Set Up a Private Endpoint for a Federated Database Instance
MongoDB supports AWS and Azure private endpoints for your federated database instance. You can set up the private endpoints from the Atlas CLI, the Atlas UI, and the Atlas Administration API.
Note
You can't use your Atlas cluster private endpoint ID for Atlas Data Federation. The Atlas Data Federation endpoint ID must be different from your Atlas cluster endpoint ID, if you have one.
Required Access
To set up a private endpoint, you must have Project Owner access to the project.
Users with Organization Owner access must add themselves as a Project Owner to the project before setting up a private endpoint.
Prerequisites
The prerequisites differ depending on whether you use AWS or Azure as your cloud provider.
AWS
Have an AWS user account with an IAM user policy that grants permissions to create, modify, describe, and delete endpoints. To learn more about controlling the use of interface endpoints, see the AWS documentation.
If you have not already done so, create your VPC and EC2 instances in AWS. To learn more, see the AWS documentation.
Azure
Have an Azure user account with permissions to create resources such as virtual networks and private endpoints. To learn more about the required permissions, see the Azure documentation.
Important
With Azure, you can create up to three private endpoints per project for your federated database instances because of an Azure-imposed limit. Because of this limit, Atlas prevents you from deleting an Atlas project until you first delete its private endpoints. To request more than three private endpoints for a project, contact MongoDB Support.
Procedure
To create a new Data Federation private endpoint using the Atlas CLI, run the following command:
atlas dataFederation privateEndpoints create <endpointId> [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas dataFederation privateEndpoints create.
To configure a private endpoint from the API, send a POST request with the private endpoint ID to the privateNetworkSettings endpoint.
If the endpoint ID already exists and there is no change to the comment associated with the endpoint, Atlas makes no change to the endpoint ID list.
If the endpoint ID already exists and there is a change to the associated comment, Atlas updates only the comment value in the endpoint ID list.
If the endpoint ID doesn't exist, Atlas appends the new endpoint to the list of endpoints in the endpoint ID list.
To learn more about the syntax and options, see the API documentation.
To set up a private endpoint for your federated database instance using the Atlas UI, follow these steps:
In Atlas, go to the Network Access page for your project.
Warning
Navigation Improvements In Progress
We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Choose a cloud provider and region.
Click the AWS button.
From the dropdown, select the region where you want to create the private endpoint.
You can select one of the following regions:
Data Federation Region    AWS Region
Virginia, USA             us-east-1
Oregon, USA               us-west-2
Sao Paulo, Brazil         sa-east-1
Ireland                   eu-west-1
London, England           eu-west-2
Frankfurt, Germany        eu-central-1
Tokyo, Japan              ap-northeast-1
Mumbai, India             ap-south-1
Singapore                 ap-southeast-1
Sydney, Australia         ap-southeast-2
Montreal, Canada          ca-central-1
The following table shows the service names for the various endpoints in each region:
Region            Service Name
us-east-1         com.amazonaws.vpce.us-east-1.vpce-svc-00e311695874992b4
us-west-2         com.amazonaws.vpce.us-west-2.vpce-svc-09d86b19e59d1b4bb
eu-west-1         com.amazonaws.vpce.eu-west-1.vpce-svc-0824460b72e1a420e
eu-west-2         com.amazonaws.vpce.eu-west-2.vpce-svc-052f1840aa0c4f1f9
eu-central-1      com.amazonaws.vpce.eu-central-1.vpce-svc-0ac8ce91871138c0d
sa-east-1         com.amazonaws.vpce.sa-east-1.vpce-svc-0b56e75e8cdf50044
ap-southeast-2    com.amazonaws.vpce.ap-southeast-2.vpce-svc-036f1de74d761706e
ap-south-1        com.amazonaws.vpce.ap-south-1.vpce-svc-03eb8a541f96d356d
ca-central-1      com.amazonaws.vpce.ca-central-1.vpce-svc-08564bb8ccae8ba64
ap-northeast-1    com.amazonaws.vpce.ap-northeast-1.vpce-svc-0b63834ecd618a332
ap-southeast-1    com.amazonaws.vpce.ap-southeast-1.vpce-svc-07728d2dfd2860efb
To learn more, see Atlas Data Federation Regions.
Click Next.
Configure your private endpoint.
Important
To avoid connection interruptions, you must specify the correct information. We recommend that you don't skip the commands and substeps in this step.
Enter the following details about your AWS VPC:
Tip
You can click Show instruction for the following settings to display a screenshot of the AWS console where you can find the value for the setting.
Your VPC ID
Unique 22-character alphanumeric string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.
Your Subnet IDs
Unique strings that identify the subnets that your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account.
IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.
Copy the command the dialog box displays and run it using the AWS CLI.
Note
If you skip this step, the interface endpoint for the Private Endpoint service isn't created.
You can't copy the command until Atlas finishes creating VPC resources in the background.
See Creating an Interface Endpoint to perform this task using the AWS CLI.
Enter the 22-character alphanumeric string that identifies your private endpoint in the VPC Endpoint ID field. Find this value on the AWS VPC Dashboard under Endpoints > VPC ID.
Enter the alphanumeric DNS hostname associated with your private endpoint on AWS in the Your VPC Endpoint DNS Name field.
If you have multiple DNS names for your private endpoint, copy and paste the first name from your list. To learn more, see Manage DNS names for VPC endpoint services.
Configure your resources' security groups to send traffic to and receive traffic from the interface endpoint.
For each resource that needs to connect to your federated database instance using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on port 27017.
See Adding Rules to a Security Group for more information.
Create a security group for your interface endpoint to allow resources to access it.
This security group must allow inbound traffic on port 27017 from each resource that needs to connect to your federated database instance using AWS PrivateLink:
In the AWS console, navigate to the VPC Dashboard.
Click Security Groups, then click Create security group.
Use the wizard to create a security group. Make sure you select your VPC from the VPC list.
Select the security group you just created, then click the Inbound Rules tab.
Click Edit Rules.
Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your federated database instance.
Click Save Rules.
Click Endpoints, then click the endpoint for your VPC.
Click the Security Groups tab, then click Edit Security Groups.
Add the security group you just created, then click Save.
To learn more about VPC security groups, see the AWS documentation.
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Enter your VPC endpoint ID and DNS name.
Enter the 22-character alphanumeric string that identifies your private endpoint in the Your VPC Endpoint ID field.
Enter the alphanumeric DNS hostname associated with your private endpoint on AWS in the Your VPC Endpoint DNS Name field.
If you have multiple DNS names for your private endpoint, copy and paste the first name from your list. To learn more, see Manage DNS names for VPC endpoint services.
Tip
Click and expand Show more instructions in the dialog box for a visual cue showing where to find the necessary information in the AWS console.
Add a comment to associate with this endpoint. You can enter your subnet ID, VPC ID, AWS region, and other information to associate with this endpoint here.
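The AWS steps above, carried out end to end as an added example (this is not MongoDB's or AWS's own code): the script creates the security group and the interface endpoint with the AWS CLI, then registers the resulting endpoint ID with the Atlas CLI command from the Procedure section, keeping the region, VPC ID and DNS name in the endpoint comment. It assumes the AWS CLI and Atlas CLI are installed and authenticated, that the application's security group already exists, and that --projectId and --comment are valid flags for atlas dataFederation privateEndpoints create (assumed; check the Atlas CLI documentation). The inbound rule is scoped to TCP 27017 from the application security group, which is what the security-group step requires, rather than all inbound traffic.

```shell
# Added example (not MongoDB's code): AWS-side setup with the AWS CLI, then
# registration with the Atlas CLI. Assumes both CLIs are installed and authenticated.
set -eu
# PrivateLink service names per region, from the table on this page.
service_name_for_region() {
  case "$1" in
    us-east-1)      echo com.amazonaws.vpce.us-east-1.vpce-svc-00e311695874992b4 ;;
    us-west-2)      echo com.amazonaws.vpce.us-west-2.vpce-svc-09d86b19e59d1b4bb ;;
    eu-west-1)      echo com.amazonaws.vpce.eu-west-1.vpce-svc-0824460b72e1a420e ;;
    eu-west-2)      echo com.amazonaws.vpce.eu-west-2.vpce-svc-052f1840aa0c4f1f9 ;;
    eu-central-1)   echo com.amazonaws.vpce.eu-central-1.vpce-svc-0ac8ce91871138c0d ;;
    sa-east-1)      echo com.amazonaws.vpce.sa-east-1.vpce-svc-0b56e75e8cdf50044 ;;
    ap-southeast-2) echo com.amazonaws.vpce.ap-southeast-2.vpce-svc-036f1de74d761706e ;;
    ap-south-1)     echo com.amazonaws.vpce.ap-south-1.vpce-svc-03eb8a541f96d356d ;;
    ca-central-1)   echo com.amazonaws.vpce.ca-central-1.vpce-svc-08564bb8ccae8ba64 ;;
    ap-northeast-1) echo com.amazonaws.vpce.ap-northeast-1.vpce-svc-0b63834ecd618a332 ;;
    ap-southeast-1) echo com.amazonaws.vpce.ap-southeast-1.vpce-svc-07728d2dfd2860efb ;;
    *) echo "not a Data Federation region: $1" >&2; return 1 ;;
  esac
}
# Succeeds only for the 22-character ID the Atlas dialog expects:
# the "vpce-" prefix followed by 17 hex digits.
validate_endpoint_id() {
  expr "$1" : 'vpce-[0-9a-f]\{17\}$' >/dev/null
}
# Usage: setup_data_federation_endpoint REGION VPC_ID "SUBNET_ID ..." APP_SG_ID PROJECT_ID
setup_data_federation_endpoint() {
  region=$1; vpc_id=$2; subnet_ids=$3; app_sg=$4; project_id=$5
  service=$(service_name_for_region "$region")
  # Security group for the interface endpoint: inbound TCP 27017 only from the
  # application's security group, the minimum the security-group step requires.
  ep_sg=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
      --group-name atlas-data-federation-endpoint \
      --description "Atlas Data Federation PrivateLink endpoint" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$ep_sg" --ip-permissions \
      "IpProtocol=tcp,FromPort=27017,ToPort=27017,UserIdGroupPairs=[{GroupId=$app_sg}]"
  # Interface endpoint in each listed subnet; text output is "<endpoint-id><tab><first DNS name>",
  # the two values the Atlas dialog asks for.
  set -- $subnet_ids
  set -- $(aws ec2 create-vpc-endpoint --vpc-id "$vpc_id" --vpc-endpoint-type Interface \
      --service-name "$service" --subnet-ids "$@" --security-group-ids "$ep_sg" \
      --query 'VpcEndpoint.[VpcEndpointId,DnsEntries[0].DnsName]' --output text)
  validate_endpoint_id "$1"
  # Register with Atlas; --projectId and --comment are assumed Atlas CLI flags.
  atlas dataFederation privateEndpoints create "$1" --projectId "$project_id" \
      --comment "$region $vpc_id $2"
}
if [ "$#" -ge 5 ]; then setup_data_federation_endpoint "$@"; fi
```

Run it as sh setup.sh us-east-1 vpc-xxxx "subnet-a subnet-b" sg-app PROJECT_ID; the Atlas CLI must be configured with an API key that has Project Owner access.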
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Choose a cloud provider and region.
Click the Azure button.
From the dropdown, select the region where you want to create the private endpoint.
You can select one of the following regions:
Data Federation Region    Azure Region
Virginia, USA             US_EAST_2
Netherlands               EUROPE_WEST
To learn more, see Atlas Data Federation Regions.
Click Next.
Configure your private endpoint.
Enter the following details about your Azure private endpoint:
Tip
You can click Show instruction in the Atlas UI for the following settings to display a screenshot of the Azure Dashboard where you can find the value for the setting.
Resource Group Name
Name of the Azure resource group that contains the VNet that you want to use to connect to Atlas. Find this value in your Azure account.
Virtual Network Name
Name of the VNet that you want to use to connect to Atlas. Find this value in your Azure account.
Subnet ID
Identifier of the subnet in your Azure VNet. Find this value in your Azure account.
Private Endpoint Name
Unique alphanumeric string that identifies the private endpoint within your Azure resource group. Any private endpoint name that exceeds 24 characters is automatically transformed into a unique identifier in your private endpoint URI connection string.
Click Next.
Copy the command the dialog box displays and run it using the Azure CLI.
Note
You can't copy the command until Atlas finishes creating virtual network resources in the background.
Click Finish.
To verify whether the private endpoint setup is successful:
In Atlas, go to the Network Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Network Access under the Security heading.
The Network Access page displays.
Review the details.
Review the Cloud Provider, Region, Endpoint Status, VPC ID / Virtual Network Name and Description.
To learn more, see View the List of Private Endpoints.