8f51b94c6356527881
atlas privateEndpoints aws interfaces describe <interfaceEndpointId> [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws interfaces describe.
Verify that the
STATUS
field's value isAVAILABLE
as shown in the following example:ID STATUS ERROR vpce-00713b5e644e830a3 AVAILABLE
To set up AWS PrivateLink through the Atlas UI:
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Configure your private endpoint.
Enter the following details about your AWS VPC:
Your VPC IDUnique identifier of the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.Your Subnet IDsUnique identifiers of the subnets your AWS VPC uses.
Find these values on the Subnet dashboard in your AWS account.
IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for lients in your VPC to send traffic to the private endpoint.
Copy the command the dialog box displays and run it using the AWS CLI.
Note
You can't copy the command until Atlas finishes creating VPC resources in the background.
See Creating an Interface Endpoint to perform this task using the AWS CLI.
Click Next.
Configure your resources' security groups to send traffic to and receive traffic from the interface endpoint.
For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.
See Adding Rules to a Security Group for more information.
Create a security group for your interface endpoint to allow resources to access it.
This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:
In the AWS console, navigate to the VPC Dashboard.
Click Security Groups, then click Create security group.
Use the wizard to create a security group. Make sure you select your VPC from the VPC list.
Select the security group you just created, then click the Inbound Rules tab.
Click Edit Rules.
Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.
Click Save Rules.
Click Endpoints, then click the endpoint for your VPC.
Click the Security Groups tab, then click Edit Security Groups.
Add the security group you just created, then click Save.
To learn more about VPC security groups, see the AWS documentation.
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Verify that the private endpoint is available.
You can connect to an Atlas cluster using the AWS PrivateLink private endpoint when all of the resources are configured and the private endpoint becomes available.
To verify that the AWS PrivateLink private endpoint is available:
On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using AWS PrivateLink:
Atlas Endpoint Service Status | Available |
Endpoint Status | Available |
To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.
If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.
To set up AWS PrivateLink through the Atlas CLI, install the Atlas CLI and connect from the Atlas CLI. Then, complete the following steps:
Create the private endpoint service in Atlas.
Run the Atlas CLI command to create a private endpoint and private endpoint service in Atlas. Ensure that the value of
--region
matches the region where you deployed your cluster:atlas privateEndpoints azure create [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure create.
If you have a multi-region or multi-cloud cluster and you don't enable regionalized private endpoints, you must provision an endpoint for each provider and region.
Note the private endpoint service's ID in the response. In this example, the ID is
6344ac8f51b94c6356527881
.Private endpoint '6344ac8f51b94c6356527881' created.
Retrieve the private endpoint service name.
Note
It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.
Run the Atlas CLI command to describe the private endpoint using its service ID:
atlas privateEndpoints azure describe <privateEndpointId> [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure describe.
Note the value for
ENDPOINT SERVICE
in the response, which shows the endpoint service name. In this example, the endpoint service name ispls_6344ac8f51b94c6356527881
:ID ENDPOINT SERVICE STATUS ERROR 6344ac8f51b94c6356527881 pls_6344ac8f51b94c6356527881 AVAILABLE If the
STATUS
value isINITIATING
, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.
Create the endpoint in Azure.
Run the
az network private-endpoint create
command in the Azure CLI, replacing the following placeholders with your values:PlaceholderDescription{RESOURCE-GROUP-NAME}Name of the Azure resource group that contains the VNet that you want to use to connect to Atlas. You can find this value on the Resource Group Properties page on your Azure dashboard.{VIRTUAL-NETWORK-NAME}Name of the VNet that you want to use to connect to Atlas. You can find this value on the Virtual Network page on your Azure dashboard.{SUBNET-NAME}Name of the subnet in your Azure VNet. You can find this value on the Virtual Network Subnets page on your Azure dashboard.{PRIVATE-ENDPOINT-NAME}Human-readable label that identifies the private endpoint within your Azure resource group.{SUBSCRIPTION-ID}Unique string that identifies your subscription in Azure. You can find this value on the Subscriptions page in Azure.{RESOURCE-GROUP-ID}Unique string that identifies your Azure resource group on Atlas. You can find this value on under the Private Endpoint tab on the Network Access page in the Atlas UI.
