
Use a VPC Private Endpoint (Preview)

On this page

  • Before You Begin
  • Add a Private Endpoint
  • Add a General Endpoint
  • Add a Sync Endpoint
  • Change Access Restrictions
  • Private Endpoints Ignore IP Access Lists
  • Supported SDK Versions
  • Private Endpoint Limitations

You can use a Private Endpoint to access Atlas App Services from within your Virtual Private Cloud (VPC). This is a private connection to Atlas App Services that does not go over the public internet. By default, requests from outside your VPC return a 404 error.

Private Endpoints are only available for Atlas App Services Apps deployed locally to a region in AWS. They connect to your AWS VPC using AWS PrivateLink. To learn more, see What is AWS PrivateLink? in the AWS documentation.

There are two kinds of App Services Private Endpoints:

  • General: Endpoints that use services.cloud.mongodb.com for Client HTTP requests.

  • Sync: Endpoints that use services.cloud.mongodb.com for Sync WebSocket connections.

Important

Custom HTTPS Endpoints and Data API endpoints are not supported in private endpoints.

Before You Begin

Gather the following information:

  • Your VPC ID, which you can find in the AWS VPC dashboard or by running the describe-vpcs command in the AWS CLI.

  • Your Subnet IDs, which you can find in the AWS VPC dashboard or by running the describe-subnets command in the AWS CLI.

Set up a private hosted zone for your VPC; you need your VPC ID for this. Then use the ModifyVpcAttribute API (modify-vpc-attribute in the AWS CLI) to set the following VPC attributes to true, which private DNS resolution inside the VPC requires:

  • EnableDnsHostnames

  • EnableDnsSupport

You must also install and authenticate the AWS CLI.
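A pre-flight script for these prerequisites, added here as an example (it is not MongoDB's or AWS's code): it validates the VPC and subnet IDs you gathered, sets both DNS attributes with modify-vpc-attribute, and reads them back with describe-vpc-attribute to confirm. It assumes the AWS CLI is installed and authenticated; the function names, the SAMPLE_DESCRIBE_OUTPUTS data and the ID formats it checks are the example's own. Python is used rather than a raw shell script so that the CLI is called with an argument list and its JSON output is parsed rather than grepped.

```python
#!/usr/bin/env python3
"""Pre-flight for an App Services Private Endpoint: validate the VPC and subnet
IDs you gathered, set the two DNS attributes, and read them back to confirm.

Added example, not MongoDB's or AWS's code. Assumes the AWS CLI is installed and
authenticated. The CLI is invoked with an argv list, never a shell string, so an
ID copied from a ticket or config file cannot be shell-interpreted.
"""
import json
import re
import subprocess
from typing import Dict, List

# AWS resource IDs are a fixed prefix plus 8 or 17 lowercase hex digits.
VPC_ID_RE = re.compile(r"^vpc-[0-9a-f]{8}(?:[0-9a-f]{9})?$")
SUBNET_ID_RE = re.compile(r"^subnet-[0-9a-f]{8}(?:[0-9a-f]{9})?$")
DNS_ATTRIBUTES = ("EnableDnsSupport", "EnableDnsHostnames")

# Constructed sample of what describe-vpc-attribute prints, one call per
# attribute; the second one is deliberately still false.
SAMPLE_DESCRIBE_OUTPUTS = {
    "EnableDnsSupport": '{"VpcId": "vpc-0abc12345def67890", "EnableDnsSupport": {"Value": true}}',
    "EnableDnsHostnames": '{"VpcId": "vpc-0abc12345def67890", "EnableDnsHostnames": {"Value": false}}',
}


def validate_ids(vpc_id: str, subnet_ids: List[str]) -> None:
    """Reject malformed IDs before they reach any CLI command."""
    if not VPC_ID_RE.match(vpc_id):
        raise ValueError(f"not a VPC ID: {vpc_id!r}")
    if not subnet_ids:
        raise ValueError("at least one subnet ID is required")
    for sid in subnet_ids:
        if not SUBNET_ID_RE.match(sid):
            raise ValueError(f"not a subnet ID: {sid!r}")


def modify_attribute_argv(vpc_id: str, attribute: str) -> List[str]:
    """modify-vpc-attribute call that sets one DNS attribute to true.
    'EnableDnsSupport' becomes the CLI flag '--enable-dns-support'."""
    flag = "--" + re.sub(r"(?<!^)([A-Z])", r"-\1", attribute).lower()
    return ["aws", "ec2", "modify-vpc-attribute", "--vpc-id", vpc_id,
            flag, json.dumps({"Value": True})]


def describe_attribute_argv(vpc_id: str, attribute: str) -> List[str]:
    """describe-vpc-attribute call; the CLI spells the attribute lowerCamelCase."""
    return ["aws", "ec2", "describe-vpc-attribute", "--vpc-id", vpc_id,
            "--attribute", attribute[0].lower() + attribute[1:]]


def missing_dns_attributes(describe_outputs: Dict[str, str]) -> List[str]:
    """Given each attribute's describe-vpc-attribute JSON, return the ones that
    are not true. An empty list means the VPC is ready for private DNS."""
    missing = []
    for attr in DNS_ATTRIBUTES:
        doc = json.loads(describe_outputs[attr])
        if doc.get(attr, {}).get("Value") is not True:
            missing.append(attr)
    return missing


def run(argv: List[str]) -> str:
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def ensure_dns_attributes(vpc_id: str, subnet_ids: List[str]) -> List[str]:
    """Validate, set both attributes, then verify from a fresh read-back."""
    validate_ids(vpc_id, subnet_ids)
    for attr in DNS_ATTRIBUTES:
        run(modify_attribute_argv(vpc_id, attr))
    outputs = {attr: run(describe_attribute_argv(vpc_id, attr)) for attr in DNS_ATTRIBUTES}
    return missing_dns_attributes(outputs)


if __name__ == "__main__":
    import sys
    # usage: preflight.py <vpc-id> <subnet-id,subnet-id,...>
    still_missing = ensure_dns_attributes(sys.argv[1], sys.argv[2].split(","))
    print("ok" if not still_missing else f"not set: {still_missing}")
```

The read-back matters: modify-vpc-attribute returns no body, so the only evidence that both attributes are actually true is a fresh describe-vpc-attribute call per attribute.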

Add a Private Endpoint

You can add a new General Endpoint or Sync Endpoint with the App Services UI or the Admin API.

Add a General Endpoint

App Services UI

Step 1: Create the interface endpoint in your VPC
  1. In the App Services UI, navigate to App Settings, then click the Private Endpoints tab.

  2. Click Add Private Endpoint, then click General.

  3. Add your VPC ID and Subnet IDs (comma-separated list) in their separate fields, then click Next.

  4. Copy the generated VPC Interface Endpoint Command. The command should look something like this:

    aws ec2 create-vpc-endpoint \
    --vpc-endpoint-type Interface \
    --service-name <App Services Endpoint Service Name> \
    --vpc-id <your-vpc-id> \
    --region <your-aws-deployment-region> \
    --subnet-ids <your-subnet-ids>
  5. In your terminal, execute the generated AWS CLI command to create a VPC Endpoint.

Step 2: Add the endpoint to your App

Now that you've created the interface endpoint in your VPC, you need to add it to your App.

  1. Find the VPC Endpoint ID, either in the output of the CLI command you ran in the previous step or on the endpoint details screen of the AWS VPC dashboard. This value starts with vpce-.

  2. Copy your new VPC Endpoint's ID and paste it into the Your VPC Endpoint ID field in the App Services UI, then click Next.

  3. If this is the first Private Endpoint you are creating, you will see a toggle you can use to either restrict or open all access from requests outside your PrivateLink connection. By default, App Services blocks all requests coming from outside your PrivateLink connection. This setting applies to this endpoint and all additional endpoints you create. Refer to change access restrictions for more information.

  4. Click Finish Endpoint Creation.

Admin API

Step 1: Create the interface endpoint in your VPC
  1. Call the List VPC Private Endpoint Services endpoint.

  2. Filter the response object to find the entry for your App's deployment region and the endpoint type you want to create.

    curl https://services.cloud.mongodb.com/api/admin/v3.0/groups/{groupId}/apps/{appId}/security/private_endpoint_service_infos \
    -H "Authorization: Bearer <access_token>"

    The response is an array with one entry per deployment region and endpoint type, for example:

    [
      {
        "cloud_provider_region": "aws-us-east-1",
        "service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-0718bec2c0bdeab5c",
        "endpoint_type": "general"
      },
      ...
    ]
  3. Get the service_name field from the desired entry in the previous step.

  4. Create a VPC Endpoint using the AWS CLI create-vpc-endpoint command. You need an App Services endpoint service name, VPC ID, subnet IDs, and AWS deployment region. The command should look something like this:

    aws ec2 create-vpc-endpoint \
    --vpc-endpoint-type Interface \
    --service-name <App Services Endpoint Service Name> \
    --vpc-id <your-vpc-id> \
    --region <your-aws-deployment-region> \
    --subnet-ids <your-subnet-ids>
Step 2: Add the endpoint to your App

Now that you've created the interface endpoint in your VPC, you need to add it to your App.

  1. Find the VPC Endpoint ID, either in the output of the CLI command you ran in the previous step or on the endpoint details screen of the AWS VPC dashboard. This value starts with vpce-.

  2. When you have your VPC Endpoint's ID, call Create a VPC Private Endpoint with the Endpoint ID, cloud deployment region, and endpoint type. For example, using aws-us-east-1:

    curl https://services.cloud.mongodb.com/api/admin/v3.0/groups/{groupId}/apps/{appId}/security/private_endpoints \
    -X POST \
    -H "Authorization: Bearer <accessToken>" \
    -H "Content-Type: application/json" \
    -d '{
      "cloud_provider_region": "<your-cloud-deployment-region>",
      "cloud_provider_endpoint_id": "<your-vpc-endpoint-id>",
      "endpoint_type": "general",
      "comment": "Optional: add a comment describing the endpoint."
    }'

Add a Sync Endpoint

Every Sync Endpoint must be paired with a General Endpoint.

App Services UI

Step 1: Create the interface endpoints in your VPC
  1. In the App Services UI, navigate to App Settings and then click the Private Endpoints tab.

  2. Click Add Private Endpoint, then click Sync.

  3. Add your VPC ID and Subnet IDs (comma-separated list) in their separate fields, then click Next.

  4. Copy the generated VPC Interface Endpoint Command. The command should look something like this:

    aws ec2 create-vpc-endpoint \
    --vpc-endpoint-type Interface \
    --service-name <App Services Endpoint Service Name> \
    --vpc-id <your-vpc-id> \
    --region <your-aws-deployment-region> \
    --subnet-ids <your-subnet-ids>
  5. In your terminal, execute the generated AWS CLI command to create a VPC Endpoint.

  6. You must also create a General Endpoint using the command App Services generates.

Step 2: Add the endpoints to your App

Now that you've created the interface endpoints in your VPC, you need to add them to your App.

  1. Find the Sync and General VPC Endpoint IDs, either in the output of the CLI commands you ran in the previous step or on the endpoint details screen of the AWS VPC dashboard. This value starts with vpce-.

  2. Copy your new VPC Endpoint IDs and paste them into their respective Your VPC Endpoint ID field in the App Services UI, then click Next.

  3. If this is the first Private Endpoint you are creating, you will see a toggle you can use to either restrict or open all access from requests outside your PrivateLink connection. By default, App Services blocks all requests coming from outside your PrivateLink connection. This setting applies to this endpoint and all additional endpoints you create. Refer to change access restrictions for more information.

  4. You must also create a General Private Endpoint by following the steps for creating a General Private Endpoint on this page.

  5. Click Finish Endpoint Creation.

Admin API

Step 1: Create the interface endpoints in your VPC
  1. Call the List VPC Private Endpoint Services endpoint.

  2. Filter the response object to find the entry for your App's deployment region and the endpoint type you want to create.

    curl https://services.cloud.mongodb.com/api/admin/v3.0/groups/{groupId}/apps/{appId}/security/private_endpoint_service_infos \
    -H "Authorization: Bearer <access_token>"

    The response is an array with one entry per deployment region and endpoint type, for example:

    [
      {
        "cloud_provider_region": "aws-us-east-1",
        "service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-0718bec2c0bdeab5c",
        "endpoint_type": "sync"
      },
      ...
    ]
  3. Get the service_name field from the desired entry in the previous step.

  4. Create a VPC Endpoint using the AWS CLI create-vpc-endpoint command. You need an App Services endpoint service name, VPC ID, subnet IDs, and AWS deployment region. The command should look something like this:

    aws ec2 create-vpc-endpoint \
    --vpc-endpoint-type Interface \
    --service-name <App Services Endpoint Service Name> \
    --vpc-id <your-vpc-id> \
    --region <your-aws-deployment-region> \
    --subnet-ids <your-subnet-ids>
Step 2: Add the endpoints to your App

Now that you've created the interface endpoint in your VPC, you need to add it to your App.

  1. Find the Sync VPC Endpoint ID, either in the output of the CLI commands you ran in the previous step or on the endpoint details screen of the AWS VPC dashboard. This value starts with vpce-.

  2. Create a Sync Private Endpoint by calling Create a VPC Private Endpoint with its Endpoint ID, cloud deployment region, and endpoint type. For example, using aws-us-east-1:

    curl https://services.cloud.mongodb.com/api/admin/v3.0/groups/{groupId}/apps/{appId}/security/private_endpoints \
    -X POST \
    -H "Authorization: Bearer <accessToken>" \
    -H "Content-Type: application/json" \
    -d '{
    "cloud_provider_region": "<your-cloud-deployment-region>",
    "cloud_provider_endpoint_id": "<your-vpc-endpoint-id>",
    "endpoint_type": "sync",
    "comment": "Optional: add a comment describing the endpoint."
    }'
  3. You must also create a General Private Endpoint by following the steps for creating a General Private Endpoint on this page.
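The Admin API procedure above, for both the General and the Sync endpoint, as one added Python example (it is not MongoDB's code): it lists the endpoint services, keeps only the entry for the App's region and the wanted endpoint type, creates the AWS interface endpoint with the AWS CLI, checks the returned vpce- ID, and registers it with Create a VPC Private Endpoint. It assumes the AWS CLI is installed and authenticated, an Admin API access token in an APP_SERVICES_TOKEN environment variable, and exactly the two Admin API routes shown on this page. SAMPLE_SERVICE_INFOS and SAMPLE_CREATE_OUTPUT are constructed test data (only the first service_name is the page's own example value), and the environment variable and function names are the example's own.

```python
#!/usr/bin/env python3
"""Provision a General or Sync Private Endpoint through the Admin API end to end.

Added example, not MongoDB's code. Assumes the AWS CLI is installed and
authenticated, an Admin API token in APP_SERVICES_TOKEN, and exactly the two
Admin API routes shown on this page. The CLI runs via an argv list (no shell).
"""
import json
import os
import re
import subprocess
import urllib.request
from typing import Dict, List

ADMIN_API = "https://services.cloud.mongodb.com/api/admin/v3.0"
VPCE_ID_RE = re.compile(r"^vpce-[0-9a-f]{8}(?:[0-9a-f]{9})?$")

# Constructed sample in the shape of the List VPC Private Endpoint Services
# response; the first service_name is the page's example, the rest are made up.
SAMPLE_SERVICE_INFOS = [
    {"cloud_provider_region": "aws-us-east-1", "endpoint_type": "general",
     "service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-0718bec2c0bdeab5c"},
    {"cloud_provider_region": "aws-us-east-1", "endpoint_type": "sync",
     "service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-EXAMPLESYNC"},
    {"cloud_provider_region": "aws-eu-west-1", "endpoint_type": "general",
     "service_name": "com.amazonaws.vpce.eu-west-1.vpce-svc-EXAMPLEGENERAL"},
]
# Constructed sample of what create-vpc-endpoint prints with --output json.
SAMPLE_CREATE_OUTPUT = '{"VpcEndpoint": {"VpcEndpointId": "vpce-0123456789abcdef0", "State": "pending"}}'


def aws_region_of(cloud_provider_region: str) -> str:
    """'aws-us-east-1' (App Services naming) -> 'us-east-1' (AWS CLI --region).
    Anything that is not an AWS region is rejected: Private Endpoints are AWS-only."""
    if not cloud_provider_region.startswith("aws-"):
        raise ValueError(f"not an AWS region: {cloud_provider_region!r}")
    return cloud_provider_region[len("aws-"):]


def select_service_name(infos: List[Dict], region: str, endpoint_type: str) -> str:
    """Keep the single entry for this region and type. Zero or several matches is
    an error: an endpoint pointed at the wrong service is a silent misroute."""
    matches = [i for i in infos if i.get("cloud_provider_region") == region
               and i.get("endpoint_type") == endpoint_type]
    if len(matches) != 1:
        raise LookupError(f"expected one {endpoint_type} service for {region}, found {len(matches)}")
    return matches[0]["service_name"]


def create_endpoint_argv(service_name: str, vpc_id: str, subnet_ids: List[str], region: str) -> List[str]:
    """The create-vpc-endpoint command from this page, as an argv list."""
    return ["aws", "ec2", "create-vpc-endpoint", "--vpc-endpoint-type", "Interface",
            "--service-name", service_name, "--vpc-id", vpc_id,
            "--region", aws_region_of(region), "--subnet-ids", *subnet_ids,
            "--output", "json"]


def vpc_endpoint_id(create_output: str) -> str:
    """Extract and sanity-check the vpce- ID from create-vpc-endpoint's output."""
    vpce = json.loads(create_output)["VpcEndpoint"]["VpcEndpointId"]
    if not VPCE_ID_RE.match(vpce):
        raise ValueError(f"unexpected VPC endpoint ID {vpce!r}")
    return vpce


def private_endpoint_body(region: str, vpce: str, endpoint_type: str, comment: str = "") -> Dict:
    """Body for Create a VPC Private Endpoint, with the fields shown on this page."""
    if endpoint_type not in ("general", "sync"):
        raise ValueError(f"unknown endpoint type {endpoint_type!r}")
    body = {"cloud_provider_region": region, "cloud_provider_endpoint_id": vpce,
            "endpoint_type": endpoint_type}
    if comment:
        body["comment"] = comment
    return body


def admin_api(method: str, path: str, token: str, body=None):
    """Minimal Admin API call over urllib; the bearer token travels only in a header."""
    req = urllib.request.Request(
        ADMIN_API + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def provision(group_id, app_id, token, region, vpc_id, subnet_ids, endpoint_type) -> Dict:
    """Steps 1-4 of the Admin API procedure, then the registration call."""
    base = f"/groups/{group_id}/apps/{app_id}/security"
    infos = admin_api("GET", base + "/private_endpoint_service_infos", token)
    service = select_service_name(infos, region, endpoint_type)
    out = subprocess.run(create_endpoint_argv(service, vpc_id, subnet_ids, region),
                         check=True, capture_output=True, text=True).stdout
    body = private_endpoint_body(region, vpc_endpoint_id(out), endpoint_type,
                                 comment=f"{endpoint_type} endpoint for {vpc_id}")
    return admin_api("POST", base + "/private_endpoints", token, body)


if __name__ == "__main__":
    e = os.environ  # GROUP_ID, APP_ID, APP_SERVICES_TOKEN, REGION, VPC_ID, SUBNET_IDS, ENDPOINT_TYPE
    common = (e["GROUP_ID"], e["APP_ID"], e["APP_SERVICES_TOKEN"], e["REGION"], e["VPC_ID"], e["SUBNET_IDS"].split(","))
    # A Sync Endpoint must be paired with a General Endpoint, so create both in that case.
    for kind in (["general", "sync"] if e.get("ENDPOINT_TYPE") == "sync" else ["general"]):
        print(json.dumps(provision(*common, kind), indent=2))
```

Two details the curl commands above leave implicit: the region string App Services returns ("aws-us-east-1") is not what the AWS CLI's --region flag accepts ("us-east-1"), and a Sync endpoint needs its own interface endpoint pointing at the sync service, separate from the General one, so the script creates one AWS endpoint per type.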

Change Access Restrictions

By default, once your App has a Private Endpoint, it only handles requests that arrive through your PrivateLink connection; requests from outside it are rejected. You can choose to also accept requests from outside your PrivateLink connection, which re-exposes the App to the public internet.

Important

This setting is global to all of your endpoints.

You can toggle this setting in three ways:

  • In the UI, from the list of endpoints on the Private Endpoints tab, click the Restrict Access button.

  • In the UI, when creating your first Private Endpoint, you have the option to toggle this setting in the Modify Your VPC Private DNS step.

  • In the Admin API, call Toggle Non-VPC Requests with a boolean value (true to remove the default restriction, false to reinstate it).

Private Endpoints Ignore IP Access Lists

Enabling Private Endpoints does not remove your other access controls: if you open access to requests from outside your PrivateLink connection, you can still allow public clients through other methods, such as adding their public IPs to IP access lists.

Private IPs do not need to be added to IP access lists, because requests that arrive through a Private Endpoint bypass IP access lists entirely. The access list is therefore not a control on that traffic: any host that can route to the interface endpoint's network interfaces in your VPC can reach your App, so restrict that reach on the AWS side, for example with the security group attached to the interface endpoint.

Supported SDK Versions

The Atlas Device SDKs can access your General and Sync endpoints, but only from a version that supports the services.cloud.mongodb.com domain that these endpoints use.

Private Endpoint Limitations

  • You can't use Private Endpoints with globally deployed Apps or local Apps deployed to Azure or GCP.

  • Unless you open access as described in Change Access Restrictions, you can't use public internet connections to access your App once a Private Endpoint is enabled. All requests must come through the Private Endpoint.

  • If you change your deployment model, then you must create new Private Endpoints for the App's new region.

  • You can't simultaneously use Private Endpoints and allow connections over the MongoDB wire protocol. If one is enabled, you can't enable the other.

  • By default, Private Endpoints only handle requests that originate from within your VPC. You can configure your App to also accept requests from the public internet. To learn how, see Change Access Restrictions.

  • All outbound requests, such as an App Services trigger calling an external API, go over the public internet. A Private Endpoint only covers inbound traffic to your App.
