Configure Network Peering
On this page
Note
This feature is not available for
M0
free clusters,M2
, andM5
clusters. To learn more, see Atlas M0 (Free Cluster), M2, and M5 Limits.This feature is not supported on Serverless instances at this time. To learn more, see Serverless Instance Limitations.
Atlas supports network peering connections for dedicated clusters hosted on AWS, Google Cloud, and Azure, and on multi-cloud sharded clusters.
Network peering establishes a private connection between your Atlas VPC and your cloud provider's VPC. The connection isolates traffic from public networks for added security.
Atlas doesn't support network peering between clusters you deploy in a single region on different cloud providers.
To manage your network peering connections with Atlas Kubernetes Operator, you can
specify and update the spec.networkPeers
parameter for the
AtlasProject
Custom Resource. Each time you change the spec
field in any of the supported custom resources, Atlas Kubernetes Operator
creates or updates the
corresponding Atlas configuration.
Prerequisites
To configure network peering using Atlas Kubernetes Operator, you require:
A running Kubernetes cluster with Atlas Kubernetes Operator deployed.
The
Project Owner
orOrganization Owner
role in Atlas.If you have not already done so, create your VPC in AWS. To learn more, see Get Started with Amazon VPC.
A network traffic rule for outbound traffic.
Create the following network traffic rule on your AWS security group attached to your resources that connect to Atlas:
PermissionDirectionPortTargetAllowoutbound27015-27017 inclusiveto your Atlas CIDR
A running Kubernetes cluster with Atlas Kubernetes Operator deployed.
The
Project Owner
orOrganization Owner
role in Atlas.If you have not already done so, create your VNet in Azure. To learn more, see Create a virtual network using the Azure portal.
Azure roles required to configure a network peering connection.
To learn more, see the Azure Permissions.
A service principal for the Atlas peering application ID.
Note
For details about how Atlas creates Network Peering connections with Azure VPCs, see the
Azure
tab in Set Up a Network Peering Connection.You must complete the following steps before you create each Azure network peering connection:
Run the following Azure CLI command to create a service principal using the specified Atlas peering application ID:
az ad sp create --id e90a1407-55c3-432d-9cb1-3638900a9d22 You only have to do this once for each subscription. If you receive the following message, the service principal with the Atlas peering application ID already exists. Proceed to the next step.
Another object with the same value for property servicePrincipalNames already exists. Copy the following example
peering-role.json
file and save it to your current working directory:1 { 2 "Name":"AtlasPeering/<azureSubscriptionId>/<resourceGroupName>/<vnetName>", 3 "IsCustom":true, 4 "Description":"Grants MongoDB access to manage peering connections on network /subscriptions/<azureSubscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>", 5 "Actions":[ 6 "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", 7 "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", 8 "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete", 9 "Microsoft.Network/virtualNetworks/peer/action" 10 ], 11 "AssignableScopes":[ 12 "/subscriptions/<azureSubscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>" 13 ] 14 } Replace the variables in the
peering-role.json
with details about the Azure VNet to which you want to create a peering connection:VariableDescriptionazureSubscriptionId
Unique identifer of the Azure subscription in which the VNet resides.resourceGroupName
Name of your Azure resource group.vnetName
Name of your Azure VNet.Run the following Azure CLI command to create the role definition using the
peering-role.json
file:az role definition create --role-definition peering-role.json Run the Azure CLI command shown below to assign the role you created to the service principal.
Replace the variables with the same values you used in the
peering-role.json
file.az role assignment create \ --role "AtlasPeering/<azureSubscriptionId>/<resourceGroupName>/<vnetName>" \ --assignee "e90a1407-55c3-432d-9cb1-3638900a9d22" \ --scope "/subscriptions/<azureSubscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>"
A running Kubernetes cluster with Atlas Kubernetes Operator deployed.
The
Project Owner
orOrganization Owner
role in Atlas.A Google Cloud user account with an IAM user policy and a Compute Network Admin role that grants permissions to create, modify, and delete networking resources. To learn more about managing private endpoints and connections in Google Cloud, see Create and Modify Virtual Private Cloud (VPC) Networks.
If you have not already done so, create your VPC in Google Cloud. To learn more, see the GCP documentation.
Procedure
Enable clients to connect to Atlas clusters using a network peering connection with the following procedure:
Specify the spec.networkPeers
parameter.
You can configure network peering to use an existing container or a new container.
