Set Up a Private Endpoint for a Serverless Instance

Note

This feature is not available for M0 Free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limits.

Note

Serverless instances don't support GCP Private Service Connect. If you need to set up GCP Private Service Connect, use a dedicated cluster.

MongoDB plans to add support for more configurations and capabilities on Serverless instances over time. To learn which features MongoDB plans to support for Serverless instances in the future, see Serverless Instance Limits.

Follow these steps to enable a client to connect to an Atlas Serverless instance using a private endpoint.

To learn more about using private endpoints with Atlas, see Learn About Private Endpoints in Atlas.

To set up a private endpoint for a dedicated cluster, see Set Up a Private Endpoint for a Dedicated Cluster.

To set up a private endpoint for a Serverless instance, you must have Project Owner access to the project. Users with Organization Owner access must add themselves to the project as a Project Owner.

To learn the prerequisites, considerations, and limitations for setting up a private endpoint, see the following resources:

You can set up AWS PrivateLink for Serverless instances using the Atlas UI or the Atlas Administration API. Select an interface to learn more.

To set up AWS PrivateLink through the Atlas Administration API, configure API access. Then, complete the following steps:

1
  1. Run the command to create one private endpoint, replacing the placeholders with your parameters. To learn more about the parameters, see create one private endpoint.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --request POST "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint?pretty=true" \
      --data '
        {
          "comment" : "example comment"
        }'

  2. Note the value for the field _id in the response.

    {
      "_id": "5f7cac1adf5d6c6306f4b283",
      "cloudProviderEndpointId": null,
      "comment": "example comment",
      "endpointServiceName": null,
      "errorMessage": null,
      "status": "RESERVATION_REQUESTED"
    }

2

Note

It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.

  1. Run the command to get one private endpoint, replacing the placeholders with the parameters for the endpoint you created. Replace {ENDPOINT-ID} with the _id that you retrieved previously. To learn more about the parameters, see get one private endpoint.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}?pretty=true"

  2. Note the value for the field endpointServiceName in the response.

    {
      "_id": "5f7cac1adf5d6c6306f4b283",
      "cloudProviderEndpointId": "34985fcac938279cd98dc894",
      "comment": "example comment",
      "endpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0afd34ee97e30d43f",
      "errorMessage": null,
      "status": "RESERVED"
    }

If endpointServiceName is null, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.

3
  1. Run the command in the AWS CLI, replacing the following placeholders with your values:

    | Placeholder | Description |
    | --- | --- |
    | {VPC-ID} | Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account. |
    | {REGION} | AWS region in which your cluster resides. |
    | {SUBNET-IDS} | Unique string that identifies the subnets that your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account. IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint. |
    | {SERVICE-NAME} | Unique string identifying the private endpoint service that you retrieved previously. |

    aws ec2 create-vpc-endpoint --vpc-id {VPC-ID} \
      --region {REGION} --service-name {SERVICE-NAME} \
      --vpc-endpoint-type Interface --subnet-ids {SUBNET-IDS}

    To learn more about the AWS CLI, see Creating an Interface Endpoint.

  2. Note the value in the response for the field VpcEndpointId. This is a 22-character alphanumeric string that identifies your private endpoint. You can also find this value on the AWS VPC Dashboard under Endpoints > VPC ID.

4

Run the command to update one private endpoint, replacing the placeholders with the parameters for the endpoint you created. Update the cloudProviderEndpointId field to the VPC Endpoint ID you retrieved previously. To learn more about the parameters, see update one private endpoint.

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}" \
  --data '
    {
      "cloudProviderEndpointId" : "vpce-fcac938279cd98dc894",
      "providerName" : "AWS"
    }'

Note

You must include the providerName to successfully run this command.

5

For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.

See Adding Rules to a Security Group for more information.

6

This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:

  1. In the AWS console, navigate to the VPC Dashboard.

  2. Click Security Groups, then click Create security group.

  3. Use the wizard to create a security group. Make sure you select your VPC from the VPC list.

  4. Select the security group you just created, then click the Inbound Rules tab.

  5. Click Edit Rules.

  6. Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.

  7. Click Save Rules.

  8. Click Endpoints, then click the endpoint for your VPC.

  9. Click the Security Groups tab, then click Edit Security Groups.

  10. Add the security group you just created, then click Save.

To learn more about VPC security groups, see the AWS documentation.

7

You can connect to an Atlas Serverless instance using the AWS PrivateLink private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.

To verify that the AWS PrivateLink private endpoint is available:

  1. Run the command to get one Private Endpoint for one Serverless Instance, replacing the placeholders with the parameters for the endpoint you created. To learn more about the parameters, see get one Private Endpoint for one Serverless Instance.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}?pretty=true"

  2. Verify that the status field's value is AVAILABLE as shown in the following example:

    {
      "_id": "5f7cac1adf5d6c6306f4b283",
      "cloudProviderEndpointId": "vpce-fcac938279cd98dc894",
      "comment": "example comment",
      "endpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0afd34ee97e30d43f",
      "errorMessage": null,
      "status": "AVAILABLE"
    }

If cloudProviderEndpointId is Initiating, wait 1-2 more minutes for Atlas to configure the private endpoint. Then, try this step again.

To set up AWS PrivateLink through the Atlas UI:

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click Serverless Instance to set up a private endpoint for your Atlas Serverless instance.

3

Click the Create New Endpoint button.

4
  1. From the Serverless Instance dropdown, select the Serverless instance you want to connect using a private endpoint. The cloud provider and region for the Serverless instance populate automatically.

  2. Click Confirm. Atlas begins allocating the endpoint service, which might take several minutes to complete. You can continue to the next steps while Atlas allocates the endpoint service.

5

Click the AWS logo, then click Next.

6
  1. Enter your VPC Endpoint ID. This is a 22-character alphanumeric string that identifies your private endpoint. Find this value on the AWS VPC Dashboard under Endpoints > VPC ID.

  2. Click Create.

7

For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.

See Adding Rules to a Security Group for more information.

8

This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:

  1. In the AWS console, navigate to the VPC Dashboard.

  2. Click Security Groups, then click Create security group.

  3. Use the wizard to create a security group. Make sure you select your VPC from the VPC list.

  4. Select the security group you just created, then click the Inbound Rules tab.

  5. Click Edit Rules.

  6. Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.

  7. Click Save Rules.

  8. Click Endpoints, then click the endpoint for your VPC.

  9. Click the Security Groups tab, then click Edit Security Groups.

  10. Add the security group you just created, then click Save.

To learn more about VPC security groups, see the AWS documentation.

9
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

10

You can connect to an Atlas cluster using the AWS PrivateLink private endpoint when all of the resources are configured and the private endpoint becomes available.

To verify that the AWS PrivateLink private endpoint is available:

  1. On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using AWS PrivateLink:

    Atlas Endpoint Service Status: Available
    Endpoint Status: Available

To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.

If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.

You can set up Azure Private Link for Serverless instances using the Atlas UI or the Atlas Administration API. Select an interface to learn more.

To set up Azure Private Link through the Atlas Administration API, configure API access. Then, complete the following steps:

1
  1. Run the command to Create One Private Endpoint for One Serverless Instance, replacing the placeholders with your values. To learn more about the placeholders, see the path parameters in the Atlas Administration API spec.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --request POST "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint?pretty=true" \
      --data '
        {
          "comment" : "example comment"
        }'

  2. Copy and save the value for the field _id in the response.

    {
      "_id": "6313703ae1c4ba2707d18973",
      "cloudProviderEndpointId": null,
      "comment": "example comment",
      "endpointServiceName": null,
      "errorMessage": null,
      "privateEndpointIpAddress": null,
      "privateLinkServiceResourceId": null,
      "status": "RESERVATION_REQUESTED"
    }

2

Note

It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you perform this step.

  1. Run the command to Return One Private Endpoint for One Serverless Instance. You must replace the placeholders with the exact values for the endpoint that you created. Replace {ENDPOINT-ID} with the _id that you retrieved previously. To learn more about the {GROUP-ID} and {INSTANCE-NAME} placeholders, see the path parameters in the Atlas Administration API spec.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}?pretty=true"

  2. Copy and save the value for the following fields in the response:

    • endpointServiceName

    • privateLinkServiceResourceId

    {
      "_id": "6313703ae1c4ba2707d18973",
      "cloudProviderEndpointId": null,
      "comment": "example comment",
      "endpointServiceName": "pls_62f5394fcbfe456e4ed881d6",
      "errorMessage": null,
      "privateEndpointIpAddress": null,
      "privateLinkServiceResourceId": "/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateLinkServices/pls_62f5394fcbfe456e4ed881d6",
      "status": "RESERVED"
    }

If endpointServiceName is null, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.

3
  1. Run the az network private-endpoint create command in the Azure CLI, replacing the following placeholders with your values:

    | Placeholder | Description |
    | --- | --- |
    | {RESOURCE-GROUP-NAME} | Name of the Azure resource group that contains the VNet that you want to use to connect to Atlas. You can find this value on the Resource Group Properties page on your Azure dashboard. |
    | {VIRTUAL-NETWORK-NAME} | Name of the VNet that you want to use to connect to Atlas. You can find this value on the Virtual Network page on your Azure dashboard. |
    | {SUBNET-NAME} | Name of the subnet in your Azure VNet. You can find this value on the Virtual Network Subnets page on your Azure dashboard. |
    | {PRIVATE-ENDPOINT-NAME} | Human-readable label that identifies the private endpoint within your Azure resource group. |
    | {PRIVATE-LINK-SERVICE-RESOURCE-ID} | Unique string that identifies the resource group and ID for the private endpoint. |
    | {ENDPOINT-SERVICE-NAME} | Unique string that identifies the endpoint service. This is the endpoint service name returned in a previous step. |

    az network private-endpoint create --resource-group {RESOURCE-GROUP-NAME} --name {PRIVATE-ENDPOINT-NAME} --vnet-name {VIRTUAL-NETWORK-NAME} --subnet {SUBNET-NAME} --private-connection-resource-id {PRIVATE-LINK-SERVICE-RESOURCE-ID} --connection-name {ENDPOINT-SERVICE-NAME} --manual-request true

    To learn more about the Azure CLI, see Create a Private Endpoint by Using the Azure CLI.

  2. Copy and save the following values:

    Resource ID

    Unique string that identifies the private endpoint in your Azure VNet. Find this value in one of the following ways:

    • Use the Azure dashboard to retrieve this value. The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.

    • Use the output from the following command, which returns the highlighted value in the id field:

      azure network private-endpoint create

      {
        "customDnsConfigs": [],
        "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
        "location": "eastus2",
        "manualPrivateLinkServiceConnections": [
          {
            "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
            "groupIds": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
            "name": "pls_5f860388d432510d5a6e1a3e",
            "privateLinkServiceConnectionState": {
              "actionsRequired": "None",
              "description": "Connection deleted by service provider",
              "status": "Disconnected"
            },
            "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
            "provisioningState": "Succeeded",
            "requestMessage": null,
            "resourceGroup": "privatelink",
            "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
          }
        ],
        "name": "privatelink",
        "networkInterfaces": [
          {
            "dnsSettings": null,
            "dscpConfiguration": null,
            "enableAcceleratedNetworking": null,
            "enableIpForwarding": null,
            "etag": null,
            "hostedWorkloads": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
            "ipConfigurations": null,
            "location": null,
            "macAddress": null,
            "name": null,
            "networkSecurityGroup": null,
            "primary": null,
            "privateEndpoint": null,
            "provisioningState": null,
            "resourceGroup": "privatelink",
            "resourceGuid": null,
            "tags": null,
            "tapConfigurations": null,
            "type": null,
            "virtualMachine": null
          }
        ],
        "privateLinkServiceConnections": [],
        "provisioningState": "Succeeded",
        "resourceGroup": "privatelink",
        "subnet": {
          "addressPrefix": null,
          "addressPrefixes": null,
          "delegations": null,
          "etag": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
          "ipAllocations": null,
          "ipConfigurationProfiles": null,
          "ipConfigurations": null,
          "name": null,
          "natGateway": null,
          "networkSecurityGroup": null,
          "privateEndpointNetworkPolicies": null,
          "privateEndpoints": null,
          "privateLinkServiceNetworkPolicies": null,
          "provisioningState": null,
          "purpose": null,
          "resourceGroup": "privatelink",
          "resourceNavigationLinks": null,
          "routeTable": null,
          "serviceAssociationLinks": null,
          "serviceEndpointPolicies": null,
          "serviceEndpoints": null
        },
        "tags": null,
        "type": "Microsoft.Network/privateEndpoints"
      }

      You can also return this value using the azure network private-endpoint list CLI command.

    Private IP

    Private IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:

    • Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.

    • Use the Azure CLI to retrieve this value:

      1. Use the output from the following command, which returns the ID of the network interface in the highlighted networkInterfaces.id field:

        azure network private-endpoint create

        {
          "customDnsConfigs": [],
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
          "location": "eastus2",
          "manualPrivateLinkServiceConnections": [
            {
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "groupIds": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
              "name": "pls_5f860388d432510d5a6e1a3e",
              "privateLinkServiceConnectionState": {
                "actionsRequired": "None",
                "description": "Connection deleted by service provider",
                "status": "Disconnected"
              },
              "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
              "provisioningState": "Succeeded",
              "requestMessage": null,
              "resourceGroup": "privatelink",
              "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
            }
          ],
          "name": "privatelink",
          "networkInterfaces": [
            {
              "dnsSettings": null,
              "dscpConfiguration": null,
              "enableAcceleratedNetworking": null,
              "enableIpForwarding": null,
              "etag": null,
              "hostedWorkloads": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
              "ipConfigurations": null,
              "location": null,
              "macAddress": null,
              "name": null,
              "networkSecurityGroup": null,
              "primary": null,
              "privateEndpoint": null,
              "provisioningState": null,
              "resourceGroup": "privatelink",
              "resourceGuid": null,
              "tags": null,
              "tapConfigurations": null,
              "type": null,
              "virtualMachine": null
            }
          ],
          "privateLinkServiceConnections": [],
          "provisioningState": "Succeeded",
          "resourceGroup": "privatelink",
          "subnet": {
            "addressPrefix": null,
            "addressPrefixes": null,
            "delegations": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
            "ipAllocations": null,
            "ipConfigurationProfiles": null,
            "ipConfigurations": null,
            "name": null,
            "natGateway": null,
            "networkSecurityGroup": null,
            "privateEndpointNetworkPolicies": null,
            "privateEndpoints": null,
            "privateLinkServiceNetworkPolicies": null,
            "provisioningState": null,
            "purpose": null,
            "resourceGroup": "privatelink",
            "resourceNavigationLinks": null,
            "routeTable": null,
            "serviceAssociationLinks": null,
            "serviceEndpointPolicies": null,
            "serviceEndpoints": null
          },
          "tags": null,
          "type": "Microsoft.Network/privateEndpoints"
        }

      2. Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the networkInterfaces.id field to retrieve the ipConfigurations.privateIpAddress for the private endpoint network interface. The value of this field is your Private IP. The input and output should look similar to the following. Note the highlighted value of the Private Endpoint IP Address field.

        az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000

        {
          "dnsSettings": {
            "appliedDnsServers": [],
            "dnsServers": [],
            "internalDnsNameLabel": null,
            "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net",
            "internalFqdn": null
          },
          "dscpConfiguration": null,
          "enableAcceleratedNetworking": false,
          "enableIpForwarding": false,
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "hostedWorkloads": [],
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
          "ipConfigurations": [
            {
              "applicationGatewayBackendAddressPools": null,
              "applicationSecurityGroups": null,
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig",
              "loadBalancerBackendAddressPools": null,
              "loadBalancerInboundNatRules": null,
              "name": "privateEndpointIpConfig",
              "primary": true,
              "privateIpAddress": "10.0.0.4",
              "privateIpAddressVersion": "IPv4",
              "privateIpAllocationMethod": "Dynamic",
              "privateLinkConnectionProperties": {
                "fqdns": [],
                "groupId": "",
                "requiredMemberName": ""
              },
              "provisioningState": "Succeeded",
              "publicIpAddress": null,
              "resourceGroup": "privatelink",
              "subnet": {
                "addressPrefix": null,
                "addressPrefixes": null,
                "delegations": null,
                "etag": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
                "ipAllocations": null,
                "ipConfigurationProfiles": null,
                "ipConfigurations": null,
                "name": null,
                "natGateway": null,
                "networkSecurityGroup": null,
                "privateEndpointNetworkPolicies": null,
                "privateEndpoints": null,
                "privateLinkServiceNetworkPolicies": null,
                "provisioningState": null,
                "purpose": null,
                "resourceGroup": "privatelink",
                "resourceNavigationLinks": null,
                "routeTable": null,
                "serviceAssociationLinks": null,
                "serviceEndpointPolicies": null,
                "serviceEndpoints": null
              },
              "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
              "virtualNetworkTaps": null
            }
          ],
          "location": "eastus2",
          "macAddress": "",
          "name": "privatelink.nic.00000000-0000-0000-0000-000000000000",
          "networkSecurityGroup": null,
          "primary": null,
          "privateEndpoint": {
            "customDnsConfigs": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
            "location": null,
            "manualPrivateLinkServiceConnections": null,
            "name": null,
            "networkInterfaces": null,
            "privateLinkServiceConnections": null,
            "provisioningState": null,
            "resourceGroup": "privatelink",
            "subnet": null,
            "tags": null,
            "type": null
          },
          "provisioningState": "Succeeded",
          "resourceGroup": "privatelink",
          "resourceGuid": "00000000-0000-0000-0000-000000000000",
          "tags": null,
          "tapConfigurations": [],
          "type": "Microsoft.Network/networkInterfaces",
          "virtualMachine": null
        }

4

Run the command to Update One Private Endpoint for One Serverless Instance, replacing the placeholders with the values for the endpoint you created.

Replace the following placeholders with the values for the endpoint you created:

  • cloudProviderEndpointId - replace with the id that Azure returned when you created the endpoint (the Resource ID in the Azure UI).

  • privateEndpointIpAddress - replace with the ipConfigurations.privateIpAddress that Azure returned for the endpoint (the Private IP in the Azure UI).

Note

The Resource ID for the private endpoint differs from the resource ID for the private endpoint service.

In our example, the privateLinkServiceResourceId is:

/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateLinkServices/pls_62f5394fcbfe456e4ed881d6

The cloudProviderEndpointId is:

/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/test-endpoint

To learn more about the placeholders, see the path parameters for Update One Private Endpoint for One Serverless Instance.

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}" \
  --data '
    {
      "cloudProviderEndpointId" : "/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/test-endpoint",
      "providerName" : "AZURE",
      "privateEndpointIpAddress" : "10.0.0.6"
    }'

Note

You must include the providerName to successfully run this command.

5

You can connect to an Atlas Serverless instance using the Azure private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.

To verify that the Azure private endpoint is available:

  1. Run the command to Return One Private Endpoint for One Serverless Instance, replacing the placeholders with the parameters for the endpoint you created. To learn more about the placeholders, see the path parameters for Return One Private Endpoint for One Serverless Instance.

    curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
      --header "Accept: application/json" \
      --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/privateEndpoint/serverless/instance/{INSTANCE-NAME}/endpoint/{ENDPOINT-ID}?pretty=true"

  2. Verify that the status field's value is AVAILABLE as shown in the following example:

    {
      "_id": "6313703ae1c4ba2707d18973",
      "cloudProviderEndpointId": "/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/test-endpoint",
      "comment": "example comment",
      "endpointServiceName": "pls_62f5394fcbfe456e4ed881d6",
      "errorMessage": null,
      "privateEndpointIpAddress" : "10.0.0.6",
      "privateLinkServiceResourceId" : "/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateLinkServices/pls_62f5394fcbfe456e4ed881d6",
      "status": "AVAILABLE"
    }

If cloudProviderEndpointId is Initiating, wait 1-2 more minutes for Atlas to configure the private endpoint. Then, try this step again.
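
The status checks and the update (PATCH) step in the AWS and Azure API procedures above can be guarded in a script before any request is sent. The following Python sketch is an added example, not part of the Atlas documentation; the function names, the returned step labels, and the ID patterns are assumptions inferred from the sample values on this page.

```python
import ipaddress
import re

# Assumed patterns, inferred from this page's sample values (not an Atlas spec).
AWS_VPCE_ID = re.compile(r"^vpce-[0-9a-f]+$")
AZURE_PE_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Network/privateEndpoints/[^/]+$"
)


def next_step(endpoint):
    """Map a 'get one private endpoint' response to the next action."""
    if endpoint.get("errorMessage"):
        return "stop"                     # surface the error, do not retry blindly
    if endpoint.get("status") == "AVAILABLE":
        return "connect"
    if endpoint.get("endpointServiceName") is None:
        return "wait"                     # Atlas is still provisioning
    if endpoint.get("status") == "RESERVED":
        return "create-cloud-endpoint"    # run the AWS or Azure CLI step
    return "wait"                         # Atlas is still configuring the endpoint


def build_patch_body(provider, cloud_endpoint_id, private_ip=None):
    """Build the PATCH body, rejecting the values most easily mixed up."""
    if provider == "AWS":
        # The endpoint service name also contains "vpce-" but is not the endpoint ID.
        if not AWS_VPCE_ID.match(cloud_endpoint_id):
            raise ValueError("expected a VPC endpoint ID (vpce-...), "
                             "not the endpoint service name")
        return {"cloudProviderEndpointId": cloud_endpoint_id,
                "providerName": "AWS"}
    if provider == "AZURE":
        if "/privateLinkServices/" in cloud_endpoint_id:
            raise ValueError("this is the private link service resource ID, "
                             "not the private endpoint Resource ID")
        if not AZURE_PE_ID.match(cloud_endpoint_id):
            raise ValueError("expected a .../privateEndpoints/<name> resource ID")
        if private_ip is None:
            raise ValueError("privateEndpointIpAddress is required for Azure")
        # ip_address() itself raises ValueError on malformed input.
        if not ipaddress.ip_address(private_ip).is_private:
            raise ValueError("privateEndpointIpAddress must be a private address")
        return {"cloudProviderEndpointId": cloud_endpoint_id,
                "providerName": "AZURE",
                "privateEndpointIpAddress": private_ip}
    raise ValueError("providerName must be AWS or AZURE")


if __name__ == "__main__":
    # Constructed responses modelled on the examples shown on this page.
    reserved = {"status": "RESERVED", "errorMessage": None,
                "endpointServiceName": "pls_62f5394fcbfe456e4ed881d6"}
    print(next_step(reserved))
    print(build_patch_body("AWS", "vpce-fcac938279cd98dc894"))
```
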

To set up AWS PrivateLink through the Atlas UI:

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click Serverless Instance to set up a private endpoint for your Atlas Serverless instance.

3

Click the Create New Endpoint button.

4
  1. From the Serverless Instance dropdown, select the Serverless instance to connect to using a private endpoint. The cloud provider and region for the Serverless instance populate automatically.

  2. Click Confirm. Atlas begins allocating the endpoint service, which might take several minutes to complete. You can continue to the next steps while Atlas allocates the endpoint service.

5
  1. Enter the following details about your Azure VNet:

    Resource Group Name
    Human-readable label that identifies the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
    Virtual Network Name
    Human-readable label that identifies the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
    Subnet Name
    Human-readable label that identifies the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
  2. Enter a unique name for your private endpoint in the Private Endpoint Name field.

  3. Create the private endpoint in your VNet by copying the az network private-endpoint create command the dialog box displays and running it using the Azure CLI.

    Note

    You can't copy the command until Atlas finishes creating VNet resources in the background.

    For more information about this command, see the Azure documentation.

  4. You might receive an error like the following when you create the private endpoint:

    ServiceError: code: LinkedAuthorizationFailed - , The client has permission to perform action 'Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action' on scope '/subscriptions/<subscription-id>/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink', however the current tenant '<tenant-id>' is not authorized to access linked subscription '<tenant-id>'.

    If you receive this error, add the --manual-request true parameter to the Azure CLI command you used to create the private endpoint, then run the command again.

  5. Click Next.

6
  1. Enter the following details about your private endpoint:

    Resource ID

    Unique string that identifies the private endpoint in your Azure VNet. Find this value in one of the following ways:

    • Use the Azure dashboard to retrieve this value. The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.

    • Use the output from the following command, which returns the highlighted value in the id field:

      az network private-endpoint create

      {
        "customDnsConfigs": [],
        "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
        "location": "eastus2",
        "manualPrivateLinkServiceConnections": [
          {
            "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
            "groupIds": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
            "name": "pls_5f860388d432510d5a6e1a3e",
            "privateLinkServiceConnectionState": {
              "actionsRequired": "None",
              "description": "Connection deleted by service provider",
              "status": "Disconnected"
            },
            "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
            "provisioningState": "Succeeded",
            "requestMessage": null,
            "resourceGroup": "privatelink",
            "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
          }
        ],
        "name": "privatelink",
        "networkInterfaces": [
          {
            "dnsSettings": null,
            "dscpConfiguration": null,
            "enableAcceleratedNetworking": null,
            "enableIpForwarding": null,
            "etag": null,
            "hostedWorkloads": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
            "ipConfigurations": null,
            "location": null,
            "macAddress": null,
            "name": null,
            "networkSecurityGroup": null,
            "primary": null,
            "privateEndpoint": null,
            "provisioningState": null,
            "resourceGroup": "privatelink",
            "resourceGuid": null,
            "tags": null,
            "tapConfigurations": null,
            "type": null,
            "virtualMachine": null
          }
        ],
        "privateLinkServiceConnections": [],
        "provisioningState": "Succeeded",
        "resourceGroup": "privatelink",
        "subnet": {
          "addressPrefix": null,
          "addressPrefixes": null,
          "delegations": null,
          "etag": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
          "ipAllocations": null,
          "ipConfigurationProfiles": null,
          "ipConfigurations": null,
          "name": null,
          "natGateway": null,
          "networkSecurityGroup": null,
          "privateEndpointNetworkPolicies": null,
          "privateEndpoints": null,
          "privateLinkServiceNetworkPolicies": null,
          "provisioningState": null,
          "purpose": null,
          "resourceGroup": "privatelink",
          "resourceNavigationLinks": null,
          "routeTable": null,
          "serviceAssociationLinks": null,
          "serviceEndpointPolicies": null,
          "serviceEndpoints": null
        },
        "tags": null,
        "type": "Microsoft.Network/privateEndpoints"
      }

      You can also return this value using the az network private-endpoint list CLI command.

    Private IP

    Private IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:

    • Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.

    • Use the Azure CLI to retrieve this value:

      1. Use the output from the following command, which returns the ID of the network interface in the highlighted networkInterfaces.id field:

        az network private-endpoint create

        {
          "customDnsConfigs": [],
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
          "location": "eastus2",
          "manualPrivateLinkServiceConnections": [
            {
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "groupIds": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
              "name": "pls_5f860388d432510d5a6e1a3e",
              "privateLinkServiceConnectionState": {
                "actionsRequired": "None",
                "description": "Connection deleted by service provider",
                "status": "Disconnected"
              },
              "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
              "provisioningState": "Succeeded",
              "requestMessage": null,
              "resourceGroup": "privatelink",
              "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
            }
          ],
          "name": "privatelink",
          "networkInterfaces": [
            {
              "dnsSettings": null,
              "dscpConfiguration": null,
              "enableAcceleratedNetworking": null,
              "enableIpForwarding": null,
              "etag": null,
              "hostedWorkloads": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
              "ipConfigurations": null,
              "location": null,
              "macAddress": null,
              "name": null,
              "networkSecurityGroup": null,
              "primary": null,
              "privateEndpoint": null,
              "provisioningState": null,
              "resourceGroup": "privatelink",
              "resourceGuid": null,
              "tags": null,
              "tapConfigurations": null,
              "type": null,
              "virtualMachine": null
            }
          ],
          "privateLinkServiceConnections": [],
          "provisioningState": "Succeeded",
          "resourceGroup": "privatelink",
          "subnet": {
            "addressPrefix": null,
            "addressPrefixes": null,
            "delegations": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
            "ipAllocations": null,
            "ipConfigurationProfiles": null,
            "ipConfigurations": null,
            "name": null,
            "natGateway": null,
            "networkSecurityGroup": null,
            "privateEndpointNetworkPolicies": null,
            "privateEndpoints": null,
            "privateLinkServiceNetworkPolicies": null,
            "provisioningState": null,
            "purpose": null,
            "resourceGroup": "privatelink",
            "resourceNavigationLinks": null,
            "routeTable": null,
            "serviceAssociationLinks": null,
            "serviceEndpointPolicies": null,
            "serviceEndpoints": null
          },
          "tags": null,
          "type": "Microsoft.Network/privateEndpoints"
        }

      2. Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the networkInterfaces.id field to retrieve the ipConfigurations.privateIpAddress for the private endpoint network interface. The value of this field is your Private IP. The input and output should look similar to the following. Note the highlighted value of the Private Endpoint IP Address field.

        az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000

        {
          "dnsSettings": {
            "appliedDnsServers": [],
            "dnsServers": [],
            "internalDnsNameLabel": null,
            "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net",
            "internalFqdn": null
          },
          "dscpConfiguration": null,
          "enableAcceleratedNetworking": false,
          "enableIpForwarding": false,
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "hostedWorkloads": [],
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
          "ipConfigurations": [
            {
              "applicationGatewayBackendAddressPools": null,
              "applicationSecurityGroups": null,
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig",
              "loadBalancerBackendAddressPools": null,
              "loadBalancerInboundNatRules": null,
              "name": "privateEndpointIpConfig",
              "primary": true,
              "privateIpAddress": "10.0.0.4",
              "privateIpAddressVersion": "IPv4",
              "privateIpAllocationMethod": "Dynamic",
              "privateLinkConnectionProperties": {
                "fqdns": [],
                "groupId": "",
                "requiredMemberName": ""
              },
              "provisioningState": "Succeeded",
              "publicIpAddress": null,
              "resourceGroup": "privatelink",
              "subnet": {
                "addressPrefix": null,
                "addressPrefixes": null,
                "delegations": null,
                "etag": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
                "ipAllocations": null,
                "ipConfigurationProfiles": null,
                "ipConfigurations": null,
                "name": null,
                "natGateway": null,
                "networkSecurityGroup": null,
                "privateEndpointNetworkPolicies": null,
                "privateEndpoints": null,
                "privateLinkServiceNetworkPolicies": null,
                "provisioningState": null,
                "purpose": null,
                "resourceGroup": "privatelink",
                "resourceNavigationLinks": null,
                "routeTable": null,
                "serviceAssociationLinks": null,
                "serviceEndpointPolicies": null,
                "serviceEndpoints": null
              },
              "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
              "virtualNetworkTaps": null
            }
          ],
          "location": "eastus2",
          "macAddress": "",
          "name": "privatelink.nic.00000000-0000-0000-0000-000000000000",
          "networkSecurityGroup": null,
          "primary": null,
          "privateEndpoint": {
            "customDnsConfigs": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
            "location": null,
            "manualPrivateLinkServiceConnections": null,
            "name": null,
            "networkInterfaces": null,
            "privateLinkServiceConnections": null,
            "provisioningState": null,
            "resourceGroup": "privatelink",
            "subnet": null,
            "tags": null,
            "type": null
          },
          "provisioningState": "Succeeded",
          "resourceGroup": "privatelink",
          "resourceGuid": "00000000-0000-0000-0000-000000000000",
          "tags": null,
          "tapConfigurations": [],
          "type": "Microsoft.Network/networkInterfaces",
          "virtualMachine": null
        }

  2. Enter an optional description for the endpoint.

  3. Click Create.
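
The Resource ID and Private IP lookups from this step can be scripted and cross-checked before you enter them. The following is an added example, not code from the Atlas or Azure documentation: it reads the parsed output of the two Azure CLI commands above, confirms the network interface really belongs to the private endpoint, and flags a dropped connection such as the Disconnected state in the sample output. The function name and the trimmed sample documents are assumptions constructed for illustration.

```python
import ipaddress
import re

# Shape of the private endpoint resource ID shown in the "id" field above.
PE_ID = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
                   r"/providers/Microsoft\.Network/privateEndpoints/[^/]+$", re.I)

def endpoint_details(pe, nic):
    """Return (atlas_fields, warnings) from the two parsed Azure CLI outputs."""
    resource_id = pe["id"]
    if not PE_ID.match(resource_id):
        raise ValueError(f"not a private endpoint resource ID: {resource_id}")
    # The NIC must be listed by the endpoint and point back at it (IDs ignore case).
    listed = {n["id"].lower() for n in pe.get("networkInterfaces") or []}
    if nic["id"].lower() not in listed:
        raise ValueError("NIC is not attached to this private endpoint")
    owner = (nic.get("privateEndpoint") or {}).get("id") or ""
    if owner.lower() != resource_id.lower():
        raise ValueError("NIC references a different private endpoint")
    primary = next((c for c in nic.get("ipConfigurations") or []
                    if c.get("primary")), None)
    if primary is None:
        raise ValueError("NIC has no primary IP configuration")
    ip = ipaddress.ip_address(primary["privateIpAddress"])
    if not ip.is_private:
        raise ValueError(f"{ip} is not a private address")
    # Report connections that the service side has dropped or refused.
    warnings = []
    for conn in ((pe.get("privateLinkServiceConnections") or [])
                 + (pe.get("manualPrivateLinkServiceConnections") or [])):
        state = conn.get("privateLinkServiceConnectionState") or {}
        if state.get("status") in ("Disconnected", "Rejected"):
            warnings.append(f"{conn.get('name')}: {state['status']} ({state.get('description')})")
    fields = {"cloudProviderEndpointId": resource_id, "providerName": "AZURE",
              "privateEndpointIpAddress": str(ip)}
    return fields, warnings

# Constructed sample input, trimmed to the fields used, in the shape shown above.
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/privatelink/providers/Microsoft.Network")
SAMPLE_PE = {
    "id": BASE + "/privateEndpoints/privatelink",
    "networkInterfaces": [{"id": BASE + "/networkInterfaces/privatelink.nic.0"}],
    "manualPrivateLinkServiceConnections": [{
        "name": "pls_5f860388d432510d5a6e1a3e",
        "privateLinkServiceConnectionState": {
            "status": "Disconnected",
            "description": "Connection deleted by service provider"}}],
}
SAMPLE_NIC = {
    "id": BASE + "/networkInterfaces/privatelink.nic.0",
    "privateEndpoint": {"id": BASE + "/privateEndpoints/privatelink"},
    "ipConfigurations": [{"primary": True, "privateIpAddress": "10.0.0.4"}],
}
```

The returned fields use the same names as the API request body, so the values can go into either the dialog box or the Atlas Administration API call.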

7
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

8

You can connect to an Atlas cluster using the Azure Private Link private endpoint when all of the resources are configured and the private endpoint becomes available.

To verify that the Azure Private Link private endpoint is available:

On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using Azure Private Link:

Atlas Endpoint Service Status
Available
Endpoint Status
Available

To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.

If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.