Docs Menu
Docs Home
/ /
MongoDB Atlas Kubernetes Operator
/

Configure Network Peering

On this page

  • Prerequisites
  • Procedure

Note

  • This feature is not available for M0 free clusters, M2, and M5 clusters. To learn more, see Atlas M0 (Free Cluster), M2, and M5 Limits.

  • This feature is not supported on Serverless instances at this time. To learn more, see Serverless Instance Limitations.

Atlas supports network peering connections for dedicated clusters hosted on AWS, Google Cloud, and Azure, and on multi-cloud sharded clusters.

Network peering establishes a private connection between your Atlas VPC and your cloud provider's VPC. The connection isolates traffic from public networks for added security.

Atlas doesn't support network peering between clusters you deploy in a single region on different cloud providers.

To manage your network peering connections with Atlas Kubernetes Operator, you can specify and update the spec.networkPeers parameter for the AtlasProject Custom Resource. Each time you change the spec field in any of the supported custom resources, Atlas Kubernetes Operator creates or updates the corresponding Atlas configuration.

To configure network peering using Atlas Kubernetes Operator, you require:

  • A running Kubernetes cluster with Atlas Kubernetes Operator deployed.

  • The Project Owner or Organization Owner role in Atlas.

  • If you have not already done so, create your VPC in AWS. To learn more, see Get Started with Amazon VPC.

  • A network traffic rule for outbound traffic.

    Create the following network traffic rule on your AWS security group attached to your resources that connect to Atlas:

    Permission
    Direction
    Port
    Target
    Allow
    outbound
    27015-27017 inclusive
    to your Atlas CIDR
  • A running Kubernetes cluster with Atlas Kubernetes Operator deployed.

  • The Project Owner or Organization Owner role in Atlas.

  • If you have not already done so, create your VNet in Azure. To learn more, see Create a virtual network using the Azure portal.

  • Azure roles required to configure a network peering connection.

    To learn more, see the Azure Permissions.

  • A service principal for the Atlas peering application ID.

    Note

    For details about how Atlas creates Network Peering connections with Azure VPCs, see the Azure tab in Set Up a Network Peering Connection.

    You must complete the following steps before you create each Azure network peering connection:

    1. Run the following Azure CLI command to create a service principal using the specified Atlas peering application ID:

      az ad sp create --id e90a1407-55c3-432d-9cb1-3638900a9d22

      You only have to do this once for each subscription. If you receive the following message, the service principal with the Atlas peering application ID already exists. Proceed to the next step.

      Another object with the same value for property servicePrincipalNames already exists.
    2. Copy the following example peering-role.json file and save it to your current working directory:

      1{
      2 "Name":"AtlasPeering/<azureSubscriptionId>/<resourceGroupName>/<vnetName>",
      3 "IsCustom":true,
      4 "Description":"Grants MongoDB access to manage peering connections on network /subscriptions/<azureSubscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>",
      5 "Actions":[
      6 "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
      7 "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
      8 "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
      9 "Microsoft.Network/virtualNetworks/peer/action"
      10 ],
      11 "AssignableScopes":[
      12 "/subscriptions/<azureSubscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>"
      13 ]
      14}
    3. Replace the variables in the peering-role.json with details about the Azure VNet to which you want to create a peering connection:

      Variable
      Description
      azureSubscriptionId
      Unique identifer of the Azure subscription in which the VNet resides.
      resourceGroupName
      Name of your Azure resource group.
      vnetName
      Name of your Azure VNet.
    4. Run the following Azure CLI command to create the role definition using the peering-role.json file:

      az role definition create --role-definition peering-role.json
    5. Run the Azure CLI command shown below to assign the role you created to the service principal.

      Replace the variables with the same values you used in the peering-role.json file.

      az role assignment create \
      --role "AtlasPeering/<azureSubscriptionId>/<resourceGroupName>/<vnetName>" \
      --assignee "e90a1407-55c3-432d-9cb1-3638900a9d22" \
      --scope "/subscriptions/<azureSubscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>"

Enable clients to connect to Atlas clusters using a network peering connection with the following procedure:

1

You can configure network peering to use an existing container or a new container.

