Set Up a Private Endpoint for a Serverless Instance
Note
This feature is not available for M0 Free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limits.
Note
Serverless instances don't support GCP Private Service Connect. If you need to set up GCP Private Service Connect, use a dedicated cluster.
MongoDB plans to add support for more configurations and capabilities on Serverless instances over time. To learn which features MongoDB plans to support for Serverless instances in the future, see Serverless Instance Limits.
Follow these steps to enable a client to connect to an Atlas Serverless instance using a private endpoint.
To learn more about using private endpoints with Atlas, see Learn About Private Endpoints in Atlas.
To set up a private endpoint for a dedicated cluster, see Set Up a Private Endpoint for a Dedicated Cluster.
Required Access
To set up a private endpoint for a Serverless instance, you must have Project Owner access to the project. Users with Organization Owner access must add themselves to the project as a Project Owner.
Prerequisites, Considerations, and Limitations
To learn the prerequisites, considerations, and limitations for setting up a private endpoint, see the following resources:
Follow These Steps
You can set up AWS PrivateLink for Serverless instances using the Atlas UI or the Atlas Administration API. Select an interface to learn more.
To set up AWS PrivateLink through the Atlas Administration API, configure API access. Then, complete the following steps:
Create the private endpoint in Atlas.
Run the command to create one private endpoint, replacing the placeholders with your parameters. To learn more about the parameters, see create one private endpoint.
    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --request POST "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint?pretty=true" \
      --data '
      {
        "comment" : "example comment"
      }'

Note the value for the field _id in the response.

    {
      "_id": "5f7cac1adf5d6c6306f4b283",
      "cloudProviderEndpointId": null,
      "comment": "example comment",
      "endpointServiceName": null,
      "errorMessage": null,
      "status": "RESERVATION_REQUESTED"
    }
Retrieve the service name for the private endpoint.
Note
It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.
Run the command to get one private endpoint, replacing the placeholders with the parameters for the endpoint you created. Replace {ENDPOINT-ID} with the _id that you retrieved previously. To learn more about the parameters, see get one private endpoint.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}?pretty=true"

Note the value for the field endpointServiceName in the response.

    {
      "_id": "5f7cac1adf5d6c6306f4b283",
      "cloudProviderEndpointId": "34985fcac938279cd98dc894",
      "comment": "example comment",
      "endpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0afd34ee97e30d43f",
      "errorMessage": null,
      "status": "RESERVED"
    }

If endpointServiceName is null, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.
Create the interface endpoint in AWS.
Run the command in the AWS CLI, replacing the following placeholders with your values:

{VPC-ID}: Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.
{REGION}: AWS region in which your cluster resides.
{SUBNET-IDS}: Unique string that identifies the subnets that your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account. IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.
{SERVICE-NAME}: Unique string identifying the private endpoint service that you retrieved previously.

    aws ec2 create-vpc-endpoint --vpc-id {VPC-ID} \
      --region {REGION} --service-name {SERVICE-NAME} \
      --vpc-endpoint-type Interface --subnet-ids {SUBNET-IDS}

To learn more about the AWS CLI, see Creating an Interface Endpoint.
Note the value in the response for the field VpcEndpointId. This is a 22-character alphanumeric string that identifies your private endpoint. You can also find this value on the AWS VPC Dashboard under Endpoints > VPC ID.
Update your private endpoint with the VPC Endpoint ID.
Run the command to update one private endpoint, replacing the placeholders with the parameters for the endpoint you created. Update the cloudProviderEndpointId field to the VPC Endpoint ID you retrieved previously. To learn more about the parameters, see update one private endpoint.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}" \
      --data '
      {
        "cloudProviderEndpointId" : "vpce-fcac938279cd98dc894",
        "providerName" : "AWS"
      }'

Note
You must include the providerName to successfully run this command.
Configure your resources' security groups to send traffic to and receive traffic from the interface endpoint.
For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.
See Adding Rules to a Security Group for more information.
Create a security group for your interface endpoint to allow resources to access it.
This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:
In the AWS console, navigate to the VPC Dashboard.
Click Security Groups, then click Create security group.
Use the wizard to create a security group. Make sure you select your VPC from the VPC list.
Select the security group you just created, then click the Inbound Rules tab.
Click Edit Rules.
Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.
Click Save Rules.
Click Endpoints, then click the endpoint for your VPC.
Click the Security Groups tab, then click Edit Security Groups.
Add the security group you just created, then click Save.
To learn more about VPC security groups, see the AWS documentation.
Verify the private endpoint's availability.
You can connect to an Atlas Serverless instance using the AWS PrivateLink private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.
To verify that the AWS PrivateLink private endpoint is available:
Run the command to get one Private Endpoint for one Serverless Instance, replacing the placeholders with the parameters for the endpoint you created. To learn more about the parameters, see get one Private Endpoint for one Serverless Instance.
    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}?pretty=true"

Verify that the status field's value is AVAILABLE, as shown in the following example:

    {
      "_id": "5f7cac1adf5d6c6306f4b283",
      "cloudProviderEndpointId": "vpce-fcac938279cd98dc894",
      "comment": "example comment",
      "endpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0afd34ee97e30d43f",
      "errorMessage": null,
      "status": "AVAILABLE"
    }

If cloudProviderEndpointId is Initiating, wait 1-2 more minutes for Atlas to configure the private endpoint. Then, try this step again.
To set up AWS PrivateLink through the Atlas UI:
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Choose a Serverless instance.
From the Serverless Instance dropdown, select the Serverless instance you want to connect using a private endpoint. The cloud provider and region for the Serverless instance populate automatically.
Click Confirm. Atlas begins allocating the endpoint service, which might take several minutes to complete. You can continue to the next steps while Atlas allocates the endpoint service.
Configure your resources' security groups to send traffic to and receive traffic from the interface endpoint.
For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.
See Adding Rules to a Security Group for more information.
Create a security group for your interface endpoint to allow resources to access it.
This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:
In the AWS console, navigate to the VPC Dashboard.
Click Security Groups, then click Create security group.
Use the wizard to create a security group. Make sure you select your VPC from the VPC list.
Select the security group you just created, then click the Inbound Rules tab.
Click Edit Rules.
Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.
Click Save Rules.
Click Endpoints, then click the endpoint for your VPC.
Click the Security Groups tab, then click Edit Security Groups.
Add the security group you just created, then click Save.
To learn more about VPC security groups, see the AWS documentation.
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Verify that the private endpoint is available.
You can connect to an Atlas cluster using the AWS PrivateLink private endpoint when all of the resources are configured and the private endpoint becomes available.
To verify that the AWS PrivateLink private endpoint is available:
On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using AWS PrivateLink:
Atlas Endpoint Service Status: Available
Endpoint Status: Available
To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.
If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.
You can set up Azure Private Link for Serverless instances using the Atlas UI or the Atlas Administration API. Select an interface to learn more.
To set up Azure Private Link through the Atlas Administration API, configure API access. Then, complete the following steps:
Create the private endpoint in Atlas.
Run the command to Create One Private Endpoint for One Serverless Instance, replacing the placeholders with your values. To learn more about the placeholders, see the path parameters in the Atlas Administration API spec.
    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --request POST "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint?pretty=true" \
      --data '
      {
        "comment" : "example comment"
      }'

Copy and save the value for the field _id in the response.

    {
      "_id": "6313703ae1c4ba2707d18973",
      "cloudProviderEndpointId": null,
      "comment": "example comment",
      "endpointServiceName": null,
      "errorMessage": null,
      "privateEndpointIpAddress": null,
      "privateLinkServiceResourceId": null,
      "status": "RESERVATION_REQUESTED"
    }
Retrieve information about the private endpoint.
Note
It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you perform this step.
Run the command to Return One Private Endpoint for One Serverless Instance. You must replace the placeholders with the exact values for the endpoint that you created. Replace {ENDPOINT-ID} with the _id that you retrieved previously. To learn more about the {GROUP-ID} and {INSTANCE-NAME} placeholders, see the path parameters in the Atlas Administration API spec.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}?pretty=true"

Copy and save the value for the following fields in the response:
endpointServiceName
privateLinkServiceResourceId

    {
      "_id": "6313703ae1c4ba2707d18973",
      "cloudProviderEndpointId": null,
      "comment": "example comment",
      "endpointServiceName": "pls_62f5394fcbfe456e4ed881d6",
      "errorMessage": null,
      "privateEndpointIpAddress": null,
      "privateLinkServiceResourceId": "/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateLinkServices/pls_62f5394fcbfe456e4ed881d6",
      "status": "RESERVED"
    }

If endpointServiceName is null, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.
Configure your Azure private endpoint.
Run the az network private-endpoint create command in the Azure CLI, replacing the following placeholders with your values:

{RESOURCE-GROUP-NAME}: Name of the Azure resource group that contains the VNet that you want to use to connect to Atlas. You can find this value on the Resource Group Properties page on your Azure dashboard.
{VIRTUAL-NETWORK-NAME}: Name of the VNet that you want to use to connect to Atlas. You can find this value on the Virtual Network page on your Azure dashboard.
{SUBNET-NAME}: Name of the subnet in your Azure VNet. You can find this value on the Virtual Network Subnets page on your Azure dashboard.
{PRIVATE-ENDPOINT-NAME}: Human-readable label that identifies the private endpoint within your Azure resource group.
{PRIVATE-LINK-SERVICE-RESOURCE-ID}: Unique string that identifies the resource group and ID for the private endpoint. This is the privateLinkServiceResourceId returned in a previous step.
{ENDPOINT-SERVICE-NAME}: Unique string that identifies the endpoint service. This is the endpointServiceName returned in a previous step.

    az network private-endpoint create \
      --resource-group {RESOURCE-GROUP-NAME} \
      --name {PRIVATE-ENDPOINT-NAME} \
      --vnet-name {VIRTUAL-NETWORK-NAME} \
      --subnet {SUBNET-NAME} \
      --private-connection-resource-id {PRIVATE-LINK-SERVICE-RESOURCE-ID} \
      --connection-name {ENDPOINT-SERVICE-NAME} \
      --manual-request true

To learn more about the Azure CLI, see Create a Private Endpoint by Using the Azure CLI.
Copy and save the following values:

Resource ID: Unique string that identifies the private endpoint in your Azure VNet. Find this value in one of the following ways:
Use the Azure dashboard to retrieve this value. The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.
Use the output from the az network private-endpoint create command you ran previously, which returns this value in the top-level id field:

    {
      "customDnsConfigs": [],
      "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
      "location": "eastus2",
      "manualPrivateLinkServiceConnections": [
        {
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "groupIds": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
          "name": "pls_5f860388d432510d5a6e1a3e",
          "privateLinkServiceConnectionState": {
            "actionsRequired": "None",
            "description": "Connection deleted by service provider",
            "status": "Disconnected"
          },
          "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
          "provisioningState": "Succeeded",
          "requestMessage": null,
          "resourceGroup": "privatelink",
          "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
        }
      ],
      "name": "privatelink",
      "networkInterfaces": [
        {
          "dnsSettings": null,
          "dscpConfiguration": null,
          "enableAcceleratedNetworking": null,
          "enableIpForwarding": null,
          "etag": null,
          "hostedWorkloads": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
          "ipConfigurations": null,
          "location": null,
          "macAddress": null,
          "name": null,
          "networkSecurityGroup": null,
          "primary": null,
          "privateEndpoint": null,
          "provisioningState": null,
          "resourceGroup": "privatelink",
          "resourceGuid": null,
          "tags": null,
          "tapConfigurations": null,
          "type": null,
          "virtualMachine": null
        }
      ],
      "privateLinkServiceConnections": [],
      "provisioningState": "Succeeded",
      "resourceGroup": "privatelink",
      "subnet": {
        "addressPrefix": null,
        "addressPrefixes": null,
        "delegations": null,
        "etag": null,
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
        "ipAllocations": null,
        "ipConfigurationProfiles": null,
        "ipConfigurations": null,
        "name": null,
        "natGateway": null,
        "networkSecurityGroup": null,
        "privateEndpointNetworkPolicies": null,
        "privateEndpoints": null,
        "privateLinkServiceNetworkPolicies": null,
        "provisioningState": null,
        "purpose": null,
        "resourceGroup": "privatelink",
        "resourceNavigationLinks": null,
        "routeTable": null,
        "serviceAssociationLinks": null,
        "serviceEndpointPolicies": null,
        "serviceEndpoints": null
      },
      "tags": null,
      "type": "Microsoft.Network/privateEndpoints"
    }

You can also return this value using the az network private-endpoint list CLI command.
Private IP: Private IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:
Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.
Use the Azure CLI to retrieve this value:
Use the output from the az network private-endpoint create command, which returns the ID of the network interface in the networkInterfaces.id field. The output is the same as the one shown for the Resource ID above; in that example, the network interface ID is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000.
Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the networkInterfaces.id field to retrieve the ipConfigurations.privateIpAddress for the private endpoint network interface. The value of this field is your Private IP. The input and output should look similar to the following; note the value of the privateIpAddress field (10.0.0.4 in this output), which is the Private Endpoint IP Address.

    az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000

    {
      "dnsSettings": {
        "appliedDnsServers": [],
        "dnsServers": [],
        "internalDnsNameLabel": null,
        "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net",
        "internalFqdn": null
      },
      "dscpConfiguration": null,
      "enableAcceleratedNetworking": false,
      "enableIpForwarding": false,
      "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
      "hostedWorkloads": [],
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
      "ipConfigurations": [
        {
          "applicationGatewayBackendAddressPools": null,
          "applicationSecurityGroups": null,
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig",
          "loadBalancerBackendAddressPools": null,
          "loadBalancerInboundNatRules": null,
          "name": "privateEndpointIpConfig",
          "primary": true,
          "privateIpAddress": "10.0.0.4",
          "privateIpAddressVersion": "IPv4",
          "privateIpAllocationMethod": "Dynamic",
          "privateLinkConnectionProperties": {
            "fqdns": [],
            "groupId": "",
            "requiredMemberName": ""
          },
          "provisioningState": "Succeeded",
          "publicIpAddress": null,
          "resourceGroup": "privatelink",
          "subnet": {
            "addressPrefix": null,
            "addressPrefixes": null,
            "delegations": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
            "ipAllocations": null,
            "ipConfigurationProfiles": null,
            "ipConfigurations": null,
            "name": null,
            "natGateway": null,
            "networkSecurityGroup": null,
            "privateEndpointNetworkPolicies": null,
            "privateEndpoints": null,
            "privateLinkServiceNetworkPolicies": null,
            "provisioningState": null,
            "purpose": null,
            "resourceGroup": "privatelink",
            "resourceNavigationLinks": null,
            "routeTable": null,
            "serviceAssociationLinks": null,
            "serviceEndpointPolicies": null,
            "serviceEndpoints": null
          },
          "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
          "virtualNetworkTaps": null
        }
      ],
      "location": "eastus2",
      "macAddress": "",
      "name": "privatelink.nic.00000000-0000-0000-0000-000000000000",
      "networkSecurityGroup": null,
      "primary": null,
      "privateEndpoint": {
        "customDnsConfigs": null,
        "etag": null,
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
        "location": null,
        "manualPrivateLinkServiceConnections": null,
        "name": null,
        "networkInterfaces": null,
        "privateLinkServiceConnections": null,
        "provisioningState": null,
        "resourceGroup": "privatelink",
        "subnet": null,
        "tags": null,
        "type": null
      },
      "provisioningState": "Succeeded",
      "resourceGroup": "privatelink",
      "resourceGuid": "00000000-0000-0000-0000-000000000000",
      "tags": null,
      "tapConfigurations": [],
      "type": "Microsoft.Network/networkInterfaces",
      "virtualMachine": null
    }
Update your private endpoint in Atlas with the Resource ID and IP Address.
Run the command to Update One Private Endpoint for One Serverless Instance, replacing the following placeholders with the values for the endpoint you created:

cloudProviderEndpointId: replace with the id that Azure returned when you created the endpoint (the Resource ID in the Azure UI).
privateEndpointIpAddress: replace with the ipConfigurations.privateIpAddress that Azure returned for the endpoint (the Private IP in the Azure UI).
Note
The Resource ID for the private endpoint differs from the resource ID for the private endpoint service.
In our example, the privateLinkServiceResourceId is:

    /subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateLinkServices/pls_62f5394fcbfe456e4ed881d6

The cloudProviderEndpointId is:

    /subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/test-endpoint
To learn more about the placeholders, see the path parameters for Update One Private Endpoint for One Serverless Instance.
    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}" \
      --data '
      {
        "cloudProviderEndpointId" : "/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/test-endpoint",
        "providerName" : "AZURE",
        "privateEndpointIpAddress" : "10.0.0.6"
      }'
Note
You must include the providerName to successfully run this command.
Verify the private endpoint's availability.
You can connect to an Atlas Serverless instance using the Azure private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.
To verify that the Azure private endpoint is available:
Run the command to Return One Private Endpoint for One Serverless Instance, replacing the placeholders with the parameters for the endpoint you created. To learn more about the placeholders, see the path parameters for Return One Private Endpoint for One Serverless Instance.
    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}?pretty=true"

Verify that the status field's value is AVAILABLE, as shown in the following example:

    {
      "_id": "6313703ae1c4ba2707d18973",
      "cloudProviderEndpointId": "/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/test-endpoint",
      "comment": "example comment",
      "endpointServiceName": "pls_62f5394fcbfe456e4ed881d6",
      "errorMessage": null,
      "privateEndpointIpAddress" : "10.0.0.6",
      "privateLinkServiceResourceId" : "/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateLinkServices/pls_62f5394fcbfe456e4ed881d6",
      "status": "AVAILABLE"
    }

If cloudProviderEndpointId is Initiating, wait 1-2 more minutes for Atlas to configure the private endpoint. Then, try this step again.
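Both Administration API walkthroughs above (AWS PrivateLink and Azure Private Link) follow the same create, poll, update, poll-again sequence. The following Python script is an added example, not code from this page or from MongoDB: it wraps the three v1.0 calls shown in the curl commands with HTTP digest auth, turns the page's readiness checks (endpointServiceName no longer null, then status AVAILABLE) into a bounded polling loop, and validates the provider-specific PATCH body (providerName is mandatory; the Azure body also needs the privateEndpoints resource ID rather than the privateLinkServices one, plus the NIC's private IP). The names AtlasServerlessEndpoints, classify, build_update, azure_private_ip and wait_for are this example's own.

```python
"""Atlas Serverless private-endpoint workflow (AWS PrivateLink / Azure Private Link).
Constructed example: only the v1.0 paths, field names and status values come from
the page; the names, validation rules and polling policy are this example's own."""
import ipaddress
import json
import re
import time
import urllib.request

ATLAS_BASE = "https://cloud.mongodb.com/api/atlas/v1.0"

# Expected shape of cloudProviderEndpointId per provider, after the page's examples
# "vpce-fcac938279cd98dc894" and ".../Microsoft.Network/privateEndpoints/test-endpoint".
AWS_VPCE_RE = re.compile(r"^vpce-[0-9a-f]+$")
AZURE_PE_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                         r"Microsoft\.Network/privateEndpoints/[^/]+$")


def classify(endpoint):
    """Map a GET response to 'error', 'available', 'ready' or 'wait'.
    'ready': Atlas has reserved the service (endpointServiceName set), so the
    cloud-side interface endpoint can be created; 'available': status AVAILABLE."""
    if endpoint.get("errorMessage"):
        return "error"
    if endpoint.get("status") == "AVAILABLE":
        return "available"
    if endpoint.get("endpointServiceName"):
        return "ready"
    return "wait"


def build_update(provider, cloud_endpoint_id, private_ip=None):
    """Build the PATCH body. providerName is mandatory; Azure also needs the NIC's
    private IP and the privateEndpoints resource ID (not privateLinkServiceResourceId)."""
    if provider == "AWS":
        if not AWS_VPCE_RE.match(cloud_endpoint_id):
            raise ValueError("AWS cloudProviderEndpointId must be the vpce-... VpcEndpointId")
        if private_ip is not None:
            raise ValueError("privateEndpointIpAddress applies only to AZURE")
        return {"cloudProviderEndpointId": cloud_endpoint_id, "providerName": "AWS"}
    if provider == "AZURE":
        if not AZURE_PE_RE.match(cloud_endpoint_id):
            raise ValueError("AZURE cloudProviderEndpointId must be a .../privateEndpoints/... ID")
        if private_ip is None or not ipaddress.ip_address(private_ip).is_private:
            raise ValueError("AZURE needs the private endpoint NIC's private IP address")
        return {"cloudProviderEndpointId": cloud_endpoint_id, "providerName": "AZURE",
                "privateEndpointIpAddress": private_ip}
    raise ValueError(f"unsupported provider {provider!r}")


def azure_private_ip(nic_show_output):
    """Extract ipConfigurations[].privateIpAddress from `az network nic show` JSON."""
    for cfg in nic_show_output.get("ipConfigurations") or []:
        if cfg.get("privateIpAddress"):
            return cfg["privateIpAddress"]
    raise LookupError("no privateIpAddress in ipConfigurations")


def wait_for(fetch, endpoint_id, want, attempts=10, delay=60.0):
    """Poll until classify() reaches `want` ('ready' or 'available'): the page's
    "wait 1-2 more minutes, then try again" with a retry bound. `fetch` returns the GET dict."""
    for attempt in range(attempts):
        endpoint = fetch(endpoint_id)
        state = classify(endpoint)
        if state == "error":
            raise RuntimeError(f"Atlas reported: {endpoint['errorMessage']}")
        if state == want or (want == "ready" and state == "available"):
            return endpoint
        if attempt < attempts - 1:
            time.sleep(delay)
    raise TimeoutError(f"endpoint {endpoint_id} not {want} after {attempts} polls")


class AtlasServerlessEndpoints:
    """The three endpoint calls the page uses, with HTTP digest auth like `curl --digest`."""

    def __init__(self, public_key, private_key, group_id, instance_name):
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, ATLAS_BASE, public_key, private_key)
        self._opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
        self.base = (f"{ATLAS_BASE}/groups/{group_id}/privateEndpoint/serverless/"
                     f"instance/{instance_name}/endpoint")

    def _call(self, method, url, body=None):
        req = urllib.request.Request(
            url, method=method, data=None if body is None else json.dumps(body).encode(),
            headers={"Accept": "application/json", "Content-Type": "application/json"})
        with self._opener.open(req, timeout=30) as resp:
            return json.load(resp)

    def create(self, comment):            # POST .../endpoint
        return self._call("POST", self.base, {"comment": comment})

    def get(self, endpoint_id):           # GET .../endpoint/{ENDPOINT-ID}
        return self._call("GET", f"{self.base}/{endpoint_id}")

    def update(self, endpoint_id, body):  # PATCH .../endpoint/{ENDPOINT-ID}
        return self._call("PATCH", f"{self.base}/{endpoint_id}", body)
```

A full run is create(comment), wait_for(client.get, _id, "ready"), create the cloud-side endpoint with the returned endpointServiceName (and privateLinkServiceResourceId on Azure), update(_id, build_update(...)), then wait_for(client.get, _id, "available").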
To set up Azure Private Link through the Atlas UI:
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Choose a Serverless instance.
From the Serverless Instance dropdown, select the Serverless instance to connect to using a private endpoint. The cloud provider and region for the Serverless instance populate automatically.
Click Confirm. Atlas begins allocating the endpoint service, which might take several minutes to complete. You can continue to the next steps while Atlas allocates the endpoint service.
Configure your private endpoint.
Enter the following details about your Azure VNet:
Resource Group Name: Human-readable label that identifies the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
Virtual Network Name: Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
Subnet Name: Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
Enter a unique name for your private endpoint in the Private Endpoint Name field.
Create the private endpoint in your VNet by copying the az network private-endpoint create command the dialog box displays and running it using the Azure CLI.
Note
You can't copy the command until Atlas finishes creating VNet resources in the background.
For more information about this command, see the Azure documentation.
You might receive an error like the following when you create the private endpoint:

    ServiceError: code: LinkedAuthorizationFailed - , The client has permission to perform action 'Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action' on scope '/subscriptions/<subscription-id>/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink', however the current tenant '<tenant-id>' is not authorized to access linked subscription '<tenant-id>'.

If you receive this error, add the --manual-request true parameter to the Azure CLI command you used to create the private endpoint, then run the command again.
Click Next.
Finalize your private endpoint connection.
Enter the following details about your private endpoint:
Resource ID: Unique string that identifies the private endpoint in your Azure VNet. Find this value in one of the following ways:
Use the Azure dashboard to retrieve this value. The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.
Use the output from the following command, which returns the value in the top-level id field:
    az network private-endpoint create
    {
      "customDnsConfigs": [],
      "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
      "location": "eastus2",
      "manualPrivateLinkServiceConnections": [
        {
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "groupIds": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
          "name": "pls_5f860388d432510d5a6e1a3e",
          "privateLinkServiceConnectionState": {
            "actionsRequired": "None",
            "description": "Connection deleted by service provider",
            "status": "Disconnected"
          },
          "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
          "provisioningState": "Succeeded",
          "requestMessage": null,
          "resourceGroup": "privatelink",
          "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
        }
      ],
      "name": "privatelink",
      "networkInterfaces": [
        {
          "dnsSettings": null,
          "dscpConfiguration": null,
          "enableAcceleratedNetworking": null,
          "enableIpForwarding": null,
          "etag": null,
          "hostedWorkloads": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
          "ipConfigurations": null,
          "location": null,
          "macAddress": null,
          "name": null,
          "networkSecurityGroup": null,
          "primary": null,
          "privateEndpoint": null,
          "provisioningState": null,
          "resourceGroup": "privatelink",
          "resourceGuid": null,
          "tags": null,
          "tapConfigurations": null,
          "type": null,
          "virtualMachine": null
        }
      ],
      "privateLinkServiceConnections": [],
      "provisioningState": "Succeeded",
      "resourceGroup": "privatelink",
      "subnet": {
        "addressPrefix": null,
        "addressPrefixes": null,
        "delegations": null,
        "etag": null,
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
        "ipAllocations": null,
        "ipConfigurationProfiles": null,
        "ipConfigurations": null,
        "name": null,
        "natGateway": null,
        "networkSecurityGroup": null,
        "privateEndpointNetworkPolicies": null,
        "privateEndpoints": null,
        "privateLinkServiceNetworkPolicies": null,
        "provisioningState": null,
        "purpose": null,
        "resourceGroup": "privatelink",
        "resourceNavigationLinks": null,
        "routeTable": null,
        "serviceAssociationLinks": null,
        "serviceEndpointPolicies": null,
        "serviceEndpoints": null
      },
      "tags": null,
      "type": "Microsoft.Network/privateEndpoints"
    }
You can also return this value using the az network private-endpoint list CLI command.
Private IP: Private IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:
Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.
Use the Azure CLI to retrieve this value:
Use the output from the az network private-endpoint create command shown above for the Resource ID, which returns the ID of the network interface in the networkInterfaces.id field.
Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the networkInterfaces.id field to retrieve the ipConfigurations.privateIpAddress for the private endpoint network interface. The value of this field is your Private IP. The input and output should look similar to the following. Note the value of the privateIpAddress field, which is the Private Endpoint IP Address.
    az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000
    {
      "dnsSettings": {
        "appliedDnsServers": [],
        "dnsServers": [],
        "internalDnsNameLabel": null,
        "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net",
        "internalFqdn": null
      },
      "dscpConfiguration": null,
      "enableAcceleratedNetworking": false,
      "enableIpForwarding": false,
      "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
      "hostedWorkloads": [],
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
      "ipConfigurations": [
        {
          "applicationGatewayBackendAddressPools": null,
          "applicationSecurityGroups": null,
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig",
          "loadBalancerBackendAddressPools": null,
          "loadBalancerInboundNatRules": null,
          "name": "privateEndpointIpConfig",
          "primary": true,
          "privateIpAddress": "10.0.0.4",
          "privateIpAddressVersion": "IPv4",
          "privateIpAllocationMethod": "Dynamic",
          "privateLinkConnectionProperties": {
            "fqdns": [],
            "groupId": "",
            "requiredMemberName": ""
          },
          "provisioningState": "Succeeded",
          "publicIpAddress": null,
          "resourceGroup": "privatelink",
          "subnet": {
            "addressPrefix": null,
            "addressPrefixes": null,
            "delegations": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
            "ipAllocations": null,
            "ipConfigurationProfiles": null,
            "ipConfigurations": null,
            "name": null,
            "natGateway": null,
            "networkSecurityGroup": null,
            "privateEndpointNetworkPolicies": null,
            "privateEndpoints": null,
            "privateLinkServiceNetworkPolicies": null,
            "provisioningState": null,
            "purpose": null,
            "resourceGroup": "privatelink",
            "resourceNavigationLinks": null,
            "routeTable": null,
            "serviceAssociationLinks": null,
            "serviceEndpointPolicies": null,
            "serviceEndpoints": null
          },
          "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
          "virtualNetworkTaps": null
        }
      ],
      "location": "eastus2",
      "macAddress": "",
      "name": "privatelink.nic.00000000-0000-0000-0000-000000000000",
      "networkSecurityGroup": null,
      "primary": null,
      "privateEndpoint": {
        "customDnsConfigs": null,
        "etag": null,
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
        "location": null,
        "manualPrivateLinkServiceConnections": null,
        "name": null,
        "networkInterfaces": null,
        "privateLinkServiceConnections": null,
        "provisioningState": null,
        "resourceGroup": "privatelink",
        "subnet": null,
        "tags": null,
        "type": null
      },
      "provisioningState": "Succeeded",
      "resourceGroup": "privatelink",
      "resourceGuid": "00000000-0000-0000-0000-000000000000",
      "tags": null,
      "tapConfigurations": [],
      "type": "Microsoft.Network/networkInterfaces",
      "virtualMachine": null
    }
Enter an optional description for the endpoint.
Click Create.
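The Resource ID and Private IP you paste into this dialog both come from Azure CLI JSON, and the endpoint output also contains a network-interface ID that is easy to confuse with the endpoint's own ID. The following script, an added example that is not part of the Atlas documentation, pulls the two values out of the command outputs shown above and rejects an ID that is not a privateEndpoints resource or an address that is not private; the embedded JSON is a constructed sample trimmed from the page's output, and the `az network private-endpoint show --output json` invocation named in the comments is assumed.

```python
import ipaddress
import json
import re

# Constructed sample, trimmed to the fields this script reads. In practice,
# capture the real output with
#   az network private-endpoint show -g <rg> -n <name> --output json
#   az network nic show --id <networkInterfaces.id> --output json
ENDPOINT_JSON = """{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
  "networkInterfaces": [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000"}
  ]
}"""
NIC_JSON = """{
  "ipConfigurations": [
    {"name": "privateEndpointIpConfig", "primary": true, "privateIpAddress": "10.0.0.4"}
  ]
}"""

# ARM path of a private endpoint; the NIC and subnet IDs in the same output
# do not match this, so pasting the wrong one is caught before it reaches Atlas.
ENDPOINT_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/privateEndpoints/[^/]+$"
)

def endpoint_resource_id(endpoint_output: str) -> str:
    """Return the private endpoint's Resource ID (top-level id field)."""
    rid = json.loads(endpoint_output)["id"]
    if not ENDPOINT_ID_RE.match(rid):
        raise ValueError(f"not a privateEndpoints resource ID: {rid}")
    return rid

def nic_id(endpoint_output: str) -> str:
    """Return networkInterfaces.id, the argument for `az network nic show --id`."""
    nics = json.loads(endpoint_output)["networkInterfaces"]
    if len(nics) != 1:
        raise ValueError(f"expected exactly one network interface, found {len(nics)}")
    return nics[0]["id"]

def private_ip(nic_output: str) -> str:
    """Return the primary ipConfigurations.privateIpAddress; it must be an RFC 1918 address."""
    cfgs = json.loads(nic_output)["ipConfigurations"]
    primary = [c for c in cfgs if c.get("primary")] or cfgs
    ip = ipaddress.ip_address(primary[0]["privateIpAddress"])
    if not ip.is_private:
        raise ValueError(f"{ip} is not a private address; wrong interface?")
    return str(ip)

if __name__ == "__main__":
    print("Resource ID:", endpoint_resource_id(ENDPOINT_JSON))
    print("Private IP: ", private_ip(NIC_JSON))
```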
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Verify that the private endpoint is available.
You can connect to an Atlas cluster using the Azure Private Link private endpoint when all of the resources are configured and the private endpoint becomes available.
To verify that the Azure Private Link private endpoint is available:
On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using Azure Private Link:
Atlas Endpoint Service Status | Available
Endpoint Status | Available
To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.
If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.