This value begins with
rg_
and contains a combination of letters and numbers, that resemblesrg_65c66a56a3a43...
.{ENDPOINT-SERVICE-NAME}Unique string that identifies the endpoint service. This is the endpoint service name returned in a previous step.az network private-endpoint create --resource-group {RESOURCE-GROUP-NAME} --name {PRIVATE-ENDPOINT-NAME} --vnet-name {VIRTUAL-NETWORK-NAME} --subnet {SUBNET-NAME} --private-connection-resource-id /subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-ID}/providers/Microsoft.Network/privateLinkServices/{ENDPOINT-SERVICE-NAME} --connection-name {ENDPOINT-SERVICE-NAME} --manual-request true To learn more about the Azure CLI, see Create a Private Endpoint by Using the Azure CLI.
Copy and save the following values:
Resource IDUnique string that identifies the private endpoint in your Azure VNet. Find this value in one of the following ways:
Use the Azure dashboard to retrieve this value. The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.
Use the output from the following command, which returns the highlighted value in the
id
field:1 azure network private-endpoint create 1 { 2 "customDnsConfigs": [], 3 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 4 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink", 5 "location": "eastus2", 6 "manualPrivateLinkServiceConnections": [ 7 { 8 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 9 "groupIds": null, 10 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e", 11 "name": "pls_5f860388d432510d5a6e1a3e", 12 "privateLinkServiceConnectionState": { 13 "actionsRequired": "None", 14 "description": "Connection deleted by service provider", 15 "status": "Disconnected" 16 }, 17 "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice", 18 "provisioningState": "Succeeded", 19 "requestMessage": null, 20 "resourceGroup": "privatelink", 21 "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections" 22 } 23 ], 24 "name": "privatelink", 25 "networkInterfaces": [ 26 { 27 "dnsSettings": null, 28 "dscpConfiguration": null, 29 "enableAcceleratedNetworking": null, 30 "enableIpForwarding": null, 31 "etag": null, 32 "hostedWorkloads": null, 33 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000", 34 "ipConfigurations": null, 35 "location": null, 36 "macAddress": null, 37 "name": null, 38 "networkSecurityGroup": null, 39 "primary": null, 40 "privateEndpoint": null, 41 "provisioningState": null, 42 "resourceGroup": "privatelink", 43 "resourceGuid": null, 44 "tags": null, 45 "tapConfigurations": null, 46 "type": null, 47 "virtualMachine": null 48 } 49 ], 50 "privateLinkServiceConnections": [], 51 "provisioningState": "Succeeded", 52 "resourceGroup": "privatelink", 53 "subnet": { 54 "addressPrefix": null, 55 "addressPrefixes": null, 56 "delegations": null, 57 "etag": null, 58 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink", 59 "ipAllocations": null, 60 "ipConfigurationProfiles": null, 61 "ipConfigurations": null, 62 "name": null, 63 "natGateway": null, 64 "networkSecurityGroup": null, 65 "privateEndpointNetworkPolicies": null, 66 "privateEndpoints": null, 67 "privateLinkServiceNetworkPolicies": null, 68 "provisioningState": null, 69 "purpose": null, 70 "resourceGroup": "privatelink", 71 "resourceNavigationLinks": null, 72 "routeTable": null, 73 "serviceAssociationLinks": null, 74 "serviceEndpointPolicies": null, 75 "serviceEndpoints": null 76 }, 77 "tags": null, 78 "type": "Microsoft.Network/privateEndpoints" 79 } You can also return this value using the azure network private-endpoint list CLI command.
Private IPPrivate IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:
Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.
