
Manage Private Endpoints for Serverless Instances


Atlas Kubernetes Operator supports managing private endpoints for Serverless instances on the following platforms:

  • AWS using the AWS PrivateLink feature.

  • Azure using the Azure Private Link feature.

Note

Serverless instances don't support Private Service Connect. If you need to set up Private Service Connect, use a dedicated cluster.

MongoDB plans to add support for more configurations and capabilities on Serverless instances over time. To learn which features MongoDB plans to support for Serverless instances in the future, see Serverless Instance Limits.

Before you begin, see Manage Private Endpoints.

To enable clients to connect to Atlas Serverless instances using private endpoints, follow the procedure for the cloud provider that backs your instance.

AWS

1

Specify the spec.serverlessSpec.privateEndpoints parameter for the AtlasDeployment Custom Resource. In the spec.serverlessSpec.privateEndpoints.name field, specify a unique label to identify the private endpoint and run the following command:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: atlas-deployment-serverless
spec:
  projectRef:
    name: my-project
  serverlessSpec:
    name: serverless-instance
    tags:
      - key: "environment"
        value: "production"
    providerSettings:
      providerName: SERVERLESS
      backingProviderName: AWS
      regionName: US_EAST_1
    privateEndpoints:
      - name: "{unique-private-endpoint-label}"
EOF

Atlas creates the VPC resources. This might take several minutes to complete.

2
  1. Run the following command:

    kubectl get atlasdeployment atlas-deployment-serverless -o yaml
  2. Note the service name string for each private endpoint within the status.serverlessPrivateEndpoints.EndpointServiceName field of the AtlasDeployment Custom Resource.

3

To create your application VPC interface endpoint:

  1. Copy the following command:

    aws ec2 create-vpc-endpoint --vpc-id {your-application-vpc-id} --region {aws-region} --service-name {service-name-string} --vpc-endpoint-type Interface --subnet-ids {your-application-subnet-ids}
  2. Replace the following placeholders with the details about your AWS VPC:

    your-application-vpc-id
    Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.
    aws-region
    Label that identifies the AWS region of the private endpoint.
    service-name-string
    Unique string that identifies the service name for your private endpoint. Find this value within the status.serverlessPrivateEndpoints.EndpointServiceName field of the AtlasDeployment Custom Resource.
    your-application-subnet-ids

    Unique strings that identify the subnets your AWS VPC uses. Separate each subnet with a space. Find these values on the Subnet dashboard in your AWS account.

    IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.

  3. Run the command with the AWS CLI.

  4. Note the VpcEndpointId value in the output.

    Example

    "VpcEndpoint": {
        "VpcEndpointId": "vpce-XXXXXX",
        "VpcEndpointType": "Interface",
        "VpcId": "vpc-XXXXX",
        "ServiceName": "com.amazonaws.vpce.{aws-region}.vpce-svc-XXXX",
        "State": "pendingAcceptance",

To learn more, see Creating an Interface Endpoint in the AWS documentation.

4

Update the spec.serverlessSpec.privateEndpoints parameter for the AtlasDeployment Custom Resource. Replace {vpce-id} with the VpcEndpointId value of each private endpoint and run the following command:

Note

You can find the unique identifier of the peer AWS VPC on the VPC dashboard in your AWS account.

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: atlas-deployment-serverless
spec:
  projectRef:
    name: my-project
  serverlessSpec:
    name: serverless-instance
    tags:
      - key: "environment"
        value: "production"
    providerSettings:
      providerName: SERVERLESS
      backingProviderName: AWS
      regionName: US_EAST_1
    privateEndpoints:
      - name: "{unique-private-endpoint-label}"
        cloudProviderEndpointID: "{vpce-id}"
EOF

5

Run the following command:

kubectl get atlasdeployment atlas-deployment-serverless -o yaml

6
  1. Copy the following command:

    Important

    The following command requires jq 1.6 or higher.

    kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)';
  2. Replace the following placeholders with the details for your custom resources:

    my-project
    Specify the value of the metadata field of your AtlasProject Custom Resource.
    my-atlas-cluster
    Specify the value of the metadata field of your AtlasDeployment Custom Resource.
    my-database-user
    Specify the value of the metadata field of your AtlasDatabaseUser Custom Resource.
  3. Run the command.

    Note

    Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on).

    {
        "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
        "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
        "password": "P@@sword%",
        "username": "theuser"
    }

    You can use this secret in your application:

    containers:
      - name: test-app
        env:
          - name: "CONNECTION_STRING"
            valueFrom:
              secretKeyRef:
                name: my-project-my-atlas-cluster-my-database-user
                key: connectionStringPrivate

Azure

1

Specify the spec.serverlessSpec.privateEndpoints parameter for the AtlasDeployment Custom Resource. In the spec.serverlessSpec.privateEndpoints.name field, specify a unique label to identify the private endpoint and run the following command:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: atlas-deployment-serverless
spec:
  projectRef:
    name: my-project
  serverlessSpec:
    name: serverless-instance
    tags:
      - key: "environment"
        value: "production"
    providerSettings:
      providerName: SERVERLESS
      backingProviderName: AZURE
      regionName: US_EAST_2  # Atlas name for the Azure eastus2 region
    privateEndpoints:
      - name: "{unique-private-endpoint-label}"
EOF

Atlas creates the VNET resources. This might take several minutes to complete.

2

Atlas doesn't support network policies for private endpoints, so disable them on the subnet that will host the endpoint:

  1. Copy the following command:

    az network vnet subnet update --resource-group {resource-group-name} --vnet-name {vnet-name} --name {subnet-name} --disable-private-endpoint-network-policies true
  2. Replace the following placeholders with the details about your Azure VNet:

    resource-group-name
    Human-readable label for the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
    vnet-name
    Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
    subnet-name
    Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
  3. Run the command with the Azure CLI.

To learn more, see Manage network policies for private endpoints in the Azure documentation.

3
  1. Run the following command:

    kubectl get atlasdeployment atlas-deployment-serverless -o yaml
  2. Note the service resource ID and service name for each private endpoint within the status.serverlessPrivateEndpoints.PrivateLinkServiceResourceId and status.serverlessPrivateEndpoints.EndpointServiceName fields of the AtlasDeployment Custom Resource.

4

To create your private endpoint:

  1. Copy the following command:

    az network private-endpoint create --resource-group {resource-group-name} --name {endpoint-name} --vnet-name {vnet-name} --subnet {subnet-name} --private-connection-resource-id {serviceResourceId} --connection-name {serviceName} --manual-request true
  2. Replace the following placeholders with the details about your Azure VNet:

    resource-group-name
    Human-readable label for the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
    endpoint-name
    Human-readable label that identifies your private endpoint. Specify this now.
    vnet-name
    Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
    subnet-name
    Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
    serviceResourceId
    Unique string that identifies the service resource for your private endpoint. Find this value within the status.serverlessPrivateEndpoints.PrivateLinkServiceResourceId field of the AtlasDeployment Custom Resource.
    serviceName
    Unique string that identifies the service name for your private endpoint. Find this value within the status.serverlessPrivateEndpoints.EndpointServiceName field of the AtlasDeployment Custom Resource.
  3. Run the command with the Azure CLI.

5

Update the spec.serverlessSpec.privateEndpoints parameter for the AtlasDeployment Custom Resource. Specify the Resource ID and IP address information for your private endpoints and run the following command:

Note

The Properties page on your Azure dashboard displays the unique identifier for the private endpoint that you created in the Resource ID field.

The Overview page on your Azure dashboard displays the private IP address of the private endpoint network interface that you created in the Private IP field.

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: atlas-deployment-serverless
spec:
  projectRef:
    name: my-project
  serverlessSpec:
    name: serverless-instance
    tags:
      - key: "environment"
        value: "production"
    providerSettings:
      providerName: SERVERLESS
      backingProviderName: AZURE
      regionName: US_EAST_2  # Atlas name for the Azure eastus2 region
    privateEndpoints:
      - name: "{unique-private-endpoint-label}"
        cloudProviderEndpointID: "{resource-id}"
        privateEndpointIpAddress: "{private-ip}"
EOF

6

Run the following command:

kubectl get atlasdeployment atlas-deployment-serverless -o yaml

7
  1. Copy the following command:

    Important

    The following command requires jq 1.6 or higher.

    kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)';
  2. Replace the following placeholders with the details for your custom resources:

    my-project
    Specify the value of the metadata field of your AtlasProject Custom Resource.
    my-atlas-cluster
    Specify the value of the metadata field of your AtlasDeployment Custom Resource.
    my-database-user
    Specify the value of the metadata field of your AtlasDatabaseUser Custom Resource.
  3. Run the command.

    Note

    Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on).

    {
        "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
        "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
        "password": "P@@sword%",
        "username": "theuser"
    }

    You can use this secret in your application:

    containers:
      - name: test-app
        env:
          - name: "CONNECTION_STRING"
            valueFrom:
              secretKeyRef:
                name: my-project-my-atlas-cluster-my-database-user
                key: connectionStringPrivate
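The following helper, added here as an example and not part of the MongoDB documentation or the Atlas Kubernetes Operator, ties together AWS steps 3 to 4 and Azure step 5 above: it pulls the VpcEndpointId out of a constructed `aws ec2 create-vpc-endpoint` response, checks that each privateEndpoints item carries the identifier shape its provider's manifest expects (a vpce- ID for AWS; an Azure Resource ID plus the network interface's private IPv4 for Azure), and builds a JSON merge patch for `kubectl patch atlasdeployment ... --type merge` as an alternative to re-applying the whole manifest. The identifier patterns, function names and sample values are assumptions, not taken from the operator.

```python
import ipaddress
import json
import re

# Identifier shapes the two manifests expect (assumed patterns, not from the docs).
AWS_ENDPOINT_ID = re.compile(r"vpce-[0-9a-f]{8,17}")
AZURE_ENDPOINT_ID = re.compile(
    r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network/privateEndpoints/[^/]+",
    re.IGNORECASE)

# Constructed stand-in for the `aws ec2 create-vpc-endpoint` response shown in AWS step 3.
AWS_CLI_OUTPUT = json.dumps({"VpcEndpoint": {"VpcEndpointId": "vpce-0123456789abcdef0",
                                             "VpcEndpointType": "Interface", "State": "pendingAcceptance"}})

def vpc_endpoint_id(create_output: str) -> str:
    """AWS step 3.4: read the VpcEndpointId out of the CLI's JSON response."""
    return json.loads(create_output)["VpcEndpoint"]["VpcEndpointId"]

def validate_entry(provider: str, entry: dict) -> list[str]:
    """Problems with one spec.serverlessSpec.privateEndpoints item for AWS step 4 / Azure step 5."""
    problems = []
    name, endpoint_id, ip = entry.get("name"), entry.get("cloudProviderEndpointID", ""), entry.get("privateEndpointIpAddress")
    if not name:
        problems.append("missing name (the label chosen in step 1)")
    if provider == "AWS":
        if not AWS_ENDPOINT_ID.fullmatch(endpoint_id):
            problems.append(f"{name}: cloudProviderEndpointID must be a VpcEndpointId (vpce-...), got {endpoint_id!r}")
        if ip is not None:
            problems.append(f"{name}: privateEndpointIpAddress is only used for Azure")
    elif provider == "AZURE":
        if not AZURE_ENDPOINT_ID.fullmatch(endpoint_id):
            problems.append(f"{name}: cloudProviderEndpointID must be the private endpoint's Azure Resource ID")
        try:
            ipaddress.IPv4Address(ip)  # the Private IP of the endpoint's network interface
        except ipaddress.AddressValueError:
            problems.append(f"{name}: privateEndpointIpAddress must be an IPv4 address, got {ip!r}")
    else:
        problems.append(f"unsupported backingProviderName {provider!r}")
    return problems

def build_patch(provider: str, entries: list[dict]) -> dict:
    """JSON merge patch for `kubectl patch atlasdeployment <name> --type merge -p '<json>'`.
    A merge patch replaces the whole list, so every label from step 1 must be included."""
    problems = [p for entry in entries for p in validate_entry(provider, entry)]
    names = [entry.get("name") for entry in entries]
    if len(set(names)) != len(names):
        problems.append("private endpoint labels must be unique")
    if problems:
        raise ValueError("; ".join(problems))
    return {"spec": {"serverlessSpec": {"privateEndpoints": entries}}}
```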
