
Create One Private Endpoint for One Provider

Note

Groups and projects are synonymous terms. Your {GROUP-ID} is the same as your project ID. For existing groups, your group/project ID remains the same. The resource and corresponding endpoints use the term groups.

Create one private endpoint for AWS or Azure in an Atlas project.

If the attempt to add an endpoint fails, delete it, then try to add a new one.

The Atlas API authenticates using HTTP Digest Authentication. Provide a programmatic API public key and corresponding private key as the username and password when constructing the HTTP request.

To learn how to configure API access for an Atlas project, see Configure Atlas API Access.

Prerequisites

You must complete the following steps for your cloud provider before you can create a private endpoint:

AWS

1. Create a private endpoint service.

   Create One Private Endpoint Service for One Provider in the AWS region to which you want to deploy your private endpoint.

2. Create the private endpoint.

   Create the endpoint in AWS with the following information:

   Note the VpcEndpointId in the response from the CreateVpcEndpoint AWS CLI command. Include the value of this field as the id in the request body for /groups/{GROUP-ID}/privateEndpoint/{CLOUD-PROVIDER}/endpointService/{ENDPOINT-SERVICE-ID}/endpoint.

Azure

1. Create a private endpoint service.

   Create One Private Endpoint Service for One Provider in the Azure region to which you want to deploy your private endpoint.

2. Disable the private endpoint policies.

   Disable the private endpoint policies for your peer VNet's subnet.

3. Create the private endpoint.

   Create the endpoint in Azure with the following information:

   Important

   You must add the --manual-request true parameter to the Azure CLI command that you use to create the private endpoint.

   If you receive the following error when creating the private endpoint, you ran the command without the --manual-request true parameter:

   ServiceError: code: LinkedAuthorizationFailed - , The client has permission to perform action 'Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action' on scope '/subscriptions/<subscription-id>/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink', however the current tenant '<tenant-id>' is not authorized to access linked subscription '<tenant-id>'.

Required Roles

You must have at least the Project Admin role for the project to successfully call this resource.

Request

Base URL: https://cloud.mongodb.com/api/atlas/v1.0

POST /groups/{GROUP-ID}/privateEndpoint/{CLOUD-PROVIDER}/endpointService/{ENDPOINT-SERVICE-ID}/endpoint

Request Path Parameters

{GROUP-ID} (string, Required): Unique identifier for the project for which you want to create a private endpoint.

{CLOUD-PROVIDER} (string, Required): Cloud provider for which you want to create a private endpoint. Atlas accepts AWS or AZURE.

{ENDPOINT-SERVICE-ID} (string, Required): Unique identifier of the private endpoint service for which you want to create a private endpoint.

Request Query Parameters

pretty (boolean, Optional, default false): Flag indicating whether the response body should be in a prettyprint format.

envelope (boolean, Optional, default false): Flag indicating if Atlas should wrap the response in a JSON envelope.

  This option may be needed for some API clients. These clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query.

  For endpoints that return one result, the response body includes:

  status: HTTP response code
  envelope: Expected response body

Request Body Parameters

AWS

id (string, Required): Unique identifier of the private endpoint you created in your AWS VPC.

Azure

id (string, Required): Unique identifier of the private endpoint you created in your Azure VNet.

Run the az network private-endpoint list Azure CLI command to retrieve this value:

az network private-endpoint list

The response looks similar to the following:

[
  {
    "customDnsConfigs": [],
    "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
    "location": "eastus2",
    "manualPrivateLinkServiceConnections": [
      {
        "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
        "groupIds": null,
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
        "name": "pls_5f860388d432510d5a6e1a3e",
        "privateLinkServiceConnectionState": {
          "actionsRequired": "None",
          "description": "Connection deleted by service provider",
          "status": "Disconnected"
        },
        "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.azure.privatelinkservice",
        "provisioningState": "Succeeded",
        "requestMessage": null,
        "resourceGroup": "privatelink",
        "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
      }
    ],
    "name": "privatelink",
    "networkInterfaces": [
      {
        "dnsSettings": null,
        "dscpConfiguration": null,
        "enableAcceleratedNetworking": null,
        "enableIpForwarding": null,
        "etag": null,
        "hostedWorkloads": null,
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
        "ipConfigurations": null,
        "location": null,
        "macAddress": null,
        "name": null,
        "networkSecurityGroup": null,
        "primary": null,
        "privateEndpoint": null,
        "provisioningState": null,
        "resourceGroup": "privatelink",
        "resourceGuid": null,
        "tags": null,
        "tapConfigurations": null,
        "type": null,
        "virtualMachine": null
      }
    ],
    "privateLinkServiceConnections": [],
    "provisioningState": "Succeeded",
    "resourceGroup": "privatelink",
    "subnet": {
      "addressPrefix": null,
      "addressPrefixes": null,
      "delegations": null,
      "etag": null,
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
      "ipAllocations": null,
      "ipConfigurationProfiles": null,
      "ipConfigurations": null,
      "name": null,
      "natGateway": null,
      "networkSecurityGroup": null,
      "privateEndpointNetworkPolicies": null,
      "privateEndpoints": null,
      "privateLinkServiceNetworkPolicies": null,
      "provisioningState": null,
      "purpose": null,
      "resourceGroup": "privatelink",
      "resourceNavigationLinks": null,
      "routeTable": null,
      "serviceAssociationLinks": null,
      "serviceEndpointPolicies": null,
      "serviceEndpoints": null
    },
    "tags": null,
    "type": "Microsoft.Network/privateEndpoints"
  }
]
privateEndpointIPAddress (string, Required): Private IP address of the private endpoint network interface you created in your Azure VNet.

To retrieve this value:

  1. Run the az network private-endpoint list Azure CLI command to retrieve the networkInterface.id for your private endpoint:

az network private-endpoint list

The response is the same listing shown above for the id parameter; take the value of networkInterfaces[].id from it.
  2. Run the az network nic show --id {networkInterface.id} Azure CLI command to retrieve the ipConfigurations.privateIpAddress for the private endpoint network interface. The value of this field is your privateEndpointIPAddress:

az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000

The response looks similar to the following:

{
  "dnsSettings": {
    "appliedDnsServers": [],
    "dnsServers": [],
    "internalDnsNameLabel": null,
    "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net",
    "internalFqdn": null
  },
  "dscpConfiguration": null,
  "enableAcceleratedNetworking": false,
  "enableIpForwarding": false,
  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
  "hostedWorkloads": [],
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
  "ipConfigurations": [
    {
      "applicationGatewayBackendAddressPools": null,
      "applicationSecurityGroups": null,
      "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig",
      "loadBalancerBackendAddressPools": null,
      "loadBalancerInboundNatRules": null,
      "name": "privateEndpointIpConfig",
      "primary": true,
      "privateIpAddress": "10.0.0.4",
      "privateIpAddressVersion": "IPv4",
      "privateIpAllocationMethod": "Dynamic",
      "privateLinkConnectionProperties": {
        "fqdns": [],
        "groupId": "",
        "requiredMemberName": ""
      },
      "provisioningState": "Succeeded",
      "publicIpAddress": null,
      "resourceGroup": "privatelink",
      "subnet": {
        "addressPrefix": null,
        "addressPrefixes": null,
        "delegations": null,
        "etag": null,
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
        "ipAllocations": null,
        "ipConfigurationProfiles": null,
        "ipConfigurations": null,
        "name": null,
        "natGateway": null,
        "networkSecurityGroup": null,
        "privateEndpointNetworkPolicies": null,
        "privateEndpoints": null,
        "privateLinkServiceNetworkPolicies": null,
        "provisioningState": null,
        "purpose": null,
        "resourceGroup": "privatelink",
        "resourceNavigationLinks": null,
        "routeTable": null,
        "serviceAssociationLinks": null,
        "serviceEndpointPolicies": null,
        "serviceEndpoints": null
      },
      "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
      "virtualNetworkTaps": null
    }
  ],
  "location": "eastus2",
  "macAddress": "",
  "name": "privatelink.nic.00000000-0000-0000-0000-000000000000",
  "networkSecurityGroup": null,
  "primary": null,
  "privateEndpoint": {
    "customDnsConfigs": null,
    "etag": null,
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
    "location": null,
    "manualPrivateLinkServiceConnections": null,
    "name": null,
    "networkInterfaces": null,
    "privateLinkServiceConnections": null,
    "provisioningState": null,
    "resourceGroup": "privatelink",
    "subnet": null,
    "tags": null,
    "type": null
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "privatelink",
  "resourceGuid": "00000000-0000-0000-0000-000000000000",
  "tags": null,
  "tapConfigurations": [],
  "type": "Microsoft.Network/networkInterfaces",
  "virtualMachine": null
}
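
The Azure procedure above is easy to get subtly wrong by hand (wrong resource id, a NIC from another endpoint, an endpoint created without --manual-request true). The following Python is an added example, not code from this page or from MongoDB: it builds the request body for either provider from trimmed copies of the az CLI output shown above, and refuses values that do not fit what the page requires. The regular expressions and the checks are this example's own assumptions, not Atlas validation rules.

```python
import ipaddress
import re

# Constructed sample: the fields used here, copied from the
# `az network private-endpoint list` output shown above.
PE_LIST = [{
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
    "manualPrivateLinkServiceConnections": [{"name": "pls_5f860388d432510d5a6e1a3e"}],
    "privateLinkServiceConnections": [],
    "networkInterfaces": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000"}],
}]
# Constructed sample: the fields used here from the `az network nic show` output above.
NIC = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
    "ipConfigurations": [{"name": "privateEndpointIpConfig", "primary": True, "privateIpAddress": "10.0.0.4"}],
}

# Assumed shapes (this example's own, not Atlas rules) for the two kinds of id the POST accepts.
PE_ID_RE = re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Network/privateEndpoints/[^/]+$", re.I)
VPCE_RE = re.compile(r"^vpce-[0-9a-f]{8,17}$")


def select_private_endpoint(pe_list, name):
    # An endpoint created with --manual-request true (required above) lists its
    # connection under manualPrivateLinkServiceConnections; refuse any other kind.
    for pe in pe_list:
        if pe["id"].rsplit("/", 1)[-1] == name:
            if not pe.get("manualPrivateLinkServiceConnections"):
                raise ValueError(f"{name}: no manual connection; create it with --manual-request true")
            return pe
    raise KeyError(name)


def nic_private_ip(nic):
    # privateEndpointIPAddress is the primary ipConfiguration's privateIpAddress;
    # reject anything that is not a private IPv4 address before it reaches Atlas.
    cfgs = nic["ipConfigurations"]
    primary = next((c for c in cfgs if c.get("primary")), cfgs[0])
    ip = ipaddress.ip_address(primary["privateIpAddress"])
    if ip.version != 4 or not ip.is_private:
        raise ValueError(f"unexpected endpoint address {ip}")
    return str(ip)


def azure_request_body(pe_list, nic, name):
    # Body for the AZURE form of the POST: resource id plus the NIC's private IP.
    pe = select_private_endpoint(pe_list, name)
    if not PE_ID_RE.match(pe["id"]):
        raise ValueError(f"not a privateEndpoints resource id: {pe['id']}")
    if nic["id"] != pe["networkInterfaces"][0]["id"]:
        raise ValueError("NIC does not belong to the selected private endpoint")
    return {"id": pe["id"], "privateEndpointIPAddress": nic_private_ip(nic)}


def aws_request_body(vpc_endpoint_id):
    # Body for the AWS form of the POST: the VpcEndpointId from CreateVpcEndpoint.
    if not VPCE_RE.match(vpc_endpoint_id):
        raise ValueError(f"not a VPC endpoint id: {vpc_endpoint_id}")
    return {"id": vpc_endpoint_id}
```

Feed the returned dict to the curl --data argument of the matching Example Request below; the checks run before any API key is used, so a bad value fails locally instead of as a rejected endpoint.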

Response Elements

AWS

connectionStatus (string): Status of the interface endpoint. Returns one of the following values:

  NONE: Atlas created the network load balancer and VPC endpoint service, but AWS hasn't yet created the VPC endpoint.
  PENDING_ACCEPTANCE: AWS has received the connection request from your VPC endpoint to the Atlas VPC endpoint service.
  PENDING: AWS is establishing the connection between your VPC endpoint and the Atlas VPC endpoint service.
  AVAILABLE: Atlas VPC resources are connected to the VPC endpoint in your VPC. You can connect to Atlas clusters in this region using AWS PrivateLink.
  REJECTED: AWS failed to establish a connection between Atlas VPC resources and the VPC endpoint in your VPC.
  DELETING: Atlas is removing the interface endpoint from the private endpoint connection.

deleteRequested (boolean): Flag that indicates whether Atlas received a request to remove the interface endpoint from the private endpoint connection.

errorMessage (string): Error message pertaining to the interface endpoint. Atlas returns null if there are no errors.

interfaceEndpointId (string): Unique identifier of the interface endpoint.

Azure

deleteRequested (boolean): Flag that indicates whether Atlas received a request to delete the private endpoint connection.

errorMessage (string): Error message pertaining to the private endpoint. Atlas returns null if there are no errors.

privateEndpointConnectionName (string): Name of the connection for this private endpoint that Atlas generates.

privateEndpointIpAddress (string): Private IP address of the private endpoint network interface.

privateEndpointResourceId (string): Unique identifier of the private endpoint.

status (string): Status of the interface endpoint. Atlas returns one of the following values:

  FAILED: Atlas failed to accept the connection to your private endpoint.
  INITIATING: Atlas has not yet accepted the connection to your private endpoint.
  AVAILABLE: Atlas approved the connection to your private endpoint.
  DELETING: Atlas is removing the connection to your private endpoint from the Private Link service.
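
The two providers report progress through different fields and value sets, and the page's guidance for a failed attempt is to delete the endpoint and add a new one rather than retry in place. The following Python is an added example, not code from this page or from MongoDB: it folds both status tables into one outcome vocabulary and polls until the endpoint settles. The fetch callable is an assumption standing in for however you re-read the endpoint document (this page documents only the POST).

```python
# Constructed samples: the two example response bodies shown on this page.
AWS_RESPONSE = {"connectionStatus": "PENDING", "deleteRequested": False,
                "errorMessage": None, "interfaceEndpointId": "vpce-08fb7e9319909ec7b"}
AZURE_RESPONSE = {"deleteRequested": False, "errorMessage": None,
                  "privateEndpointConnectionName": None,
                  "privateEndpointIPAddress": "10.0.0.4",
                  "privateEndpointResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/test",
                  "status": "INITIATING"}

# Provider status values from the tables above, mapped onto one outcome vocabulary.
OUTCOME = {
    "AWS": {"NONE": "pending", "PENDING_ACCEPTANCE": "pending", "PENDING": "pending",
            "AVAILABLE": "ready", "REJECTED": "failed", "DELETING": "deleting"},
    "AZURE": {"INITIATING": "pending", "AVAILABLE": "ready",
              "FAILED": "failed", "DELETING": "deleting"},
}
STATUS_FIELD = {"AWS": "connectionStatus", "AZURE": "status"}
ID_FIELD = {"AWS": "interfaceEndpointId", "AZURE": "privateEndpointResourceId"}


def classify(provider, resp):
    """Return (outcome, detail) for one response body of either provider."""
    if provider not in OUTCOME:
        raise ValueError("Atlas accepts AWS or AZURE")
    # errorMessage is null unless something went wrong, so it overrides the status field.
    if resp.get("errorMessage"):
        return "failed", resp["errorMessage"]
    if resp.get("deleteRequested"):
        return "deleting", "delete already requested"
    state = resp.get(STATUS_FIELD[provider])
    detail = f"{ID_FIELD[provider]}={resp.get(ID_FIELD[provider])} {state}"
    return OUTCOME[provider].get(state, "unknown"), detail


def next_action(outcome):
    """The page's remediation rule: a failed attempt is deleted and re-created, not retried in place."""
    return {"ready": "connect", "pending": "poll",
            "failed": "delete the endpoint, then add a new one",
            "deleting": "wait for deletion"}.get(outcome, "inspect manually")


def poll_until_settled(provider, fetch, max_polls=10):
    """fetch() returns the current endpoint document (assumed helper, e.g. a re-read
    of the resource); stop at the first non-pending outcome and say what to do next."""
    for _ in range(max_polls):
        outcome, detail = classify(provider, fetch())
        if outcome != "pending":
            return outcome, next_action(outcome), detail
    return "pending", "poll", f"still pending after {max_polls} polls"
```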

Example Request

AWS

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --request POST "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/AWS/endpointService/{ENDPOINT-SERVICE-ID}/endpoint?pretty=true" \
     --data '
       {
         "id" : "vpce-0d00c26273372c6ef"
       }'

Azure

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --request POST "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/AZURE/endpointService/{ENDPOINT-SERVICE-ID}/endpoint?pretty=true" \
     --data '
       {
         "id" : "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/test",
         "privateEndpointIPAddress" : "10.0.0.4"
       }'

Example Response

AWS

{
  "connectionStatus": "PENDING",
  "deleteRequested": false,
  "errorMessage": null,
  "interfaceEndpointId": "vpce-08fb7e9319909ec7b"
}

Azure

{
  "deleteRequested": false,
  "errorMessage": null,
  "privateEndpointConnectionName": null,
  "privateEndpointIPAddress": "10.0.0.4",
  "privateEndpointResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/test",
  "status": "INITIATING"
}