Use the Azure CLI to retrieve this value:
Use the output from the following command, which returns the ID of the network interface in the highlighted
networkInterfaces.id
field:1 azure network private-endpoint create 1 { 2 "customDnsConfigs": [], 3 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 4 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink", 5 "location": "eastus2", 6 "manualPrivateLinkServiceConnections": [ 7 { 8 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 9 "groupIds": null, 10 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e", 11 "name": "pls_5f860388d432510d5a6e1a3e", 12 "privateLinkServiceConnectionState": { 13 "actionsRequired": "None", 14 "description": "Connection deleted by service provider", 15 "status": "Disconnected" 16 }, 17 "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice", 18 "provisioningState": "Succeeded", 19 "requestMessage": null, 20 "resourceGroup": "privatelink", 21 "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections" 22 } 23 ], 24 "name": "privatelink", 25 "networkInterfaces": [ 26 { 27 "dnsSettings": null, 28 "dscpConfiguration": null, 29 "enableAcceleratedNetworking": null, 30 "enableIpForwarding": null, 31 "etag": null, 32 "hostedWorkloads": null, 33 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000", 34 "ipConfigurations": null, 35 "location": null, 36 "macAddress": null, 37 "name": null, 38 "networkSecurityGroup": null, 39 "primary": null, 40 "privateEndpoint": null, 41 "provisioningState": null, 42 "resourceGroup": "privatelink", 43 "resourceGuid": null, 44 "tags": null, 45 "tapConfigurations": null, 46 "type": null, 47 "virtualMachine": null 48 } 49 ], 50 "privateLinkServiceConnections": [], 51 "provisioningState": "Succeeded", 52 "resourceGroup": "privatelink", 53 "subnet": { 54 "addressPrefix": null, 55 "addressPrefixes": null, 56 "delegations": null, 57 "etag": null, 58 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink", 59 "ipAllocations": null, 60 "ipConfigurationProfiles": null, 61 "ipConfigurations": null, 62 "name": null, 63 "natGateway": null, 64 "networkSecurityGroup": null, 65 "privateEndpointNetworkPolicies": null, 66 "privateEndpoints": null, 67 "privateLinkServiceNetworkPolicies": null, 68 "provisioningState": null, 69 "purpose": null, 70 "resourceGroup": "privatelink", 71 "resourceNavigationLinks": null, 72 "routeTable": null, 73 "serviceAssociationLinks": null, 74 "serviceEndpointPolicies": null, 75 "serviceEndpoints": null 76 }, 77 "tags": null, 78 "type": "Microsoft.Network/privateEndpoints" 79 } Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the
networkInterfaces.id
field to retrieve theipConfigurations.privateIPAddress
for the private endpoint network interface. The value of this field is your Private IP. The input and output should look similar to the following. Note the highlighted value of the Private Endpoint IP Address field.1 az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000 1 { 2 "dnsSettings": { 3 "appliedDnsServers": [], 4 "dnsServers": [], 5 "internalDnsNameLabel": null, 6 "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net", 7 "internalFqdn": null 8 }, 9 "dscpConfiguration": null, 10 "enableAcceleratedNetworking": false, 11 "enableIpForwarding": false, 12 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 13 "hostedWorkloads": [], 14 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000", 15 "ipConfigurations": [ 16 { 17 "applicationGatewayBackendAddressPools": null, 18 "applicationSecurityGroups": null, 19 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 20 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig", 21 "loadBalancerBackendAddressPools": null, 22 "loadBalancerInboundNatRules": null, 23 "name": "privateEndpointIpConfig", 24 "primary": true, 25 "privateIpAddress": "10.0.0.4", 26 "privateIpAddressVersion": "IPv4", 27 "privateIpAllocationMethod": "Dynamic", 28 "privateLinkConnectionProperties": { 29 "fqdns": [], 30 "groupId": "", 31 "requiredMemberName": "" 32 }, 33 "provisioningState": "Succeeded", 34 "publicIpAddress": null, 35 "resourceGroup": "privatelink", 36 "subnet": { 37 "addressPrefix": null, 38 "addressPrefixes": null, 39 "delegations": null, 40 "etag": null, 41 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink", 42 "ipAllocations": null, 43 "ipConfigurationProfiles": null, 44 "ipConfigurations": null, 45 "name": null, 46 "natGateway": null, 47 "networkSecurityGroup": null, 48 "privateEndpointNetworkPolicies": null, 49 "privateEndpoints": null, 50 "privateLinkServiceNetworkPolicies": null, 51 "provisioningState": null, 52 "purpose": null, 53 "resourceGroup": "privatelink", 54 "resourceNavigationLinks": null, 55 "routeTable": null, 56 "serviceAssociationLinks": null, 57 "serviceEndpointPolicies": null, 58 "serviceEndpoints": null 59 }, 