HomeLearnHow-to

CIDR Subnet Selection for MongoDB Atlas

Published: Jan 12, 2017

  • Atlas
  • Security
  • ...

By Jay Gordon

Share

#Introduction

One of the best features of MongoDB Atlas is the ability to peer your host VPC on your own Amazon Web Services (AWS) account to your Atlas VPC. VPC peering provides you with the ability to use the private IP range of your hosts and MongoDB Atlas cluster. This allows you to reduce your network exposure and improve security of your data. If you chose to use peering there are some considerations you should think about first in selecting the right IP block for your private traffic.

#Host VPC

The host VPC is where you configure the systems that your application will use to connect to your MongoDB Atlas cluster. AWS provides your account with a default VPC for your hosts You may need to modify the default VPC or create a new one to work alongside MongoDB Atlas.

MongoDB Atlas requires your host VPC to follow the RFC-1918 standard for creating private ranges. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Don't overlap your ranges!

The point of peering is to permit two private IP ranges to work in conjunction to keep your network traffic off the public internet. This will require you to use separate private IP ranges that do not conflict.

AWS standard states the following in their "Invalid VPC Peering" document:

You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks.

Cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks

#MongoDB Atlas VPC

When you create a group in MongoDB Atlas, by default we provide you with an AWS VPC which you can only modify before launching your first cluster. Groups with an existing cluster CANNOT MODIFY their VPC CIDR block - this is to comply with the AWS requirement for peering. By default we create a VPC with IP range 192.168.248.0/21. To specify your IP block prior to configuring peering and launching your cluster, follow these steps:

  1. Sign up for MongoDB Atlas and ensure your payment method is completed.
  2. Click on the Network Access tab, then select Peering. You should see a page such as this which shows you that you have not launched a cluster yet:

    Create new peering connection
  3. Click on the New Peering Connection button. You will be given a new "Peering Connection" window to add your peering details. At the bottom of this page you'll see a section to modify "Your Atlas VPC"

    Modify your Atlas VPC
  4. If you would like to specify a different IP range, you may use one of the RFC-1918 ranges with the appropriate subnet and enter it here. It's extremely important to ensure that you choose two distinct RFC-1918 ranges. These two cannot overlap their subnets:

    Choose two distinct RFC-1918 ranges
  5. Click on the Initiate Peering button and follow the directions to add the appropriate subnet ranges.

#Conclusion

Using peering ensures that your database traffic remains off the public network. This provides you with a much more secure solution allowing you to easily scale up and down without specifying IP addresses each time, and reduces costs on transporting your data from server to server. At any time if you run into problems with this, our support team is always available by clicking the SUPPORT link in the lower left of your window. Our support team is happy to assist in ensuring your peering connection is properly configured.