Set Up a Private Endpoint MongoDB Atlas Dedicated Cluster using the AWS PrivateLink feature and connect using Java Spring Boot
Pre-requisites
- Have either the Project Owner or Organization Owner role in Atlas.
- Have an AWS user account with an IAM user policy that grants permissions to create, modify, describe, and delete endpoints. For more information on controlling the use of interface endpoints, see the AWS Documentation.
- (Recommended): Install the AWS CLI.
- If you have not already done so, create your VPC and EC2 instances in AWS. See the AWS documentation for guidance.
Setup AWS Private Link
Navigate to the Network Access page for your project.
- If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
- If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
- Click Network Access in the sidebar.
Click the Private Endpoint tab.
Click Dedicated Cluster (the default) to create a private endpoint for your dedicated Atlas cluster.
Click the button to set up the private endpoint
- Click the Add Private Endpoint button.
- Choose a cloud provider.
- Click the AWS logo, then click Next.
Choose a region
- From the Atlas Region list, select the region in which you want to create the private endpoint.
- Click Next.
Configure your private endpoint
- Enter the following details about your AWS VPC:
- Your VPC ID: the unique identifier of the AWS VPC. Find this value on the VPC dashboard in your AWS account.
- Your Subnet IDs: the unique identifiers of the subnets your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account. You must specify at least one subnet. If you don’t, AWS won’t provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.
- Copy the command the dialog displays and run it using the AWS CLI. You can’t copy the command until Atlas finishes creating VPC resources in the background.
- Click Next.
Finalize your private endpoint connection.
- Enter your VPC Endpoint ID. This is a 22-character alphanumeric string that identifies your private endpoint. Find this value on the AWS VPC Dashboard under Endpoints > VPC ID.
- Click Create.
Configure your resources’ security groups to send traffic to and receive traffic from the interface endpoint
For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource’s security group must allow outbound traffic to the interface endpoint’s private IP(s) on all ports.
See Adding Rules to a Security Group for more information.
Create a security group for your interface endpoint to allow resources to access it.
This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:
- In the AWS console, navigate to the VPC Dashboard.
- Click Security Groups, then click Create security group.
- Use the wizard to create a security group. Make sure you select your VPC from the VPC list.
- Select the security group you just created, then click the Inbound Rules tab.
- Click Edit Rules.
- Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.
- Click Save Rules.
- Click Endpoints, then click the endpoint for your VPC.
- Click the Security Groups tab, then click Edit Security Groups.
- Add the security group you just created, then click Save.
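The security group wiring described in the steps above, as an added example using the AWS SDK for Java v2 (this is not code from the original post). It assumes placeholder IDs for the VPC, the interface endpoint and the application's existing security group, and scopes the rules to TCP 1024–65535 (the port range Atlas PrivateLink uses, as the Custom TCP rule and the debugging section note) from the application's security group rather than opening every port to everything:

```java
import software.amazon.awssdk.services.ec2.Ec2Client;
import software.amazon.awssdk.services.ec2.model.*;

public class AtlasEndpointSecurityGroup {

    // Atlas PrivateLink exposes one port per cluster node in 1024-65535, so the rules
    // are scoped to that TCP range instead of "all traffic" on all ports.
    private static final int FROM_PORT = 1024, TO_PORT = 65535;

    // Rule that references another security group instead of a CIDR, so it keeps
    // working when application instances are replaced or change private IPs.
    static IpPermission tcpFromGroup(String groupId) {
        return IpPermission.builder()
                .ipProtocol("tcp").fromPort(FROM_PORT).toPort(TO_PORT)
                .userIdGroupPairs(UserIdGroupPair.builder().groupId(groupId).build())
                .build();
    }

    /** Creates the endpoint SG, allows both directions, attaches it to the interface endpoint. */
    public static String createAndAttach(Ec2Client ec2, String vpcId, String vpceId, String appSgId) {
        String endpointSgId = ec2.createSecurityGroup(CreateSecurityGroupRequest.builder()
                .groupName("atlas-privatelink-endpoint")
                .description("Inbound from application SG to the Atlas interface endpoint")
                .vpcId(vpcId).build()).groupId();

        // Endpoint SG: inbound only from the application's security group
        ec2.authorizeSecurityGroupIngress(AuthorizeSecurityGroupIngressRequest.builder()
                .groupId(endpointSgId).ipPermissions(tcpFromGroup(appSgId)).build());

        // Application SG: outbound to the endpoint SG (required when the default
        // allow-all egress rule has been removed from the application SG)
        ec2.authorizeSecurityGroupEgress(AuthorizeSecurityGroupEgressRequest.builder()
                .groupId(appSgId).ipPermissions(tcpFromGroup(endpointSgId)).build());

        // Attach the new group to the endpoint; groups already attached are kept
        ec2.modifyVpcEndpoint(ModifyVpcEndpointRequest.builder()
                .vpcEndpointId(vpceId).addSecurityGroupIds(endpointSgId).build());
        return endpointSgId;
    }

    public static void main(String[] args) {
        // args: vpc-xxxxxxxx vpce-xxxxxxxxxxxxxxxxx sg-xxxxxxxx (placeholders for your own IDs)
        try (Ec2Client ec2 = Ec2Client.create()) {   // region and credentials from the default chain
            System.out.println("endpoint security group: " + createAndAttach(ec2, args[0], args[1], args[2]));
        }
    }
}
```

The IAM user running this needs the same create/modify/describe permissions listed in the pre-requisites.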
To learn more about VPC security groups, see the AWS documentation.
Verify that the private endpoint is available.
You can connect to an Atlas database deployment using the AWS PrivateLink private endpoint when all of the resources are configured and the private endpoint becomes available.
To verify that the AWS PrivateLink private endpoint is available:
- In the Security section of the left navigation, click Network Access.
- On the Private Endpoint tab, select a database deployment type and verify the following statuses for the region that contains the database deployment you want to connect to using AWS PrivateLink:
Atlas Endpoint Service Status: Available
Endpoint Status: Available
IMPORTANT
For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource’s security group must allow outbound traffic to the interface endpoint’s private IP(s) on all ports, and the VPC endpoint’s security group must have a matching Custom TCP rule in its Inbound rules, like the one shown below.
Connect to Atlas using a Private Endpoint
Click Connect.
- Click Databases in the top-left corner of Atlas.
- In the Database Deployments view, click Connect for the database deployment to which you want to connect.
- Select the Private Endpoint connection type.
- Select the private endpoint to which you want to connect.
Create a Database User
Skip this step if Atlas indicates in the Setup connection security step that you have at least one database user configured in your project. To manage existing database users, see Configure Database Users.
To access the database deployment, you need a MongoDB user with access to the desired database or databases on the database deployment in your project. If your project has no MongoDB users, Atlas prompts you to create a new user with the Atlas Admin role.
- Enter the new user’s Username.
- Enter a Password for this new user or click Autogenerate Secure Password.
- Click Create Database User to save the user. Use this user to connect to your database deployment in the following step.
Once you have added a database user, click Choose Your Connection Method.
Click Choose a connection method.
AWS PrivateLink
Private endpoint-aware connection strings are available in one of the following formats:
Standard connection string:
mongodb://pl-0-us-east-1-auylw.mongodb.net:1024,pl-0-us-east-1-auylw.mongodb.net:1025,pl-0-us-east-1-auylw.mongodb.net:1026/?ssl=true&authSource=admin&replicaSet=Cluster0-shard-0-shard-0
DNS seedlist connection:
mongodb+srv://cluster0-pl-0-auylw.mongodb.net
MongoDB recommends that your clients use the DNS seedlist connection string format.
Spring Boot Changes
Use the code below as a reference for creating and using a MongoClient in Java with Spring Boot:
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.mongodb.core.MongoTemplate;

@Configuration
@ConfigurationProperties
public class SpringMongoConfig {

    // Private-endpoint-aware connection string, e.g. the mongodb+srv:// seedlist shown above
    @Value("${spring.data.mongodb.uri}")
    private String mongoDBURI;

    @Value("${spring.data.mongodb.database}")
    private String database;

    @Bean
    public MongoClient mongo() {
        ConnectionString connectionString = new ConnectionString(mongoDBURI);
        MongoClientSettings mongoClientSettings = MongoClientSettings.builder()
                .applyConnectionString(connectionString)
                .build();
        return MongoClients.create(mongoClientSettings);
    }

    @Bean
    public MongoTemplate mongoTemplate() throws Exception {
        // Spring Data template bound to the configured database, backed by the client above
        return new MongoTemplate(mongo(), database);
    }
}
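A startup check that uses the MongoClient bean above to confirm the application really is talking to Atlas through the private endpoint, as an added example that is not part of the original post. It assumes the property names from the configuration class, constructed application.properties values in the comment, and that private endpoint hosts carry the pl- prefix as in the connection strings shown earlier:

```java
import com.mongodb.MongoTimeoutException;
import com.mongodb.client.MongoClient;
import com.mongodb.connection.ServerDescription;
import org.bson.Document;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.stereotype.Component;

// application.properties (constructed values; keep credentials out of the file):
//   spring.data.mongodb.uri=${MONGODB_URI}   e.g. mongodb+srv://cluster0-pl-0-auylw.mongodb.net/?authSource=admin
//   spring.data.mongodb.database=appdb
@Component
public class PrivateLinkStartupCheck implements ApplicationRunner {

    private final MongoClient mongo;

    public PrivateLinkStartupCheck(MongoClient mongo) {   // the bean from SpringMongoConfig
        this.mongo = mongo;
    }

    @Override
    public void run(ApplicationArguments args) {
        try {
            // "ping" forces server selection; on a PrivateLink cluster a timeout here
            // usually means the endpoint security group does not admit TCP 1024-65535
            mongo.getDatabase("admin").runCommand(new Document("ping", 1));
        } catch (MongoTimeoutException e) {
            throw new IllegalStateException(
                    "Atlas unreachable through the private endpoint; check the endpoint security group "
                    + "inbound rule (TCP 1024-65535) and the application security group egress", e);
        }

        // After a successful ping the driver knows the topology it resolved from the SRV
        // seedlist: verify every member is a private-endpoint host (pl-<n>-...) so the
        // application is not silently talking to the cluster's public hostnames.
        for (ServerDescription sd : mongo.getClusterDescription().getServerDescriptions()) {
            String host = sd.getAddress().getHost();
            System.out.printf("member %s:%d state=%s type=%s%n",
                    host, sd.getAddress().getPort(), sd.getState(), sd.getType());
            if (!host.startsWith("pl-")) {
                throw new IllegalStateException("non-PrivateLink host in topology: " + host);
            }
        }
    }
}
```

Failing fast at startup makes a misconfigured security group visible in the application log instead of surfacing later as request timeouts.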
DEBUG CONNECTIVITY OF JAVA APPLICATION WITH AWS PRIVATE LINK:
As in the image above, go to Network Manager -> Reachability Analyzer -> Create and analyze path, and fill in the form as follows:
- Source Type -> Instance.
- Source -> the instance on which the Java application is deployed.
- Destination Type -> VPC Endpoints.
- Destination -> the VPC endpoint for AWS PrivateLink.
- Port -> any one port in the range 1024–65535.
After analyzing, if the result is Reachable you are good to go and can test the application. If it is Not reachable, check whether the inbound rules of the VPC endpoint security group have an entry for ports 1024–65535.
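The same Reachability Analyzer check driven from code with the AWS SDK for Java v2, as an added example that is not from the original post, useful for re-running the path analysis after every security group change. It assumes placeholder IDs for the instance and the VPC endpoint and uses port 1025, one of the node ports from the standard connection string above:

```java
import software.amazon.awssdk.services.ec2.Ec2Client;
import software.amazon.awssdk.services.ec2.model.*;

public class PrivateLinkReachability {

    /** Runs one Reachability Analyzer path check (instance -> VPC endpoint, TCP port) and returns the verdict. */
    public static boolean isReachable(Ec2Client ec2, String instanceId, String vpceId, int port)
            throws InterruptedException {
        // Same inputs as the console form: source = instance, destination = VPC endpoint, one TCP port
        String pathId = ec2.createNetworkInsightsPath(CreateNetworkInsightsPathRequest.builder()
                .source(instanceId).destination(vpceId)
                .protocol(Protocol.TCP).destinationPort(port).build())
                .networkInsightsPath().networkInsightsPathId();
        String analysisId = ec2.startNetworkInsightsAnalysis(StartNetworkInsightsAnalysisRequest.builder()
                .networkInsightsPathId(pathId).build())
                .networkInsightsAnalysis().networkInsightsAnalysisId();

        // The analysis is asynchronous: poll until it succeeds or fails
        while (true) {
            NetworkInsightsAnalysis analysis = ec2.describeNetworkInsightsAnalyses(
                    DescribeNetworkInsightsAnalysesRequest.builder()
                            .networkInsightsAnalysisIds(analysisId).build())
                    .networkInsightsAnalyses().get(0);
            if (analysis.status() == AnalysisStatus.FAILED) {
                throw new IllegalStateException("analysis failed: " + analysis.statusMessage());
            }
            if (analysis.status() == AnalysisStatus.SUCCEEDED) {
                boolean reachable = Boolean.TRUE.equals(analysis.networkPathFound());
                if (!reachable) {
                    // Explanations name the blocking component, typically the endpoint
                    // security group missing the TCP 1024-65535 inbound rule
                    for (Explanation e : analysis.explanations()) {
                        System.out.printf("%s %s sg=%s%n", e.explanationCode(), e.direction(),
                                e.securityGroup() == null ? "-" : e.securityGroup().id());
                    }
                }
                return reachable;
            }
            Thread.sleep(5_000);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // args: i-xxxxxxxx vpce-xxxxxxxxxxxxxxxxx (placeholders); port 1025 is one of the Atlas node ports
        try (Ec2Client ec2 = Ec2Client.create()) {
            System.out.println(isReachable(ec2, args[0], args[1], 1025) ? "reachable" : "NOT reachable");
        }
    }
}
```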
Hope you will be able to set up this awesome solution by AWS and MongoDB!!