60 "type": "Microsoft.Network/networkInterfaces/ipConfigurations", 61 "virtualNetworkTaps": null 62 } 63 ], 64 "location": "eastus2", 65 "macAddress": "", 66 "name": "privatelink.nic.00000000-0000-0000-0000-000000000000", 67 "networkSecurityGroup": null, 68 "primary": null, 69 "privateEndpoint": { 70 "customDnsConfigs": null, 71 "etag": null, 72 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink", 73 "location": null, 74 "manualPrivateLinkServiceConnections": null, 75 "name": null, 76 "networkInterfaces": null, 77 "privateLinkServiceConnections": null, 78 "provisioningState": null, 79 "resourceGroup": "privatelink", 80 "subnet": null, 81 "tags": null, 82 "type": null 83 }, 84 "provisioningState": "Succeeded", 85 "resourceGroup": "privatelink", 86 "resourceGuid": "00000000-0000-0000-0000-000000000000", 87 "tags": null, 88 "tapConfigurations": [], 89 "type": "Microsoft.Network/networkInterfaces", 90 "virtualMachine": null 91 }
Update your private endpoint with the Resource ID and Private IP.
Run the Atlas CLI command to create an interface endpoint in Atlas using the Atlas endpoint service ID, the Azure Resource ID, and the Azure Private IP. In this example, you would set the following parameters:
ParameterTypeExample ValueendpointServiceId
Argument6344ac8f51b94c6356527881
privateEndpointId
Option/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/
resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/
providers/Microsoft.Network/privateEndpoints/
test-endpoint
privateEndpointIpAddress
Option10.0.0.4
atlas privateEndpoints azure interfaces create <endpointServiceId> [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure interfaces create.
Note the private endpoint's interface endpoint ID in the response. In this example, the ID is
/subscriptions/
4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/
rg_95847a959b876e255dbb9b33_dfragd7w/providers/
Microsoft.Network/privateEndpoints/cli-test
.Interface endpoint '/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/cli-test' created.
Verify the private endpoint's availability.
You can connect to the cluster using the Azure Private Link private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.
To verify that the Azure private endpoint is available:
Run the Atlas CLI command to describe the interface endpoint using its ID and the interface endpoint ID you retrieved in the previous step. In this example, you would set the following parameters:
ParameterTypeExample ValueprivateEndpointResourceId
Argument/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/
resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/
providers/Microsoft.Network/privateEndpoints/cli-test
endpointServiceId
Option6344ac8f51b94c6356527881
atlas privateEndpoints azure interfaces describe <privateEndpointResourceId> [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure interfaces describe.
Verify that the
STATUS
field's value isAVAILABLE
as shown in the following example:ID STATUS ERROR pls_6344ac8f51b94c6356527881 AVAILABLE
To set up Azure Private Link through the Atlas UI:
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Configure your private endpoint.
Enter the following details about your Azure VNet:
Resource Group NameThe name of the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.Virtual Network NameThe name of the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.Subnet NameThe name of the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.Enter a unique name for your private endpoint in the Private Endpoint Name field.
Create the private endpoint in your VNet by copying the
az network private-endpoint create
command the dialog box displays and running it using the Azure CLI.Note
You can't copy the command until Atlas finishes creating VNet resources in the background.
For more information about this command, see the Azure documentation.
You might receive an error like the following when you create the private endpoint:
ServiceError: code: LinkedAuthorizationFailed - , The client has permission to perform action 'Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action' on scope '/subscriptions/<subscription-id>/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink', however the current tenant '<tenant-id>' is not authorized to access linked subscription '<tenant-id>'. If you receive this error, you must add the
--manual-request true
parameter to the Azure CLI command you used to create the private endpoint, then run the command again.Click Next.
Finalize your private endpoint connection.
Enter the following details about your private endpoint:
Private Endpoint Resource IDThe unique identifier of the private endpoint you created in your Azure VNet. Find this value in one of the following ways:
The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.
