Set up Private Service Connect using the API
This feature is not available for M0 free clusters and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limitations.
Serverless instances are in preview and do not support this feature at this time. To learn more, see Serverless Instance Limitations.
You can create and manage private endpoints for GCP using Private Service Connect. Atlas currently supports the use of Private Service Connect via the Atlas API. Full UI support for GCP Private Service Connect is coming soon.
Connecting to Atlas clusters with private endpoints helps to ensure your perceived network trust boundary is not extended. These one-way connections prevent Atlas VPCs from initiating connections back to your GCP VPCs.
Atlas uses internal load balancers and service attachments to connect your clusters to your VPC. Private Service Connect uses one load balancer per node. To ensure the availability of resources for both current and future clusters, Atlas creates all the service attachments and internal load balancers for a region when you activate Private Service Connect for that region.
Create the endpoint service for a region in Atlas to enable the feature. After you enable Private Service Connect, Atlas does the following:
- Creates its own VPC. If Atlas is already using a VPC for GCP resources, Atlas will use the existing VPC.
- Creates 50 load balancers and service attachments for that region.
- Places existing clusters within the region behind a network load balancer in the Atlas VPC. Atlas creates a separate load balancer for each node within every cluster.
- Reserves any remaining load balancers and service attachments for your future clusters within that region.
Get the endpoint service for the region in Atlas to retrieve the service attachment names.

Note: You can't retrieve the service attachment names or complete the next steps until Atlas finishes creating the endpoint service. Wait for the Status value to become AVAILABLE when you get the endpoint service for the region before proceeding.
Follow GCP's steps for configuring Private Service Connect to access services, including the following steps:
- Create private endpoints. Each private endpoint reserves an IP address within your GCP VPC and forwards traffic from that IP address to the service attachments. You must create the same number of private endpoints as there are service attachments. The default number of service attachments is 50.
Create a private endpoint group in Atlas, which represents the collection of 50 forwarding rules. You must specify the following items:
- Static IP addresses you reserved.
- Names of the forwarding rules you created.
When creating private endpoint groups, you can:
- Create multiple endpoint groups in a region. This allows you to create multiple connection strings for a cluster.
- Create one endpoint group per region for a single multi-region cluster.
You can't use multiple endpoint groups per region and multi-region clusters with Private Service Connect at the same time.
- Atlas uses the forwarding rules to provide a secure one-way connection from your GCP VPC to the network load balancers in the Atlas VPC. You can retrieve the connection string from the connect modal.
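The following is an added example, not code from the Atlas documentation, that models the API workflow above: it polls the endpoint service until its Status is AVAILABLE, then assembles the endpoint-group request from the reserved IP addresses and forwarding-rule names, refusing to proceed unless the counts match the number of service attachments. The HTTP GET is injected as a callable so the logic runs offline; the JSON field names and the FAILED state are assumptions rather than confirmed Atlas API shapes.

```python
# Added example (not from the Atlas docs): poll the endpoint service until its
# status is AVAILABLE, then build the endpoint-group request from reserved IPs
# and forwarding-rule names. fetch_service is an injected GET so it runs offline;
# JSON field names ("status", "serviceAttachmentNames", "endpoints", ...) and the
# FAILED terminal state are assumptions, not confirmed Atlas API shapes.
import time
from typing import Callable

def wait_for_service_attachments(fetch_service: Callable[[], dict],
                                 attempts: int = 60, delay_s: float = 0.0) -> list:
    """Return the service attachment names once the endpoint service is AVAILABLE."""
    for _ in range(attempts):
        service = fetch_service()          # one decoded GET response
        status = service.get("status")
        if status == "AVAILABLE":
            return list(service["serviceAttachmentNames"])
        if status == "FAILED":             # assumed terminal state; stop polling
            raise RuntimeError("endpoint service creation failed: %r" % service)
        time.sleep(delay_s)
    raise TimeoutError("endpoint service not AVAILABLE after %d polls" % attempts)

def build_endpoint_group_request(group_name: str, gcp_project_id: str,
                                 attachments: list, ip_addresses: list,
                                 forwarding_rules: list) -> dict:
    """Pair every service attachment with one reserved IP and one forwarding rule."""
    n = len(attachments)
    # The page's rule: as many private endpoints as service attachments (50 by default).
    if not (len(ip_addresses) == len(forwarding_rules) == n):
        raise ValueError("need exactly %d IPs and forwarding rules, got %d and %d"
                         % (n, len(ip_addresses), len(forwarding_rules)))
    if len(set(ip_addresses)) != n or len(set(forwarding_rules)) != n:
        raise ValueError("reserved IPs and forwarding-rule names must be unique")
    return {
        "endpointGroupName": group_name,
        "gcpProjectId": gcp_project_id,
        "endpoints": [{"ipAddress": ip, "endpointName": rule}
                      for ip, rule in zip(ip_addresses, forwarding_rules)],
    }

def demo() -> dict:
    """Run the flow against constructed sample responses (two polls, 50 attachments)."""
    responses = iter([{"status": "INITIATING"},
                      {"status": "AVAILABLE",
                       "serviceAttachmentNames": ["sa-%d" % i for i in range(50)]}])
    names = wait_for_service_attachments(lambda: next(responses))
    return build_endpoint_group_request(
        "pe-group-1", "my-gcp-project", names,
        ["10.0.0.%d" % (10 + i) for i in range(50)],
        ["atlas-psc-%d" % i for i in range(50)])
```

The real calls would be the Atlas endpoint-service GET and endpoint-group POST for your project, with the GCP forwarding rules created beforehand against the returned service attachment names.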
The following considerations apply to GCP private endpoints:
You don't need to take additional actions to ensure that GCP private endpoint connections to Atlas can withstand an availability zone outage.
IP Access Lists and Network Peering Connections with Private Endpoints
To enable connections through Private Service Connect, complete the prerequisites and create the endpoint group using the Atlas API.