Set up VPC Peering Connection

Feature unavailable in Free and Shared Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas supports VPC peering connections for AWS- and GCP-backed clusters. Atlas does not support VPC Peering for clusters deployed on Microsoft Azure. For Atlas clusters deployed on Azure, add the IP addresses of your Azure services to the Atlas project IP whitelist to grant those services access to the cluster.

Important

To set up a VPC peering connection, you must be the project owner.

To configure VPC Peering for a cluster, select the tab corresponding to your cluster’s cloud provider.

  1. From the Clusters view, select the Security tab, then click Peering, then New Peering Connection.

  2. Enable DNS hostnames and DNS resolution in AWS.

    Enabling DNS hostnames and DNS resolution can result in faster VPC peering.

    Tip

    AWS VPC resolves hostnames in an Atlas cluster to their private IP addresses when you enable DNS resolution. You can use these DNS entries to connect to hosts in your Atlas cluster from the peered VPC since AWS handles resolving the peered hostnames automatically.

    1. Log in to your AWS account.
    2. Go to the VPC dashboard.
    3. Open your list of VPC resources.
    4. Select the VPC you want to peer with.
    5. Enable DNS hostnames and DNS resolution. See Updating DNS Support for Your VPC for further documentation on how to enable these options.
  3. Go to VPC Peering view.

    From the Clusters view, select the Security tab, then Peering.

  4. Click New Peering Connection.

  5. Enter the required information in the Peering Connection Dialog.

    To create the VPC Peering connection, fill in the requested information:

    Account ID: AWS Account ID of the owner of the peer VPC. Refer to the dialog for instructions on finding your AWS Account ID.

    VPC ID: The ID of the peer VPC. Refer to the dialog for instructions on finding your VPC ID.

    VPC CIDR:

    The peer VPC CIDR block or subset. Must not overlap with your Atlas CIDR Block or any other peering connection VPC CIDR.

    The CIDR block must be in one of the following private networks:

    • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
    • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    You can choose to add the VPC CIDR block address (or a subset) to the whitelist. For VPC peering connections, you can also add the Security Group associated with the peer VPC instead of the CIDR block. See Configure Whitelist Entries.

    See RFC 4632 for more information about CIDR blocks.

    Application VPC Region: AWS region where the peer VPC resides.

    VPC CIDR Block:

    The Atlas VPC CIDR block. Must not overlap with the peer VPC CIDR block.

    Atlas uses the specified CIDR block for all other VPC peering connections created in the project.

    On AWS, the Atlas CIDR block must be at least a /24 and at most a /21 in one of the following private networks.

    On GCP, the Atlas CIDR block must be at least a /18 in one of the following private networks.

    Lower Bound     Upper Bound        Prefix
    10.0.0.0        10.255.255.255     10/8
    172.16.0.0      172.31.255.255     172.16/12
    192.168.0.0     192.168.255.255    192.168/16

    Atlas locks this value if an M10+ cluster or a VPC peering connection already exists. To modify the CIDR block, ensure there are no M10+ clusters in the project and no other VPC peering connections in the project.

    Alternatively, create a new project and create a VPC Peering Connection to set the desired Atlas VPC CIDR block for that project.

    Important

    Atlas limits the number of MongoDB nodes per VPC based on the CIDR block and the region selected for the project.

    Example

    A project in an AWS region supporting 3 availability zones and an Atlas VPC CIDR block of /24 is limited to the equivalent of 27 three-node replica sets.

    A project with an Atlas VPC CIDR block of /18 is limited to approximately 80 three-node replica sets per GCP region.

    Contact MongoDB Support for any questions on Atlas limits of MongoDB nodes per VPC.

    Atlas VPC Region:

    AWS region where the Atlas VPC resides. Atlas creates a VPC for the Atlas project in this region if no M10+ clusters or VPC peering connections exist for the selected Region.

    Uncheck Same as application VPC region to select a different region than where the application VPC resides.

  6. Click Initiate Peering.

  7. Wait for approval of the peering connection request.

    The owner of the peer VPC must approve the VPC peering connection request. Ensure that the owner approves the request.

    Atlas provides instructions for approving the connection request.

    Important

    Requests expire after 7 days.

  8. Add to route table

    1. In the VPC Dashboard, click Route Tables.

    2. Select the Route Table for your VPC.

    3. Click the Routes tab.

    4. Click Edit Routes.

    5. Click Add route.

    6. Add the Atlas VPC’s CIDR block to the Destination column.

    7. Add the AWS Peering Connection ID to the Target column.

      This value is prefixed with pcx-.

    8. Click Save.

      Once set up, you can edit or terminate the VPC peering connection from the Peering table.

      You must add your VPC CIDR block address (or subset) or the Security Group associated with the peer VPC to the whitelist before your new VPC peer can connect to your Atlas cluster.
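A pre-flight check for the CIDR values entered in the Peering Connection dialog above, written as an added example (not code from the Atlas documentation) with Python's standard ipaddress module: it applies the private-range, non-overlap and prefix-length rules from the field notes. The ATLAS_PREFIX_BOUNDS table and the function names are assumptions of this example, not Atlas API names.

```python
import ipaddress

# The three private networks listed in the dialog's notes (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]

# Allowed Atlas VPC prefix lengths per provider as (shortest, longest), inclusive.
# AWS: at least a /24 and at most a /21. GCP: at least a /18; the /8 floor is an
# assumption, since nothing shorter fits inside a private range anyway.
ATLAS_PREFIX_BOUNDS = {"AWS": (21, 24), "GCP": (8, 18)}


def is_rfc1918(net):
    """True when the whole block lies inside one of the three private ranges."""
    return any(net.subnet_of(rng) for rng in PRIVATE_RANGES)


def check_peering_cidrs(atlas_cidr, peer_cidr, existing_peer_cidrs=(), provider="AWS"):
    """Return a list of problems; an empty list means the values satisfy the rules."""
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.8.0.1/21
        atlas = ipaddress.ip_network(atlas_cidr, strict=True)
        peer = ipaddress.ip_network(peer_cidr, strict=True)
        existing = [ipaddress.ip_network(c, strict=True) for c in existing_peer_cidrs]
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    if any(n.version != 4 for n in (atlas, peer, *existing)):
        return ["only IPv4 blocks can lie inside the listed private ranges"]

    problems = []
    for label, net in (("Atlas CIDR", atlas), ("peer VPC CIDR", peer)):
        if not is_rfc1918(net):
            problems.append(f"{label} {net} is outside the RFC 1918 private ranges")

    shortest, longest = ATLAS_PREFIX_BOUNDS[provider]
    if not shortest <= atlas.prefixlen <= longest:
        problems.append(f"Atlas CIDR /{atlas.prefixlen} is not allowed on {provider}: "
                        f"prefix must be between /{shortest} and /{longest}")

    # The peer block may not overlap the Atlas block or any other peering's block.
    if atlas.overlaps(peer):
        problems.append(f"peer VPC CIDR {peer} overlaps the Atlas CIDR {atlas}")
    for other in existing:
        if peer.overlaps(other):
            problems.append(f"peer VPC CIDR {peer} overlaps existing peering CIDR {other}")
    return problems
```

Run it with the Atlas CIDR you intend to lock in for the project and every peer CIDR you plan to add; a non-empty result is a value the dialog will reject or that will later block a new peering.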

Limitations

GCP-backed clusters configured for VPC Peering cannot:

  • Be accessed from any network other than the peered VPCs.
  • Use MongoDB Stitch apps.
  • Use Live Migration.

Prerequisites

You must enable Connect via Peering Only mode for a project before you create a GCP peering connection in that project. Only peered VPCs can access clusters in a project with Connect via Peering Only mode enabled. These clusters are not accessible through the public internet.

Note

You can only enable Connect via Peering Only mode in an Atlas project that does not yet have any dedicated clusters. Please file a support ticket if you already have a GCP-backed cluster in a project and want to set up VPC peering.

To enable Connect via Peering Only mode:

  1. Click Settings in the navigation menu.

  2. Toggle Connect via Peering Only (GCP) to On.

    Important

    You cannot disable Connect via Peering Only mode for a project after enabling it and adding a GCP-backed cluster or peering connection to the project.

Procedure

To configure VPC Peering for a GCP-backed cluster:

  1. From the Clusters view, select the Security tab, then click Peering, then New Peering Connection.

  2. Enter the required information in the Peering Connection modal.

    To create the VPC Peering connection, fill in the requested information:

    Project ID: GCP Project ID of the peer VPC. Refer to the dialog for instructions on finding your GCP Project ID.

    VPC Name: The name of the peer VPC. Refer to the dialog for instructions on finding your VPC Name.
  3. Click Initiate Peering.

  4. In the Google Cloud Console, click VPC network peering.

  5. Click Create Connection.

  6. Click Continue.

  7. In Name, enter a name for your peering connection.

  8. In Your VPC Network, enter the name of your GCP VPC network.

  9. In Peered VPC network, select In another project.

  10. In Project ID, enter your Atlas Project ID.

    You can find this ID in the VPC Peering view. From the Clusters view in Atlas, click Security, and then Peering.

  11. In VPC network name, enter your Atlas VPC Name.

    You can find this name in the VPC Peering view. From the Clusters view in Atlas, click Security, and then Peering.

Note

Each Atlas project may have a maximum of 25 peering connections.

You must add the VPC CIDR block address (or a subset) associated with the peer VPC to the whitelist before your new VPC peer can connect to your Atlas cluster. See Auto mode IP ranges for the IP ranges that GCP uses for auto mode networks.