  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description
    spec.networkPeers.providerName
    Cloud provider name. Specify AWS.
    spec.networkPeers.containerId
    Unique identifier for the network peering container you want to use. If you don't specify containerId, you must set atlasCIDRblock. To learn more, see the Create New Container section in this procedure.
    spec.networkPeers.accepterRegionName
    AWS region for your VPC.
    spec.networkPeers.awsAccountId
    Unique identifier for your AWS account. AWS displays the account ID when you click the account name in the top right corner of the console home page.
    spec.networkPeers.routeTableCidrBlock
    CIDR block for your AWS VPC. AWS displays the CIDR block on your VPC's details page.
    spec.networkPeers.vpcId
    Unique identifier for your AWS VPC. AWS displays the VPC ID on your VPC's details page.
  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
    name: my-project
    spec:
    name: Test Atlas Operator Project
    networkPeers:
    - providerName: "AWS"
    containerID: "6dc5f17280eef56a459fa3fb"
    accepterRegionName: "us-east-2"
    awsAccountId: "12345678"
    routeTableCidrBlock: "10.0.0.0/24"
    vpcId: "vpc-12345678"
    EOF
  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description
    spec.networkPeers.providerName
    Cloud provider name. Specify AWS.
    spec.networkPeers.atlasCidrBlock
    Atlas CIDR block for which Atlas Kubernetes Operator creates a new container. If you don't specify atlasCidrBlock, you must specify the containerId of an existing container. To learn more, see the Use Existing Container section in this procedure.
    spec.networkPeers.containerRegion
    (Optional) AWS region in which Atlas Kubernetes Operator creates a new container. If you don't specify either a containerRegion or a containerId, Atlas Kubernetes Operator creates a new container in the same region as the accepterRegionName.
    spec.networkPeers.accepterRegionName
    AWS region for your VPC.
    spec.networkPeers.awsAccountId
    Unique identifier for your AWS account. AWS displays the account ID when you click the account name in the top right corner of the console home page.
    spec.networkPeers.routeTableCidrBlock
    CIDR block for your AWS VPC. AWS displays the CIDR block on your VPC's details page.
    spec.networkPeers.vpcId
    Unique identifier for your AWS VPC. AWS displays the VPC ID on your VPC's details page.
  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
    name: my-project
    spec:
    name: Test Atlas Operator Project
    networkPeers:
    - providerName: "AWS"
    atlasCidrBlock: "10.8.0.0/21"
    containerRegion: "us-west-1"
    accepterRegionName: "us-east-2"
    awsAccountId: "12345678"
    routeTableCidrBlock: "10.0.0.0/24"
    vpcId: "vpc-12345678"
    EOF
2
  1. Run the following command:

    kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.statusName}'
    WAITING FOR USER
  2. If the statusName value is WAITING FOR USER, proceed to the next step. If the statusName is not WAITING FOR USER, wait a few minutes and try this step again.

3

To learn more, see Accept a VPC peering connection.

4

Run the following command again to check the status of the VPC connection. Atlas Kubernetes Operator returns READY when the network peering connection is complete.

kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.statusName}'
READY
1

You can configure network peering to use an existing container or a new container.

  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description
    spec.networkPeers.providerName
    Cloud provider name. Specify AZURE.
    spec.networkPeers.containerId
    Unique identifier for the network peering container you want to use. If you don't specify containerId, you must set atlasCIDRblock. To learn more, see the Create New Container section in this procedure.
    spec.networkPeers.accepterRegionName
    Azure region for your VPC.
    spec.networkPeers.azureSubscriptionId
    Unique identifier for your Azure subscription. Azure displays the subscription ID on the subscription's details page.
    spec.networkPeers.resourceGroupName
    Human-readable label that identifies the Azure resource group that contains the VPC. Azure displays the resource group name on the resource group's details page.
    spec.networkPeers.azureDirectoryId
    Unique identifier for your Azure Active Directory tenant. Azure displays this as the Tenant ID on the tenant properties page.
    spec.networkPeers.vnetName
    Human-readable label that identifies your Azure VNET. Azure displays the VNET name on your VNET's details page.
  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
    name: my-project
    spec:
    name: Test Atlas Operator Project
    networkPeers:
    - providerName: "AZURE"
    containerID: "6dc5f17280eef56a459fa3fb"
    atlasCidrBlock: "10.8.0.0/21"
    containerRegion: "US_WEST"
    accepterRegionName: "US_EAST_2"
    azureSubscriptionId: "12345678"
    resourceGroupName: "my-group"
    azureDirectoryId: "x0xxx10-00x0-0x01-0xxx-x0x0x01xx100"
    vnetName: "my-vnet"
    EOF
  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description
    spec.networkPeers.providerName
    Cloud provider name. Specify AZURE.
    spec.networkPeers.atlasCidrBlock
    Atlas CIDR block for which Atlas Kubernetes Operator creates a new container. If you don't specify atlasCidrBlock, you must specify the containerId of an existing container. To learn more, see the Use Existing Container section in this procedure.
    spec.networkPeers.containerRegion
    (Optional) Azure region in which Atlas Kubernetes Operator creates a new container. If you don't specify either a containerRegion or a containerId, Atlas Kubernetes Operator creates a new container in the same region as the accepterRegionName.
    spec.networkPeers.accepterRegionName
    Azure region for your VPC.
    spec.networkPeers.azureSubscriptionId
    Unique identifier for your Azure subscription. Azure displays the subscription ID on the subscription's details page.
    spec.networkPeers.resourceGroupName
    Human-readable label that identifies the Azure resource group that contains the VPC. Azure displays the resource group name on the resource group's details page.
    spec.networkPeers.azureDirectoryId
    Unique identifier for your Azure active directory tenant. Azure displays this as the Tenant ID on the tenant properties page.
    spec.networkPeers.vnetName
    Human-readable label that identifies your Azure VNET. Azure displays the VNET name on your VNET's details page.
  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
    name: my-project
    spec:
    name: Test Atlas Operator Project
    networkPeers:
    - providerName: "AZURE"
    atlasCidrBlock: "10.8.0.0/21"
    containerRegion: "US_WEST"
    accepterRegionName: "US_EAST_2"
    azureSubscriptionId: "12345678"
    resourceGroupName: "my-group"
    azureDirectoryId: "x0xxx10-00x0-0x01-0xxx-x0x0x01xx100"
    vnetName: "my-vnet"
    EOF
2

