Skip to content
This repository has been archived by the owner on Aug 10, 2023. It is now read-only.

Latest commit

 

History

History
328 lines (192 loc) · 13.5 KB

index.md

File metadata and controls

328 lines (192 loc) · 13.5 KB
Raw
title description author tags date_published
Configure private access to MongoDB Atlas with Serverless VPC Access
Learn how to use Serverless VPC Access to allow App Engine, Cloud Functions, or Cloud Run access to a MongoDB Atlas cluster using private IP addressing.
russStarr
security, networking, RFC 1918
2021-05-18

Russ Starr | Customer Engineer | Google

Contributed by Google employees.

This tutorial shows you how to configure private IP access from serverless services such as App Engine, Cloud Functions, or Cloud Run to a MongoDB Atlas cluster. This is useful when you want to keep your MongoDB connections scoped to private IP addresses only, instead of allowing public access from the Internet.

In this tutorial, you learn how to use Serverless VPC Access to create a connector that routes traffic from the Google Cloud serverless services to the MongoDB Atlas cluster. You also learn how to establish VPC peering between your Google Cloud VPC network and your MongoDB Atlas VPC network.

This tutorial uses Cloud Functions, but you can take similar steps to configure App Engine or Cloud Run.

This tutorial uses Python, but you can adapt what you learn in this tutorial to other languages supported for Cloud Functions.

This tutorial assumes that you have basic familiarity using the Google Cloud Console, Cloud Shell, the MongoDB Atlas console, Python, and shell scripts.

The following diagram illustrates the architecture of the solution described in this tutorial:

architecture

Objectives

  • Create a MongoDB Atlas cluster.
  • Create a VPC peering relationship between MongoDB Atlas and your Google Cloud VPC network.
  • Create the Serverless VPC Access connector.
  • Create a Cloud Function that triggers on HTTP and makes a connection to the MongoDB cluster.
  • Verify that the Cloud Function is able to reach the MongoDB Atlas cluster.

Costs

This tutorial uses billable components of Google Cloud, including the following:

This tutorial also uses billable components of MongoDB Atlas to create a dedicated cluster. Shared clusters don't support VPC peering.

Use the Google Cloud pricing calculator and MongoDB pricing page to generate a cost estimate based on your projected usage.

Before you begin

This tutorial depends on you having some basic resources set up in Google Cloud and MongoDB Atlas.

Google Cloud setup

  1. Select or create a Google Cloud project.
  2. Enable billing for your project.

MongoDB Atlas setup

  1. Create a MongoDB Atlas account.
  2. Create a MongoDB organization.
  3. Create a MongoDB project.
  4. Enable billing for your MongoDB Atlas organization.
  5. Create a MongoDB Atlas user account, which is used by Cloud Functions to connect to the MongoDB database.

Enable the VPC Serverless Access API

  1. In the Google Cloud Console, select the project to use for this tutorial.

  2. Go to the Serverless VPC Access API page.

  3. Click Enable.

Create the VPC Serverless Access connector

  1. Go to the Serverless VPC Access page.

  2. Click Create Connector.

  3. Enter a name for the connector.

    This tutorial uses mongo-connector.

  4. Select a region that match the region of your serverless service.

  5. Keep the default network selected.

  6. Under Subnet, click Custom IP Range, and enter a private IP address range that fits your IP address scheme.

    This tutorial uses 10.8.0.0.

    You only have the option to use a /28 mask for this step, so don't include the mask in the field.

    This subnet is used in a later step when you configure the MongoDB Atlas access list.

Create the MongoDB Atlas cluster

For detailed instructions for creating a MongoDB Atlas cluster, see the MongoDB Atlas documentation.

  1. In the MongoDB Atlas console, select the project for your cluster.

  2. On the Clusters page, click Build a Cluster.

  3. Under Dedicated Clusters, click Create a Cluster.

    You can also select Dedicated Multi-Cloud & Multi-Region Clusters, but the steps in this tutorial assume that you are using a dedicated cluster because it is the minimum for VPC Network Peering.

  4. Click Google Cloud and your region.

  5. Select a Cluster Tier.

    This tutorial uses M10, but any of them will work.

  6. Enter a name for your cluster.

    This tutorial uses the default Cluster0.

  7. Click Create Cluster.

It takes a few minutes to create the cluster, but you can begin the next section before then.

Configure the MongoDB Atlas access list

For detailed instructions for adding IP addresses to the MongoDB IP access list, see the MongoDB Atlas documentation.

  1. In the MongoDB Atlas console, click Network Access in the Security section.

    networkAccess

  2. In the IP Access List tab, click Add IP Address.

  3. For Access List Entry, enter the /28 network that you created for the Serverless VPC Access connector.

    This tutorial uses 10.8.0.0/28.

