AWS Partner Network (APN) Blog

Connecting Applications Securely to a MongoDB Atlas Data Plane with AWS PrivateLink

By Igor Alekseev, Partner Solutions Architect at AWS
By Chris Shum, Product Manager at MongoDB Atlas


Customers want to guarantee private connectivity to MongoDB Atlas running on Amazon Web Services (AWS).

All dedicated clusters on MongoDB Atlas are deployed in their own virtual private cloud (VPC), so customers usually connect to a cluster via VPC peering or public IP access-listing.

However, VPC peering has several limitations. For example, customers cannot establish a connection between VPCs that have matching or overlapping IPv4 CIDR blocks. Read more about other limitations.

On the other hand, with public IP access-listing, customers’ data traffic can go over the Internet. This introduces the complexity of managing the IP lists and can raise concerns with customers’ security teams.

There is an additional option that establishes a one-way connection that preserves a customer’s perceived network trust boundary while eliminating additional security controls associated with VPC peering. AWS PrivateLink allows a MongoDB Atlas cluster to be exposed as an endpoint in a customer’s VPC.

MongoDB is an AWS Advanced Technology Partner with the AWS Data & Analytics Competency and an AWS Service Validation in AWS PrivateLink. In this post, we’ll provide step-by-step instructions to configure AWS PrivateLink for MongoDB Atlas, ensuring private connectivity to your data.

Solution Overview

In this solution, we’ll use an Amazon Elastic Compute Cloud (Amazon EC2) instance with MongoDB CLI installed. This EC2 instance represents an application connecting to a MongoDB Atlas cluster.

Note that our EC2 instance resides in its own VPC, which is different from the MongoDB VPC where the MongoDB Atlas cluster resides.

Without AWS PrivateLink, traffic between the EC2 instance and MongoDB Atlas will travel over the internet. We’ll configure AWS PrivateLink and expose it as a VPC endpoint connecting to the MongoDB Atlas cluster. The diagram below illustrates our configuration.

[Diagram: an Amazon EC2 instance in its own VPC reaching the MongoDB Atlas cluster in the MongoDB VPC through an AWS PrivateLink VPC endpoint]

Step-by-Step Instructions

In the following steps, we’ll create an endpoint that allows the client to connect privately to a MongoDB Atlas cluster.

  • First, log in to the Atlas Control Plane.
  • Select Atlas and, on the left navigation pane, select Network Access.


  • Navigate to the Private Endpoint tab.
  • Select Add PrivateLink Connection.


  • Choose the region where your VPC is located.
  • Select Next and the Add PrivateLink window appears.


  • Provide the VPC ID and Subnet IDs.
  • Copy the generated command and run it in a terminal on a machine where you have the AWS Command Line Interface (CLI) configured.
  • After running the command, open a new tab in a browser and log into the AWS Management Console.
  • Navigate to VPC > Endpoints. You should be able to observe the endpoint being created in the AWS console.


  • After a few minutes, the endpoint’s status changes from pending acceptance to pending, and finally to available.


  • Next, back in the Atlas Control Plane, enter your VPC Endpoint ID and select Create.


  • Your endpoint is now ready.

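The endpoint-creation steps above can also be scripted, which is useful when the same setup is repeated across accounts or environments. The script below is an added example written for this post, not the command generated by the Atlas dialog and not MongoDB’s or AWS’s own code: it calls aws ec2 create-vpc-endpoint for an interface endpoint and then polls aws ec2 describe-vpc-endpoints until the state reaches available, the same transition you watched in the console. It assumes the region, VPC ID, Atlas endpoint service name and subnet IDs shown in the Add PrivateLink dialog are passed as arguments (every ID and the service name in the usage line are placeholders), and that the AWS CLI is configured for the account that owns the VPC.

```shell
#!/usr/bin/env bash
# Added example for this post (not the generated command from the Atlas dialog,
# and not MongoDB's or AWS's code): create the interface endpoint for the Atlas
# endpoint service, then poll until it is "available". Assumed inputs: region,
# VPC ID, the Atlas endpoint service name and the subnet IDs shown in the
# "Add PrivateLink" dialog; the aws CLI must be configured for the VPC owner.

# Create the interface endpoint and print its ID (vpce-...).
create_endpoint() {
  region=$1 vpc_id=$2 service_name=$3 subnet_ids=$4
  # $subnet_ids is deliberately unquoted so "subnet-a subnet-b" becomes two args
  aws ec2 create-vpc-endpoint \
    --region "$region" \
    --vpc-id "$vpc_id" \
    --vpc-endpoint-type Interface \
    --service-name "$service_name" \
    --subnet-ids $subnet_ids \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Print the endpoint's current State as reported by describe-vpc-endpoints.
endpoint_state() {
  aws ec2 describe-vpc-endpoints --region "$1" --vpc-endpoint-ids "$2" \
    --query 'VpcEndpoints[0].State' --output text
}

# Map a State string to ok / failed / wait (case-insensitive, since the API
# documents CamelCase values while the CLI prints lower-case ones).
classify_state() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    available)                                 echo ok ;;
    rejected|failed|expired|deleting|deleted)  echo failed ;;
    *)                                         echo wait ;;  # pendingAcceptance, pending
  esac
}

# Poll until the endpoint is usable. Args: region endpoint-id [max-polls] [seconds-between-polls]
# Prints the final state; returns 0 when available, 1 on a failure state, 2 on timeout.
wait_for_endpoint() {
  region=$1 endpoint_id=$2 max_polls=${3:-40} interval=${4:-15}
  i=0
  while [ "$i" -lt "$max_polls" ]; do
    state=$(endpoint_state "$region" "$endpoint_id") || return 1
    case "$(classify_state "$state")" in
      ok)     echo "$state"; return 0 ;;
      failed) echo "endpoint $endpoint_id entered state $state" >&2; return 1 ;;
    esac
    i=$((i + 1))
    sleep "$interval"
  done
  echo "endpoint $endpoint_id still not available after $max_polls polls" >&2
  return 2
}

# Usage (all values are placeholders):
#   sh this-script.sh us-east-1 vpc-0123456789abcdef0 com.amazonaws.vpce.us-east-1.vpce-svc-PLACEHOLDER "subnet-aaa subnet-bbb"
main() {
  id=$(create_endpoint "$1" "$2" "$3" "$4")
  echo "created $id, waiting for it to become available"
  state=$(wait_for_endpoint "$1" "$id")
  echo "endpoint $id is $state: enter this ID in the Atlas dialog and select Create"
}

# Only run when invoked with the four arguments, so the functions can be sourced or tested.
if [ "$#" -ge 4 ]; then main "$@"; fi
```

The final line the script prints is the cue for the next step in the console: the endpoint ID it reports is the VPC Endpoint ID you paste back into the Atlas Control Plane.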

Configure Access to MongoDB Atlas Cluster

  • To configure access to the MongoDB Atlas Cluster, navigate to your cluster in the Atlas Control Plane and select Connect.


  • Select PrivateLink Connection and choose the endpoint. You may have to create a database user if you have not done so already.


  • Select the connection method. In this example, we use Connect with the mongo shell.


  • Once you select the method, MongoDB Atlas generates the connection string for your cluster.


  • Next, verify connectivity to the cluster from an Amazon EC2 instance running in the VPC to which the endpoint is attached.
  • To test the connectivity, enter the connection string into a mongo shell:
[ec2-user@ip-172-XXXXX-38 ~]$ mongo "mongodb+srv://cluster1-pl-0.XXXXX.mongodb.net/<dbname>" --username admin
MongoDB shell version v4.4.0
Enter password:
connecting to: mongodb://pl-0-us-east-1.XXXXX.mongodb.net:1026,pl-0-us-east-1.XXXXX.mongodb.net:1024,pl-0-us-east-1.XXXXX.mongodb.net:1025/%3Cdbname%3E?authSource=admin&compressors=disabled&gssapiServiceName=mongodb&replicaSet=atlas-XXXX-shard-0&ssl=true
Implicit session: session { "id" : UUID("b537c28a-9d4f-47ba-b653-aa86e12e2c39") }
MongoDB server version: 4.2.8
WARNING: shell and server versions do not match
MongoDB Enterprise atlas-XXXX-shard-0:PRIMARY>
MongoDB Enterprise atlas-XXXX-shard-0:PRIMARY> use mydb
switched to db mydb
MongoDB Enterprise atlas-XXXX-shard-0:PRIMARY> db.testpl.find()
{ "_id" : ObjectId("5f497455d731bef94b74025c"), "description" : "private link", "type" : "PL" }
{ "_id" : ObjectId("5f497485d731bef94b74025d"), "description" : "private link2", "type" : "PL" }
  • As the output indicates, we were able to connect and retrieve data.
  • Now, let’s connect to the cluster from a different VPC that does not have the endpoint attached:
[ec2-user@ip-10-XXXXX-190 ~]$ mongo "mongodb+srv://cluster1-pl-0.XXXXX.mongodb.net/<dbname>" --username admin
MongoDB shell version v4.4.0
Enter password:
connecting to: mongodb://pl-0-us-east-1.XXXXX.mongodb.net:1025,pl-0-us-east-1.XXXXX.mongodb.net:1026,pl-0-us-east-1.XXXXX.mongodb.net:1024/%3Cdbname%3E?authSource=admin&compressors=disabled&gssapiServiceName=mongodb&replicaSet=atlas-XXXX-shard-0&ssl=true
{"t":{"$date":"2020-08-31T17:30:53.901Z"},"s":"I",  "c":"NETWORK",  "id":4333208, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"RSM host selection timeout","attr":{"replicaSet":"atlas-sfozc4-shard-0","error":"FailedToSatisfyReadPreference: Could not find host matching read preference { mode: \"nearest\" } for set atlas-XXXX-shard-0"}}

*** It looks like this is a MongoDB Atlas cluster. Please ensure that your IP whitelist allows connections from your network.

Error: connect failed to replica set atlas-XXXX-shard-0/pl-0-us-east-1.XXXXX.mongodb.net:1025,pl-0-us-east-1.XXXXX.mongodb.net:1026,pl-0-us-east-1.XXXXX.mongodb.net:1024 :
connect@src/mongo/shell/mongo.js:362:17
@(connect):2:6
exception: connect failed
exiting with code 1
[ec2-user@ip-10-XXXXX-190 ~]$
  • As expected, we couldn’t connect to the cluster from the VPC without the endpoint.
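The two sessions above show success and failure from the client’s point of view, but they do not by themselves prove that the successful connection stayed inside the VPC. A check worth adding, written here as an added example and not taken from the post or from MongoDB’s tooling: take the expanded mongodb:// string the shell prints on its "connecting to:" line, resolve every host in it, and confirm each address falls inside the VPC’s CIDR (the PrivateLink hostnames should resolve to the endpoint’s network interface addresses in your VPC, not to public addresses) and that the string requests TLS. Assumptions not found on the page: the caller supplies the VPC CIDR, names are resolved with getent, and the connection string used in the usage line is the one from the first session with its redacted XXXXX placeholders kept as-is.

```shell
#!/usr/bin/env bash
# Added example (not part of the post): verify that an Atlas PrivateLink
# connection string will be reached through the VPC endpoint. Every host in the
# string must resolve to an address inside the VPC CIDR, and the string must
# request TLS. Assumed: the caller supplies the VPC CIDR; getent does resolution.

# Print the unique hostnames in a mongodb:// URI, one per line.
hosts_from_uri() {
  printf '%s\n' "$1" \
    | sed -e 's#^mongodb://##' -e 's#^[^/?]*@##' -e 's#[/?].*$##' \
    | tr ',' '\n' \
    | sed -e 's/:[0-9]*$//' \
    | sort -u
}

# Return 0 if the URI options request TLS (ssl=true or tls=true).
# mongodb+srv:// strings imply TLS; this check is for the expanded mongodb:// form.
uri_requires_tls() {
  case "$1" in
    *\?ssl=true*|*\&ssl=true*|*\?tls=true*|*\&tls=true*) return 0 ;;
    *) return 1 ;;
  esac
}

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside CIDR $2, e.g. ip_in_cidr 172.31.4.9 172.31.0.0/16
ip_in_cidr() {
  addr_n=$(ip_to_int "$1"); net_n=$(ip_to_int "${2%/*}"); bits=${2#*/}
  [ "$bits" -eq 0 ] && return 0
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( addr_n & mask )) -eq $(( net_n & mask )) ]
}

# IPv4 addresses for a hostname, one per line. Swap in dig/nslookup if preferred.
resolve_host() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Check a connection string against a VPC CIDR. Prints a verdict per address;
# returns 0 only when TLS is requested and every address is inside the CIDR.
check_uri() {
  uri=$1; cidr=$2; rc=0
  if ! uri_requires_tls "$uri"; then
    echo "FAIL connection string does not request TLS"; rc=1
  fi
  for h in $(hosts_from_uri "$uri"); do
    ips=$(resolve_host "$h" || true)
    if [ -z "$ips" ]; then
      echo "FAIL $h does not resolve from this VPC"; rc=1; continue
    fi
    for ip in $ips; do
      if ip_in_cidr "$ip" "$cidr"; then
        echo "OK   $h -> $ip is inside $cidr"
      else
        echo "FAIL $h -> $ip is outside $cidr (not the endpoint)"; rc=1
      fi
    done
  done
  return $rc
}

# Usage: sh check-endpoint.sh "mongodb://pl-0-us-east-1.XXXXX.mongodb.net:1026,...&ssl=true" 172.31.0.0/16
if [ "$#" -ge 2 ]; then check_uri "$1" "$2"; fi
```

Run it from the same EC2 instance you used for the mongo shell test; a FAIL line for an address outside the CIDR means the client would reach Atlas over a public path even though the private endpoint exists, which is exactly the condition this post’s configuration is meant to rule out.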

Conclusion

AWS PrivateLink allows you to securely access MongoDB Atlas clusters from your own Amazon VPC. It simplifies your overall network architecture and lets you ensure one-way connectivity to your MongoDB Atlas cluster.



MongoDB – AWS Partner Spotlight

MongoDB is an AWS Competency Partner. Their modern, general-purpose database platform is designed to unleash the power of software and data for developers and the applications they build.

Contact MongoDB | Partner Overview | AWS Marketplace
