Note

This feature is not available for any of the following deployments:

- M0 clusters
- M2/M5 clusters
- Flex clusters
Atlas Kubernetes Operator supports managing private endpoints for dedicated clusters on AWS using the AWS PrivateLink feature.
Prerequisites
To enable connections with Atlas Kubernetes Operator to Atlas using private endpoints, you must:
- Deploy Atlas Kubernetes Operator on a running Kubernetes cluster.
- Have either the Project Owner or Organization Owner role in Atlas.
- Have an AWS user account with an IAM user policy that grants permissions to create, modify, describe, and delete endpoints. For more information on controlling the use of interface endpoints, see the AWS Documentation.
- (Recommended): Install the AWS CLI.
- If you have not already done so, create your VPC and EC2 instances in AWS. See the AWS documentation for guidance.
Procedure
To enable clients to connect to Atlas dedicated clusters using private endpoints:
Find the service name for your private endpoint.
Use the following table to find the service name that corresponds to the AWS region for your private endpoint:
| AWS Region | Service Name |
|---|---|
Use the AWS CLI to configure each private endpoint.
To create your application VPC interface endpoint:
Copy the following command:
```sh
aws ec2 create-vpc-endpoint --vpc-id {your-application-vpc-id} --region {aws-region} --service-name {service-name} --vpc-endpoint-type Interface --subnet-ids {your-application-subnet-ids}
```

Replace the following placeholders with the details about your AWS VPC:

- your-application-vpc-id: Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.
- aws-region: Label that identifies the AWS region of the private endpoint.
- service-name: Unique string that identifies the service for your private endpoint. This is the service name value you retrieved in the previous step.
- your-application-subnet-ids: Unique strings that identify the subnets your AWS VPC uses. Separate each subnet with a space. Find these values on the Subnet dashboard in your AWS account.

IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.
Run the command with the AWS CLI.
Note the VpcEndpointId value in the output.

Example

```json
"VpcEndpoint": {
  "VpcEndpointId": "vpce-XXXXXX",
  "VpcEndpointType": "Interface",
  "VpcId": "vpc-XXXXX",
  "ServiceName": "com.amazonaws.vpce.{aws-region}.vpce-svc-XXXX",
  "State": "pendingAcceptance",
}
```
To learn more, see Creating an Interface Endpoint in the AWS documentation.
Specify the spec.privateEndpoints parameter.
Specify the spec.privateEndpoints parameter for the AtlasDataFederation Custom Resource. Replace vpce-id with the VpcEndpointId value from the previous step and run the following command:
Note
You can find the unique identifier of the peer AWS VPC on the VPC dashboard in your AWS account.
```sh
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDataFederation
metadata:
  name: my-federated-deployment
spec:
  name: my-fdi
  privateEndpoints:
    - endpointId: {vpce-id}
      provider: AWS
      type: DATA_LAKE
EOF
```
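The steps above wrapped into one script, as an added example that is not from the Atlas documentation or the Atlas Kubernetes Operator project: it enforces the at-least-one-subnet caveat before calling the AWS CLI, checks that the value returned really is a VpcEndpointId, and only then renders the AtlasDataFederation resource. The ATLAS_PE_RUN variable, the function names and the sample ids are assumptions; an end-to-end run assumes aws and kubectl are configured.

```shell
# Added example (not from the Atlas docs or the Atlas Kubernetes Operator
# project); ATLAS_PE_RUN, the function names and the sample ids are constructed.

# Caveat from the CLI step: an interface endpoint needs at least one subnet;
# without one AWS provisions nothing and clients in the VPC cannot reach it.
require_subnets() {
  [ "$#" -ge 1 ] || { echo "error: at least one --subnet-ids value is required" >&2; return 1; }
  for s in "$@"; do
    case "$s" in subnet-*) ;; *) echo "error: '$s' is not a subnet id" >&2; return 1 ;; esac
  done
}

# Sanity-check the VpcEndpointId returned by AWS before it goes into the CR.
valid_vpce_id() {
  printf '%s\n' "$1" | grep -Eq '^vpce-[0-9a-f]{8,17}$'
}

# Create the interface endpoint and print only its VpcEndpointId
# (--query and --output are standard AWS CLI options).
create_endpoint() { # vpc_id region service_name subnet_id...
  vpc="$1"; region="$2"; svc="$3"; shift 3
  require_subnets "$@" || return 1
  aws ec2 create-vpc-endpoint --vpc-id "$vpc" --region "$region" \
    --service-name "$svc" --vpc-endpoint-type Interface --subnet-ids "$@" \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Render the AtlasDataFederation manifest from the procedure with the endpoint filled in.
render_fdi_manifest() { # cr_name fdi_name vpce_id
  valid_vpce_id "$3" || { echo "error: '$3' is not a VpcEndpointId" >&2; return 1; }
  cat <<EOF
apiVersion: atlas.mongodb.com/v1
kind: AtlasDataFederation
metadata:
  name: $1
spec:
  name: $2
  privateEndpoints:
    - endpointId: $3
      provider: AWS
      type: DATA_LAKE
EOF
}

# End-to-end run only when explicitly enabled (needs aws and kubectl configured), e.g.
#   ATLAS_PE_RUN=1 sh pe.sh vpc-XXXX us-east-1 com.amazonaws.vpce.us-east-1.vpce-svc-XXXX subnet-XXXX
if [ "${ATLAS_PE_RUN:-0}" = "1" ]; then
  id=$(create_endpoint "$@") || exit 1
  render_fdi_manifest my-federated-deployment my-fdi "$id" | kubectl apply -f -
fi
```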