The output from the following command that you ran earlier to create the private endpoint returns the highlighted value in the id field:
1 azure network private-endpoint create 1 { 2 "customDnsConfigs": [], 3 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 4 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink", 5 "location": "eastus2", 6 "manualPrivateLinkServiceConnections": [ 7 { 8 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 9 "groupIds": null, 10 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e", 11 "name": "pls_5f860388d432510d5a6e1a3e", 12 "privateLinkServiceConnectionState": { 13 "actionsRequired": "None", 14 "description": "Connection deleted by service provider", 15 "status": "Disconnected" 16 }, 17 "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice", 18 "provisioningState": "Succeeded", 19 "requestMessage": null, 20 "resourceGroup": "privatelink", 21 "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections" 22 } 23 ], 24 "name": "privatelink", 25 "networkInterfaces": [ 26 { 27 "dnsSettings": null, 28 "dscpConfiguration": null, 29 "enableAcceleratedNetworking": null, 30 "enableIpForwarding": null, 31 "etag": null, 32 "hostedWorkloads": null, 33 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000", 34 "ipConfigurations": null, 35 "location": null, 36 "macAddress": null, 37 "name": null, 38 "networkSecurityGroup": null, 39 "primary": null, 40 "privateEndpoint": null, 41 "provisioningState": null, 42 "resourceGroup": "privatelink", 43 "resourceGuid": null, 44 "tags": null, 45 "tapConfigurations": null, 46 "type": null, 47 "virtualMachine": null 48 } 49 ], 50 "privateLinkServiceConnections": [], 51 "provisioningState": "Succeeded", 52 "resourceGroup": "privatelink", 53 "subnet": { 54 "addressPrefix": null, 55 "addressPrefixes": null, 56 "delegations": null, 57 "etag": null, 58 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink", 59 "ipAllocations": null, 60 "ipConfigurationProfiles": null, 61 "ipConfigurations": null, 62 "name": null, 63 "natGateway": null, 64 "networkSecurityGroup": null, 65 "privateEndpointNetworkPolicies": null, 66 "privateEndpoints": null, 67 "privateLinkServiceNetworkPolicies": null, 68 "provisioningState": null, 69 "purpose": null, 70 "resourceGroup": "privatelink", 71 "resourceNavigationLinks": null, 72 "routeTable": null, 73 "serviceAssociationLinks": null, 74 "serviceEndpointPolicies": null, 75 "serviceEndpoints": null 76 }, 77 "tags": null, 78 "type": "Microsoft.Network/privateEndpoints" 79 }
Private Endpoint IP AddressThe private IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:
Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.
Use the Azure CLI to retrieve this value:
The output from the following command that you ran earlier to create the private endpoint includes the ID of the network interface in the highlighted networkInterfaces.id field:
1 azure network private-endpoint create 1 { 2 "customDnsConfigs": [], 3 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 4 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink", 5 "location": "eastus2", 6 "manualPrivateLinkServiceConnections": [ 7 { 8 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 9 "groupIds": null, 10 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e", 11 "name": "pls_5f860388d432510d5a6e1a3e", 12 "privateLinkServiceConnectionState": { 13 "actionsRequired": "None", 14 "description": "Connection deleted by service provider", 15 "status": "Disconnected" 16 }, 17 "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice", 18 "provisioningState": "Succeeded", 19 "requestMessage": null, 20 "resourceGroup": "privatelink", 21 "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections" 22 } 23 ], 24 "name": "privatelink", 25 "networkInterfaces": [ 26 { 27 "dnsSettings": null, 28 "dscpConfiguration": null, 29 "enableAcceleratedNetworking": null, 30 "enableIpForwarding": null, 31 "etag": null, 32 "hostedWorkloads": null, 33 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000", 34 "ipConfigurations": null, 35 "location": null, 36 "macAddress": null, 37 "name": null, 38 "networkSecurityGroup": null, 39 "primary": null, 40 "privateEndpoint": null, 41 "provisioningState": null, 42 "resourceGroup": "privatelink", 43 "resourceGuid": null, 44 "tags": null, 45 "tapConfigurations": null, 46 "type": null, 47 "virtualMachine": null 48 } 49 ], 50 "privateLinkServiceConnections": [], 51 "provisioningState": "Succeeded", 52 "resourceGroup": "privatelink", 53 "subnet": { 54 "addressPrefix": null, 55 "addressPrefixes": null, 56 "delegations": null, 57 "etag": null, 58 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink", 59 "ipAllocations": null, 60 "ipConfigurationProfiles": null, 61 "ipConfigurations": null, 62 "name": null, 63 "natGateway": null, 64 "networkSecurityGroup": null, 65 "privateEndpointNetworkPolicies": null, 66 "privateEndpoints": null, 67 "privateLinkServiceNetworkPolicies": null, 68 "provisioningState": null, 69 "purpose": null, 70 "resourceGroup": "privatelink", 71 "resourceNavigationLinks": null, 72 "routeTable": null, 73 "serviceAssociationLinks": null, 74 "serviceEndpointPolicies": null, 75 "serviceEndpoints": null 76 }, 77 "tags": null, 78 "type": "Microsoft.Network/privateEndpoints" 79 } Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the networkInterfaces.id field to retrieve the ipConfigurations.privateIPAddress for the private endpoint network interface. The value of this field is your Private Endpoint IP Address. The input and output should look similar to the following. Note the highlighted value of the Private Endpoint IP Address field.
1 az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000 1 { 2 "dnsSettings": { 3 "appliedDnsServers": [], 4 "dnsServers": [], 5 "internalDnsNameLabel": null, 6 "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net", 7 "internalFqdn": null 8 }, 9 "dscpConfiguration": null, 10 "enableAcceleratedNetworking": false, 11 "enableIpForwarding": false, 12 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 13 "hostedWorkloads": [], 14 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000", 15 "ipConfigurations": [ 16 { 17 "applicationGatewayBackendAddressPools": null, 18 "applicationSecurityGroups": null, 19 "etag": "W/\"00000000-0000-0000-0000-000000000000\"", 20 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig", 21 "loadBalancerBackendAddressPools": null, 22 "loadBalancerInboundNatRules": null, 23 "name": "privateEndpointIpConfig", 24 "primary": true, 25 "privateIpAddress": "10.0.0.4", 26 "privateIpAddressVersion": "IPv4", 27 "privateIpAllocationMethod": "Dynamic", 28 "privateLinkConnectionProperties": { 29 "fqdns": [], 30 "groupId": "", 31 "requiredMemberName": "" 32 }, 33 "provisioningState": "Succeeded", 34 "publicIpAddress": null, 35 "resourceGroup": "privatelink", 36 "subnet": { 37 "addressPrefix": null, 38 "addressPrefixes": null, 39 "delegations": null, 40 "etag": null, 41 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink", 42 "ipAllocations": null, 43 "ipConfigurationProfiles": null, 44 "ipConfigurations": null, 45 "name": null, 46 "natGateway": null, 47 "networkSecurityGroup": null, 48 "privateEndpointNetworkPolicies": null, 49 "privateEndpoints": null, 50 "privateLinkServiceNetworkPolicies": null, 51 "provisioningState": null, 52 "purpose": null, 53 "resourceGroup": "privatelink", 54 "resourceNavigationLinks": null, 55 "routeTable": null, 56 "serviceAssociationLinks": null, 57 "serviceEndpointPolicies": null, 58 "serviceEndpoints": null 59 }, 60 "type": "Microsoft.Network/networkInterfaces/ipConfigurations", 61 "virtualNetworkTaps": null 62 } 63 ], 64 "location": "eastus2", 65 "macAddress": "", 66 "name": "privatelink.nic.00000000-0000-0000-0000-000000000000", 67 "networkSecurityGroup": null, 68 "primary": null, 69 "privateEndpoint": { 70 "customDnsConfigs": null, 71 "etag": null, 72 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink", 73 "location": null, 74 "manualPrivateLinkServiceConnections": null, 75 "name": null, 76 "networkInterfaces": null, 77 "privateLinkServiceConnections": null, 78 "provisioningState": null, 79 "resourceGroup": "privatelink", 80 "subnet": null, 81 "tags": null, 82 "type": null 83 }, 84 "provisioningState": "Succeeded", 85 "resourceGroup": "privatelink", 86 "resourceGuid": "00000000-0000-0000-0000-000000000000", 87 "tags": null, 88 "tapConfigurations": [], 89 "type": "Microsoft.Network/networkInterfaces", 90 "virtualMachine": null 91 }
Enter an optional description for the endpoint.
