Manage Private Endpoints for Dedicated Clusters
Note: This feature is not available for any of the following deployments: M0 clusters, M2/M5 clusters, Flex clusters.
Atlas Kubernetes Operator supports managing private endpoints for dedicated clusters on the following platforms:
AWS using the AWS PrivateLink feature.
Azure using the Azure Private Link feature.
Google Cloud using the Private Service Connect feature.
Before you begin, see Manage Private Endpoints.
Procedure
To enable clients to connect to Atlas dedicated clusters using private endpoints:
AWS

Specify the spec.privateEndpoints parameter.

Specify the spec.privateEndpoints parameter for the AtlasProject Custom Resource. In the spec.privateEndpoints.provider field, specify AWS. Replace the placeholder {aws-region} with the AWS region information for your private endpoints and run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      privateEndpoints:
        - provider: "AWS"
          region: "{aws-region}"
    EOF
Atlas creates the VPC resources in the region you selected. This might take several minutes to complete.
Find the service names for your private endpoints.

Run the following command:

    kubectl get atlasproject my-project -o yaml

Note the service name string for each private endpoint within the status.privateEndpoints.serviceName field of the AtlasProject Custom Resource.
Use the AWS CLI to configure each private endpoint.

To create your application VPC interface endpoint:

Copy the following command:

    aws ec2 create-vpc-endpoint --vpc-id {your-application-vpc-id} --region {aws-region} --service-name {service-name-string} --vpc-endpoint-type Interface --subnet-ids {your-application-subnet-ids}

Replace the following placeholders with the details about your AWS VPC:

your-application-vpc-id: Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.
aws-region: Label that identifies the AWS region of the private endpoint.
service-name-string: Unique string that identifies the service name for your private endpoint. Find this value within the status.privateEndpoints.serviceName field of the AtlasProject Custom Resource.
your-application-subnet-ids: Unique strings that identify the subnets your AWS VPC uses. Separate each subnet with a space. Find these values on the Subnet dashboard in your AWS account.

IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.

Run the command with the AWS CLI.
Note the VpcEndpointId value in the output.

Example:

    "VpcEndpoint": {
        "VpcEndpointId": "vpce-XXXXXX",
        "VpcEndpointType": "Interface",
        "VpcId": "vpc-XXXXX",
        "ServiceName": "com.amazonaws.vpce.{aws-region}.vpce-svc-XXXX",
        "State": "pendingAcceptance",

To learn more, see Creating an Interface Endpoint in the AWS documentation.
Update the spec.privateEndpoints parameter.

Update the spec.privateEndpoints parameter for the AtlasProject Custom Resource. Specify the AWS region and replace vpce-id with the VpcEndpointId values for your private endpoints and run the following command:

Note: You can find the unique identifier of the peer AWS VPC on the VPC dashboard in your AWS account.

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      privateEndpoints:
        - provider: "AWS"
          region: "{aws-region}"
          id: "{vpce-id}"
    EOF
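Before writing the VpcEndpointId back into the Custom Resource it is worth confirming that the endpoint you just created actually targets the service name Atlas published for that region; a copy-paste slip in --service-name otherwise puts an unrelated endpoint's id into the CR and the connection never gets accepted. The following Python is an added example for the AWS flow, not code from the operator or its docs. It reads two constructed JSON documents standing in for `kubectl get atlasproject my-project -o json` and the `aws ec2 create-vpc-endpoint` output, and assumes the status.privateEndpoints entries carry provider and region alongside serviceName (used only as filter keys).

```python
"""Cross-check a freshly created AWS interface endpoint against the AtlasProject
status before writing its id back into spec.privateEndpoints.

Added example; not part of the Atlas Kubernetes Operator docs or code base.
The two JSON documents are constructed stand-ins for the output of
`kubectl get atlasproject my-project -o json` and `aws ec2 create-vpc-endpoint`.
"""
import json

# Constructed stand-in for `kubectl get atlasproject my-project -o json`.
# Only the fields this example reads are populated; provider/region on the
# status entries are assumed to be present and are used only for filtering.
ATLAS_PROJECT_JSON = json.dumps({
    "apiVersion": "atlas.mongodb.com/v1",
    "kind": "AtlasProject",
    "metadata": {"name": "my-project"},
    "spec": {
        "name": "Test Atlas Operator Project",
        "privateEndpoints": [{"provider": "AWS", "region": "us-east-1"}],
    },
    "status": {
        "privateEndpoints": [{
            "provider": "AWS",
            "region": "us-east-1",
            "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
        }]
    },
})

# Constructed stand-in for the output of `aws ec2 create-vpc-endpoint`.
CREATE_ENDPOINT_JSON = json.dumps({
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-0fedcba9876543210",
        "VpcEndpointType": "Interface",
        "VpcId": "vpc-0a1b2c3d4e5f60718",
        "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
        "State": "pendingAcceptance",
    }
})


def atlas_service_names(atlas_project_json, provider, region):
    """Service names Atlas published for this provider and region
    (status.privateEndpoints[].serviceName)."""
    doc = json.loads(atlas_project_json)
    return {
        pe["serviceName"]
        for pe in doc.get("status", {}).get("privateEndpoints", [])
        if pe.get("provider") == provider
        and pe.get("region") == region
        and pe.get("serviceName")
    }


def endpoint_id_for_atlas(create_output_json, service_names, region):
    """Return the VpcEndpointId, but only for an Interface endpoint whose
    ServiceName is one Atlas published for this region."""
    ep = json.loads(create_output_json)["VpcEndpoint"]
    if ep.get("VpcEndpointType") != "Interface":
        raise ValueError(f"expected an Interface endpoint, got {ep.get('VpcEndpointType')}")
    svc = ep.get("ServiceName", "")
    if svc not in service_names:
        raise ValueError(f"{svc} is not a serviceName from the AtlasProject status")
    if f".{region}." not in svc:
        raise ValueError(f"{svc} is not in region {region}")
    # "pendingAcceptance" is the normal state right after creation (as in the
    # sample output on this page); acceptance happens on the Atlas side once
    # the id is in spec.privateEndpoints.
    return ep["VpcEndpointId"]


def manifest_with_endpoint_id(atlas_project_json, provider, region, endpoint_id):
    """Return the AtlasProject manifest with the id filled into the matching
    spec.privateEndpoints entry; other entries are left untouched.
    `kubectl apply -f -` accepts JSON, so the result can be piped straight in."""
    doc = json.loads(atlas_project_json)
    for entry in doc["spec"].get("privateEndpoints", []):
        if entry.get("provider") == provider and entry.get("region") == region and not entry.get("id"):
            entry["id"] = endpoint_id
            break
    else:
        raise ValueError(f"no spec.privateEndpoints entry for {provider}/{region} without an id")
    return {
        "apiVersion": doc["apiVersion"],
        "kind": doc["kind"],
        "metadata": {"name": doc["metadata"]["name"]},
        "spec": doc["spec"],
    }


if __name__ == "__main__":
    names = atlas_service_names(ATLAS_PROJECT_JSON, "AWS", "us-east-1")
    vpce_id = endpoint_id_for_atlas(CREATE_ENDPOINT_JSON, names, "us-east-1")
    print(json.dumps(manifest_with_endpoint_id(ATLAS_PROJECT_JSON, "AWS", "us-east-1", vpce_id), indent=2))
```

In real use, replace the two constants with the live command outputs and pipe the printed manifest into `kubectl apply -f -`; the same shape of check applies to the Azure flow with serviceResourceId in place of the AWS service name.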
Retrieve the secret that Atlas Kubernetes Operator created to connect to the cluster.

Copy the following command:

Important: The following command requires jq 1.6 or higher.

    kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)'

Replace the following placeholders with the details for your custom resources:

my-project: Specify the value of the metadata.name field of your AtlasProject Custom Resource.
my-atlas-cluster: Specify the value of the metadata.name field of your AtlasDeployment Custom Resource.
my-database-user: Specify the value of the metadata.name field of your AtlasDatabaseUser Custom Resource.

Run the command.

Note: Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on). The decoded output includes the database user's password in clear text, so treat it like any other credential and keep it out of shell history, logs and tickets.

    {
      "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
      "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
      "password": "P@@sword%",
      "username": "theuser"
    }

You can use this secret in your application:

    containers:
      - name: test-app
        env:
          - name: "CONNECTION_STRING"
            valueFrom:
              secretKeyRef:
                name: my-project-my-atlas-cluster-my-database-user
                key: connectionStringPrivate
Azure

Specify the spec.privateEndpoints parameter.

Specify the spec.privateEndpoints parameter for the AtlasProject Custom Resource. In the spec.privateEndpoints.provider field, specify AZURE. Replace the placeholder {azure-region} with the Azure region information for your private endpoints and run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      privateEndpoints:
        - provider: "AZURE"
          region: "{azure-region}"
    EOF
Atlas creates the VNET resources in the region you selected. This might take several minutes to complete.
Disable private endpoint network policies.

Atlas doesn't support network policies for private endpoints.

Copy the following command:

    az network vnet subnet update --resource-group {resource-group-name} --vnet-name {vnet-name} --name {subnet-name} --disable-private-endpoint-network-policies true

Replace the following placeholders with the details about your Azure VNet:

resource-group-name: Human-readable label for the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
vnet-name: Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
subnet-name: Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.

Run the command with the Azure CLI.

To learn more, see Manage network policies for private endpoints in the Azure documentation.
Find the service IDs and names for your private endpoints.

Run the following command:

    kubectl get atlasproject my-project -o yaml

Note the service resource ID and service name for each private endpoint within the status.privateEndpoints.serviceResourceId and status.privateEndpoints.serviceName fields of the AtlasProject Custom Resource.
Use the Azure CLI to configure each private endpoint.

To create your private endpoint:

Copy the following command:

    az network private-endpoint create --resource-group {resource-group-name} --name {endpoint-name} --vnet-name {vnet-name} --subnet {subnet-name} --private-connection-resource-id {serviceResourceId} --connection-name {serviceName} --manual-request true

Replace the following placeholders with the details about your Azure VNet:

resource-group-name: Human-readable label for the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
endpoint-name: Human-readable label that identifies your private endpoint. Specify this now.
vnet-name: Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
subnet-name: Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
serviceResourceId: Unique string that identifies the service resource for your private endpoint. Find this value within the status.privateEndpoints.serviceResourceId field of the AtlasProject Custom Resource.
serviceName: Unique string that identifies the service name for your private endpoint. Find this value within the status.privateEndpoints.serviceName field of the AtlasProject Custom Resource.

Run the command with the Azure CLI.
Update the spec.privateEndpoints parameter.

Update the spec.privateEndpoints parameter for the AtlasProject Custom Resource. Specify the Azure region, Resource ID, and IP address information for your private endpoints and run the following command. Keep the provider value identical to the one you used when you created the entry (AZURE), so the operator updates the existing private endpoint instead of treating it as a new one.

Note: The Properties page on your Azure dashboard displays the unique identifier for the private endpoint that you created in the Resource ID field. The Overview page on your Azure dashboard displays the private IP address of the private endpoint network interface that you created in the Private IP field.

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      privateEndpoints:
        - provider: "AZURE"
          region: "{azure-region}"
          id: "{resource-id}"
          ip: "{private-ip}"
    EOF
Retrieve the secret that Atlas Kubernetes Operator created to connect to the cluster.

Copy the following command:

Important: The following command requires jq 1.6 or higher.

    kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)'

Replace the following placeholders with the details for your custom resources:

my-project: Specify the value of the metadata.name field of your AtlasProject Custom Resource.
my-atlas-cluster: Specify the value of the metadata.name field of your AtlasDeployment Custom Resource.
my-database-user: Specify the value of the metadata.name field of your AtlasDatabaseUser Custom Resource.

Run the command.

Note: Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on). The decoded output includes the database user's password in clear text, so treat it like any other credential and keep it out of shell history, logs and tickets.

    {
      "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
      "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
      "password": "P@@sword%",
      "username": "theuser"
    }

You can use this secret in your application:

    containers:
      - name: test-app
        env:
          - name: "CONNECTION_STRING"
            valueFrom:
              secretKeyRef:
                name: my-project-my-atlas-cluster-my-database-user
                key: connectionStringPrivate
Google Cloud

Specify the spec.privateEndpoints parameter.

Specify the spec.privateEndpoints parameter for the AtlasProject Custom Resource. In the spec.privateEndpoints.provider field, specify GCP. Replace the placeholder {gcp-region} with the Google Cloud Platform region information for your private endpoints and run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      privateEndpoints:
        - provider: "GCP"
          region: "{gcp-region}"
    EOF
Atlas creates the VPC resources in the region you selected. This might take several minutes to complete.
Find the {unique-id} for your private endpoints.

Run the following command:

    kubectl get atlasproject my-project -o yaml

Note the {unique-id} that follows projects/ in each service attachment name. The {unique-id} in the following example is p-ogyvk1plka2anycnzl6znr9p.

Example:

    "serviceAttachmentNames": [
        "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-0",
        "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-1",
        "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-2",
        "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-3",
        "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-4",
        "projects/p-ogyvk1plka2anycnzl6znr9p/regions/us-east1/serviceAttachments/sa-us-east1-6274f45bcce0e51662a29b05-5"
    ]
Configure your private endpoints.

To edit the private endpoints and generate the necessary script with the Atlas UI, see Configure Private Endpoints.

To configure your private endpoints manually:

Copy the following shell script:

    #!/bin/bash
    gcloud config set project {google-cloud-project-id}

    # Reserve one internal IP address per service attachment.
    for i in {0..5}
    do
      gcloud compute addresses create {private-service-connect-endpoint-prefix}-ip-$i --region={gcp-region} --subnet={subnet-name}
    done

    # Stop if any reservation did not succeed.
    for i in {0..5}
    do
      if [ $(gcloud compute addresses describe {private-service-connect-endpoint-prefix}-ip-$i --region={gcp-region} --format="value(status)") != "RESERVED" ]; then
        echo "{private-service-connect-endpoint-prefix}-ip-$i is not RESERVED";
        exit 1;
      fi
    done

    # Create one forwarding rule per service attachment, bound to the reserved address.
    for i in {0..5}
    do
      gcloud compute forwarding-rules create {private-service-connect-endpoint-prefix}-$i --region={gcp-region} --network={vpc-name} --address={private-service-connect-endpoint-prefix}-ip-$i --target-service-attachment=projects/{unique-ID}/regions/{gcp-region}/serviceAttachments/sa-{gcp-region}-{org-id}-$i
    done

    if [ $(gcloud compute forwarding-rules list --regions={gcp-region} --format="csv[no-heading](name)" --filter="name:{private-service-connect-endpoint-prefix}" | wc -l) -gt 50 ]; then
      echo "Project has too many forwarding rules that match prefix {endpoint-name}. Either delete the competing resources or choose another endpoint prefix."
      exit 2;
    fi

    gcloud compute forwarding-rules list --regions={gcp-region} --format="json(IPAddress,name)" --filter="name:{private-service-connect-endpoint-prefix}" > atlasEndpoints-{endpoint-name}.json

The loop bounds (0..5) match the six service attachments in the example above; adjust them to the number of service attachment names in your AtlasProject status. The {endpoint-name} placeholder refers to the same value as {private-service-connect-endpoint-prefix}: the forwarding rules are named {private-service-connect-endpoint-prefix}-0 through -5, and those names are what the Custom Resource later lists as endpointName.

Replace the following placeholders with the details about your Google Cloud VPC:

google-cloud-project-id: Unique ID that identifies your Google Cloud project. Find this value on the Dashboard page on your Google Cloud platform.
private-service-connect-endpoint-prefix: Human-readable label that prefixes all endpoints created and identifies the endpoint group.
gcp-region: Label that identifies the Google Cloud Platform region of the private endpoint.
subnet-name: Human-readable label that identifies the subnet in your Google Cloud VPC. Find this value on the VPC Networks page on your Google Cloud dashboard.
vpc-name: Human-readable label that identifies the VPC that you want to use to connect to Atlas. Find this value on the VPC Networks page on your Google Cloud dashboard.
unique-id: Unique string that you noted when you returned the project status.
org-id: Unique 24-character hexadecimal string that identifies the Atlas organization.

Save the shell file as setup_psc.sh and run the script from the directory where you saved the file with the following command:

    bash setup_psc.sh

Run it with bash rather than sh: the script relies on brace expansion ({0..5}), which is a bash feature and is not available when sh is a POSIX shell such as dash.

The script creates an atlasEndpoints-{endpoint-name}.json output file that contains a list of IP addresses and forwarding rule names.

Run the following commands to format the output for Atlas Kubernetes Operator:

    yq e -P atlasEndpoints-{endpoint-name}.json > atlasEndpoints-user-private-endpoint.yaml
    awk 'sub("name","endpointName")sub("IPAddress","ipAddress")' atlasEndpoints-user-private-endpoint.yaml

The awk command writes the renamed fields to standard output; redirect it to a file if you want to keep the result. The output should resemble the following example:

    - ipAddress: 10.0.0.00
      endpointName: {endpoint-name}-0
    - ipAddress: 10.0.0.01
      endpointName: {endpoint-name}-1
    - ipAddress: 10.0.0.02
      endpointName: {endpoint-name}-2
    - ipAddress: 10.0.0.03
      endpointName: {endpoint-name}-3
    - ipAddress: 10.0.0.04
      endpointName: {endpoint-name}-4
    - ipAddress: 10.0.0.05
      endpointName: {endpoint-name}-5
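The yq/awk step above renames fields but does not check them, and the gcloud name: filter is a substring match, so a leftover rule from an earlier attempt with a similar prefix ends up in the list too. The following Python is an added example, not code from the operator or its docs: it turns the forwarding-rule listing into the endpoints list for the Custom Resource and refuses rules whose name doesn't follow {prefix}-{index}, whose IP lies outside the endpoint subnet, whose IP is reused, or whose indices don't form a complete 0..N-1 run. FORWARDING_RULES_JSON is a constructed stand-in for atlasEndpoints-{endpoint-name}.json, and the subnet CIDR passed in is an assumed input.

```python
"""Build the GCP spec.privateEndpoints entry from the forwarding-rule listing
that setup_psc.sh writes, checking it before anything reaches the CR.

Added example; not part of the operator docs or code. FORWARDING_RULES_JSON is
a constructed stand-in for atlasEndpoints-{endpoint-name}.json; the subnet
CIDR is an assumed input you take from your own VPC.
"""
import ipaddress
import json
import re

# Constructed stand-in for atlasEndpoints-{endpoint-name}.json, i.e. the output
# of `gcloud compute forwarding-rules list --format="json(IPAddress,name)"`.
# The last entry shares the prefix but is not one of our rules and must be ignored.
FORWARDING_RULES_JSON = json.dumps([
    {"IPAddress": "10.0.0.10", "name": "atlas-psc-0"},
    {"IPAddress": "10.0.0.11", "name": "atlas-psc-1"},
    {"IPAddress": "10.0.0.12", "name": "atlas-psc-2"},
    {"IPAddress": "10.0.0.13", "name": "atlas-psc-3"},
    {"IPAddress": "10.0.0.14", "name": "atlas-psc-4"},
    {"IPAddress": "10.0.0.15", "name": "atlas-psc-5"},
    {"IPAddress": "10.0.0.99", "name": "atlas-psc-old-0"},
])


def parse_forwarding_rules(listing_json, prefix, subnet_cidr, expected=6):
    """Return [{"ipAddress": ..., "endpointName": ...}] for indices 0..expected-1,
    in index order. Raises ValueError on anything the operator should not see."""
    subnet = ipaddress.ip_network(subnet_cidr)
    name_re = re.compile(rf"^{re.escape(prefix)}-(\d+)$")
    by_index, seen_ips = {}, set()
    for rule in json.loads(listing_json):
        match = name_re.match(rule.get("name", ""))
        if not match:
            continue  # gcloud's name: filter is a substring match; skip look-alikes
        index = int(match.group(1))
        ip = ipaddress.ip_address(rule["IPAddress"])
        if ip not in subnet:
            raise ValueError(f"{rule['name']}: {ip} is outside {subnet}")
        if ip in seen_ips:
            raise ValueError(f"{rule['name']}: {ip} is already used by another rule")
        if index in by_index:
            raise ValueError(f"duplicate forwarding rule index {index}")
        seen_ips.add(ip)
        by_index[index] = str(ip)
    if sorted(by_index) != list(range(expected)):
        raise ValueError(f"expected indices 0..{expected - 1}, found {sorted(by_index)}")
    return [{"ipAddress": by_index[i], "endpointName": f"{prefix}-{i}"} for i in range(expected)]


def atlas_project_manifest(name, display_name, region, gcp_project_id, prefix, endpoints):
    """AtlasProject manifest carrying the GCP private endpoint group. JSON is
    accepted by `kubectl apply -f -` just like the YAML on this page."""
    return {
        "apiVersion": "atlas.mongodb.com/v1",
        "kind": "AtlasProject",
        "metadata": {"name": name},
        "spec": {
            "name": display_name,
            "privateEndpoints": [{
                "provider": "GCP",
                "region": region,
                "gcpProjectId": gcp_project_id,
                "endpointGroupName": prefix,
                "endpoints": endpoints,
            }],
        },
    }


if __name__ == "__main__":
    eps = parse_forwarding_rules(FORWARDING_RULES_JSON, "atlas-psc", "10.0.0.0/24")
    manifest = atlas_project_manifest("my-project", "Test Atlas Operator Project",
                                      "us-east1", "my-gcp-project", "atlas-psc", eps)
    print(json.dumps(manifest, indent=2))
```

Set expected to the number of service attachments in your AtlasProject status (six in the example on this page) and pass the CIDR of the subnet you reserved the addresses in; the printed manifest can be piped into `kubectl apply -f -`.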
Update the spec.privateEndpoints parameter.

Update the spec.privateEndpoints parameter for the AtlasProject Custom Resource. Specify the Google Cloud Platform region, Google Cloud Project ID, Private Service Endpoint Prefix, your output information, and run the following command:

    cat <<EOF | kubectl apply -f -
    apiVersion: atlas.mongodb.com/v1
    kind: AtlasProject
    metadata:
      name: my-project
    spec:
      name: Test Atlas Operator Project
      privateEndpoints:
        - provider: "GCP"
          region: "{gcp-region}"
          gcpProjectId: "{project-id}"
          endpointGroupName: "{endpoint-name}"
          endpoints:
            - ipAddress: {ip-address}
              endpointName: {endpoint-name}-0
            - ipAddress: {ip-address}
              endpointName: {endpoint-name}-1
            - ipAddress: {ip-address}
              endpointName: {endpoint-name}-2
            - ipAddress: {ip-address}
              endpointName: {endpoint-name}-3
            - ipAddress: {ip-address}
              endpointName: {endpoint-name}-4
            - ipAddress: {ip-address}
              endpointName: {endpoint-name}-5
    EOF
Retrieve the secret that Atlas Kubernetes Operator created to connect to the cluster.

Copy the following command:

Important: The following command requires jq 1.6 or higher.

    kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)'

Replace the following placeholders with the details for your custom resources:

my-project: Specify the value of the metadata.name field of your AtlasProject Custom Resource.
my-atlas-cluster: Specify the value of the metadata.name field of your AtlasDeployment Custom Resource.
my-database-user: Specify the value of the metadata.name field of your AtlasDatabaseUser Custom Resource.

Run the command.

Note: Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on). The decoded output includes the database user's password in clear text, so treat it like any other credential and keep it out of shell history, logs and tickets.

    {
      "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
      "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
      "password": "P@@sword%",
      "username": "theuser"
    }

You can use this secret in your application:

    containers:
      - name: test-app
        env:
          - name: "CONNECTION_STRING"
            valueFrom:
              secretKeyRef:
                name: my-project-my-atlas-cluster-my-database-user
                key: connectionStringPrivate
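The secret step, repeated above for each provider, ends with an application wiring a connectionStringPrivate key into an environment variable. A cheap guard for that step is to confirm, before the value is handed to a driver, that it really is a private-endpoint string with TLS on, since a secret also carries other connection strings and picking the wrong key silently sends traffic over the public endpoint. The following Python is an added example, not code from the operator or its docs. It does the same decoding as the jq command, then checks the hostnames against the pl-<n>-<region> and <cluster>-pl-<n> shapes shown in the sample above. SECRET_JSON is a constructed stand-in for `kubectl get secret ... -o json`; the connectionStringStandard key in it is an assumed public counterpart included only as a contrast case.

```python
"""Decode the Secret the operator creates and check that the connection string
an application is about to consume is a private-endpoint string with TLS on.

Added example; not part of the operator docs or code. SECRET_JSON is a
constructed stand-in for `kubectl get secret <name> -o json`; its hostnames
follow the shape of the sample on this page.
"""
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for the Secret as returned by `kubectl get secret ... -o json`.
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-project-my-atlas-cluster-my-database-user"},
    "data": {
        "username": _b64("theuser"),
        "password": _b64("P@@sword%"),
        "connectionStringPrivate": _b64(
            "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,"
            "pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0"),
        "connectionStringPrivateSrv": _b64("mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net"),
        # Assumed public-endpoint key, present only to show what the check rejects.
        "connectionStringStandard": _b64(
            "mongodb://cluster0-shard-00-00.uzgh6.mongodb.net:27017/?ssl=true"),
    },
})

# Private-endpoint hostnames as they appear in the sample: pl-<n>-<region>.<hash>.mongodb.net
# in seed-list strings and <cluster>-pl-<n>.<hash>.mongodb.net in SRV strings.
PRIVATE_HOST = re.compile(r"^pl-\d+-[a-z0-9-]+\.[a-z0-9]+\.mongodb\.net$")
PRIVATE_SRV_HOST = re.compile(r"^[a-z0-9-]+-pl-\d+\.[a-z0-9]+\.mongodb\.net$")


def decode_secret(secret_json):
    """Same result as: jq -r '.data | with_entries(.value |= @base64d)'"""
    data = json.loads(secret_json)["data"]
    return {key: base64.b64decode(value).decode() for key, value in data.items()}


def _tls_enabled(parts):
    # mongodb+srv:// defaults to TLS on, mongodb:// to TLS off; tls= takes precedence over ssl=.
    query = parse_qs(parts.query)
    default = "true" if parts.scheme == "mongodb+srv" else "false"
    return (query.get("tls") or query.get("ssl") or [default])[0].lower() == "true"


def is_private_tls_uri(uri):
    """True only if every host is a private-endpoint hostname and TLS is enabled."""
    parts = urlsplit(uri)
    if parts.scheme == "mongodb+srv":
        return PRIVATE_SRV_HOST.match(parts.hostname or "") is not None and _tls_enabled(parts)
    if parts.scheme != "mongodb":
        return False
    host_list = parts.netloc.rsplit("@", 1)[-1]  # drop user:pass@ if credentials are embedded
    hosts = [h.rsplit(":", 1)[0] for h in host_list.split(",")]
    return bool(hosts) and all(PRIVATE_HOST.match(h) for h in hosts) and _tls_enabled(parts)


def private_connection_strings(decoded):
    """Pick the connectionStringPrivate[N] / connectionStringPrivateSrv[N] keys and
    refuse to hand back any that fail the private-plus-TLS check."""
    chosen = {}
    for key, value in decoded.items():
        if re.fullmatch(r"connectionStringPrivate(Srv)?\d*", key):
            if not is_private_tls_uri(value):
                raise ValueError(f"{key} is not a private TLS connection string")
            chosen[key] = value
    if not chosen:
        raise ValueError("secret has no connectionStringPrivate* keys")
    return chosen


if __name__ == "__main__":
    decoded = decode_secret(SECRET_JSON)
    for key in private_connection_strings(decoded):
        print(key, "ok")  # deliberately never prints decoded["password"]
```

The check is host-shape based, so it tells you that the string points at a private-link hostname and asks for TLS; it does not prove the route is private at runtime, which is what the VPC or VNet configuration in the earlier steps is for.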