Use an Existing Container
Specify the
spec.networkPeers
parameter in theAtlasProject
Custom Resource. Replace the following placeholders with your values:PlaceholderDescriptionspec.networkPeers.providerName
Cloud provider name. SpecifyAWS
.spec.networkPeers.containerId
Unique identifier for the network peering container you want to use. If you don't specifycontainerId
, you must setatlasCIDRblock
. To learn more, see the Create New Container section in this procedure.spec.networkPeers.accepterRegionName
AWS region for your VPC.spec.networkPeers.awsAccountId
Unique identifier for your AWS account. AWS displays the account ID when you click the account name in the top right corner of the console home page.spec.networkPeers.routeTableCidrBlock
CIDR block for your AWS VPC. AWS displays the CIDR block on your VPC's details page.spec.networkPeers.vpcId
Unique identifier for your AWS VPC. AWS displays the VPC ID on your VPC's details page.Run the following command:
cat <<EOF | kubectl apply -f - apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test Atlas Operator Project networkPeers: - providerName: "AWS" containerID: "6dc5f17280eef56a459fa3fb" accepterRegionName: "us-east-2" awsAccountId: "12345678" routeTableCidrBlock: "10.0.0.0/24" vpcId: "vpc-12345678" EOF
Create a New Container
Specify the
spec.networkPeers
parameter in theAtlasProject
Custom Resource. Replace the following placeholders with your values:PlaceholderDescriptionspec.networkPeers.providerName
Cloud provider name. SpecifyAWS
.spec.networkPeers.atlasCidrBlock
Atlas CIDR block for which Atlas Kubernetes Operator creates a new container. If you don't specifyatlasCidrBlock
, you must specify thecontainerId
of an existing container. To learn more, see the Use Existing Container section in this procedure.spec.networkPeers.containerRegion
(Optional) AWS region in which Atlas Kubernetes Operator creates a new container. If you don't specify either acontainerRegion
or acontainerId
, Atlas Kubernetes Operator creates a new container in the same region as theaccepterRegionName
.spec.networkPeers.accepterRegionName
AWS region for your VPC.spec.networkPeers.awsAccountId
Unique identifier for your AWS account. AWS displays the account ID when you click the account name in the top right corner of the console home page.spec.networkPeers.routeTableCidrBlock
CIDR block for your AWS VPC. AWS displays the CIDR block on your VPC's details page.spec.networkPeers.vpcId
Unique identifier for your AWS VPC. AWS displays the VPC ID on your VPC's details page.Run the following command:
cat <<EOF | kubectl apply -f - apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test Atlas Operator Project networkPeers: - providerName: "AWS" atlasCidrBlock: "10.8.0.0/21" containerRegion: "us-west-1" accepterRegionName: "us-east-2" awsAccountId: "12345678" routeTableCidrBlock: "10.0.0.0/24" vpcId: "vpc-12345678" EOF
Check for the WAITING FOR USER
status.
Run the following command:
kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.statusName}' WAITING FOR USER If the
statusName
value isWAITING FOR USER
, proceed to the next step. If thestatusName
is notWAITING FOR USER
, wait a few minutes and try this step again.
Accept the VPC peering connection in AWS.
To learn more, see Accept a VPC peering connection.
Check the status of your VPC connection using Atlas Kubernetes Operator.
Run the following command again to check the status of the
VPC connection. Atlas Kubernetes Operator returns READY
when the network peering connection is complete.
kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.statusName}'
READY
Specify the spec.networkPeers
parameter.
You can configure network peering to use an existing container or a new container.
Use an Existing Container
Specify the
spec.networkPeers
parameter in theAtlasProject
Custom Resource. Replace the following placeholders with your values:PlaceholderDescriptionspec.networkPeers.providerName
Cloud provider name. SpecifyAZURE
.spec.networkPeers.containerId
Unique identifier for the network peering container you want to use. If you don't specifycontainerId
, you must setatlasCIDRblock
. To learn more, see the Create New Container section in this procedure.spec.networkPeers.accepterRegionName
Azure region for your VPC.spec.networkPeers.azureSubscriptionId
Unique identifier for your Azure subscription. Azure displays the subscription ID on the subscription's details page.spec.networkPeers.resourceGroupName
Human-readable label that identifies the Azure resource group that contains the VPC. Azure displays the resource group name on the resource group's details page.spec.networkPeers.azureDirectoryId
Unique identifier for your Azure Active Directory tenant. Azure displays this as theTenant ID
on the tenant properties page.spec.networkPeers.vnetName
Human-readable label that identifies your Azure VNET. Azure displays the VNET name on your VNET's details page.Run the following command:
cat <<EOF | kubectl apply -f - apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test Atlas Operator Project networkPeers: - providerName: "AZURE" containerID: "6dc5f17280eef56a459fa3fb" atlasCidrBlock: "10.8.0.0/21" containerRegion: "US_WEST" accepterRegionName: "US_EAST_2" azureSubscriptionId: "12345678" resourceGroupName: "my-group" azureDirectoryId: "x0xxx10-00x0-0x01-0xxx-x0x0x01xx100" vnetName: "my-vnet" EOF
Create a New Container
Specify the
spec.networkPeers
parameter in theAtlasProject
Custom Resource. Replace the following placeholders with your values:PlaceholderDescriptionspec.networkPeers.providerName
Cloud provider name. SpecifyAZURE
.spec.networkPeers.atlasCidrBlock
Atlas CIDR block for which Atlas Kubernetes Operator creates a new container. If you don't specifyatlasCidrBlock
, you must specify thecontainerId
of an existing container. To learn more, see the Use Existing Container section in this procedure.spec.networkPeers.containerRegion
(Optional) Azure region in which Atlas Kubernetes Operator creates a new container. If you don't specify either acontainerRegion
or acontainerId
, Atlas Kubernetes Operator creates a new container in the same region as theaccepterRegionName
.spec.networkPeers.accepterRegionName
Azure region for your VPC.spec.networkPeers.azureSubscriptionId
Unique identifier for your Azure subscription. Azure displays the subscription ID on the subscription's details page.spec.networkPeers.resourceGroupName
Human-readable label that identifies the Azure resource group that contains the VPC. Azure displays the resource group name on the resource group's details page.spec.networkPeers.azureDirectoryId
Unique identifier for your Azure active directory tenant. Azure displays this as theTenant ID
on the tenant properties page.spec.networkPeers.vnetName
Human-readable label that identifies your Azure VNET. Azure displays the VNET name on your VNET's details page.Run the following command:
cat <<EOF | kubectl apply -f - apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test Atlas Operator Project networkPeers: - providerName: "AZURE" atlasCidrBlock: "10.8.0.0/21" containerRegion: "US_WEST" accepterRegionName: "US_EAST_2" azureSubscriptionId: "12345678" resourceGroupName: "my-group" azureDirectoryId: "x0xxx10-00x0-0x01-0xxx-x0x0x01xx100" vnetName: "my-vnet" EOF
Check the status of your VPC connection using Atlas Kubernetes Operator.