Click Create.
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Verify that the private endpoint is available.
You can connect to an Atlas cluster using the Azure Private Link private endpoint when all of the resources are configured and the private endpoint becomes available.
To verify that the Azure Private Link private endpoint is available:
On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using Azure Private Link:
Atlas Endpoint Service Status | Available |
Endpoint Status | Available |
To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.
If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.
To set up GCP Private Service Connect in Google Cloud through the Atlas CLI, install the Atlas CLI and connect from the Atlas CLI. Then, complete the following steps:
Create the private endpoint in Atlas.
Run the Atlas CLI command to create a private endpoint in Atlas. Ensure that the value of
--region
matches the region where you deployed your cluster:atlas privateEndpoints gcp create [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp create.
If you have a multi-region or multi-cloud cluster and you don't enable regionalized private endpoints, you must provision an endpoint for each provider and region.
Note the private endpoint's ID in the response. In this example, the ID is
6344ac8f51b94c6356527881
.Private endpoint '6344ac8f51b94c6356527881' created.
Wait for the private endpoint to become available.
Note
It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.
Run the Atlas CLI command to describe the private endpoint using its ID:
atlas privateEndpoints gcp describe <privateEndpointId> [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp describe.
The following shows a sample output:
ID GROUP NAME REGION STATUS ERROR 6344ac8f51b94c6356527881 N/A CENTRAL_US AVAILABLE
If the STATUS
value is INITIATING
, wait 1-2 more
minutes for Atlas to provision the private endpoint. Then, try this step again.
Create the endpoint in GCP.
Create a shell script file named
setup_psc.sh
.Copy and paste the following code into the
setup_psc.sh
file, replacing the following placeholders with your values:PlaceholderDescription{GCP-PROJECT-ID}Unique string that identifies your Google Cloud project in Google Cloud.{ATLAS-GCP-PROJECT-ID}Unique string that identifies the Google Cloud project in which Atlas deploys your resources.{ENDPOINT}Unique string that identifies your private endpoint. This is the prefix for all forwarding rules you create.{REGION}Google Cloud region in which your cluster resides.{SUBNET}When you create Private Service Connect endpoints, you specify a subnet in your VPC network; you may either create a new subnet to encapsulate your endpoints or use an existing one. This subnet needs to have at least 50 unassigned IP addresses.{VPC-NAME}Name of the VNet that you want to use to connect to Atlas. You can find this value on the VPC Network page on your Google Cloud dashboard.{GROUP-ID}Unique 24-character hexadecimal string that identifies your project in Atlas.!/bin/bash gcloud config set project {GCP-PROJECT-ID} for i in {0..49} do gcloud compute addresses create {ENDPOINT}-ip-$i --region={REGION} --subnet={SUBNET} done for i in {0..49} do if [ $(gcloud compute addresses describe {ENDPOINT}-ip-$i --region={REGION} --format="value(status)") != "RESERVED" ]; then echo "{ENDPOINT}-ip-$i is not RESERVED"; exit 1; fi done for i in {0..49} do gcloud compute forwarding-rules create {ENDPOINT}-$i --region={REGION} --network={VPC-NAME} --address={ENDPOINT}-ip-$i --target-service-attachment=projects/{ATLAS-GCP-PROJECT-ID}/regions/{REGION}/serviceAttachments/sa-{REGION}-{GROUP-ID}-$i done Run the shell file
sh setup_psc.sh Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/addresses/-ip-0]., Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/addresses/-ip-1]., ... Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/addresses/-ip-49]., Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/forwardingRules/-ip-0]., Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/forwardingRules/-ip-1]., ... Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/forwardingRules/-ip-49]. Run the following command to generate a list of your Google Cloud forwarding addresses and store them in a file called
atlasEndpoints.txt
, replacing the following placeholders from the previous step:PlaceholderDescription{REGION}Google Cloud region in which your cluster resides.{ENDPOINT}Unique string that identifies your private endpoint. This is the prefix for all forwarding rules you create.gcloud compute forwarding-rules list --regions={REGION} --format="csv(name,IPAddress)" --filter="name:({ENDPOINT}*)" > atlasEndpoints.txt
Update the format of the atlasEndpoints.txt
file.
