
Set up Private Service Connect using the API

Note
Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limitations.

Important
Serverless Instances are in Preview

Serverless instances are in preview and do not support this feature at this time. To learn more, see Serverless Instance Limitations.

You can create and manage private endpoints for GCP using Private Service Connect. Atlas currently supports the use of Private Service Connect via the Atlas API. Full UI support for GCP Private Service Connect is coming soon.

Connecting to Atlas clusters with private endpoints helps to ensure your perceived network trust boundary is not extended. These one-way connections prevent Atlas VPCs from initiating connections back to your GCP VPCs.

Atlas uses internal load balancers and service attachments to connect your clusters to your VPC. Private Service Connect uses one load balancer per node. To ensure the availability of resources for both current and future clusters, Atlas creates all the service attachments and internal load balancers for a region when you activate Private Service Connect for that region.

  1. Create the endpoint service for a region in Atlas to enable the feature. After you enable Private Service Connect, Atlas does the following actions:

    • Creates its own VPC. If Atlas is already using a VPC for GCP resources, Atlas will use the existing VPC.
    • Creates 50 load balancers and service attachments for that region.
    • Places existing clusters within the region behind a network load balancer in the Atlas VPC. Atlas creates a separate load balancer for each node within every cluster.
    • Reserves any remaining load balancers and service attachments for your future clusters within that region.
  2. Get the endpoint service for the region in Atlas to retrieve the service attachment names.

    Note

    You can't retrieve the service attachment names or complete the next steps until Atlas finishes creating the endpoint service. Wait for the Status value to become AVAILABLE when you get the endpoint service for the region before proceeding.

  3. Follow GCP's steps for configuring Private Service Connect to access services, including the following steps:

    • Create private endpoints. Each private endpoint reserves an IP address within your GCP VPC and forwards traffic from that IP address to a service attachment. You must create exactly as many private endpoints as there are service attachments; the default number of service attachments is 50.
  4. Create a private endpoint group in Atlas, which represents the collection of 50 forwarding rules. You must specify the following items:

    • Static IP addresses you reserved.
    • Names of the forwarding rules you created.

    When creating private endpoint groups, you can:

    • Create multiple endpoint groups in a region. This allows you to create multiple connection strings for a cluster.
    • Create one endpoint group per region for a single multi-region cluster.

    Note

    You can't use multiple endpoint groups per region and multi-region clusters with Private Service Connect at the same time.

  5. Atlas uses the forwarding rules to provide a secure one-way connection from your GCP VPC to the network load balancers in the Atlas VPC. You can retrieve the connection string from the connect modal.
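The two checks the workflow above depends on, the Status gate in step 2 and the one-endpoint-per-service-attachment requirement in steps 3 and 4, as an added example that is not part of the Atlas documentation or the Atlas API client. The response and request field names (serviceAttachmentNames, endpointGroupName, gcpProjectId, endpoints, ipAddress, endpointName) are assumed from the Atlas API v1.0; the sample response, IPs and rule names are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed sample of an endpoint-service GET response. Field names follow
# the Atlas API v1.0 as assumed in the lead-in; two attachments stand in for
# the default 50, and the IDs and project name are placeholders.
SAMPLE_ENDPOINT_SERVICE = {
    "id": "ENDPOINT-SERVICE-ID-PLACEHOLDER",
    "regionName": "CENTRAL_US",
    "status": "AVAILABLE",
    "serviceAttachmentNames": [
        "projects/example-project/regions/us-central1/serviceAttachments/sa-0",
        "projects/example-project/regions/us-central1/serviceAttachments/sa-1",
    ],
}

def service_attachments_if_ready(endpoint_service: Dict) -> List[str]:
    """Return the service attachment names only once Atlas reports the
    endpoint service AVAILABLE; otherwise raise so the caller keeps polling
    rather than building endpoints against an incomplete attachment set."""
    status = endpoint_service.get("status")
    if status != "AVAILABLE":
        raise RuntimeError(f"endpoint service not ready: status={status}")
    return list(endpoint_service["serviceAttachmentNames"])

def build_endpoint_group_request(group_name: str, gcp_project_id: str,
                                 reserved_ips: List[str], forwarding_rules: List[str],
                                 service_attachments: List[str]) -> Dict:
    """Build the request body for creating the Atlas private endpoint group,
    enforcing one private endpoint (reserved IP + forwarding rule) per
    service attachment, with no duplicates."""
    n = len(service_attachments)
    if len(reserved_ips) != n or len(forwarding_rules) != n:
        raise ValueError(f"need exactly {n} IPs and {n} forwarding rules, got "
                         f"{len(reserved_ips)} and {len(forwarding_rules)}")
    if len(set(reserved_ips)) != n or len(set(forwarding_rules)) != n:
        raise ValueError("reserved IPs and forwarding rule names must be unique")
    return {
        "endpointGroupName": group_name,
        "gcpProjectId": gcp_project_id,
        "endpoints": [{"ipAddress": ip, "endpointName": rule}
                      for ip, rule in zip(reserved_ips, forwarding_rules)],
    }

if __name__ == "__main__":
    attachments = service_attachments_if_ready(SAMPLE_ENDPOINT_SERVICE)
    print(json.dumps(build_endpoint_group_request(
        "psc-group-1", "example-project", ["10.0.0.10", "10.0.0.11"],
        ["psc-rule-0", "psc-rule-1"], attachments), indent=2))
```

The returned dictionary is the JSON body you would POST to the Atlas API when creating the endpoint group; the count check keeps a partially provisioned set of forwarding rules from being registered.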

The following considerations apply to GCP private endpoints:

You don't need to take additional actions to ensure that GCP private endpoint connections to Atlas can withstand an availability zone outage.

When you enable private endpoints, you can still enable access to your Atlas clusters using other methods, such as adding public IPs to IP access lists and network peering.

To enable connections through Private Service Connect, complete the prerequisites and create the endpoint group using the Atlas API.
