Set up a Network Peering Connection

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas supports Network Peering connections for AWS, GCP, and Azure-backed clusters.

Important

To set up a Network Peering connection, you must have either the Project Owner or Organization Owner role.

Configure an Atlas Network Peering Connection

To configure Atlas Network Peering for a cluster, follow the procedure for your cluster's cloud provider (AWS, Azure, and GCP are covered in turn below). You also configure the Atlas VPC CIDR during this procedure.

See Create a New Network Peering Container to configure the Atlas CIDR separately without configuring Network Peering. You must use the API to configure the Atlas CIDR separately.

  1. In the Security section of the left navigation, click Network Access.

  2. In the Peering tab, click plus icon New Peering Connection.

  3. Enable DNS hostnames and DNS resolution in AWS:

    1. Log in to your AWS account.
    2. Go to the VPC dashboard.
    3. Open your list of VPC resources.
    4. Select the VPC you want to peer with.
    5. Enable DNS hostnames and DNS resolution. To learn more about how to enable these options, see Updating DNS Support for Your VPC.

    Note

    If DNS hostnames and DNS resolution are disabled on the peer VPC, clients in that VPC resolve the Atlas cluster hostnames to the cluster's public IP addresses rather than to the private addresses reachable over the peering connection, so their traffic leaves over the public internet path (and must be allowed by client IP on the whitelist) instead of over the peering link. Enabling both settings also makes the VPC peering come up faster.

  4. Go to Network Access view in Atlas.

    In the Security section of the left navigation, click Network Access.

  5. Click the Peering tab.

  6. Click New Peering Connection.

  7. In the Peering Connection modal, select AWS and click Next.

  8. To create the Network Peering connection, fill in the following fields in the Peering Connection modal:

    Account ID: AWS Account ID of the owner of the peer VPC. Refer to the dialog for instructions on finding your AWS Account ID.

    VPC ID: Unique identifier of the peer VPC. Refer to the dialog for instructions on finding your VPC ID.

    VPC CIDR: CIDR block of the peer (application) VPC, or a subset of it. Must not overlap with your Atlas CIDR block or with the VPC CIDR of any other Network Peering connection in the project.

    The CIDR block must be in one of the following private networks:

    • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
    • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    You can choose to add the VPC CIDR block (or a subset of it) to the whitelist. For Network Peering connections, you can also add the Security Group associated with the AWS VPC instead of the CIDR block. See Configure Whitelist Entries.

    To learn more about CIDR blocks, see RFC 4632.

    Application VPC Region: AWS region where the peer VPC resides.

    Atlas VPC CIDR: CIDR block of the Atlas VPC. Atlas uses this block for all other Network Peering connections created in the project. It must be at least a /24 and at most a /21 in one of the following private networks:

    Lower Bound Upper Bound Prefix
    10.0.0.0 10.255.255.255 10/8
    172.16.0.0 172.31.255.255 172.16/12
    192.168.0.0 192.168.255.255 192.168/16

    Atlas locks this value once an M10+ cluster or a Network Peering connection exists in the project. To modify the CIDR block, ensure there are no M10+ clusters and no other VPC peering connections in the project.

    Alternatively, create a new project and create a Network Peering Connection there to set the desired Atlas VPC CIDR block for that project.

    Important

    Atlas limits the number of MongoDB nodes per Network Peering connection based on the CIDR block and the region selected for the project.

    Example

    A project in an AWS region supporting 3 availability zones and an Atlas VPC CIDR block of /24 is limited to the equivalent of 27 three-node replica sets.

    Contact MongoDB Support for any questions on Atlas limits of MongoDB nodes per VPC.

    Atlas VPC Region: AWS region where the Atlas VPC resides. Atlas creates a VPC for the Atlas project in this region if no M10+ clusters or VPC peering connections exist for the selected region.

    Uncheck Same as application VPC region to select a different region from the one where the application VPC resides.

  9. Click Initiate Peering.

  10. Wait for approval of the peering connection request

    The owner of the peer VPC must accept the VPC peering connection request in the AWS console (VPC Dashboard, Peering Connections; the request shows as Pending Acceptance). Before accepting, confirm that the requester account ID and requester CIDR shown on the request match the Atlas VPC values displayed on the Peering tab; accepting an unexpected request would connect your VPC to a network you do not control.

    Atlas provides instructions for approving the connection request.

    Important

    Requests expire after 7 days.

  11. Add to route table

    1. In the VPC Dashboard, click Route Tables.

    2. Select the route table associated with the subnets whose instances need to reach Atlas. If those subnets use several route tables, repeat these steps for each of them.

    3. Click the Routes tab.

    4. Click Edit Routes.

    5. Click Add route.

    6. Add the Atlas VPC’s CIDR block to the Destination column.

    7. Add the AWS Peering Connection ID to the Target column.

      This value is prefixed with pcx-.

    8. Click Save.

      Note

      Each Atlas project may have a maximum of 50 peering connections in total. This total includes a maximum of 25 pending peering connections.

      Once set up, you can edit or terminate the VPC peering connection from the Peering table.

      You must add your VPC CIDR block address (or subset) or the Security Group associated with the peer VPC to the whitelist before your new VPC peer can connect to your Atlas cluster.
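The CIDR rules above are easy to get wrong, and Atlas locks the Atlas CIDR once a dedicated cluster or a peering exists in the project. The following script is an added example, not MongoDB's code: it checks a planned Atlas CIDR against the private-range and prefix-length rules stated on this page (the /21 to /24 bounds for AWS and Azure, the /18 minimum for GCP given in the later sections), and checks it against the application VPC and any existing peer CIDRs for overlap. The provider names and sample CIDRs are constructed for illustration; Atlas's per-region node limits are not modelled.

```python
"""Pre-flight checks for an Atlas Network Peering CIDR plan.

Added example, not MongoDB's code. It encodes the rules this page states:
the Atlas CIDR lies inside one RFC 1918 range, its prefix length is
between /21 and /24 on AWS and Azure and at least /18 on GCP, and it
overlaps neither the application VPC/VNet CIDR nor any other peered CIDR
in the project. Sample CIDRs below are constructed for illustration.
"""
import ipaddress

RFC1918 = tuple(ipaddress.ip_network(r)
                for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# (largest block allowed, smallest block allowed), both as prefix lengths.
# AWS/Azure: at most a /21 and at least a /24. GCP: at least a /18; the
# page gives no largest-block bound for GCP, hence None.
ATLAS_PREFIX_BOUNDS = {"AWS": (21, 24), "AZURE": (21, 24), "GCP": (None, 18)}


def is_private(net) -> bool:
    """True if the block lies entirely inside one RFC 1918 range."""
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def check_atlas_cidr(provider: str, atlas_cidr: str, peer_cidrs) -> list:
    """Return the problems with a peering plan; an empty list means it passes.

    peer_cidrs: the application VPC/VNet CIDR plus the CIDR of every other
    Network Peering connection already in the Atlas project.
    """
    problems = []
    try:
        atlas = ipaddress.ip_network(atlas_cidr)  # strict: rejects host bits set
    except ValueError as err:
        return [f"Atlas CIDR {atlas_cidr!r} is not a valid network: {err}"]

    largest, smallest = ATLAS_PREFIX_BOUNDS[provider.upper()]
    if largest is not None and atlas.prefixlen < largest:
        problems.append(f"{atlas} is larger than the /{largest} maximum for {provider}")
    if atlas.prefixlen > smallest:
        problems.append(f"{atlas} is smaller than the /{smallest} minimum for {provider}")
    if not is_private(atlas):
        problems.append(f"{atlas} is not inside 10/8, 172.16/12 or 192.168/16")

    peers = []
    for cidr in peer_cidrs:
        try:
            peers.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError as err:
            problems.append(f"peer CIDR {cidr!r} is invalid: {err}")
    for peer in peers:
        if not is_private(peer):
            problems.append(f"peer {peer} is not an RFC 1918 block")
        if atlas.overlaps(peer):
            problems.append(f"Atlas CIDR {atlas} overlaps peer {peer}")
    # Peers must not overlap each other either, or the routes become ambiguous.
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            if a.overlaps(b):
                problems.append(f"peers {a} and {b} overlap each other")
    return problems


def whitelist_entry_ok(entry: str, peer_cidr: str) -> bool:
    """A whitelist entry for a peer should be its CIDR or a subset of it."""
    return ipaddress.ip_network(entry, strict=False).subnet_of(
        ipaddress.ip_network(peer_cidr, strict=False))


if __name__ == "__main__":
    # Constructed plan: AWS application VPC 10.0.0.0/16 plus an existing peer.
    print("AWS:", check_atlas_cidr("AWS", "192.168.248.0/21",
                                   ["10.0.0.0/16", "172.31.0.0/16"]) or "OK")
    # GCP auto mode networks take their subnets from 10.128.0.0/9, so an Atlas
    # block in that half of 10/8 collides with them.
    print("GCP:", check_atlas_cidr("GCP", "10.192.0.0/18", ["10.128.0.0/9"]))
```

Run it with the application VPC CIDR and every CIDR already listed on the Peering tab before you click Initiate Peering; once the first dedicated cluster or peering exists, changing the Atlas CIDR means a new project.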

Azure VNet Peering Limitations

Azure-backed clusters configured for Atlas Network Peering cannot:

  • Be accessed from any network other than the peered VNets in the same cloud provider region.
  • Use MongoDB Stitch apps.
  • Use Live Migration.

Azure VNet Peering Prerequisites

You must enable Connect via Peering Only mode for a project before you create an Azure peering connection in that project. Only Azure network peers can access clusters in a project with Connect via Peering Only mode enabled. These clusters are not accessible through the public internet.

Note

You can only enable Connect via Peering Only mode in an Atlas project that does not yet have any dedicated clusters. Please file a support ticket if you already have an Azure-backed cluster in a project and want to set up network peering.

To enable Connect via Peering Only mode:

  1. Click Settings in the navigation menu.

  2. Toggle Connect via Peering Only (GCP and Azure) to On.

    Important

    You cannot disable Connect via Peering Only mode for a project after enabling it and adding an Azure-backed cluster or peering connection to the project.

Configure Network Peering for an Azure-backed Cluster

To configure Network Peering for an Azure-backed cluster:

  1. In the Security section of the left navigation, click Network Access.

  2. In the Peering tab, click plus icon New Peering Connection.

  3. In the Peering Connection modal, select Azure and click Next.

  4. To create the Network Peering connection, fill in the requested information:

    Subscription ID: Unique identifier for your Azure subscription. You can find it on the Overview tab of your Azure Virtual networks dashboard.

    Directory ID: Unique identifier of your Azure directory. You can find it on the Properties tab of your Azure Active Directory dashboard.

    Resource Group Name: Name of the Azure resource group to which the virtual network belongs. You can find it on the Overview tab of your Azure virtual network.

    VNet Name: Name of your Azure virtual network. You can find it on the Virtual networks dashboard.

    Atlas CIDR: CIDR block for your Atlas cluster. Atlas uses this block for all other Network Peering connections created in the project. It must be at least a /24 and at most a /21 in one of the following private networks:

    Lower Bound Upper Bound Prefix
    10.0.0.0 10.255.255.255 10/8
    172.16.0.0 172.31.255.255 172.16/12
    192.168.0.0 192.168.255.255 192.168/16

    Atlas locks this value once an M10+ cluster or a Network Peering connection exists in the project. To modify the CIDR block, ensure there are no M10+ clusters and no other Network Peering connections in the project.

    Alternatively, create a new project and create a Network Peering Connection there to set the desired Atlas Network Peering CIDR block for that project.

    Important

    Atlas limits the number of MongoDB nodes per Network Peering connection based on the CIDR block and the region selected for the project.

    Contact MongoDB Support for any questions on Atlas limits of MongoDB nodes per Network Peer.

    Atlas VNet Region: Azure region in which your Atlas cluster resides.
  5. Click Next.

  6. To create the peering request, you must grant Atlas the following permissions on the virtual network. Scope the custom role to that virtual network rather than to the whole subscription, and revoke these permissions once the VNet peering has been established.

    • Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
    • Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
    • Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
    • Microsoft.Network/virtualNetworks/peer/action

    To grant Atlas permission to create a peering connection with your Azure virtual network:

    1. Launch the Azure console.

    2. Run the commands from the Peering Connection modal to create a service principal, create a new custom role, and assign the custom role to the service principal.

      Note

      Run the first command to create a service principal only once for all Azure VNets from the same Azure subscription.

    3. Click Validate.

    4. Click Initiate Peering.

      Note

      Each Atlas project may have a maximum of 50 peering connections in total. This total includes a maximum of 25 pending peering connections.

      You must add the CIDR block address (or subset) associated with the peer VNet to the whitelist before your network peer can connect to your Atlas cluster.
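Before running the role-assignment commands from the modal, it is worth confirming that the custom role you are about to hand to the Atlas service principal contains exactly the four actions listed above and is assignable only on the VNet being peered. The following script is an added example, not MongoDB's or Microsoft's code: the role JSON is a constructed sample in the shape `az role definition create --role-definition` accepts, with placeholder subscription ID, resource group and VNet names, and the audit flags wildcard actions, extra or missing actions, data-plane rights, and assignable scopes wider than the one VNet.

```python
"""Audit the Azure custom role granted to Atlas for VNet peering.

Added example, not MongoDB's or Microsoft's code. REQUIRED_ACTIONS are the
four actions this page lists; the sample role definition and its
subscription ID, resource group and VNet name are constructed placeholders.
"""
import fnmatch
import json

REQUIRED_ACTIONS = frozenset({
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
    "Microsoft.Network/virtualNetworks/peer/action",
})


def vnet_scope(subscription_id: str, resource_group: str, vnet_name: str) -> str:
    """Resource ID of one virtual network, the narrowest scope the role needs."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/virtualNetworks/{vnet_name}")


def audit_role(role: dict, expected_scope: str) -> list:
    """Return findings for a role definition dict; [] means least privilege holds."""
    findings = []
    actions = list(role.get("Actions", []))

    # A wildcard such as Microsoft.Network/* covers the peering actions but also
    # hands every other action under that provider to a third-party principal.
    for action in actions:
        if "*" in action:
            findings.append(f"wildcard action {action!r} grants more than peering needs")
        elif action not in REQUIRED_ACTIONS:
            findings.append(f"action {action!r} is not one of the four peering actions")

    # A missing action makes the peering request fail, so report that as well.
    for required in sorted(REQUIRED_ACTIONS):
        if not any(fnmatch.fnmatchcase(required, pattern) for pattern in actions):
            findings.append(f"missing action {required!r}")

    if role.get("DataActions"):
        findings.append("DataActions present; peering needs no data-plane rights")

    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("no AssignableScopes; the role cannot be assigned")
    for scope in scopes:
        if scope != expected_scope:
            findings.append(f"assignable scope {scope!r} is not the peered VNet {expected_scope!r}")
    return findings


# Constructed sample with placeholder IDs, not a real subscription.
SAMPLE_SCOPE = vnet_scope("00000000-0000-0000-0000-000000000000", "app-rg", "app-vnet")
SAMPLE_ROLE = {
    "Name": "AtlasPeering",
    "IsCustom": True,
    "Description": "Lets the Atlas service principal create and delete a peering on app-vnet",
    "Actions": sorted(REQUIRED_ACTIONS),
    "NotActions": [],
    "DataActions": [],
    "AssignableScopes": [SAMPLE_SCOPE],
}


def sample_role_json() -> str:
    """The sample role in the JSON shape az role definition create expects."""
    return json.dumps(SAMPLE_ROLE, indent=2)


if __name__ == "__main__":
    print(sample_role_json())
    print("findings:", audit_role(SAMPLE_ROLE, SAMPLE_SCOPE) or "none")
    too_broad = dict(SAMPLE_ROLE, Actions=["Microsoft.Network/*"],
                     AssignableScopes=["/subscriptions/00000000-0000-0000-0000-000000000000"])
    for finding in audit_role(too_broad, SAMPLE_SCOPE):
        print("-", finding)
```

Run the audit on the JSON you pass to az role definition create, assign the role to the service principal at that same VNet scope, and remove the assignment once the peering shows as active.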

GCP VPC Peering Limitations

GCP-backed clusters configured for Atlas Network Peering cannot:

  • Be accessed by using the Atlas hostname from outside the peered VPC. Note that database hosts’ public IPs can be reached over the network if the client’s IP address is on the IP whitelist.
  • Use MongoDB Stitch apps.
  • Use Live Migration.

GCP VPC Peering Prerequisites

You must enable Connect via Peering Only mode for a project before you create a GCP peering connection in that project. Only peered networks can access clusters in a project with Connect via Peering Only mode enabled. These clusters are not accessible through the public internet.

Note

You can only enable Connect via Peering Only mode in an Atlas project that does not yet have any dedicated clusters. Please file a support ticket if you already have a GCP-backed cluster in a project and want to set up Network Peering.

To enable Connect via Peering Only mode:

  1. Click Settings in the navigation menu.

  2. Toggle Connect via Peering Only (GCP and Azure) to On.

    Important

    You cannot disable Connect via Peering Only mode for a project after enabling it and adding a GCP-backed cluster or peering connection to the project.

Configure VPC Peering for a GCP-backed Cluster

To configure Atlas VPC Peering for a GCP-backed cluster:

  1. In the Security section of the left navigation, click Network Access.

  2. In the Peering tab, click plus icon New Peering Connection.

  3. In the Peering Connection modal, select Google Cloud Platform and click Next.

  4. To create the VPC Peering connection, fill in the requested information in the Peering Connection modal:

    Project ID: GCP Project ID of the peer VPC. Refer to the dialog for instructions on finding your GCP Project ID.

    VPC Name: Name of the peer VPC. Refer to the dialog for instructions on finding your VPC Name.

    Atlas CIDR: CIDR block for your Atlas cluster. Atlas uses this block for all other Network Peering connections created in the project. It must be at least a /18 in one of the following private networks:

    Lower Bound Upper Bound Prefix
    10.0.0.0 10.255.255.255 10/8
    172.16.0.0 172.31.255.255 172.16/12
    192.168.0.0 192.168.255.255 192.168/16

    Atlas locks this value once an M10+ cluster or a Network Peering connection exists in the project. To modify the CIDR block, ensure there are no M10+ clusters and no other Network Peering connections in the project.

    Alternatively, create a new project and create a Network Peering Connection there to set the desired Atlas Network Peering CIDR block for that project.

    Important

    Atlas limits the number of MongoDB nodes per Network Peering connection based on the CIDR block and the region selected for the project.

    Example

    A project with an Atlas VPC CIDR block of /18 is limited to approximately 80 three-node replica sets per GCP region.

    Contact MongoDB Support for any questions on Atlas limits of MongoDB nodes per Network Peering connection.

  5. Click Initiate Peering.

  6. In the Google Cloud Console, click VPC network peering.

  7. Click Create Connection.

  8. Click Continue.

  9. In Name, enter a name for your peering connection.

  10. In Your VPC Network, enter the name of your GCP VPC network.

  11. In Peered VPC network, select In another project.

  12. In Project ID, enter your Atlas Project ID. This is the GCP project that hosts the Atlas VPC, not your own GCP project.

    You can find this ID in the VPC Peering view. In the Security section of the left navigation, click Network Access and then click the Peering tab.

  13. In VPC network name, enter your Atlas VPC Name.

    You can find this name in the same Peering tab.

Note

Each Atlas project may have a maximum of 50 peering connections in total. This total includes a maximum of 25 pending peering connections.

You must add the VPC CIDR block (or a subset of it) of the peer VPC to the whitelist before your new VPC peer can connect to your Atlas cluster. If the peer is an auto mode VPC network, its subnets are drawn from 10.128.0.0/9, so choose an Atlas CIDR that does not overlap that range; to learn which IP ranges GCP auto mode networks use, see Auto mode IP ranges.