Run the following command to reformat the contents of
atlasEndpoints.txt
:
sed -i '' '1d' atlasEndpoints.txt tr -s ',' '@' <atlasEndpoints.txt>atlasEndpoints2.txt tr -s '\n' ',' <atlasEndpoints2.txt>atlasEndpoints.txt sed -i '' '$ s/.$//' atlasEndpoints.txt rm atlasEndpoints2.txt
Note
You use the contents of atlasEndpoints.txt
in the next step
as the value for the endpoint
parameter.
Update your private endpoint with the VPC Endpoint ID.
Run the Atlas CLI command to create an interface endpoint in Atlas using the Atlas endpoint ID and the VPC Endpoint ID. In this example, you would set the following parameters:
ParameterTypeExample ValueendpointGroupId
Argumenttester-1
endpointServiceId
Option6344ac8f51b94c6356527881
gcpProjectId
Optionatlascli-private-endpoints
endpoint
Optiontester-1@10.142.0.1,tester-2@10.142.0.2, ... , tester-49@10.142.0.49, tester-50@10.142.0.50
The
...
represents 46 other endpoints in between.To add a new interface for an Google Cloud private endpoint using the Atlas CLI, run the following command:
atlas privateEndpoints gcp interfaces create <endpointGroupId> [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp interfaces create.
Verify the private endpoint's availability.
You can connect to the cluster using the GCP Private Service Connect private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.
To verify that the Google Cloud private endpoint is available:
Run the Atlas CLI command to describe the interface endpoint using its ID. In this example, you would use the following parameters from the previous step:
ParameterTypeExample Valueid
Argumenttester-1
endpointServiceId
Option6344ac8f51b94c6356527881
To return the Google Cloud private endpoint interface that you specify. using the Atlas CLI, run the following command:
atlas privateEndpoints gcp interfaces describe <id> [options] To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp interfaces describe.
Verify that the
STATUS
field's value isAVAILABLE
as shown in the following example:ENDPOINT STATUS DELETE REQUESTED tester-1 AVAILABLE false If the
STATUS
value isVERIFIED
, wait 1-2 more minutes for Atlas to make your private endpoint available.
To set up GCP Private Service Connect in Google Cloud through the Atlas UI:
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Configure your private endpoint.
Enter the following details about your Google Cloud VPC:
Google Cloud Project IDThe unique ID for your project. Find this value on the Dashboard page on your Google Cloud platform.VPC NameThe name of the VPC that you want to use to connect to Atlas. Find this value on the VPC Networks page on your Google Cloud dashboard.Subnet NameThe name of the subnet in your Google Cloud VPC. Find this value on the VPC Networks page on your Google Cloud dashboard.Enter a unique name for your private endpoint in the Private Service Connect Endpoint Prefix field. This will be the prefix for all endpoints created and the name of the endpoint group. Click Next.
Create the forwarding rules in your Google Cloud VPC by downloading the shell script and running it using the gcloud CLI. This will output a JSON file containing a list of IP addresses and endpoint names that you will need in the next step. Click Next.
Click Upload JSON File to select and upload the outputted JSON file.
Click Create Private Endpoint.
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Verify that the private endpoint is available.
You can connect to an Atlas cluster using the GCP Private Service Connect private endpoint when all of the resources are configured and the private endpoint becomes available.
To verify that the GCP Private Service Connect private endpoint is available:
On the Private Endpoint tab, verify the following statuses for the region that contains the cluster you want to connect to using GCP Private Service Connect:
Atlas Endpoint Service Status | Available |
Endpoint Status | Available |
To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.
If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.