Connecting to more than one ATLAS AWS PrivateLink

I’m working within the AWS infrastructure and have successfully made a connection between a FARGATE task and ATLAS using the PrivateLink connection. This all works nicely when I have a single PrivateLink; however, it is not possible to make a connection to additional PrivateLinks created within the same Region.

The documentation states that there are limitations on creating multiple PrivateLinks but only across Regions.

Is there a single PrivateLink limitation within a single region?

Hi Chris,

For a single-region Atlas Project (e.g. with a single VPC on the Atlas backend in a single region), you can set up multiple AWS Privatelinks.

It’s specifically where your Atlas Project’s cluster(s) involves multiple AWS regions and hence multiple VPCs in different regions on the Atlas backend that we limit you to setting up one AWS Privatelink per region.

Importantly, because AWS Privatelink is transitive you can set up your own peering connections within your app tier VPCs and hence reach the AWS Privatelink you’ve set up to reach Atlas from multiple VPCs within your AWS account.

-Andrew

Hi @Andrew_Davidson, thanks for the prompt reply.

I’m probably misunderstanding something, but in practice, I’m not able to get an ATLAS connection from a second app tier VPC created in the same region as the first (which has a working vpce/PrivateLink connection). Each app tier has its own AWS vpce connected to its own ATLAS Private Endpoint (PrivateLink connection).

The ATLAS cluster is a single region cluster, each app tier is using an identical connection string.

The following exception is thrown from the second app tier -

System.TimeoutException:
A timeout occured after 30000ms selecting a server using CompositeServerSelector
{
	Selectors = 
		MongoDB.Driver.MongoClient+AreSessionsSupportedServerSelector, 
		LatencyLimitingServerSelector { AllowedLatencyRange = 00:00:00.0150000 } 
}
Client view of cluster state is 
{ 
	ClusterId : "1", 
	ConnectionMode : "ReplicaSet", 
	Type : "ReplicaSet", 
	State : "Disconnected", 
	Servers : [
		{ 
			ServerId: "{ ClusterId : 1, EndPoint : "Unspecified/pl-0-eu-west-2.uagzl.mongodb.net:1024" }", 
			EndPoint: "Unspecified/pl-0-eu-west-2.uagzl.mongodb.net:1024", 
			State: "Disconnected", 
			Type: "Unknown", 
			LastUpdateTimestamp: "2020-07-01T13:30:51.2980600Z" 
		}, 
		{ 
			ServerId: "{ ClusterId : 1, EndPoint : "Unspecified/pl-0-eu-west-2.uagzl.mongodb.net:1025" }", 
			EndPoint: "Unspecified/pl-0-eu-west-2.uagzl.mongodb.net:1025", 
			State: "Disconnected", 
			Type: "Unknown", 
			LastUpdateTimestamp: "2020-07-01T13:30:51.2983032Z"
		},
		{ 
			ServerId: "{ ClusterId : 1, EndPoint : "Unspecified/pl-0-eu-west-2.uagzl.mongodb.net:1026" }", 
			EndPoint: "Unspecified/pl-0-eu-west-2.uagzl.mongodb.net:1026", 
			State: "Disconnected", 
			Type: "Unknown", 
			LastUpdateTimestamp: "2020-07-01T13:30:51.2774193Z" 
		}
	]
}

Any further help much appreciated.

Hi Chris,

You’re going to need to work with the MongoDB support team to get to the bottom of this one, I suspect.

A couple of possibilities: are you sure that the peered VPC has a route-back CIDR range that includes the private IP of the PrivateLink?

-Andrew

Hi Andrew,

Of the 3 Network Access options available within the ATLAS console (IP Whitelist, Peering and Private Endpoint) I’m using the Private Endpoint option, which provides the ‘Add PrivateLink Connection’ wizard. It’s this wizard that I’m using to set up access for my AWS app tier to ATLAS, so I’m not using the Peering option. My app tier VPCs are not peered with the ATLAS one.

I’ve been following this documentation - Set up a Private Endpoint.

Am I missing something? Is peering required to establish more than one PrivateLink?

Chris

Hi Chris,

Apologies. I had assumed you had connected 1 VPC “VPC A” in your applications tier to Atlas using an Atlas Private Endpoint / AWS Privatelink and then had another VPC “VPC B” in your app tier peered to your first VPC A.

I understand you have set up two Atlas Private Endpoints, one in each of VPC A and VPC B.

Therefore, I wonder if you might be using the connection string associated with Private Endpoint A from VPC B or vice versa? The Atlas connect modal should offer both options in the drop-down with the Private Endpoint selector. Since each endpoint is specifically associated with one VPC on your side, if they might have been reversed that could explain the issue.

Cheers
Andrew

Hi Andrew,

I had thought that there should be a different connection string for each Endpoint but when I first looked at the 2 options they appeared to be the same. Now that you mention that I might be using the same connection string for both (which is what I’ve been doing), upon closer inspection I see that there is a difference - an incrementing numeric on the -pl-0- portion of the connection string for each PrivateLink created.

Thanks for your help, I now have an additional app tier connection from another VPC.

Chris
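The pitfall in this thread, two private-endpoint connection strings that differ only in the pl-N part of the hostname, lends itself to a small offline check. What follows is an added example, not code from this thread or from MongoDB. The hostnames, VPC CIDRs, SRV answers and A records are constructed, and the model assumes (as the Atlas private endpoint documentation describes) that each pl-N hostname resolves to the private IPs of the interface endpoint created in one specific VPC, so using endpoint A's string from VPC B yields addresses outside VPC B's CIDR and ends in exactly the server-selection timeout shown above.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Hostname shape of an Atlas private-endpoint-aware connection string,
# e.g. pl-0-eu-west-2.uagzl.mongodb.net (endpoint index 0) vs pl-1-eu-west-2... (index 1).
PL_HOST_RE = re.compile(
    r"^pl-(?P<index>\d+)-(?P<region>[a-z0-9-]+)\.(?P<cluster>[a-z0-9]+)\.mongodb\.net$"
)

# Constructed sample data (assumption, not real DNS): two app-tier VPCs in eu-west-2,
# each with its own Atlas private endpoint. pl-0 was created in VPC A, pl-1 in VPC B.
VPC_A_CIDR = "10.10.0.0/16"
VPC_B_CIDR = "10.20.0.0/16"
URI_PL0 = "mongodb+srv://app:secret@cluster0-pl-0.uagzl.mongodb.net/prod?retryWrites=true"
URI_PL1 = "mongodb+srv://app:secret@cluster0-pl-1.uagzl.mongodb.net/prod?retryWrites=true"
# Stand-in for the _mongodb._tcp.<host> SRV lookup the driver performs.
SRV_RECORDS = {
    "cluster0-pl-0.uagzl.mongodb.net": [("pl-0-eu-west-2.uagzl.mongodb.net", p) for p in (1024, 1025, 1026)],
    "cluster0-pl-1.uagzl.mongodb.net": [("pl-1-eu-west-2.uagzl.mongodb.net", p) for p in (1024, 1025, 1026)],
}
# Stand-in for the A records: endpoint ENI private IPs in the VPC the endpoint lives in.
A_RECORDS = {
    "pl-0-eu-west-2.uagzl.mongodb.net": ["10.10.1.25", "10.10.2.40"],
    "pl-1-eu-west-2.uagzl.mongodb.net": ["10.20.1.17", "10.20.2.9"],
}


def endpoint_index(host):
    """Return the private endpoint index N from a pl-N-<region> hostname, or None."""
    m = PL_HOST_RE.match(host.lower())
    return int(m.group("index")) if m else None


def hosts_from_uri(uri, srv_records):
    """Extract the mongod hostnames from a mongodb:// or mongodb+srv:// URI.

    For the SRV form the seed host is looked up in srv_records (a constructed
    replacement for a real DNS query); for the plain form hosts are taken from the URI.
    """
    parsed = urlparse(uri)
    netloc = parsed.netloc.rsplit("@", 1)[-1]  # strip user:password@
    if parsed.scheme == "mongodb+srv":
        return [host for host, _port in srv_records[netloc]]
    if parsed.scheme == "mongodb":
        return [hp.split(":")[0] for hp in netloc.split(",")]
    raise ValueError("unsupported scheme: %s" % parsed.scheme)


def same_endpoint(uri_a, uri_b, srv_records):
    """True when two connection strings target the same Atlas private endpoint,
    i.e. the mistake in the thread (one string reused from two VPCs)."""
    idx_a = {endpoint_index(h) for h in hosts_from_uri(uri_a, srv_records)}
    idx_b = {endpoint_index(h) for h in hosts_from_uri(uri_b, srv_records)}
    return idx_a == idx_b


def diagnose(uri, app_vpc_cidr, srv_records, a_records):
    """Classify whether a private-endpoint connection string is usable from a VPC.

    Returns (status, detail) where status is one of:
      'not-private-endpoint' - hostnames are not pl-N private endpoint names
      'wrong-endpoint'       - the pl-N hosts resolve outside this VPC's CIDR, so the
                               endpoint belongs to another VPC (timeout from here)
      'ok'                   - every resolved address lies inside this VPC
    """
    net = ipaddress.ip_network(app_vpc_cidr)
    hosts = hosts_from_uri(uri, srv_records)
    indices = {endpoint_index(h) for h in hosts}
    if None in indices:
        return ("not-private-endpoint", "hosts: %s" % ", ".join(hosts))
    unreachable = [
        (h, ip) for h in hosts for ip in a_records.get(h, [])
        if ipaddress.ip_address(ip) not in net
    ]
    if unreachable:
        idx = indices.pop()
        return ("wrong-endpoint",
                "pl-%d resolves to %s, outside %s; use the string for the endpoint in this VPC"
                % (idx, ", ".join(ip for _h, ip in unreachable), app_vpc_cidr))
    return ("ok", "pl-%d endpoint interfaces are inside %s" % (indices.pop(), app_vpc_cidr))


if __name__ == "__main__":
    # The thread's situation: VPC B reusing VPC A's (pl-0) connection string.
    print(diagnose(URI_PL0, VPC_A_CIDR, SRV_RECORDS, A_RECORDS))
    print(diagnose(URI_PL0, VPC_B_CIDR, SRV_RECORDS, A_RECORDS))
    print(diagnose(URI_PL1, VPC_B_CIDR, SRV_RECORDS, A_RECORDS))
    print("same endpoint?", same_endpoint(URI_PL0, URI_PL1, SRV_RECORDS))
```

In a real deployment the constructed tables would be replaced by actual SRV and A lookups (for example with dnspython) run from inside the app-tier VPC, and `app_vpc_cidr` by the CIDR of the VPC the Fargate task runs in; a 'wrong-endpoint' result is the cheap explanation to rule out before opening a support case.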

Great to hear it! And good feedback that that nuance can be easy to miss.