  4. Under Comment, enter mongo-connector so that you remember the relationship with the Google Cloud resource name.

Following these steps restricts your MongoDB Atlas cluster to only the 10.8.0.0/28 subnet.

Configure MongoDB Atlas VPC peering

For detailed instructions for adding a VPC peering connection, see the MongoDB Atlas documentation.

  1. In the Network Access section, click Peering.

  2. Click Add Peering Connection.

  3. Click Google Cloud, and then click Next.

  4. Enter the project ID of your Google Cloud project.

  5. Enter the VPC network name.

    This tutorial uses default.

  6. Click Initiate Peering.

    Keep this browser tab open so that you can use the project ID and VPC network name in the next section.

    The status remains Pending until you configure peering on the Google Cloud side in the next section.

Configure VPC Network Peering on Google Cloud

  1. In the Google Cloud Console, go to the VPC network peering page.

  2. Click Create connection, and then click Continue.

  3. Enter name for the connection.

    This tutorial uses googlecloud2mongo.

  4. Under Your VPC network, select default .

  5. Under Peered VPC Network, click in another project.

  6. Enter the project ID and VPC network name that were provided at the end of the previous section, in which you configured MongoDB Atlas VPC peering.

  7. Click Create.

    These steps are successful when you see the Active status for the peering connection. The MongoDB Atlas screen should show the Available status when the connection is complete.

Retrieve the connection string for your cluster

  1. In the MongoDB Atlas console, on the Cluster page for your newly created cluster, click Connect.

  2. For Choose Connection Type, select Private IP for Peering.

  3. Click Choose a connection method.

  4. Click Connect your application.

  5. Select Python 3.11 or later.

  6. Copy the connection string, which you use in the Cloud Function in a later section.

    The connection string is in the following format:

    mongodb+srv://[USERNAME]:[PASSWORD]@[CLUSTER_NAME]-pri.[SUBDOMAIN].mongodb.net/

    For more information about the MongoDB connection string format, see Private Connection Strings.

  7. Click Close.

Create an empty database

  1. In the MongoDB Atlas console, on the Cluster page, click Collections.

  2. Click Add Your First Database.

  3. For the database name, enter empty_db.

  4. For the collection name, enter empty_collection.

  5. Click Create.

Create a Cloud Function

In this section, you create and configure a basic Cloud Function, set its requirements, and then add the Python code for the main body of the function.

Configure the Cloud Function

  1. In the Google Cloud Console, go to the Cloud Functions page.

  2. Click Create Function.

  3. Click Save, keeping all settings at their default values.

  4. At the bottom of the page, click Runtime, Build and Connection Settings, and then click then Connections.

  5. Under Egress settings, for VPC connector, select mongo-connector.

  6. Click Next.

Deploy the requirements for the Cloud Function

  1. For Runtime, select Python 3.9.

  2. If you are prompted to enable the Cloud Build API, click Enable API, and then click Enable.

  3. On the left side of the Cloud Functions page, click requirements.txt and paste the following code:

    # Function dependencies, for example:
# package>=version
pymongo
dnspython

  4. Click Deploy to install the required dependencies.

    Before proceeding to the next section, wait for the Cloud Function status to turn green, indicating that the requirements have been deployed..

Deploy the main Python code for the Cloud Function

  1. Select the Cloud Function.

  2. Click Edit, and then click Next.

  3. Click main.py and replace all Python code with the following:

    from pymongo import MongoClient
from flask import make_response

connection_string = "mongodb+srv://[USERNAME]:[PASSWORD]@[CLUSTER_NAME].[SUBDOMAIN].mongodb.net/"

def hello_world(request):
    request_json = request.get_json()
    if request.args and 'message' in request.args:
        return request.args.get('message')
    elif request_json and 'message' in request_json:
        return request_json['message']
    else:
        client = MongoClient(connection_string)
        db = client.empty_db
        response = make_response()
        response.data = str(db.command("serverStatus"))
        response.headers["Content-Type"] = "application/json"
        return response

  4. Update the connection_string variable to reflect your user account, password, and subdomain.

  5. Click Deploy.

Verify that the Cloud Function connects to the MongoDB Atlas cluster

  1. Select the Cloud Function.

  2. Click Trigger and copy the trigger URL to your clipboard.

  3. Click the Activate Cloud Shell button in the upper-right corner of the Cloud Console.

  4. Enter the following command in Cloud Shell, updating the CFURL variable with the URL on the clipboard.

    export CFURL="<insert URL here>"
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" $CFURL

    Success! You should see JSON output of the server status information from your MongoDB Atlas cluster, which shows that you have connectivity.

    success

Cleaning up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, you can delete the project.

  1. In the Cloud Console, go to the Projects page.
  2. In the project list, select the project you want to delete and click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

You can also delete your MongoDB Atlas cluster if you no longer need it.

What's next