
Set up a Network Peering Connection

Note: Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas supports Network Peering connections for AWS-, GCP-, and Azure-backed and multi-cloud clusters.

Important

To set up a Network Peering connection, you must have either the Project Owner or Organization Owner role.

To configure Atlas Network Peering for a cluster, perform the procedure on the tab corresponding to your cluster's cloud provider. You also configure the Atlas VPC CIDR during this procedure.

To configure the Atlas CIDR without configuring Network Peering, see Create a New Network Peering Container. You must use the API to configure the Atlas CIDR without Network Peering.

  • Create the following network traffic rule on your AWS CIDR:

    Permission   Direction   Port                    Target
    Allow        outbound    27015-27017 inclusive   to your Atlas CIDR

To configure Atlas VPC Peering for an AWS-backed cluster:

Step 1
  1. Log in to your AWS account.
  2. Go to the VPC dashboard.
  3. Open your list of VPC resources.
  4. Select the VPC you want to peer with.
  5. Enable DNS hostnames and DNS resolution to ensure that the cluster's hostnames in standard connection strings automatically resolve to private instead of public IP addresses when the Atlas cluster is accessed from within the VPC.

    If DNS hostnames and DNS resolution are disabled and the VPC is accessible to the internet, the DNS resolves the cluster's hostnames to their public IP address rather than their internal IP address.

    To learn more about how to enable these options, see Updating DNS Support for Your VPC.

    Note

    If the applications deployed within AWS use custom DNS services and VPC peering with Atlas, see FAQ for more information on how to connect using private connection strings.

Step 2
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
  3. Click Network Access in the sidebar.
  4. In the Peering tab, click Add Peering Connection.
Step 3
  1. In the Peering Connection modal, select AWS and click Next.
  2. To create the VPC Peering connection, fill in the requested information in the Peering Connection modal:

    Field / Notes

    Account ID
      AWS Account ID of the owner of the peer VPC. Refer to the dialog for instructions on finding your AWS Account ID.

    VPC ID
      Unique identifier of the peer VPC. Refer to the dialog for instructions on finding your VPC ID.

    VPC CIDR
      AWS VPC CIDR block or subset. Must not overlap with your Atlas CIDR Block or any other Network Peering connection VPC CIDR.

      The CIDR block must be in one of the following private networks:

      • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
      • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
      • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

      You can choose to add the VPC CIDR block address (or a subset) to the IP access list. For Network Peering connections, you can also add the Security Group associated with the AWS VPC instead of the CIDR block. See Configure IP Access List Entries.

      To learn more about CIDR blocks, see RFC 4632.

      Atlas uses the specified CIDR block for all other Network Peering connections created in the project. The Atlas CIDR block must be at least a /24 and at most a /21 in one of the following private networks:

      Lower Bound     Upper Bound        Prefix
      10.0.0.0        10.255.255.255     10/8
      172.16.0.0      172.31.255.255     172.16/12
      192.168.0.0     192.168.255.255    192.168/16

      Atlas locks this value if an M10+ cluster or a Network Peering connection already exists. To modify the CIDR block, ensure there are no M10+ clusters in the project and no other VPC peering connections in the project.

      Alternatively, create a new project and create a Network Peering Connection to set the desired Atlas VPC CIDR block for that project.

      Important

      Atlas limits the number of MongoDB nodes per Network Peering connection based on the CIDR block and the region selected for the project.

      Example

      A project in an AWS region supporting 3 availability zones and an Atlas VPC CIDR block of /24 is limited to the equivalent of 27 three-node replica sets.

      Contact MongoDB Support for any questions on Atlas limits of MongoDB nodes per VPC.

    Application VPC Region
      AWS region where the AWS VPC resides.

    VPC CIDR
      AWS VPC CIDR block. Must not overlap with the Atlas VPC CIDR block.

    Atlas VPC Region
      AWS region where the Atlas VPC resides. Atlas creates a VPC for the Atlas project in this region if no M10+ clusters or VPC peering connections exist for the selected Region.

      Uncheck Same as application VPC region to select a different region than where the application VPC resides.

  3. Click Initiate Peering.
  4. Wait for approval of peering connection request.

    The owner of the peer VPC must approve the VPC peering connection request. Ensure that the owner approves the request.

    Atlas provides instructions for approving the connection request.

    Important: Requests expire after 7 days.
Step 4
  1. In the VPC Dashboard, click Route Tables.
  2. Select the Route Table for your VPC.
  3. Click the Routes tab.
  4. Click Edit Routes.
  5. Click Add route.
  6. Add the Atlas VPC's CIDR block to the Destination column.
  7. Add the AWS Peering Connection ID to the Target column.

    This value is prefixed with pcx-.

  8. Click Save.

    Note

    Each Atlas project may have a maximum of 50 peering connections in total. This total includes a maximum of 25 pending peering connections.

    Once set up, you can edit or terminate VPC peering connection from the Peering table.

You must add your VPC CIDR block address (or subset) or the Security Group associated with the peer VPC to the IP access list (whitelist) before your new VPC peer can connect to your Atlas cluster.

Note: Using Custom DNS

Effective 31 March 2020, Atlas has removed the connection limitations for all existing and new AWS clusters using custom DNS.


Multiple cloud-hosted applications might need to connect securely to the same Atlas project.

Consider a case where two applications use virtual networks (VPC, VNet) with identical IP CIDR blocks. You want both applications to securely connect to the same Atlas cluster via VPC peering. To achieve this, create one network peering connection between each application's virtual network and your Atlas cluster.

Cloud provider virtual networks can’t peer to each other if they have identical CIDR blocks. However, you can peer each of the applications' virtual networks with the Atlas virtual network if the Atlas virtual network includes two non-overlapping CIDR blocks. Configure each of the peering connections to have non-overlapping route-back CIDR blocks in the Atlas virtual network.

Follow this general process:

  1. Before you deploy any clusters, create a network peering connection for each virtual network that you want to peer with Atlas. You do this by creating a CIDR block in the Atlas virtual network for each application's virtual network.
  2. In the virtual network's configuration for your cloud provider, establish routing between each of your application's virtual networks and their respective Atlas CIDR blocks.
  3. Deploy your Atlas cluster.
Example

Consider two applications in the same AWS account in the same region. Each application has its own VPC. The VPCs have identical CIDR blocks. These VPCs can't peer with each other. You must configure each application's VPC as a peer to the Atlas VPC.

Application's VPC name   CIDR block    Subnet
app-tier-vpc-1           10.4.0.0/16   subnet1: 10.5.0.0/16
app-tier-vpc-2           10.4.0.0/16   subnet2: 10.6.0.0/16

To peer each application's VPC to the Atlas VPC before you deploy your Atlas cluster:

  1. Create a network peering connection to peer Atlas with your first application's VPC.

    1. Click the Peering tab.
    2. Select Peering Connection.
    3. Select AWS and click Next.
    4. Complete the AWS VPC fields and enter details for the first application's VPC:

      • Account ID
      • VPC ID
      • VPC CIDR
      • Application VPC Region.
    5. Type the first CIDR block, 10.5.0.0/24, into the VPC CIDR field in the Atlas VPC section.
    6. Click Initiate Peering.
  2. Create a network peering connection to peer Atlas with your second application's VPC.

    1. Click the Peering tab.
    2. Select Peering Connection.
    3. Select AWS and click Next.
    4. Complete the AWS VPC fields and enter details for the second application's VPC:

      • Account ID
      • VPC ID
      • VPC CIDR
      • Application VPC Region.
    5. Type the second CIDR block, 10.6.0.0/24, into the VPC CIDR field in the Atlas VPC section.
    6. Click Initiate Peering.
  3. In AWS, configure each of your application's VPCs to route back to their respective CIDR blocks in Atlas. For information, see Updating your route tables for a VPC peering connection.

    • app-vpc-1 with CIDR 10.4.0.0/16 routes back to subnet1 in the CIDR 10.5.0.0/24
    • app-vpc-2 with CIDR 10.4.0.0/16 routes back to subnet2 in the CIDR 10.6.0.0/24

When complete, the routes for app-vpc-1 and app-vpc-2 should match the following table:

Network     Destination   Origin
app-vpc-1   10.4.0.0/16   local
            10.5.0.0/16   peer to the Atlas VPC
app-vpc-2   10.4.0.0/16   local
            10.6.0.0/16   peer to the Atlas VPC
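The CIDR rules in the VPC CIDR field notes above and the two-application scenario in this example are easy to get wrong by hand, so the following Python script is an added example (not code from MongoDB Atlas or AWS) that checks a planned set of peerings against the constraints stated on this page: both CIDRs in an RFC 1918 range, the Atlas block between /21 and /24, no overlap between an application VPC and the Atlas blocks, and disjoint Atlas blocks across peerings. It then derives the route-table rows and the outbound 27015-27017 rule each application VPC needs. The VPC names and CIDRs are the page's sample values (using the /24 Atlas blocks from the peering steps), and the pcx- id is a placeholder because the real id only exists after AWS creates the peering connection.

```python
"""Check a planned set of Atlas network peering connections before creating them.

Added example, not Atlas or AWS code. Applies the constraints stated on the page
and derives route-table rows and the outbound traffic rule per application VPC.
"""
import ipaddress
from dataclasses import dataclass

# Private networks the page allows for both the app VPC CIDR and the Atlas CIDR.
PRIVATE_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)
ATLAS_MIN_PREFIX, ATLAS_MAX_PREFIX = 21, 24   # "at least a /24 and at most a /21"
MONGODB_PORTS = (27015, 27017)                # outbound rule from the page, inclusive


@dataclass
class Peering:
    """One planned peering: an application VPC and the Atlas block it routes back to."""
    vpc_name: str
    app_cidr: str
    atlas_cidr: str
    peering_id: str = "pcx-PLACEHOLDER"   # constructed placeholder, not a real AWS id


def is_private(net) -> bool:
    """True when net sits entirely inside one of the RFC 1918 ranges."""
    return isinstance(net, ipaddress.IPv4Network) and any(
        net.subnet_of(p) for p in PRIVATE_NETWORKS)


def validate_plan(peerings):
    """Return a list of problems; an empty list means the plan satisfies the page's rules."""
    problems, parsed = [], []
    for p in peerings:
        try:
            # strict=True rejects host bits (e.g. 10.4.0.1/16), a common typo in CIDRs.
            app = ipaddress.ip_network(p.app_cidr, strict=True)
            atlas = ipaddress.ip_network(p.atlas_cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{p.vpc_name}: malformed CIDR ({exc})")
            continue
        if not is_private(app):
            problems.append(f"{p.vpc_name}: app CIDR {app} is not in an RFC 1918 range")
        if not is_private(atlas):
            problems.append(f"{p.vpc_name}: Atlas CIDR {atlas} is not in an RFC 1918 range")
        if not ATLAS_MIN_PREFIX <= atlas.prefixlen <= ATLAS_MAX_PREFIX:
            problems.append(f"{p.vpc_name}: Atlas CIDR {atlas} must be between /21 and /24")
        if app.overlaps(atlas):
            problems.append(f"{p.vpc_name}: app CIDR {app} overlaps its Atlas CIDR {atlas}")
        parsed.append((p, app, atlas))
    # Application VPCs may share a CIDR (they never peer with each other), but the
    # Atlas-side blocks must be disjoint, and no app CIDR may cover an Atlas block
    # used by another peering (a conservative reading of the page's overlap rule).
    for i, (p1, app1, atlas1) in enumerate(parsed):
        for p2, _, atlas2 in parsed[i + 1:]:
            if atlas1.overlaps(atlas2):
                problems.append(f"Atlas CIDRs {atlas1} ({p1.vpc_name}) and "
                                f"{atlas2} ({p2.vpc_name}) overlap")
        for p2, _, atlas2 in parsed:
            if p2 is not p1 and app1.overlaps(atlas2):
                problems.append(f"{p1.vpc_name}: app CIDR {app1} overlaps Atlas CIDR "
                                f"{atlas2} used by {p2.vpc_name}")
    return problems


def route_table_rows(peerings):
    """Rows each application VPC's route table needs: its own CIDR, then the Atlas block via pcx-."""
    rows = []
    for p in peerings:
        rows.append((p.vpc_name, p.app_cidr, "local"))
        rows.append((p.vpc_name, p.atlas_cidr, p.peering_id))
    return rows


def egress_rule(peering: Peering) -> dict:
    """The page's outbound traffic rule, rendered for one peering."""
    return {"permission": "allow", "direction": "outbound",
            "from_port": MONGODB_PORTS[0], "to_port": MONGODB_PORTS[1],
            "destination": peering.atlas_cidr}


# The page's two-application scenario (constructed sample values from the page).
SAMPLE_PLAN = [
    Peering("app-tier-vpc-1", "10.4.0.0/16", "10.5.0.0/24"),
    Peering("app-tier-vpc-2", "10.4.0.0/16", "10.6.0.0/24"),
]

if __name__ == "__main__":
    print("problems:", validate_plan(SAMPLE_PLAN) or "none")
    for row in route_table_rows(SAMPLE_PLAN):
        print("route", *row)
    print("egress", egress_rule(SAMPLE_PLAN[0]))
```

Run the script as-is to see the valid plan produce no problems and the four route rows of the table above; swap in a /16 Atlas block or an Atlas block that falls inside an application CIDR to see the corresponding rule fire before anything is created in the Atlas UI or AWS console.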