Docs Menu
Docs Home
/
MongoDB Atlas
/
Atlas Stream Processing

Manage VPC Peering Connections

On this page

  • Prerequisites
  • Create Outbound VPC Peering Connections
  • Generate an Incoming VPC Peering Connection Request from Confluent
  • Get AWS Account ID and VPC ID for a Project
  • List Inbound VPC Peering Connections
  • Accept an Inbound VPC Peering Connection
  • Reject an Inbound VPC Peering Connection
  • Delete an Inbound VPC Peering Connection

Note

This feature is not available for any of the following deployments:

  • Serverless instances

  • M0 clusters

  • M2/M5 clusters

  • Flex clusters

To learn more, see Limits.

Atlas supports network peering connections for dedicated clusters hosted on AWS, Google Cloud, and Azure, and on multi-cloud sharded clusters.

Network peering establishes a private connection between your Atlas VPC and your cloud provider's VPC. The connection isolates traffic from public networks for added security. Atlas Stream Processing supports two types of network peering connection:

  • Outbound: A VPC connection in which your stream processing instance sends the peering request to your cloud provider VPC. This connection type is suitable for scenarios in which you have full administrative access to the external VPC and can approve connection requests on it.

  • Inbound: A VPC connection in which your cloud provider VPC sends the peering request to your stream processing instance. This connection type is suitable for scenarios in which you don't have full administrative access to your cloud provider VPC, as it requires approval only within your Atlas VPC.

Warning

Atlas does not support Network Peering between clusters deployed in a single region on different cloud providers. For example, you cannot set up Network Peering between an Atlas cluster hosted in a single region on AWS and an application hosted in a single region on GCP.

The procedures on this page walk you through creating an outbound VPC connection, as well as creating, accepting, rejecting, and deleting an inbound VPC peering connection to your stream processing instance instances.

Prerequisites

To create and configure connections, you must have the following:

  • An Atlas project

  • An Atlas user with the Project Owner or the Project Stream Processing Owner role to manage a connection registry

    Note

    The Project Owner role allows you to create database deployments, manage project access and project settings, manage IP Access List entries, and more.

    The Project Stream Processing Owner role enables Atlas Stream Processing actions such as viewing, creating, deleting, and editing stream processing instances, and creating, updating, and deleting VPC Peering connections in the connection registry.

    See Project Roles to learn more about the differences between the two roles.

  • An Atlas cluster

Create Outbound VPC Peering Connections

To create outbound VPC peering connections to your stream processing instance:

To create outbound VPC peering connections from your stream processing instance to your cloud provider VPC using the Atlas UI, see Add an Apache Kafka Connection.

To create outbound VPC peering connections to your stream processing instance using the API, see Return All Network Peering Connections in One Project.

Generate an Incoming VPC Peering Connection Request from Confluent

To set up and configure an AWS VPC peering connection initiated from a Confluent account:

1

Generate an API key to use the Atlas Cloud API.

  1. In Atlas, go to the Project Access Manager page.

  2. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

  3. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  4. Do one of the following steps:

    • Select Project Access from the Access Manager menu in the navigation bar.

    • Next to the Projects menu, expand the Options menu, click Project Settings, and click Access Manager in the sidebar.

    The Project Access Manager page displays.

  5. Click Applications.

  6. Click Create API Key.

  7. On the Create API Key page, enter your API Key information.

  8. Save your API Key information.

  9. Click Done.

2

Retrieve the Atlas Cloud AWS Account ID, the VPC ID, and the CIDR block.

A sample API request resembles the following:

curl \
-s --user "ajarafoc:a98a3a67-7400-4d6f-94b2-20a64118524d" \
--digest \
--header 'Accept: application/vnd.atlas.2024-11-13+json' \
--header 'Content-Type: application/json' \
--request GET \ "https://cloud.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/accountDetails?cloudProvider=aws&regionName=US_EAST_1"

Note the following example parameter values:

Parameter values
Description

ajarafoc:a98a3a67-7400-4d6f-94b2-20a64118524d

The API public key and private key

671a86f4cfc9da7d7c31b14f

The Atlas project Id

AWS

The Cloud provider

US_EAST_1

The AWS region name

A sample output resembles the following:

{
   "awsAccountId": "974404375205",
   "cidrBlock": "192.168.248.0/21",
   "vpcId": "vpc-0ef7efa5ceca36e2f"
}
3

Configure a network configuration.

A Confluent Network Configuration that supports VPC peering is required before you create a VPC peering connection. If a network configuration doesn't yet exist in your account, then select AWS as your cloud provider and select a region from the Add Network Configuration field in Confluent Cloud.

Note

If a Confluent VPC Peering Network Configuration already exists in your account, then proceed to Step 7.

4

Click Continue and select VPC Peering in the next page.

Select three different Zones and the CIDR block for the Confluent AWS VPC.

5

Click Add Network Connection.

6

Open the Confluent VPC Peering Network Configuration, and click VPC Peering.

7

Provide the connection with a name, an Atlas AWS Account ID, a VPC ID, and the CIDR block from Step 2, and click Add.

8

The VPC peering connection request displays in Atlas after a potential delay.

