
Manage and Connect from Private Endpoints


Note

This feature is not available for M0 free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limits.

After you set up a private endpoint for a cluster or set up a private endpoint for a serverless instance, follow these steps to manage and connect from your Atlas private endpoints.

To learn more about using private endpoints with Atlas, see Learn About Private Endpoints in Atlas.

To view private endpoints, you must have Project Read Only access to the project.

To delete private endpoints, you must have Project Owner access or higher to the project.

Users with Organization Owner access must add themselves to the project as a Project Owner.

Important

For considerations about private endpoint-aware connection strings, see Private Endpoint-Aware Connection Strings.

Use a private endpoint-aware connection string to connect to an Atlas cluster with the following procedure:

1
  1. If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If the Clusters page is not already displayed, click Database in the sidebar.

    The Clusters page displays.

2

Click Connect for the cluster to which you want to connect.

3
4
5

Important

Skip this step if Atlas indicates in the Setup connection security step that you have at least one database user configured in your project. To manage existing database users, see Configure Database Users.

To access the cluster, you need a MongoDB user with access to the desired database or databases on the cluster in your project. If your project has no MongoDB users, Atlas prompts you to create a new user with the Atlas Admin role.

  1. Enter the new user's Username.

  2. Enter a Password for this new user or click Autogenerate Secure Password.

  3. Click Create Database User to save the user.

Use this user to connect to your cluster in the following step.

Once you have added a database user, click Choose Your Connection Method.

6

To return the details of the AWS private endpoint you specify using the Atlas CLI, run the following command:

atlas privateEndpoints aws describe <privateEndpointId> [options]

To list all AWS private endpoints in a project using the Atlas CLI, run the following command:

atlas privateEndpoints aws list [options]

To learn more about the syntax and parameters for the previous commands, see the Atlas CLI documentation for atlas privateEndpoints aws describe and atlas privateEndpoints aws list.

To return the details of the AWS private endpoint interface that you specify using the Atlas CLI, run the following command:

atlas privateEndpoints aws interfaces describe <interfaceEndpointId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws interfaces describe.

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click Dedicated Cluster for a private endpoint for your dedicated Atlas cluster. (default)

To return the details of the Azure private endpoint you specify using the Atlas CLI, run the following command:

atlas privateEndpoints azure describe <privateEndpointId> [options]

To list all Azure private endpoints in a project using the Atlas CLI, run the following command:

atlas privateEndpoints azure list [options]

To learn more about the syntax and parameters for the previous commands, see the Atlas CLI documentation for atlas privateEndpoints azure describe and atlas privateEndpoints azure list.

To return the details of the Azure private endpoint interface that you specify using the Atlas CLI, run the following command:

atlas privateEndpoints azure interfaces describe <privateEndpointResourceId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure interfaces describe.

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click Dedicated Cluster for a private endpoint for your dedicated Atlas cluster. (default)

To return the details of the Google Cloud private endpoint you specify using the Atlas CLI, run the following command:

atlas privateEndpoints gcp describe <privateEndpointId> [options]

To list all Google Cloud private endpoints in a project using the Atlas CLI, run the following command:

atlas privateEndpoints gcp list [options]

To learn more about the syntax and parameters for the previous commands, see the Atlas CLI documentation for atlas privateEndpoints gcp describe and atlas privateEndpoints gcp list.

To return the details of the Google Cloud private endpoint interface that you specify using the Atlas CLI, run the following command:

atlas privateEndpoints gcp interfaces describe <id> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp interfaces describe.

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click Dedicated Cluster for a private endpoint for your dedicated Atlas cluster. (default)

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2

Click Serverless Instance to set up a private endpoint for your Atlas serverless instance.

3

Click the Create New Endpoint button.

4
  1. From the Serverless Instance dropdown, select the serverless instance you want to connect using a private endpoint. The cloud provider and region for the serverless instance populate automatically.

  2. Click Confirm. Atlas begins allocating the endpoint service, which might take several minutes to complete. You can continue to the next steps while Atlas allocates the endpoint service.

5

Click the AWS logo, then click Next.

6
  1. Enter your VPC Endpoint ID. This is a 22-character alphanumeric string that identifies your private endpoint. Find this value on the AWS VPC Dashboard under Endpoints > VPC ID.

  2. Click Create.

7

For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.

See Adding Rules to a Security Group for more information.

8

This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:

  1. In the AWS console, navigate to the VPC Dashboard.

  2. Click Security Groups, then click Create security group.

  3. Use the wizard to create a security group. Make sure you select your VPC from the VPC list.

  4. Select the security group you just created, then click the Inbound Rules tab.

  5. Click Edit Rules.

  6. Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.

  7. Click Save Rules.

  8. Click Endpoints, then click the endpoint for your VPC.

  9. Click the Security Groups tab, then click Edit Security Groups.

  10. Add the security group you just created, then click Save.

To learn more about VPC security groups, see the AWS documentation.

9
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

10

You can connect to an Atlas cluster using the AWS PrivateLink private endpoint when all of the resources are configured and the private endpoint becomes available.

To verify that the AWS PrivateLink private endpoint is available:

On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using AWS PrivateLink:

  • Atlas Endpoint Service Status: Available
  • Endpoint Status: Available

To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.

If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.
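
An added example, not part of the Atlas documentation: a Python check of steps 6 to 8 above, run against security-group data shaped like `aws ec2 describe-security-groups` output. The group IDs, IP addresses and endpoint ID are constructed, and treating a TCP 0-65535 rule as "all ports" is an assumption. It also flags endpoint ingress open to 0.0.0.0/0, a check added here that goes beyond the steps on this page.

```python
import ipaddress
import re

# New-format AWS VPC endpoint ID: "vpce-" plus 17 hex digits = 22 characters.
VPCE_ID = re.compile(r"vpce-[0-9a-f]{17}")

def all_ports(perm):
    """Rule covers every port: protocol -1 (all traffic) or TCP 0-65535 (assumed sufficient)."""
    return perm.get("IpProtocol") == "-1" or (
        perm.get("IpProtocol") == "tcp"
        and perm.get("FromPort") == 0 and perm.get("ToPort") == 65535)

def allows(perms, peer_ip, peer_sg):
    """True if an all-ports rule names the peer's security group or a CIDR holding its IP."""
    addr = ipaddress.ip_address(peer_ip)
    for perm in filter(all_ports, perms):
        if any(g.get("GroupId") == peer_sg for g in perm.get("UserIdGroupPairs", [])):
            return True
        if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False

def audit(endpoint_id, client_sg, client_ips, endpoint_sg, endpoint_ips):
    """Return findings for steps 6-8; an empty list means the rules match the procedure."""
    findings = []
    if not VPCE_ID.fullmatch(endpoint_id):
        findings.append(f"{endpoint_id!r} is not a 22-character VPC endpoint ID")
    for ip in endpoint_ips:  # step 7: client egress to the endpoint's private IPs
        if not allows(client_sg.get("IpPermissionsEgress", []), ip, endpoint_sg["GroupId"]):
            findings.append(f"{client_sg['GroupId']}: no all-ports egress to {ip}")
    for ip in client_ips:    # step 8: endpoint ingress from each connecting resource
        if not allows(endpoint_sg.get("IpPermissions", []), ip, client_sg["GroupId"]):
            findings.append(f"{endpoint_sg['GroupId']}: no all-ports ingress from {ip}")
    for perm in endpoint_sg.get("IpPermissions", []):
        for r in perm.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0:
                findings.append(f"{endpoint_sg['GroupId']}: ingress open to {r['CidrIp']}")
    return findings

# Constructed sample data shaped like `aws ec2 describe-security-groups` output.
CLIENT_SG = {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
ENDPOINT_SG = {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa"}]}]}

if __name__ == "__main__":
    for finding in audit("vpce-0123456789abcdef0", CLIENT_SG, ["10.0.1.25"],
                         ENDPOINT_SG, ["10.0.2.10", "10.0.3.10"]):
        print(finding)
```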


To delete the AWS private endpoint you specify using the Atlas CLI, run the following command:

atlas privateEndpoints aws delete <privateEndpointId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws delete.

To delete the AWS private endpoint interface you specify using the Atlas CLI, run the following command:

atlas privateEndpoints aws interfaces delete <interfaceEndpointId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws interfaces delete.

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2
  1. Click the Private Endpoint tab.

  2. Next to the private endpoint you want to remove, click Terminate.

  3. To confirm, click Confirm in the dialog box.

To delete the Azure private endpoint you specify using the Atlas CLI, run the following command:

atlas privateEndpoints azure delete <privateEndpointId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure delete.

To delete the Azure private endpoint interface you specify using the Atlas CLI, run the following command:

atlas privateEndpoints azure interfaces delete <privateEndpointResourceId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure interfaces delete.

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2
  1. Click the Private Endpoint tab.

  2. Next to the private endpoint you want to remove, click Terminate.

  3. To confirm, click Confirm in the dialog box.

To delete the Google Cloud private endpoint you specify using the Atlas CLI, run the following command:

atlas privateEndpoints gcp delete <privateEndpointId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp delete.

To delete the Google Cloud private endpoint interface you specify using the Atlas CLI, run the following command:

atlas privateEndpoints gcp interfaces delete <id> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp interfaces delete.

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

    The Network Access page displays.

2
  1. Click the Private Endpoint tab.

  2. Next to the private endpoint you want to remove, click Terminate.

  3. To confirm, click Confirm in the dialog box.
