
Set up a Network Peering Connection

Note: Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Important: Feature incompatible with Multi-Cloud Clusters

Atlas doesn't support this feature in multi-cloud clusters at this time.

Atlas supports Network Peering connections for AWS-, GCP-, and Azure-backed clusters.

Important

To set up a Network Peering connection, you must have either the Project Owner or Organization Owner role.

To configure Atlas Network Peering for a cluster, perform the procedure on the tab corresponding to your cluster's cloud provider. You also configure the Atlas VPC CIDR during this procedure.

To configure the Atlas CIDR without configuring Network Peering, see Create a New Network Peering Container. You must use the API to configure the Atlas CIDR without Network Peering.

  • Create the following network traffic rule on your AWS CIDR:

    Permission: Allow
    Direction: outbound
    Port: 27015-27017 inclusive
    Target: your Atlas CIDR

To configure Atlas VPC Peering for an AWS-backed cluster:

Step 1
  1. Log in to your AWS account.
  2. Go to the VPC dashboard.
  3. Open your list of VPC resources.
  4. Select the VPC you want to peer with.
  5. Enable DNS hostnames and DNS resolution to ensure that the cluster's hostnames in standard connection strings automatically resolve to private instead of public IP addresses when the Atlas cluster is accessed from within the VPC.

    If DNS hostnames and DNS resolution are disabled and the VPC is accessible to the internet, the DNS resolves the cluster's hostnames to their public IP address rather than their internal IP address.

    To learn more about how to enable these options, see Updating DNS Support for Your VPC.

    Note

    If the applications deployed within AWS use custom DNS services and VPC peering with Atlas, see FAQ for more information on how to connect using private connection strings.

Step 2
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
  3. Click Network Access in the sidebar.
  4. In the Peering tab, click Add Peering Connection.
Step 3
  1. In the Peering Connection modal, select AWS and click Next.
  2. To create the VPC Peering connection, fill in the requested information in the Peering Connection modal:

    Field: Account ID
    Notes: AWS Account ID of the owner of the peer VPC. Refer to the dialog for instructions on finding your AWS Account ID.

    Field: VPC ID
    Notes: Unique identifier of the peer VPC. Refer to the dialog for instructions on finding your VPC ID.

    Field: VPC CIDR
    Notes:

    AWS VPC CIDR block or subset. Must not overlap with your Atlas CIDR Block or any other Network Peering connection VPC CIDR.

    The CIDR block must be in one of the following private networks:

    • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
    • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    You can choose to add the VPC CIDR block address (or a subset) to the IP access list. For Network Peering connections, you can also add the Security Group associated with the AWS VPC instead of the CIDR block. See Configure IP Access List Entries.

    To learn more about CIDR blocks, see RFC 4632.

    Atlas uses the specified CIDR block for all other Network Peering connections created in the project. The Atlas CIDR block must be at least a /24 and at most a /21 in one of the following private networks.

    Lower Bound     Upper Bound        Prefix
    10.0.0.0        10.255.255.255     10/8
    172.16.0.0      172.31.255.255     172.16/12
    192.168.0.0     192.168.255.255    192.168/16

    Atlas locks this value if an M10+ cluster or a Network Peering connection already exists. To modify the CIDR block, ensure there are no M10+ clusters in the project and no other VPC peering connections in the project.

    Alternatively, create a new project and create a Network Peering Connection to set the desired Atlas VPC CIDR block for that project.

    Important

    Atlas limits the number of MongoDB nodes per Network Peering connection based on the CIDR block and the region selected for the project.

    Example

    A project in an AWS region supporting 3 availability zones and an Atlas VPC CIDR block of /24 is limited to the equivalent of 27 three-node replica sets.

    Contact MongoDB Support for any questions on Atlas limits of MongoDB nodes per VPC.

    Field: Application VPC Region
    Notes: AWS region where the AWS VPC resides.

    Field: VPC CIDR
    Notes: AWS VPC CIDR block. Must not overlap with the Atlas VPC CIDR block.

    Field: Atlas VPC Region
    Notes:

    AWS region where the Atlas VPC resides. Atlas creates a VPC for the Atlas project in this region if no M10+ clusters or VPC peering connections exist for the selected Region.

    Uncheck Same as application VPC region to select a different region than where the application VPC resides.

  3. Click Initiate Peering.
  4. Wait for approval of peering connection request.

    The owner of the peer VPC must approve the VPC peering connection request. Ensure that the owner approves the request.

    Atlas provides instructions for approving the connection request.

    Important: Requests expire after 7 days.
Step 4
  1. In the VPC Dashboard, click Route Tables.
  2. Select the Route Table for your VPC.
  3. Click the Routes tab.
  4. Click Edit Routes.
  5. Click Add route.
  6. Add the Atlas VPC's CIDR block to the Destination column.
  7. Add the AWS Peering Connection ID to the Target column.

    This value is prefixed with pcx-.

  8. Click Save.

    Note

    Each Atlas project may have a maximum of 50 peering connections in total. This total includes a maximum of 25 pending peering connections.

    Once set up, you can edit or terminate VPC peering connection from the Peering table.

You must add your VPC CIDR block address (or a subset) or the Security Group associated with the peer VPC to the IP access list (whitelist) before your new VPC peer can connect to your Atlas cluster.

Tip: Using Custom DNS

Effective 31 March 2020, Atlas has removed the connection limitations for all existing and new AWS clusters using custom DNS. To learn more about how to use these new features, see the FAQ on changes to AWS network peering.

Multiple cloud-hosted applications might need to connect securely to the same Atlas project.

Consider a case where two applications use virtual networks (VPC, VNet) with identical IP CIDR blocks. You want both applications to securely connect to the same Atlas cluster via VPC peering. To achieve this, create one network peering connection between each application's virtual network and your Atlas cluster.

Cloud provider virtual networks can’t peer to each other if they have identical CIDR blocks. However, you can peer each of the applications' virtual networks with the Atlas virtual network if the Atlas virtual network includes two non-overlapping CIDR blocks. Configure each of the peering connections to have non-overlapping route-back CIDR blocks in the Atlas virtual network.

Follow this general process:

  1. Before you deploy any clusters, create a network peering connection for each virtual network that you want to peer with Atlas. You do this by creating a CIDR block in the Atlas virtual network for each application's virtual network.
  2. In the virtual network's configuration for your cloud provider, establish routing between each of your application's virtual networks and their respective Atlas CIDR blocks.
  3. Deploy your Atlas cluster.
Example

Consider two applications in the same AWS account in the same region. Each application has its own VPC. The VPCs have identical CIDR blocks. These VPCs can't peer with each other. You must configure each application's VPC as a peer to the Atlas VPC.

Application's VPC name   CIDR block     Subnet
app-tier-vpc-1           10.4.0.0/16    subnet1: 10.5.0.0/16
app-tier-vpc-2           10.4.0.0/16    subnet2: 10.6.0.0/16

To peer each application's VPC to the Atlas VPC before you deploy your Atlas cluster:

  1. Create a network peering connection to peer Atlas with your first application's VPC.

    1. Click the Peering tab.
    2. Select Peering Connection.
    3. Select AWS and click Next.
    4. Complete the AWS VPC fields and enter details for the first application's VPC:

      • Account ID
      • VPC ID
      • VPC CIDR
      • Application VPC Region.
    5. Type the first CIDR block, 10.5.0.0/24, into the VPC CIDR field in the Atlas VPC section.
    6. Click Initiate Peering.
  2. Create a network peering connection to peer Atlas with your second application's VPC.

    1. Click the Peering tab.
    2. Select Peering Connection.
    3. Select AWS and click Next.
    4. Complete the AWS VPC fields and enter details for the second application's VPC:

      • Account ID
      • VPC ID
      • VPC CIDR
      • Application VPC Region.
    5. Type the second CIDR block, 10.6.0.0/24, into the VPC CIDR field in the Atlas VPC section.
    6. Click Initiate Peering.
  3. In AWS, configure each of your application's VPCs to route back to their respective CIDR blocks in Atlas. For information, see Updating your route tables for a VPC peering connection.

    • app-vpc-1 with CIDR 10.4.0.0/16 routes back to subnet1 in the CIDR 10.5.0.0/24
    • app-vpc-2 with CIDR 10.4.0.0/16 routes back to subnet2 in the CIDR 10.6.0.0/24

When complete, the routes for app-vpc-1 and app-vpc-2 should match the following table:

Network      Destination    Origin
app-vpc-1    10.4.0.0/16    local
             10.5.0.0/16    peer to the Atlas VPC
app-vpc-2    10.4.0.0/16    local
             10.6.0.0/16    peer to the Atlas VPC
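The CIDR constraints above (private RFC 1918 ranges, an Atlas CIDR between /21 and /24, no overlap between an Atlas CIDR and its peer VPC, and distinct route-back blocks when two application VPCs share a CIDR) can be checked before you click Initiate Peering. The following is an added example, not Atlas or AWS code; the validate_plan function and the plan tuples are assumptions, and the sample plan mirrors the two-application example on this page.

```python
"""Pre-flight check for an Atlas network peering plan (added example)."""
import ipaddress

# Private networks that Atlas accepts for the Atlas CIDR and peer VPC CIDRs.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# The Atlas CIDR block must be at least a /24 and at most a /21.
ATLAS_MIN_PREFIX, ATLAS_MAX_PREFIX = 21, 24


def is_private(net):
    """True if net lies entirely inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def validate_plan(peerings):
    """peerings: list of (name, app_vpc_cidr, atlas_cidr) tuples (assumed shape).

    Returns a list of problems; an empty list means every CIDR is private,
    every Atlas CIDR is /21..../24, no Atlas CIDR overlaps its peer VPC, and
    the Atlas CIDRs of different peerings do not overlap each other.
    Application VPCs may legitimately share a CIDR, so they are not compared.
    """
    problems = []
    atlas_nets = []
    for name, app_cidr, atlas_cidr in peerings:
        app = ipaddress.ip_network(app_cidr, strict=True)
        atlas = ipaddress.ip_network(atlas_cidr, strict=True)
        if not is_private(app):
            problems.append(f"{name}: peer VPC CIDR {app} is not RFC 1918")
        if not is_private(atlas):
            problems.append(f"{name}: Atlas CIDR {atlas} is not RFC 1918")
        if not ATLAS_MIN_PREFIX <= atlas.prefixlen <= ATLAS_MAX_PREFIX:
            problems.append(f"{name}: Atlas CIDR {atlas} must be /21 to /24")
        if app.overlaps(atlas):
            problems.append(f"{name}: Atlas CIDR {atlas} overlaps peer VPC {app}")
        for other_name, other in atlas_nets:
            if atlas.overlaps(other):
                problems.append(f"{name}: Atlas CIDR {atlas} overlaps {other_name}'s {other}")
        atlas_nets.append((name, atlas))
    return problems


# Constructed input mirroring the page's two-application example.
EXAMPLE_PLAN = [
    ("app-tier-vpc-1", "10.4.0.0/16", "10.5.0.0/24"),
    ("app-tier-vpc-2", "10.4.0.0/16", "10.6.0.0/24"),
]

if __name__ == "__main__":
    for line in validate_plan(EXAMPLE_PLAN) or ["plan is valid"]:
        print(line)
```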