Manage Private Endpoints for Serverless Instances
Atlas Kubernetes Operator supports managing private endpoints for Serverless instances on the following platforms:
AWS using the AWS PrivateLink feature.
Azure using the Azure Private Link feature.
Note
Serverless instances don't support Private Service Connect. If you need to set up Private Service Connect, use a dedicated cluster.
MongoDB plans to add support for more configurations and capabilities on Serverless instances over time. To learn which features MongoDB plans to support for Serverless instances in the future, see Serverless Instance Limits.
Before you begin, see Manage Private Endpoints.
Procedure
To enable clients to connect to Atlas Serverless instances using private endpoints:
AWS
Specify the spec.serverlessSpec.privateEndpoints parameter.
Specify the spec.serverlessSpec.privateEndpoints parameter for the AtlasDeployment Custom Resource. In the spec.serverlessSpec.privateEndpoints.name field, specify a unique label to identify the private endpoint and run the following command:
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: atlas-deployment-serverless
spec:
  projectRef:
    name: my-project
  serverlessSpec:
    name: serverless-instance
    tags:
      - key: "environment"
        value: "production"
    providerSettings:
      providerName: SERVERLESS
      backingProviderName: AWS
      regionName: US_EAST_1
    privateEndpoints:
      - name: "{unique-private-endpoint-label}"
EOF
Atlas creates the VPC resources. This might take several minutes to complete.
Find the service names for your private endpoints.
Run the following command:
kubectl get atlasdeployment atlas-deployment-serverless -o yaml
Note the service name string for each private endpoint within the status.serverlessPrivateEndpoints.EndpointServiceName field of the AtlasDeployment Custom Resource.
Use the AWS CLI to configure each private endpoint.
To create your application VPC interface endpoint:
Copy the following command:
aws ec2 create-vpc-endpoint \
  --vpc-id {your-application-vpc-id} \
  --region {aws-region} \
  --service-name {service-name-string} \
  --vpc-endpoint-type Interface \
  --subnet-ids {your-application-subnet-ids}
Replace the following placeholders with the details about your AWS VPC:
your-application-vpc-id
Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.
aws-region
Label that identifies the AWS region of the private endpoint.
service-name-string
Unique string that identifies the service name for your private endpoint. Find this value within the status.serverlessPrivateEndpoints.EndpointServiceName field of the AtlasDeployment Custom Resource.
your-application-subnet-ids
Unique strings that identify the subnets your AWS VPC uses. Separate each subnet with a space. Find these values on the Subnet dashboard in your AWS account.
IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.
Run the command with the AWS CLI.
Note the VpcEndpointId value in the output.
Example
"VpcEndpoint": {
  "VpcEndpointId": "vpce-XXXXXX",
  "VpcEndpointType": "Interface",
  "VpcId": "vpc-XXXXX",
  "ServiceName": "com.amazonaws.vpce.{aws-region}.vpce-svc-XXXX",
  "State": "pendingAcceptance",
  ...
To learn more, see Creating an Interface Endpoint in the AWS documentation.
Update the spec.serverlessSpec.privateEndpoints parameter.
Update the spec.serverlessSpec.privateEndpoints parameter for the AtlasDeployment Custom Resource. Replace the vpce-id with the VpcEndpointId values for your private endpoints and run the following command:
Note
You can find the unique identifier of the peer AWS VPC on the VPC dashboard in your AWS account.
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: atlas-deployment-serverless
spec:
  projectRef:
    name: my-project
  serverlessSpec:
    name: serverless-instance
    tags:
      - key: "environment"
        value: "production"
    providerSettings:
      providerName: SERVERLESS
      backingProviderName: AWS
      regionName: US_EAST_1
    privateEndpoints:
      - name: "{unique-private-endpoint-label}"
        cloudProviderEndpointID: "{vpce-id}"
EOF
Retrieve the secret that Atlas Kubernetes Operator created to connect to the cluster.
Copy the following command:
Important
The following command requires jq 1.6 or higher.
kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)'
Replace the following placeholders with the details for your custom resources:
my-project
Specify the value of the metadata.name field of your AtlasProject Custom Resource.
my-atlas-cluster
Specify the value of the metadata.name field of your AtlasDeployment Custom Resource.
my-database-user
Specify the value of the metadata.name field of your AtlasDatabaseUser Custom Resource.
Run the command.
Note
Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on).
{
  "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
  "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
  "password": "P@@sword%",
  "username": "theuser"
}
You can use this secret in your application:
containers:
  - name: test-app
    env:
      - name: "CONNECTION_STRING"
        valueFrom:
          secretKeyRef:
            name: my-project-my-atlas-cluster-my-database-user
            key: connectionStringPrivate
Azure
Specify the spec.serverlessSpec.privateEndpoints parameter.
Specify the spec.serverlessSpec.privateEndpoints parameter for the AtlasDeployment Custom Resource. In the spec.serverlessSpec.privateEndpoints.name field, specify a unique label to identify the private endpoint and run the following command:
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: atlas-deployment-serverless
spec:
  projectRef:
    name: my-project
  serverlessSpec:
    name: serverless-instance
    tags:
      - key: "environment"
        value: "production"
    providerSettings:
      providerName: SERVERLESS
      # The backing provider must match the cloud that hosts your VNet.
      backingProviderName: AZURE
      # Atlas name of the Azure region that holds your VNet (US_EAST_2 is eastus2).
      regionName: US_EAST_2
    privateEndpoints:
      - name: "{unique-private-endpoint-label}"
EOF
Atlas creates the VNet resources. This might take several minutes to complete.
Disable private endpoint network policies.
Atlas doesn't support network policies for private endpoints.
Copy the following command:
az network vnet subnet update \
  --resource-group {resource-group-name} \
  --vnet-name {vnet-name} \
  --name {subnet-name} \
  --disable-private-endpoint-network-policies true
Replace the following placeholders with the details about your Azure VNet:
resource-group-name
Human-readable label for the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
vnet-name
Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
subnet-name
Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
Run the command with the Azure CLI.
To learn more, see Manage network policies for private endpoints in the Azure documentation.
Find the service IDs and names for your private endpoints.
Run the following command:
kubectl get atlasdeployment atlas-deployment-serverless -o yaml
Note the service resource ID and service name for each private endpoint within the status.serverlessPrivateEndpoints.PrivateLinkServiceResourceId and status.serverlessPrivateEndpoints.EndpointServiceName fields of the AtlasDeployment Custom Resource.
Use the Azure CLI to configure each private endpoint.
To create your private endpoint:
Copy the following command:
az network private-endpoint create \
  --resource-group {resource-group-name} \
  --name {endpoint-name} \
  --vnet-name {vnet-name} \
  --subnet {subnet-name} \
  --private-connection-resource-id {serviceResourceId} \
  --connection-name {serviceName} \
  --manual-request true
Replace the following placeholders with the details about your Azure VNet:
resource-group-name
Human-readable label for the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
endpoint-name
Human-readable label that identifies your private endpoint. Specify this now.
vnet-name
Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
subnet-name
Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
serviceResourceId
Unique string that identifies the service resource for your private endpoint. Find this value within the status.serverlessPrivateEndpoints.PrivateLinkServiceResourceId field of the AtlasDeployment Custom Resource.
serviceName
Unique string that identifies the service name for your private endpoint. Find this value within the status.serverlessPrivateEndpoints.EndpointServiceName field of the AtlasDeployment Custom Resource.
Run the command with the Azure CLI.
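The AWS step (aws ec2 create-vpc-endpoint) and the Azure step (az network private-endpoint create) both start from the same place: the status.serverlessPrivateEndpoints entries of the AtlasDeployment. The following Python helper is an added example, not code from the Operator or from this page. It reads the JSON form of the Custom Resource (kubectl get atlasdeployment atlas-deployment-serverless -o json), checks that each endpoint carries the fields the CLI needs, and prints the call to run; it never executes anything itself. The sample status, its service and resource IDs, the lowercase JSON key names (endpointServiceName, privateLinkServiceResourceId, providerName) and the function names are constructed for the example; the lookup is case-insensitive, so the capitalised field names used in this page work too.

```python
"""Turn AtlasDeployment status entries into reviewable cloud CLI calls (added example)."""
import json
import re
import shlex

# Constructed sample of `kubectl get atlasdeployment ... -o json` after Atlas has
# provisioned the endpoint services. Key casing is an assumption about the
# Operator's JSON; _get() below matches keys case-insensitively.
SAMPLE_STATUS = json.dumps({
    "status": {
        "serverlessPrivateEndpoints": [
            {"name": "pe-aws-prod", "providerName": "AWS",
             "endpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
             "status": "AVAILABLE"},
            {"name": "pe-azure-prod", "providerName": "AZURE",
             "endpointServiceName": "pls_0123456789abcdef01234567",
             "privateLinkServiceResourceId": (
                 "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-atlas"
                 "/providers/Microsoft.Network/privateLinkServices/pls_0123456789abcdef01234567"),
             "status": "AVAILABLE"},
        ]
    }
})


def _get(mapping, key):
    """Case-insensitive lookup: EndpointServiceName and endpointServiceName both match."""
    for k, v in mapping.items():
        if k.lower() == key.lower():
            return v
    return None


def load_endpoints(deployment_json):
    """Return the list under status.serverlessPrivateEndpoints (empty if absent)."""
    doc = json.loads(deployment_json)
    return _get(doc.get("status", {}), "serverlessPrivateEndpoints") or []


def aws_create_vpc_endpoint(ep, vpc_id, region, subnet_ids):
    """argv for the AWS step. Refuses an empty subnet list, because without a
    subnet AWS provisions no interface endpoint and clients cannot reach Atlas."""
    if not subnet_ids:
        raise ValueError("at least one subnet ID is required")
    service = _get(ep, "endpointServiceName") or ""
    m = re.fullmatch(r"com\.amazonaws\.vpce\.([a-z0-9-]+)\.vpce-svc-[0-9a-f]+", service)
    if not m:
        raise ValueError(f"unexpected AWS endpoint service name: {service!r}")
    if m.group(1) != region:
        raise ValueError(f"service lives in {m.group(1)} but --region {region} was given")
    return ["aws", "ec2", "create-vpc-endpoint",
            "--vpc-id", vpc_id, "--region", region,
            "--service-name", service,
            "--vpc-endpoint-type", "Interface",
            "--subnet-ids", *subnet_ids]


def azure_create_private_endpoint(ep, resource_group, endpoint_name, vnet, subnet):
    """argv for the Azure step. --manual-request because Atlas approves the connection."""
    resource_id = _get(ep, "privateLinkServiceResourceId") or ""
    service = _get(ep, "endpointServiceName") or ""
    if "/providers/Microsoft.Network/privateLinkServices/" not in resource_id:
        raise ValueError(f"unexpected Private Link service resource ID: {resource_id!r}")
    if not service:
        raise ValueError("missing EndpointServiceName for the Azure endpoint")
    return ["az", "network", "private-endpoint", "create",
            "--resource-group", resource_group, "--name", endpoint_name,
            "--vnet-name", vnet, "--subnet", subnet,
            "--private-connection-resource-id", resource_id,
            "--connection-name", service,
            "--manual-request", "true"]


def plan_commands(deployment_json, aws=None, azure=None):
    """Map each endpoint label to its CLI argv, chosen by providerName.
    `aws` / `azure` are keyword dicts for the two builders above."""
    commands = {}
    for ep in load_endpoints(deployment_json):
        provider = (_get(ep, "providerName") or "").upper()
        label = _get(ep, "name")
        if provider == "AWS" and aws:
            commands[label] = aws_create_vpc_endpoint(ep, **aws)
        elif provider == "AZURE" and azure:
            commands[label] = azure_create_private_endpoint(ep, **azure)
    return commands


if __name__ == "__main__":
    plan = plan_commands(
        SAMPLE_STATUS,
        aws={"vpc_id": "vpc-0abc", "region": "us-east-1",
             "subnet_ids": ["subnet-0a1", "subnet-0b2"]},
        azure={"resource_group": "rg-app", "endpoint_name": "pe-atlas",
               "vnet": "vnet-app", "subnet": "snet-db"})
    for label, argv in plan.items():
        print(f"# {label}\n{shlex.join(argv)}\n")
```

Feed it the real output of kubectl get ... -o json and review the printed commands before running them; the region check catches the common mistake of creating the interface endpoint in a region other than the one Atlas provisioned the service in, which otherwise surfaces only as a connection that never leaves pendingAcceptance.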
Update the spec.serverlessSpec.privateEndpoints parameter.
Update the spec.serverlessSpec.privateEndpoints parameter for the AtlasDeployment Custom Resource. Specify the Resource ID and IP address information for your private endpoints and run the following command:
Note
The Properties page on your Azure dashboard displays the unique identifier for the private endpoint that you created in the Resource ID field.
The Overview page on your Azure dashboard displays the private IP address of the private endpoint network interface that you created in the Private IP field.
cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: atlas-deployment-serverless
spec:
  projectRef:
    name: my-project
  serverlessSpec:
    name: serverless-instance
    tags:
      - key: "environment"
        value: "production"
    providerSettings:
      providerName: SERVERLESS
      # The backing provider must match the cloud that hosts your VNet.
      backingProviderName: AZURE
      # Atlas name of the Azure region that holds your VNet (US_EAST_2 is eastus2).
      regionName: US_EAST_2
    privateEndpoints:
      - name: "{unique-private-endpoint-label}"
        cloudProviderEndpointID: "{resource-id}"
        privateEndpointIpAddress: "{private-ip}"
EOF
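Both update steps (the AWS one that fills in cloudProviderEndpointID with a VpcEndpointId, and the Azure one that fills in cloudProviderEndpointID with the endpoint's Resource ID plus privateEndpointIpAddress) edit the same list in spec.serverlessSpec.privateEndpoints. The following Python helper is an added example, not part of the Operator or this page: it takes the JSON form of the AtlasDeployment, validates each value against the backing provider before it is sent to Atlas, and produces the body for kubectl patch --type merge. The sample manifest, the endpoint labels, the vpce and Azure resource IDs, and the function names are constructed for the example.

```python
"""Validate cloud-side endpoint details and build a merge patch for the CR (added example)."""
import json
import re


def sample_deployment(backing_provider, region):
    """Constructed JSON form of the AtlasDeployment applied in the first step."""
    return json.dumps({
        "apiVersion": "atlas.mongodb.com/v1", "kind": "AtlasDeployment",
        "metadata": {"name": "atlas-deployment-serverless"},
        "spec": {
            "projectRef": {"name": "my-project"},
            "serverlessSpec": {
                "name": "serverless-instance",
                "providerSettings": {"providerName": "SERVERLESS",
                                     "backingProviderName": backing_provider,
                                     "regionName": region},
                "privateEndpoints": [{"name": "pe-prod"}, {"name": "pe-analytics"}],
            },
        },
    })


# Shape checks for the values each provider expects in cloudProviderEndpointID.
AWS_VPCE = re.compile(r"vpce-[0-9a-f]{8,17}")
AZURE_PE = re.compile(
    r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network/privateEndpoints/[^/]+",
    re.IGNORECASE)
IPV4 = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")


def _valid_ipv4(value):
    m = IPV4.fullmatch(value or "")
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def build_private_endpoint_patch(deployment_json, results):
    """results maps an endpoint label to the fields to record, e.g.
    {"pe-prod": {"cloudProviderEndpointID": "vpce-..."}} for AWS or
    {"pe-prod": {"cloudProviderEndpointID": "/subscriptions/...", "privateEndpointIpAddress": "10.0.1.4"}}
    for Azure. Labels must already be declared in the spec, and values are checked
    against the backing provider so a pasted typo never reaches Atlas."""
    doc = json.loads(deployment_json)
    sspec = doc["spec"]["serverlessSpec"]
    provider = sspec["providerSettings"]["backingProviderName"].upper()
    endpoints = {e["name"]: dict(e) for e in sspec.get("privateEndpoints", [])}
    unknown = sorted(set(results) - set(endpoints))
    if unknown:
        raise KeyError(f"labels not declared in spec.serverlessSpec.privateEndpoints: {unknown}")
    for label, fields in results.items():
        endpoint_id = fields.get("cloudProviderEndpointID", "")
        ip = fields.get("privateEndpointIpAddress")
        if provider == "AWS":
            if not AWS_VPCE.fullmatch(endpoint_id):
                raise ValueError(f"{label}: expected a VpcEndpointId like vpce-..., got {endpoint_id!r}")
            if ip is not None:
                raise ValueError(f"{label}: AWS endpoints take no privateEndpointIpAddress")
        elif provider == "AZURE":
            if not AZURE_PE.fullmatch(endpoint_id):
                raise ValueError(f"{label}: expected the private endpoint's Azure Resource ID, got {endpoint_id!r}")
            if not _valid_ipv4(ip):
                raise ValueError(f"{label}: privateEndpointIpAddress must be the endpoint NIC's IPv4 address")
        else:
            raise ValueError(f"unsupported backingProviderName {provider!r}")
        endpoints[label].update(fields)
    # A JSON merge patch replaces the whole list, so every endpoint is emitted,
    # not only the ones that changed; otherwise untouched labels would be dropped.
    return {"spec": {"serverlessSpec": {"privateEndpoints": list(endpoints.values())}}}


def kubectl_patch_argv(deployment_name, patch):
    """argv for applying the patch; kubectl patch --type merge takes the JSON body via -p."""
    return ["kubectl", "patch", "atlasdeployment", deployment_name,
            "--type", "merge", "-p", json.dumps(patch)]


if __name__ == "__main__":
    patch = build_private_endpoint_patch(
        sample_deployment("AWS", "US_EAST_1"),
        {"pe-prod": {"cloudProviderEndpointID": "vpce-0123456789abcdef0"}})
    print(" ".join(kubectl_patch_argv("atlas-deployment-serverless", patch)))
```

Using a merge patch rather than re-applying a hand-edited manifest keeps the rest of the spec (tags, provider settings) as the Operator currently sees it; the trade-off, handled above, is that the privateEndpoints list must be sent whole.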
Retrieve the secret that Atlas Kubernetes Operator created to connect to the cluster.
Copy the following command:
Important
The following command requires jq 1.6 or higher.
kubectl get secret {my-project}-{my-atlas-cluster}-{my-database-user} -o json | jq -r '.data | with_entries(.value |= @base64d)'
Replace the following placeholders with the details for your custom resources:
my-project
Specify the value of the metadata.name field of your AtlasProject Custom Resource.
my-atlas-cluster
Specify the value of the metadata.name field of your AtlasDeployment Custom Resource.
my-database-user
Specify the value of the metadata.name field of your AtlasDatabaseUser Custom Resource.
Run the command.
Note
Your connection strings will differ from the following example. If you have multiple private endpoints, the secret contains multiple connectionStringPrivate and connectionStringPrivateSrv fields with the appropriate numeric suffix (for example, connectionStringPrivate1, connectionStringPrivate2, and so on).
{
  "connectionStringPrivate": "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025,pl-0-eastus2.uzgh6.mongodb.net:1026/?ssl=true&replicaSet=atlas-18bndf-shard-0",
  "connectionStringPrivateSrv": "mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net",
  "password": "P@@sword%",
  "username": "theuser"
}
You can use this secret in your application:
containers:
  - name: test-app
    env:
      - name: "CONNECTION_STRING"
        valueFrom:
          secretKeyRef:
            name: my-project-my-atlas-cluster-my-database-user
            key: connectionStringPrivate
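The secret-retrieval step in both the AWS and Azure procedures ends with the jq one-liner that base64-decodes every key of the Operator's connection secret. The following Python helper is an added example, not code from the Operator or this page: it performs the same decoding on the JSON form of the Secret, groups the connectionStringPrivate / connectionStringPrivateSrv fields by their numeric suffix (one group per private endpoint), and reports whether each URI asks for TLS, without ever printing the password. The sample Secret, its two endpoints, the hostnames and the function names are constructed for the example; the second endpoint's standard URI deliberately lacks ssl=true to show the check firing.

```python
"""Decode the Operator's connection secret and check its private URIs (added example)."""
import base64
import json
import re
from urllib.parse import parse_qs


def _b64(text):
    """Kubernetes Secret values are base64 in `kubectl get secret -o json`."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample of `kubectl get secret <project>-<cluster>-<user> -o json`
# for a deployment with two private endpoints (no suffix, then suffix 1).
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "my-project-my-atlas-cluster-my-database-user"},
    "data": {
        "username": _b64("theuser"),
        "password": _b64("P@@sword%"),
        "connectionStringPrivate": _b64(
            "mongodb://pl-0-eastus2.uzgh6.mongodb.net:1024,pl-0-eastus2.uzgh6.mongodb.net:1025"
            "/?ssl=true&replicaSet=atlas-18bndf-shard-0"),
        "connectionStringPrivateSrv": _b64("mongodb+srv://cluster0-pl-0.uzgh6.mongodb.net"),
        # Constructed misconfiguration: no ssl/tls option on the standard URI.
        "connectionStringPrivate1": _b64(
            "mongodb://pl-1-eastus2.uzgh6.mongodb.net:1024/?replicaSet=atlas-18bndf-shard-0"),
        "connectionStringPrivateSrv1": _b64("mongodb+srv://cluster0-pl-1.uzgh6.mongodb.net"),
    }
})


def decode_secret(secret_json):
    """Equivalent of: jq -r '.data | with_entries(.value |= @base64d)'."""
    data = json.loads(secret_json)["data"]
    return {key: base64.b64decode(value).decode() for key, value in data.items()}


PRIVATE_KEY = re.compile(r"connectionStringPrivate(Srv)?(\d*)")


def group_private_endpoints(decoded):
    """{suffix: {"standard": uri, "srv": uri}}; suffix '' is the first endpoint,
    '1', '2', ... the additional ones, as described in the note above."""
    groups = {}
    for key, uri in decoded.items():
        m = PRIVATE_KEY.fullmatch(key)
        if not m:
            continue  # username, password and anything else are not URIs
        kind = "srv" if m.group(1) else "standard"
        groups.setdefault(m.group(2), {})[kind] = uri
    return groups


def _query(uri):
    return parse_qs(uri.split("?", 1)[1]) if "?" in uri else {}


def tls_enforced(uri):
    """mongodb+srv:// defaults to TLS on; plain mongodb:// needs tls=true or ssl=true."""
    q = _query(uri)
    default = "true" if uri.startswith("mongodb+srv://") else "false"
    value = q.get("tls", q.get("ssl", [default]))[0]
    return value.lower() == "true"


def check_secret(secret_json):
    """Per endpoint suffix, whether each URI kind enforces TLS. Credentials stay in memory."""
    decoded = decode_secret(secret_json)
    return {suffix: {kind: tls_enforced(uri) for kind, uri in uris.items()}
            for suffix, uris in group_private_endpoints(decoded).items()}


if __name__ == "__main__":
    report = check_secret(SAMPLE_SECRET)
    for suffix, kinds in sorted(report.items()):
        label = f"connectionStringPrivate{suffix}"
        for kind, ok in kinds.items():
            print(f"{label} [{kind}]: {'TLS' if ok else 'NO TLS OPTION SET'}")
```

The suffix grouping matters when you wire the secret into a workload: the secretKeyRef key decides which private endpoint the application uses, so pick the suffix that belongs to the VPC or VNet the pod actually runs in.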