
Manage Private Endpoints for Dedicated Clusters


Note

This feature is not available for any of the following deployments:

  • M0 clusters

  • M2/M5 clusters

  • Flex clusters

Atlas Kubernetes Operator supports managing private endpoints for dedicated clusters on the following platforms:

  • AWS using the AWS PrivateLink feature.

  • Azure using the Azure Private Link feature.

  • Google Cloud using the Private Service Connect feature.

Before you begin, see Manage Private Endpoints.

To enable clients to connect to Atlas dedicated clusters using private endpoints:

AWS

1

Specify the spec.privateEndpoints parameter for the AtlasProject Custom Resource. In the spec.privateEndpoints.provider field, specify AWS. Replace the placeholder {aws-region} with the AWS region information for your private endpoints and run the following command:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  privateEndpoints:
    - provider: "AWS"
      region: "{aws-region}"
EOF

Atlas creates the VPC resources in the region you selected. This might take several minutes to complete.

2
  1. Run the following command:

    kubectl get atlasproject my-project -o yaml
  2. Note the service name string for each private endpoint within the status.privateEndpoints.serviceName field of the AtlasProject Custom Resource.

3

To create your application VPC interface endpoint:

  1. Copy the following command:

    aws ec2 create-vpc-endpoint --vpc-id {your-application-vpc-id} --region {aws-region} --service-name {service-name-string} --vpc-endpoint-type Interface --subnet-ids {your-application-subnet-ids}
  2. Replace the following placeholders with the details about your AWS VPC:

    your-application-vpc-id
    Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.
    aws-region
    Label that identifies the AWS region of the private endpoint.
    service-name-string
    Unique string that identifies the service name for your private endpoint. Find this value within the status.privateEndpoints.serviceName field of the AtlasProject Custom Resource.
    your-application-subnet-ids

    Unique strings that identify the subnets your AWS VPC uses. Separate each subnet with a space. Find these values on the Subnet dashboard in your AWS account.

    IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.

  3. Run the command with the AWS CLI.

  4. Note the VpcEndpointId value in the output.

    Example

    "VpcEndpoint": {
    "VpcEndpointId": "vpce-XXXXXX",
    "VpcEndpointType": "Interface",
    "VpcId": "vpc-XXXXX",
    "ServiceName": "com.amazonaws.vpce.{aws-region}.vpce-svc-XXXX",
    "State": "pendingAcceptance",

To learn more, see Creating an Interface Endpoint in the AWS documentation.

4

Update the spec.privateEndpoints parameter for the AtlasProject Custom Resource. Specify the AWS region and replace vpce-id with the VpcEndpointId values for your private endpoints and run the following command:

Note

You can find the unique identifier of the peer AWS VPC on the VPC dashboard in your AWS account.

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  privateEndpoints:
    - provider: "AWS"
      region: "{aws-region}"
      id: "{vpce-id}"
EOF

5

Run the following command:

kubectl get atlasproject my-project -o yaml

6
  1. Copy the following command:

    Important

    The following command requires jq 1.6 or higher.

    kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)';
  2. Replace the following placeholders with the details for your custom resources:

    my-project
    Specify the value of the metadata field of your AtlasProject Custom Resource.
    my-atlas-cluster
    Specify the value of the metadata field of your AtlasDeployment Custom Resource.
    my-database-user
    Specify the value of the metadata field of your AtlasDatabaseUser Custom Resource.
  3. Run the command.

    Note

    Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on).

    {
      "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
      "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
      "password": "P@@sword%",
      "username": "theuser"
    }

    You can use this secret in your application:

    containers:
      - name: test-app
        env:
          - name: "CONNECTION_STRING"
            valueFrom:
              secretKeyRef:
                name: my-project-my-atlas-cluster-my-database-user
                key: connectionStringPrivate

Azure

1

Specify the spec.privateEndpoints parameter for the AtlasProject Custom Resource. In the spec.privateEndpoints.provider field, specify AZURE. Replace the placeholder {azure-region} with the Azure region information for your private endpoints and run the following command:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  privateEndpoints:
    - provider: "AZURE"
      region: "{azure-region}"
EOF

Atlas creates the VNET resources in the region you selected. This might take several minutes to complete.

2

Atlas doesn't support network policies for private endpoints.

  1. Copy the following command:

    az network vnet subnet update --resource-group {resource-group-name} --vnet-name {vnet-name} --name {subnet-name} --disable-private-endpoint-network-policies true
  2. Replace the following placeholders with the details about your Azure VNet:

    resource-group-name
    Human-readable label for the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
    vnet-name
    Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
    subnet-name
    Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
  3. Run the command with the Azure CLI.

To learn more, see Manage network policies for private endpoints in the Azure documentation.

3
  1. Run the following command:

    kubectl get atlasproject my-project -o yaml
  2. Note the service resource ID and service name for each private endpoint within the status.privateEndpoints.serviceResourceId and status.privateEndpoints.serviceName fields of the AtlasProject Custom Resource.

4

To create your private endpoint:

  1. Copy the following command:

    az network private-endpoint create --resource-group {resource-group-name} --name {endpoint-name} --vnet-name {vnet-name} --subnet {subnet-name} --private-connection-resource-id {serviceResourceId} --connection-name {serviceName} --manual-request true
  2. Replace the following placeholders with the details about your Azure VNet:

    resource-group-name
    Human-readable label for the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
    endpoint-name
    Human-readable label that identifies your private endpoint. Specify this now.
    vnet-name
    Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
    subnet-name
    Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
    serviceResourceId
    Unique string that identifies the service resource for your private endpoint. Find this value within the status.privateEndpoints.serviceResourceId field of the AtlasProject Custom Resource.
    serviceName
    Unique string that identifies the service name for your private endpoint. Find this value within the status.privateEndpoints.serviceName field of the AtlasProject Custom Resource.
  3. Run the command with the Azure CLI.

5

Update the spec.privateEndpoints parameter for the AtlasProject Custom Resource. Specify the Azure region, Resource ID, and IP address information for your private endpoints and run the following command:

Note

The Properties page on your Azure dashboard displays the unique identifier for the private endpoint that you created in the Resource ID field.

The Overview page on your Azure dashboard displays the private IP address of the private endpoint network interface that you created in the Private IP field.

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  privateEndpoints:
    - provider: "AZURE"
      region: "{azure-region}"
      id: "{resource-id}"
      ip: "{private-ip}"
EOF

6

Run the following command:

kubectl get atlasproject my-project -o yaml

7
  1. Copy the following command:

    Important

    The following command requires jq 1.6 or higher.

    kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)';
  2. Replace the following placeholders with the details for your custom resources:

    my-project
    Specify the value of the metadata field of your AtlasProject Custom Resource.
    my-atlas-cluster
    Specify the value of the metadata field of your AtlasDeployment Custom Resource.
    my-database-user
    Specify the value of the metadata field of your AtlasDatabaseUser Custom Resource.
  3. Run the command.

    Note

    Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on).

    {
      "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
      "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
      "password": "P@@sword%",
      "username": "theuser"
    }

    You can use this secret in your application:

    containers:
      - name: test-app
        env:
          - name: "CONNECTION_STRING"
            valueFrom:
              secretKeyRef:
                name: my-project-my-atlas-cluster-my-database-user
                key: connectionStringPrivate

Google Cloud

1

Specify the spec.privateEndpoints parameter for the AtlasProject Custom Resource. In the spec.privateEndpoints.provider field, specify GCP. Replace the placeholder {gcp-region} with the Google Cloud Platform region information for your private endpoints and run the following command:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  privateEndpoints:
    - provider: "GCP"
      region: "{gcp-region}"
EOF

Atlas creates the VPC resources in the region you selected. This might take several minutes to complete.

2
  1. Run the following command:

    kubectl get atlasproject my-project -o yaml
  2. Note the {unique-id} that follows projects/ in each service attachment name. The {unique-id} in the following example is p-ogyvk1plka2anycnzl6znr9p.

    Example

    "serviceAttachmentNames": [
      "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-0",
      "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-1",
      "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-2",
      "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-3",
      "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-4",
      "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-5"
    ]

3

To edit the private endpoints and generate the necessary script with the Atlas UI, see Configure Private Endpoints.

To configure your private endpoints manually:

  1. Copy the following shell script:

    #!/bin/bash
    gcloud config set project {google-cloud-project-id}
    # Reserve one internal address per service attachment (six in total).
    for i in {0..5}
    do
      gcloud compute addresses create {private-service-connect-endpoint-prefix}-ip-$i --region={gcp-region} --subnet={subnet-name}
    done
    # Stop if any address did not reach RESERVED; the quotes keep the test valid when describe returns nothing.
    for i in {0..5}
    do
      if [ "$(gcloud compute addresses describe {private-service-connect-endpoint-prefix}-ip-$i --region={gcp-region} --format="value(status)")" != "RESERVED" ]; then
        echo "{private-service-connect-endpoint-prefix}-ip-$i is not RESERVED";
        exit 1;
      fi
    done
    # Create one forwarding rule per reserved address, each targeting the matching Atlas service attachment.
    for i in {0..5}
    do
      gcloud compute forwarding-rules create {private-service-connect-endpoint-prefix}-$i --region={gcp-region} --network={vpc-name} --address={private-service-connect-endpoint-prefix}-ip-$i --target-service-attachment=projects/{unique-id}/regions/{gcp-region}/serviceAttachments/sa-{gcp-region}-{org-id}-$i
    done
    if [ $(gcloud compute forwarding-rules list --regions={gcp-region} --format="csv[no-heading](name)" --filter="name:{private-service-connect-endpoint-prefix}" | wc -l) -gt 50 ]; then
      echo "Project has too many forwarding rules that match prefix {endpoint-name}. Either delete the competing resources or choose another endpoint prefix."
      exit 2;
    fi
    gcloud compute forwarding-rules list --regions={gcp-region} --format="json(IPAddress,name)" --filter="name:{private-service-connect-endpoint-prefix}" > atlasEndpoints-{endpoint-name}.json
  2. Replace the following placeholders with the details about your Google Cloud VPC:

    google-cloud-project-id
    Unique ID that identifies your Google Cloud project. Find this value on the Dashboard page on your Google Cloud platform.
    private-service-connect-endpoint-prefix
    Human-readable label that prefixes all endpoints created and identifies the endpoint group.
    gcp-region
    Label that identifies the Google Cloud Platform region of the private endpoint.
    subnet-name
    Human-readable label that identifies the subnet in your Google Cloud VPC. Find this value on the VPC Networks page on your Google Cloud dashboard.
    vpc-name
    Human-readable label that identifies the VPC that you want to use to connect to Atlas. Find this value on the VPC Networks page on your Google Cloud dashboard.
    unique-id
    Unique string that you noted when you returned the project status.
    org-id
    Unique 24-digit hexadecimal string that identifies the Atlas organization.
  3. Save the shell file as setup_psc.sh and run the script from the directory where you saved the file with the following command. The script relies on bash brace expansion ({0..5}), so run it with bash rather than a plain sh, which may not expand the ranges:

    bash setup_psc.sh

    The script creates an atlasEndpoints-{endpoint-name}.json output file that contains a list of IP addresses and forwarding rule names.

  4. Run the following commands to format the output for Atlas Kubernetes Operator:

    yq e -P atlasEndpoints-{endpoint-name}.json > atlasEndpoints-user-private-endpoint.yaml
    awk '{sub("name","endpointName"); sub("IPAddress","ipAddress"); print}' atlasEndpoints-user-private-endpoint.yaml

    The output should resemble the following example:

    - ipAddress: 10.0.0.00
      endpointName: {endpoint-name}-0
    - ipAddress: 10.0.0.01
      endpointName: {endpoint-name}-1
    - ipAddress: 10.0.0.02
      endpointName: {endpoint-name}-2
    - ipAddress: 10.0.0.03
      endpointName: {endpoint-name}-3
    - ipAddress: 10.0.0.04
      endpointName: {endpoint-name}-4
    - ipAddress: 10.0.0.05
      endpointName: {endpoint-name}-5
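As an added example (not part of the MongoDB documentation or the operator), the following Python script performs the same transformation as the yq/awk pipeline above and validates the listing before it goes into the manifest: every forwarding-rule name must carry the endpoint prefix and an index 0..5, and every address must be a well-formed, unique IP. The embedded JSON and the prefix psc-atlas are constructed sample values.

```python
"""Turn the forwarding-rule listing written by setup_psc.sh into the
spec.privateEndpoints[].endpoints block and validate it before kubectl apply."""
import ipaddress
import json
import re

# Constructed sample of atlasEndpoints-{endpoint-name}.json, i.e. the output of
# gcloud ... --format="json(IPAddress,name)"; the prefix "psc-atlas" is assumed.
SAMPLE_JSON = json.dumps([
    {"IPAddress": "10.0.0.10", "name": "psc-atlas-0"},
    {"IPAddress": "10.0.0.11", "name": "psc-atlas-1"},
    {"IPAddress": "10.0.0.12", "name": "psc-atlas-2"},
    {"IPAddress": "10.0.0.13", "name": "psc-atlas-3"},
    {"IPAddress": "10.0.0.14", "name": "psc-atlas-4"},
    {"IPAddress": "10.0.0.15", "name": "psc-atlas-5"},
])


def parse_forwarding_rules(text, prefix, expected=6):
    """Return [(index, name, ip)] sorted by index.

    Raises ValueError for anything that would produce a bad manifest: a rule that
    does not carry the prefix, a malformed address, a duplicate index or address,
    or a set of indices other than 0..expected-1 (one endpoint per service
    attachment, six for the script on this page).
    """
    pattern = re.compile(r"^" + re.escape(prefix) + r"-(\d+)$")
    seen_idx, seen_ip, rules = set(), set(), []
    for rule in json.loads(text):
        match = pattern.match(rule["name"])
        if not match:
            raise ValueError(f"rule {rule['name']!r} does not match prefix {prefix!r}")
        idx = int(match.group(1))
        ip = ipaddress.ip_address(rule["IPAddress"])  # rejects empty/malformed values
        if idx in seen_idx or ip in seen_ip:
            raise ValueError(f"duplicate index or address in {rule}")
        seen_idx.add(idx)
        seen_ip.add(ip)
        rules.append((idx, rule["name"], str(ip)))
    if seen_idx != set(range(expected)):
        raise ValueError(f"expected indices 0..{expected - 1}, got {sorted(seen_idx)}")
    return sorted(rules)


def endpoints_yaml(rules, indent=6):
    """Render the endpoints: block at the depth it has under the GCP provider entry."""
    pad = " " * indent
    lines = [f"{pad}endpoints:"]
    for _idx, name, ip in rules:
        lines.append(f"{pad}  - ipAddress: {ip}")
        lines.append(f"{pad}    endpointName: {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(endpoints_yaml(parse_forwarding_rules(SAMPLE_JSON, "psc-atlas")), end="")
```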
4

Update the spec.privateEndpoints parameter for the AtlasProject Custom Resource. Specify the Google Cloud Platform region, Google Cloud Project ID, Private Service Endpoint Prefix, your output information, and run the following command:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  privateEndpoints:
    - provider: "GCP"
      region: "{gcp-region}"
      gcpProjectId: "{project-id}"
      endpointGroupName: "{endpoint-name}"
      endpoints:
        - ipAddress: {ip-address}
          endpointName: {endpoint-name}-0
        - ipAddress: {ip-address}
          endpointName: {endpoint-name}-1
        - ipAddress: {ip-address}
          endpointName: {endpoint-name}-2
        - ipAddress: {ip-address}
          endpointName: {endpoint-name}-3
        - ipAddress: {ip-address}
          endpointName: {endpoint-name}-4
        - ipAddress: {ip-address}
          endpointName: {endpoint-name}-5
EOF

5

Run the following command:

kubectl get atlasproject my-project -o yaml

6
  1. Copy the following command:

    Important

    The following command requires jq 1.6 or higher.

    kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)';
  2. Replace the following placeholders with the details for your custom resources:

    my-project
    Specify the value of the metadata field of your AtlasProject Custom Resource.
    my-atlas-cluster
    Specify the value of the metadata field of your AtlasDeployment Custom Resource.
    my-database-user
    Specify the value of the metadata field of your AtlasDatabaseUser Custom Resource.
  3. Run the command.

    Note

    Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on).

    {
      "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
      "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
      "password": "P@@sword%",
      "username": "theuser"
    }

    You can use this secret in your application:

    containers:
      - name: test-app
        env:
          - name: "CONNECTION_STRING"
            valueFrom:
              secretKeyRef:
                name: my-project-my-atlas-cluster-my-database-user
                key: connectionStringPrivate
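The final step for each platform (AWS, Azure and Google Cloud) decodes the same connection secret. The following Python check is an added example, not part of the MongoDB documentation or the operator: it enumerates every connectionStringPrivate* entry (numeric suffixes and the Srv form included), verifies that the hosts are private-endpoint hosts and that plain mongodb:// strings enable TLS, and never reads the password. The secret contents are constructed; the connectionStringStandard key is an assumed extra entry the audit must skip, and the "pl-" host marker is inferred from the sample hostnames above.

```python
"""Audit the decoded connection secret: list every private connection string
(suffixed ones included), confirm it points at private-endpoint hosts and
enables TLS, and never touch the password."""
from urllib.parse import parse_qs

# Constructed sample shaped like the decoded secret above. The suffixed key stands
# for a second private endpoint; connectionStringStandard is an assumed extra key
# that the audit must ignore. Hostnames and the replica-set name are illustrative.
SAMPLE_SECRET = {
    "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,"
    "pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026"
    "/?ssl=true&replicaSet=atlas-18bndf-shard-0",
    "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
    "connectionStringPrivate1": "mongodb://pl-1-eastus2.uzgh6.mongodb.net:1024"
    "/?ssl=true&replicaSet=atlas-18bndf-shard-0",
    "connectionStringStandard": "mongodb://cluster0-shard-00-00.uzgh6.mongodb.net:27017"
    "/?ssl=true&replicaSet=atlas-18bndf-shard-0",
    "password": "P@@sword%",
    "username": "theuser",
}


def private_connection_strings(secret):
    """Every connectionStringPrivate* key, including numeric suffixes and *Srv."""
    return {k: v for k, v in secret.items() if k.startswith("connectionStringPrivate")}


def parse_mongo_uri(uri):
    """Split a MongoDB URI into (scheme, [hostnames], query params) without a driver."""
    scheme, _, rest = uri.partition("://")
    authority, _, tail = rest.partition("/")
    hostpart = authority.rpartition("@")[2]          # drop user:pass@ if embedded
    hosts = [h.split(":")[0] for h in hostpart.split(",") if h]
    return scheme, hosts, parse_qs(tail.partition("?")[2])


def audit_secret(secret, marker="pl-"):
    """Map each private connection-string key to a list of findings (empty = OK).

    The "pl-" marker is an assumption taken from the sample, where private-endpoint
    hosts are named pl-<n>-<region>...; confirm it against your own cluster.
    """
    report = {}
    for key, uri in private_connection_strings(secret).items():
        scheme, hosts, params = parse_mongo_uri(uri)
        findings = []
        if scheme not in ("mongodb", "mongodb+srv"):
            findings.append(f"unexpected scheme {scheme!r}")
        findings += [f"{h}: not a private-endpoint host" for h in hosts if marker not in h]
        # mongodb+srv enables TLS by default; plain mongodb:// must say so explicitly,
        # and a missing '&' (ssl=truereplicaSet=...) silently breaks that.
        if scheme == "mongodb" and params.get("ssl") != ["true"] and params.get("tls") != ["true"]:
            findings.append("TLS is not enabled in the query string")
        report[key] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_secret(SAMPLE_SECRET).items():
        print(key, "OK" if not findings else findings)
```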
