Note
This feature is not available for M0 Free clusters and
Flex clusters. To learn more about which features are
unavailable, see Atlas M0 (Free Cluster) Limits.
MongoDB Atlas supports private endpoints on dedicated clusters with the following cloud providers:
AWS using the AWS PrivateLink feature.
Azure using the Azure Private Link feature.
Google Cloud using the GCP Private Service Connect feature.
You can also set up private endpoints for your Online Archive. To learn more, see Set Up a Private Endpoint for Online Archives.
Private Endpoint Concepts
Required Access
To set up a private endpoint, you must have
Organization Owner or Project Owner access to
the project.
Considerations
High Availability
Port Ranges Used for Private Endpoints
Private Endpoint-Aware Connection Strings
(Optional) Optimize Connection to Sharded Clusters Behind a Private Endpoint
Atlas can generate an optimized SRV connection string for sharded
clusters using the load balancers from your private endpoint
service. When you use an optimized connection string, Atlas limits
the number of connections per mongos between your application and
your sharded cluster. The limited connections per mongos
improve performance during spikes in connection counts.
Atlas doesn't support optimized connection strings for clusters that run on Google Cloud or Azure. To learn more about optimized connection strings for sharded clusters behind a private endpoint, see How can I optimize connection performance for sharded clusters using private endpoints?.
IP Access Lists and Network Peering Connections with Private Endpoints
When you enable private endpoints, you can still enable access to your Atlas clusters using other methods, such as adding public IPs to IP access lists and network peering.
Clients that connect to Atlas clusters through those other methods use standard connection strings. Your clients might therefore need to determine whether to use a private endpoint-aware connection string or a standard connection string for a given network path.
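The following script is an added example, not code from the Atlas documentation or from MongoDB. It shows one way a client or deployment check can tell a private endpoint-aware connection string from a standard one, and an optimized (load-balanced) sharded-cluster string from a plain private one, and can refuse a standard string in a workload that must stay on the private path. The host-name markers it keys on are assumptions: that Atlas private endpoint hosts carry a "pl-<n>" label segment (for example cluster0-pl-0.… for SRV strings and pl-0-us-east-1.… for non-SRV strings) and that the optimized SRV host ends in "-lb". The project identifier "ab12c" and all sample strings are constructed. Verify the markers against the strings your own project's Connect dialog shows before relying on them.

```python
"""Classify MongoDB Atlas connection strings by network path.

Added example, not Atlas documentation code. The markers below are
ASSUMPTIONS about the shape of Atlas-generated host names.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# ASSUMED: private endpoint hosts carry a "pl-<n>" label segment, e.g.
# cluster0-pl-0.ab12c.mongodb.net or pl-0-us-east-1.ab12c.mongodb.net.
_PL_SEGMENT = re.compile(r"(^|-)pl-\d+(-|$)")
# ASSUMED: the optimized SRV host for sharded clusters ends in "-lb".
_LB_SUFFIX = "-lb"


@dataclass(frozen=True)
class ConnectionInfo:
    scheme: str               # "mongodb" or "mongodb+srv"
    hosts: Tuple[str, ...]    # host names without ports, lower-cased
    kind: str                 # "standard" | "private" | "optimized-private"


def parse_hosts(uri: str) -> Tuple[str, Tuple[str, ...]]:
    """Return (scheme, hosts). Done by hand because urllib mis-parses the
    comma-separated host list that non-SRV MongoDB URIs use."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError(f"not a MongoDB URI: {uri!r}")
    # Keep only the authority: drop the database path and query options.
    authority = rest.split("/", 1)[0].split("?", 1)[0]
    # user:password@ is optional; a percent-encoded password cannot hold a
    # bare "@", so rpartition isolates the host list correctly.
    if "@" in authority:
        authority = authority.rpartition("@")[2]
    hosts: List[str] = []
    for host_port in authority.split(","):
        # Atlas hosts are DNS names; bracketed IPv6 literals are not handled.
        host = host_port.rsplit(":", 1)[0] if ":" in host_port else host_port
        if host:
            hosts.append(host.lower())
    if not hosts:
        raise ValueError(f"no hosts in URI: {uri!r}")
    return scheme, tuple(hosts)


def classify(uri: str) -> ConnectionInfo:
    """Decide which path a connection string uses, based on the assumed markers."""
    scheme, hosts = parse_hosts(uri)
    first_labels = [h.split(".", 1)[0] for h in hosts]
    private = [lbl for lbl in first_labels if _PL_SEGMENT.search(lbl)]
    if private and len(private) != len(hosts):
        # Mixing private and public hosts would reach some members over the
        # public path; refuse rather than guess.
        raise ValueError(f"mixed private-endpoint and standard hosts: {hosts}")
    if not private:
        kind = "standard"
    elif scheme == "mongodb+srv" and all(lbl.endswith(_LB_SUFFIX) for lbl in first_labels):
        kind = "optimized-private"
    else:
        kind = "private"
    return ConnectionInfo(scheme, hosts, kind)


def enforce_private_path(uri: str) -> ConnectionInfo:
    """Guard for workloads that must never reach Atlas over the public
    internet: accept only private endpoint-aware strings."""
    info = classify(uri)
    if info.kind == "standard":
        raise ValueError("standard connection string rejected: this workload "
                         "must use a private endpoint-aware connection string")
    return info


if __name__ == "__main__":
    # Constructed samples; "ab12c" is a made-up project identifier.
    samples = [
        "mongodb+srv://app:s3cret@cluster0.ab12c.mongodb.net/?retryWrites=true&w=majority",
        "mongodb+srv://app:s3cret@cluster0-pl-0.ab12c.mongodb.net/?retryWrites=true",
        "mongodb+srv://cluster0-pl-0-lb.ab12c.mongodb.net/",
        "mongodb://pl-0-us-east-1.ab12c.mongodb.net:1024,pl-0-us-east-1.ab12c.mongodb.net:1025/?ssl=true",
    ]
    for s in samples:
        info = classify(s)
        print(f"{info.kind:18} {info.scheme:12} {', '.join(info.hosts)}")
```

The mixed-host refusal is deliberate: a non-SRV string that lists both private endpoint hosts and public shard hosts would let the driver fail over to the public path without any error, which is exactly the silent downgrade a private-endpoint deployment is meant to prevent.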
Multi-Cloud Deployment Connections
When you use a private endpoint to connect to a multi-cloud deployment, you can access only the nodes hosted in the cloud service provider and region that you're connecting from. To access all nodes in your multi-cloud deployment, use alternative connection methods described in the Connections to Multi-Cloud Deployments section in the "Configure High Availability and Workload Isolation" topic.
(Optional) Regionalized Private Endpoints for Multi-Region Sharded Clusters
For global sharded clusters that you deploy in multiple regions, if you need to connect to Atlas using a private endpoint from networks that can't be peered with one another, you can deploy multiple private endpoints to a region.
You can deploy any number of private endpoints to regions that you
deployed your cluster to. Each regional private
endpoint connects to the mongos instances in that region.
WARNING: Your connection strings to existing multi-region and global sharded clusters change when you enable this setting.
You must update your applications to use the new connection strings. This might cause downtime.
You can enable this setting only if your Atlas project contains no non-sharded replica sets.
You can't disable this setting if you have either of the following:
More than one private endpoint in more than one region, or
More than one private endpoint in one region and at least one private endpoint in one or more other regions.
You can create only sharded clusters when you enable the regionalized private endpoint setting. You can't create replica sets.
To use this feature, you must enable the regionalized private endpoint setting.
To enable or disable the regionalized private endpoint setting:
Enable Regionalized Private Endpoints
To enable the regionalized private endpoint setting for your project using the Atlas CLI, run the following command:
atlas privateEndpoints regionalModes enable [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints regionalModes enable.
Disable Regionalized Private Endpoints
To disable the regionalized private endpoint setting for your project using the Atlas CLI, run the following command:
atlas privateEndpoints regionalModes disable [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints regionalModes disable.
View Regionalized Private Endpoint Settings
To return the regionalized private endpoint settings for your project using the Atlas CLI, run the following command:
atlas privateEndpoints regionalModes describe [options]
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints regionalModes describe.
Enable Regionalized Private Endpoints
In Atlas, go to the Project Settings page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
In the sidebar, click Project Settings.
The Project Settings page displays.
Disable Regionalized Private Endpoints
In Atlas, go to the Project Settings page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
In the sidebar, click Project Settings.
The Project Settings page displays.
Connecting to Multi-Region Clusters Without Regionalized Private Endpoints
If you use AWS PrivateLink and have applications that connect to multi-region clusters with endpoints in different regions, but you are not using regionalized private endpoints, ensure that those applications can reach the endpoints in the other regions. For example, on AWS you can peer the VPCs on your side that contain the endpoints.
Avoiding Downtime When Removing Private Endpoints
For multi-region clusters, you must create a private endpoint for each region with a node.
If you're performing maintenance on a multi-region cluster, do not alter or remove private endpoints until maintenance is complete to avoid cluster downtime.
If you're moving from a multi-region to a single-region cluster, you can remove old private endpoints only after verifying that your cluster is fully functional in the new single-region setup and you've directed all traffic through the new single-region private endpoint.
Billing
To learn more about billing for private endpoints for dedicated clusters, see Private Endpoints for Dedicated Clusters.
Limitations
M0 Free clusters and Flex clusters do not support connecting through a private endpoint.
Before you can deploy a private endpoint to a region, you must first resume any paused clusters in your project.
Prerequisites
To enable connections to Atlas using private endpoints, you must:
Have a valid payment method already configured for your organization.