Run the following command to check the status of the
VPC connection. Atlas Kubernetes Operator returns READY
when the network peering connection is complete.
kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.status}'
READY
Specify the spec.networkPeers
parameter.
You can configure network peering to use an existing container or a new container.
Use an Existing Container
Specify the
spec.networkPeers
parameter in theAtlasProject
Custom Resource. Replace the following placeholders with your values:PlaceholderDescriptionspec.networkPeers.providerName
Cloud provider name. SpecifyGCP
.spec.networkPeers.containerId
Unique identifier for the network peering container you want to use. If you don't specifycontainerId
, you must setatlasCIDRblock
andcontainerRegion
. To learn more, see the Create New Container section in this procedure.spec.networkPeers.gcpProjectId
Unique identifier for your Google Cloud project. Google Cloud displays the project ID on the project's details page.spec.networkPeers.routeTableCidrBlock
CIDR block for your Google Cloud VPC. Google Cloud displays the CIDR block on your VPC's details page.spec.networkPeers.networkName
Human-readable label for your Google Cloud VPC. Google Cloud displays the network name on your VPC's details page.Run the following command:
cat <<EOF | kubectl apply -f - apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test Atlas Operator Project networkPeers: - providerName: "GCP" containerId: "6dc5f17280eef56a459fa3fb" gcpProjectId: "12345678" routeTableCidrBlock: "10.0.0.0/24" networkName: "my-vpc" EOF
Create a New Container
Specify the
spec.networkPeers
parameter in theAtlasProject
Custom Resource. Replace the following placeholders with your values:PlaceholderDescriptionspec.networkPeers.providerName
Cloud provider name. SpecifyGCP
.spec.networkPeers.atlasCidrBlock
Atlas CIDR block for which Atlas Kubernetes Operator creates a new container. If you don't specifyatlasCidrBlock
, you must specify thecontainerId
of an existing container. To learn more, see the Use Existing Container section in this procedure.spec.networkPeers.containerRegion
Google Cloud region for your VPC.spec.networkPeers.containerRegion
Google Cloud region in which Atlas Kubernetes Operator creates a new container. If you don't specifycontainerRegion
, you must specify thecontainerId
of an existing container. To learn more, see the Use Existing Container section in this procedure.spec.networkPeers.gcpProjectId
Unique identifier for your Google Cloud project. Google Cloud displays the project ID on the project's details page.spec.networkPeers.routeTableCidrBlock
CIDR block for your Google Cloud VPC. Google Cloud displays the CIDR block on your VPC's details page.spec.networkPeers.networkName
Human-readable label for your Google Cloud VPC. Google Cloud displays the network name on your VPC's details page.Run the following command:
cat <<EOF | kubectl apply -f - apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test Atlas Operator Project networkPeers: - providerName: "GCP" atlasCidrBlock: "10.8.0.0/21" containerRegion: "us-east1" gcpProjectId: "12345678" routeTableCidrBlock: "10.0.0.0/24" networkName: "my-vpc" EOF
Check for the PENDING ACCEPTANCE
status.
Run the following command:
kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.status}' PENDING ACCEPTANCE If the
status
value isPENDING ACCEPTANCE
, proceed to the next step. If thestatus
is notPENDING ACCEPTANCE
, wait a few minutes and try this step again.
Create the VPC peering connection in Google Cloud.
To learn more, see Using VPC Network Peering.
Check the status of your VPC connection using Atlas Kubernetes Operator.
Run the following command again to check the status of the
VPC connection. Atlas Kubernetes Operator returns READY
when the network peering connection is complete.
kubectl get atlasprojects my-project -o=jsonpath='{.status.networkPeers.status}'
READY