Run the following command to check the status of the VPC connection. Atlas Kubernetes Operator returns READY when the network peering connection is complete.

kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.status}'
READY
1

You can configure network peering to use an existing container or a new container.

  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description
    spec.networkPeers.providerName
    Cloud provider name. Specify GCP.
    spec.networkPeers.containerId
    Unique identifier for the network peering container you want to use. If you don't specify containerId, you must set atlasCIDRblock and containerRegion. To learn more, see the Create New Container section in this procedure.
    spec.networkPeers.gcpProjectId
    Unique identifier for your Google Cloud project. Google Cloud displays the project ID on the project's details page.
    spec.networkPeers.routeTableCidrBlock
    CIDR block for your Google Cloud VPC. Google Cloud displays the CIDR block on your VPC's details page.
    spec.networkPeers.networkName
    Human-readable label for your Google Cloud VPC. Google Cloud displays the network name on your VPC's details page.
  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
    name: my-project
    spec:
    name: Test Atlas Operator Project
    networkPeers:
    - providerName: "GCP"
    containerId: "6dc5f17280eef56a459fa3fb"
    gcpProjectId: "12345678"
    routeTableCidrBlock: "10.0.0.0/24"
    networkName: "my-vpc"
    EOF
  1. Specify the spec.networkPeers parameter in the AtlasProject Custom Resource. Replace the following placeholders with your values:

    Placeholder
    Description
    spec.networkPeers.providerName
    Cloud provider name. Specify GCP.
    spec.networkPeers.atlasCidrBlock
    Atlas CIDR block for which Atlas Kubernetes Operator creates a new container. If you don't specify atlasCidrBlock, you must specify the containerId of an existing container. To learn more, see the Use Existing Container section in this procedure.
    spec.networkPeers.containerRegion
    Google Cloud region for your VPC.
    spec.networkPeers.containerRegion
    Google Cloud region in which Atlas Kubernetes Operator creates a new container. If you don't specify containerRegion, you must specify the containerId of an existing container. To learn more, see the Use Existing Container section in this procedure.
    spec.networkPeers.gcpProjectId
    Unique identifier for your Google Cloud project. Google Cloud displays the project ID on the project's details page.
    spec.networkPeers.routeTableCidrBlock
    CIDR block for your Google Cloud VPC. Google Cloud displays the CIDR block on your VPC's details page.
    spec.networkPeers.networkName
    Human-readable label for your Google Cloud VPC. Google Cloud displays the network name on your VPC's details page.
  2. Run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
    name: my-project
    spec:
    name: Test Atlas Operator Project
    networkPeers:
    - providerName: "GCP"
    atlasCidrBlock: "10.8.0.0/21"
    containerRegion: "us-east1"
    gcpProjectId: "12345678"
    routeTableCidrBlock: "10.0.0.0/24"
    networkName: "my-vpc"
    EOF
2
  1. Run the following command:

    kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.status}'
    PENDING ACCEPTANCE
  2. If the status value is PENDING ACCEPTANCE, proceed to the next step. If the status is not PENDING ACCEPTANCE, wait a few minutes and try this step again.

3

To learn more, see Using VPC Network Peering.

4

Run the following command again to check the status of the VPC connection. Atlas Kubernetes Operator returns READY when the network peering connection is complete.

kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.status}'
READY

Back

Secret Storage

Next

Private Endpoints