To see your pending request in your Atlas account, execute an API request similar to:

curl \
-s --user "ojarafoc:1ecf4c70-98ea-4168-8e44-fd67dba0f3ba" \
--digest \
--header 'Accept: application/vnd.atlas.2023-02-01+json' \
--header 'Content-Type: application/json' \
--request GET \
"https://cloud-dev.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/vpcPeeringConnections?requesterAccountId=417601102659"

Note the following example parameter values:

Parameter values
Description

ajarafoc:a98a3a67-7400-4d6f-94b2-20a64118524d

The API public key and private key

671a86f4cfc9da7d7c31b14f

The Atlas project Id

417601102659

The Confluent AWS Account ID obtained in Step 7

A sample output resembles the following:

{
   "links": [
      {
         "href": "https://cloud-dev.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/vpcPeeringConnections?requesterAccountId=417601102659&pageNum=1&itemsPerPage=100",
         "rel": "self"
      }
   ],
   "results": [
      {
         "_id": "6759e61aa6cf0a5476e233d1",
         "accepterAccountId": "974404375205",
         "accepterVpcId": "vpc-0ddfd37072cc5ed61",
         "cloudStatus": "pending-acceptance",
         "expirationTime": "2024-12-18T19:20:37Z",
         "groupId": "671a86f4cfc9da7d7c31b14f",
         "localStatus": "NONE",
         "name": "pcx-09277e1e81d0751c1",
         "requesterAccountId": "417601102659",
         "requesterCidr": "10.0.0.0/16",
         "requesterVpcId": "vpc-0d13eb6a2f0377854"
      }
   ],
   "totalCount": 1
}
9

Accept the incoming VPC Peering connection request.

Note that the cloudStatus value is pending-acceptance.

Execute the following API request:

curl \
-s --user "ojarafoc:1ecf4c70-98ea-4168-8e44-fd67dba0f3ba" \
--digest \
--header 'Accept: application/vnd.atlas.2023-02-01+json' \
--header 'Content-Type: application/json' \
-d '{"requesterVpcId": "vpc-0d13eb6a2f0377854", "requesterAccountId":"417601102659"}' \
--request POST \
"https://cloud-dev.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/vpcPeeringConnections/pcx-09277e1e81d0751c1:accept"

Note the following example parameter values:

Parameter values
Description

ajarafoc:a98a3a67-7400-4d6f-94b2-20a64118524d

The API public key and private key

{"requesterVpcId": "vpc-0d13eb6a2f0377854", "requesterAccountId":"417601102659"}

This is the POST payload containing the “requester”s VPC ID, and the “requester”s AWS Account ID. In this case, the “requester” is Confluent.

671a86f4cfc9da7d7c31b14f

The Atlas project Id

pcx-09277e1e81d0751c1

The incoming VPC connection name obtained from the previous step

10

Verify that the connection was accepted.

To do this, repeat Step 9 and observe the cloudStatus field value. When the connection is finally accepted, the value should return active.

Get AWS Account ID and VPC ID for a Project

If you want to create inbound VPC peering connections to your stream processing instance, you first need to retrieve the AWS account ID, the AWS VPC ID, and the CIDR block associated with your Atlas project to initiate a VPC peering request from an external cloud environment.

To retrieve the AWS account ID, the AWS VPC ID, and the CIDR block for an Atlas project using the Atlas Administration API, see Returns the Account ID, and the VPC ID for the group and region specified.

List Inbound VPC Peering Connections

To list all inbound VPC peering connections to your stream processing instance using the Atlas Administration API, see Return All VPC Peering Connections.

Accept an Inbound VPC Peering Connection

To accept an inbound VPC peering connection to your stream processing instance using the Atlas Administration API, see Requests the acceptance of an incoming VPC Peering connection.

A sample API request resembles the following:

curl \
-s --user "ojarafoc:1ecf4c70-98ea-4168-8e44-fd67dba0f3ba" \
--digest \
--header 'Accept: application/vnd.atlas.2023-02-01+json' \
--header 'Content-Type: application/json' \
-d '{"requesterVpcId": "vpc-0d13eb6a2f0377854", "requesterAccountId":"417601102659"}' \
--request POST \
"https://cloud-dev.mongodb.com/api/atlas/v2/groups/671a86f4cfc9da7d7c31b14f/streams/vpcPeeringConnections/pcx-09277e1e81d0751c1:accept"

Note the following example parameter values:

Parameter values
Description

ajarafoc:a98a3a67-7400-4d6f-94b2-20a64118524d

The API public key and private key

{"requesterVpcId": "vpc-0d13eb6a2f0377854", "requesterAccountId":"417601102659"}

The POST payload containing the request's VPC ID and AWS Account ID

671a86f4cfc9da7d7c31b14f

The Atlas project Id

pcx-09277e1e81d0751c1

The incoming VPC connection name obtained from listing inbound VPC peering connections

Reject an Inbound VPC Peering Connection

To reject an inbound VPC peering connection to your stream processing instance using the Atlas Administration API, see Requests the rejection of an incoming VPC Peering connection.

Delete an Inbound VPC Peering Connection

To delete an inbound VPC peering connection to your stream processing instance using the Atlas Administration API, see Deletes an incoming VPC Peering connection.

Back

Manage Stream Processors

Next

Aggregation Expressions