Set Up a Private Endpoint for a Dedicated Cluster

Note

This feature is not available for M0 free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limits.

Follow these steps to enable a client to connect to an Atlas dedicated cluster using private endpoints.

To learn more about using private endpoints with Atlas, see Learn About Private Endpoints in Atlas.

To set up a private endpoint for a serverless instance, see Set Up a Private Endpoint for a Serverless Instance.

To set up a private endpoint for a dedicated cluster, you must have Organization Owner or Project Owner access to the project.

To learn the prerequisites, considerations, and limitations for setting up a private endpoint, see the following resources:

To set up AWS PrivateLink through the Atlas CLI, install the Atlas CLI and connect from the Atlas CLI. Then, complete the following steps:

1
  1. Run the Atlas CLI command to initiate the setup of AWS PrivateLink in Atlas. Atlas represents these resources in the form of a private endpoint service. Ensure that the value of --region matches the region where you deployed your cluster:

    atlas privateEndpoints aws create [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws create.

    If you have a multi-region or multi-cloud cluster and you don't enable regionalized private endpoints, you must provision an endpoint for each provider and region.

  2. Note the private endpoint service's ID in the response. In this example, the ID is 6344ac8f51b94c6356527881.

    Private endpoint '6344ac8f51b94c6356527881' created.
2

Note

It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.

  1. Run the Atlas CLI command to describe the private endpoint using its ID:

    atlas privateEndpoints aws describe <privateEndpointId> [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws describe.

  2. Note the value for ENDPOINT SERVICE in the response, which shows the name of the private endpoint service associated with this private endpoint. In this example, the endpoint service name is com.amazonaws.vpce.us-east-1.vpce-svc-0705499aae25ac77c:

    ID ENDPOINT SERVICE STATUS ERROR
    6344ac8f51b94c6356527881 com.amazonaws.vpce.us-east-1.vpce-svc-0705499aae25ac77c AVAILABLE

    If the STATUS value is INITIATING, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.

3
  1. Run the command in the AWS CLI, replacing the following placeholders with your values:

    | Placeholder | Description |
    | --- | --- |
    | {VPC-ID} | Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account. |
    | {REGION} | AWS region in which your cluster resides. |
    | {SUBNET-IDS} | Unique string that identifies the subnets that your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account. Important: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint. |
    | {SERVICE-NAME} | Unique string identifying the private endpoint service that you retrieved previously. |

    aws ec2 create-vpc-endpoint --vpc-id {VPC-ID} \
    --region {REGION} --service-name {SERVICE-NAME} \
    --vpc-endpoint-type Interface --subnet-ids {SUBNET-IDS}

    To learn more about the AWS CLI, see Creating an Interface Endpoint.

  2. Note the value in the response for the field VpcEndpointId. This is a 22-character alphanumeric string that identifies your private endpoint. You can also find this value on the AWS VPC Dashboard under Endpoints > VPC ID.

4
  1. Run the Atlas CLI command to provide the interface endpoint info to Atlas using the Atlas endpoint service ID and the VPC Endpoint ID. In this example, you would set the following parameters:

    | Parameter | Type | Example Value |
    | --- | --- | --- |
    | endpointServiceId | Argument | 6344ac8f51b94c6356527881 |
    | privateEndpointId | Option | vpce-00713b5e644e830a3 |

    atlas privateEndpoints aws interfaces create <endpointServiceId> [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws interfaces create.

5

For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.

See Adding Rules to a Security Group for more information.

6

Create a security group for your interface endpoint. This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:

  1. In the AWS console, navigate to the VPC Dashboard.

  2. Click Security Groups, then click Create security group.

  3. Use the wizard to create a security group. Make sure you select your VPC from the VPC list.

  4. Select the security group you just created, then click the Inbound Rules tab.

  5. Click Edit Rules.

  6. Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.

  7. Click Save Rules.

  8. Click Endpoints, then click the endpoint for your VPC.

  9. Click the Security Groups tab, then click Edit Security Groups.

  10. Add the security group you just created, then click Save.

To learn more about VPC security groups, see the AWS documentation.

7

You can connect to the cluster using the AWS PrivateLink private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.

To verify that the AWS private endpoint is available:

  1. Run the Atlas CLI command to describe the interface endpoint using its ID. In this example, you would set the following parameters:

    | Parameter | Type | Example Value |
    | --- | --- | --- |
    | interfaceEndpointId | Argument | vpce-00713b5e644e830a3 |
    | endpointServiceId | Option | 6344ac8f51b94c6356527881 |

    atlas privateEndpoints aws interfaces describe <interfaceEndpointId> [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws interfaces describe.

  2. Verify that the STATUS field's value is AVAILABLE as shown in the following example:

    ID STATUS ERROR
    vpce-00713b5e644e830a3 AVAILABLE
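
The following helper script is an added example, not part of the Atlas documentation or the Atlas CLI. It parses the describe output shown in steps 2 and 7, waits while the status is INITIATING, and prints the step 3 and step 4 commands only after the checks this procedure calls for pass. The function names are hypothetical, the VPC and subnet IDs in the demo are constructed placeholders, and treating any status other than INITIATING or AVAILABLE as a failure is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for the AWS PrivateLink CLI procedure.
# It only parses text in the formats shown on this page and prints the next
# command; it never calls Atlas or AWS itself.

# Step 1: pull the ID out of "Private endpoint '<id>' created."
created_id() {
  sed -n "s/^.*endpoint '\([^']*\)' created\.\$/\1/p"
}

# Steps 2 and 7: read one column of the describe table from stdin.
# $1 is the header name with the space replaced by "_" (ENDPOINT_SERVICE).
table_field() {
  sed '1s/ENDPOINT SERVICE/ENDPOINT_SERVICE/' |
    awk -v col="$1" '
      NR == 1 { for (i = 1; i <= NF; i++) if ($i == col) c = i; next }
      NR == 2 && c { print $c }'
}

# Region embedded in a service name: com.amazonaws.vpce.<region>.vpce-svc-<id>
service_region() {
  printf '%s\n' "$1" |
    sed -n 's/^com\.amazonaws\.vpce\.\([a-z0-9-]*\)\.vpce-svc-[0-9a-z]*$/\1/p'
}

# The page describes VpcEndpointId as a 22-character alphanumeric string;
# its example is "vpce-" plus 17 characters.
valid_vpce_id() {
  printf '%s\n' "$1" | grep -Eq '^vpce-[0-9A-Za-z]{17}$'
}

# Poll until STATUS is AVAILABLE. $1 = attempts, $2 = seconds between
# attempts, remaining arguments = the describe command to run.
# Exit codes: 0 available, 1 unexpected status, 2 command failed, 3 timed out.
# The body is a subshell, so its variables and "exit" stay local.
wait_available() (
  tries=$1 pause=$2
  shift 2
  n=0
  while [ "$n" -lt "$tries" ]; do
    out=$("$@") || exit 2
    status=$(printf '%s\n' "$out" | table_field STATUS)
    case $status in
      AVAILABLE) printf '%s\n' "$out"; exit 0 ;;
      INITIATING) ;;  # the page says to wait and try again
      *) echo "unexpected status: ${status:-none}" >&2; exit 1 ;;  # assumption
    esac
    n=$((n + 1))
    sleep "$pause"
  done
  exit 3
)

# Step 3 gate: print the aws command only if the service is AVAILABLE, its
# region equals the target region, and at least one subnet is supplied.
# $1 = describe output, $2 = VPC ID, $3 = region, $4 = subnet IDs
vpc_endpoint_command() (
  status=$(printf '%s\n' "$1" | table_field STATUS)
  service=$(printf '%s\n' "$1" | table_field ENDPOINT_SERVICE)
  region=$(service_region "$service")
  [ "$status" = AVAILABLE ] ||
    { echo "service is ${status:-unknown}, not AVAILABLE" >&2; exit 1; }
  [ -n "$region" ] && [ "$region" = "$3" ] ||
    { echo "$service is not in region $3" >&2; exit 1; }
  [ -n "$4" ] || { echo "at least one subnet is required" >&2; exit 1; }
  printf 'aws ec2 create-vpc-endpoint --vpc-id %s --region %s --service-name %s --vpc-endpoint-type Interface --subnet-ids %s\n' \
    "$2" "$3" "$service" "$4"
)

# Step 4 gate: $1 = endpoint service ID, $2 = VpcEndpointId from step 3.
# --privateEndpointId is the option named in the step 4 parameter table.
interface_command() (
  valid_vpce_id "$2" || { echo "not a VPC endpoint ID: $2" >&2; exit 1; }
  printf 'atlas privateEndpoints aws interfaces create %s --privateEndpointId %s\n' "$1" "$2"
)

# Demo on constructed input: the table is the page's example output; the VPC
# and subnet IDs are made-up placeholders.
SAMPLE='ID ENDPOINT SERVICE STATUS ERROR
6344ac8f51b94c6356527881 com.amazonaws.vpce.us-east-1.vpce-svc-0705499aae25ac77c AVAILABLE'
vpc_endpoint_command "$SAMPLE" vpc-0123456789abcdef0 us-east-1 subnet-0123456789abcdef0
interface_command 6344ac8f51b94c6356527881 vpce-00713b5e644e830a3
```

In real use, pass the describe command to the poller, for example `wait_available 10 60 atlas privateEndpoints aws describe "$id"`.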

To set up AWS PrivateLink through the Atlas UI:

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

2

Click Dedicated Cluster (the default) to set up a private endpoint for your dedicated Atlas cluster.

3

Click the Add Private Endpoint button.

Note

You must provide the billing information in the Edit Payment Method form if you don't have a payment method already configured for your organization.

4

Click the AWS logo, then click Next.

5
  1. From the Atlas Region list, select the region in which you want to create the private endpoint.

  2. Click Next.

Note

If your organization has no payment information stored, Atlas prompts you to add it before continuing.

6
  1. Enter the following details about your AWS VPC:

    Your VPC ID: Unique identifier of the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.

    Your Subnet IDs: Unique identifiers of the subnets your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account.

    Important

    You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.

  2. Copy the command the dialog box displays and run it using the AWS CLI.

    Note

    You can't copy the command until Atlas finishes creating VPC resources in the background.

    See Creating an Interface Endpoint to perform this task using the AWS CLI.

  3. Click Next.

7
  1. Enter your VPC Endpoint ID. This is a 22-character alphanumeric string that identifies your private endpoint. Find this value on the AWS VPC Dashboard under Endpoints > VPC ID.

  2. Click Create.

8

For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.

See Adding Rules to a Security Group for more information.

9

Create a security group for your interface endpoint. This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:

  1. In the AWS console, navigate to the VPC Dashboard.

  2. Click Security Groups, then click Create security group.

  3. Use the wizard to create a security group. Make sure you select your VPC from the VPC list.

  4. Select the security group you just created, then click the Inbound Rules tab.

  5. Click Edit Rules.

  6. Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster.

  7. Click Save Rules.

  8. Click Endpoints, then click the endpoint for your VPC.

  9. Click the Security Groups tab, then click Edit Security Groups.

  10. Add the security group you just created, then click Save.

To learn more about VPC security groups, see the AWS documentation.

10
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

11

You can connect to an Atlas cluster using the AWS PrivateLink private endpoint when all of the resources are configured and the private endpoint becomes available.

To verify that the AWS PrivateLink private endpoint is available:

On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using AWS PrivateLink:

Atlas Endpoint Service Status: Available
Endpoint Status: Available

To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.

If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.

To set up AWS PrivateLink through the Atlas CLI, install the Atlas CLI and connect from the Atlas CLI. Then, complete the following steps:

1
  1. Run the Atlas CLI command to create a private endpoint and private endpoint service in Atlas. Ensure that the value of --region matches the region where you deployed your cluster:

    atlas privateEndpoints azure create [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure create.

    If you have a multi-region or multi-cloud cluster and you don't enable regionalized private endpoints, you must provision an endpoint for each provider and region.

  2. Note the private endpoint service's ID in the response. In this example, the ID is 6344ac8f51b94c6356527881.

    Private endpoint '6344ac8f51b94c6356527881' created.
2

Note

It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.

  1. Run the Atlas CLI command to describe the private endpoint using its service ID:

    atlas privateEndpoints azure describe <privateEndpointId> [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure describe.

  2. Note the value for ENDPOINT SERVICE in the response, which shows the endpoint service name. In this example, the endpoint service name is pls_6344ac8f51b94c6356527881:

    ID ENDPOINT SERVICE STATUS ERROR
    6344ac8f51b94c6356527881 pls_6344ac8f51b94c6356527881 AVAILABLE

    If the STATUS value is INITIATING, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.

3
  1. Disable network policies for private endpoints, replacing the following placeholders with your values:

    | Placeholder | Description |
    | --- | --- |
    | {RESOURCE-GROUP-NAME} | Name of the Azure resource group that contains the VNet that you want to use to connect to Atlas. You can find this value on the Resource Group Properties page on your Azure dashboard. |
    | {VIRTUAL-NETWORK-NAME} | Name of the VNet that you want to use to connect to Atlas. You can find this value on the Virtual Network page on your Azure dashboard. |
    | {SUBNET-NAME} | Name of the subnet in your Azure VNet. You can find this value on the Virtual Network Subnets page on your Azure dashboard. |

    az network vnet subnet update --resource-group {RESOURCE-GROUP-NAME} \
    --vnet-name {VIRTUAL-NETWORK-NAME} --name {SUBNET-NAME} \
    --disable-private-endpoint-network-policies true

  2. Run the az network private-endpoint create command in the Azure CLI, replacing the following placeholders with your values:

    | Placeholder | Description |
    | --- | --- |
    | {RESOURCE-GROUP-NAME} | Name of the Azure resource group that contains the VNet that you want to use to connect to Atlas. You can find this value on the Resource Group Properties page on your Azure dashboard. |
    | {VIRTUAL-NETWORK-NAME} | Name of the VNet that you want to use to connect to Atlas. You can find this value on the Virtual Network page on your Azure dashboard. |
    | {SUBNET-NAME} | Name of the subnet in your Azure VNet. You can find this value on the Virtual Network Subnets page on your Azure dashboard. |
    | {PRIVATE-ENDPOINT-NAME} | Human-readable label that identifies the private endpoint within your Azure resource group. |
    | {SUBSCRIPTION-ID} | Unique string that identifies your subscription in Azure. You can find this value on the Subscriptions page in Azure. |
    | {RESOURCE-GROUP-ID} | Unique string that identifies your Azure resource group. You can find this value on the Resource Group Properties page on your Azure dashboard. |
    | {ENDPOINT-SERVICE-NAME} | Unique string that identifies the endpoint service. This is the endpoint service name returned in a previous step. |

    az network private-endpoint create --resource-group {RESOURCE-GROUP-NAME} \
    --name {PRIVATE-ENDPOINT-NAME} --vnet-name {VIRTUAL-NETWORK-NAME} \
    --subnet {SUBNET-NAME} \
    --private-connection-resource-id /subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-ID}/providers/Microsoft.Network/privateLinkServices/{ENDPOINT-SERVICE-NAME} \
    --connection-name {ENDPOINT-SERVICE-NAME} --manual-request true

    To learn more about the Azure CLI, see Create a Private Endpoint by Using the Azure CLI.

  3. Copy and save the following values:

    Resource ID

    Unique string that identifies the private endpoint in your Azure VNet. Find this value in one of the following ways:

    • Use the Azure dashboard to retrieve this value. The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.

    • Use the output from the following command, which returns the highlighted value in the id field:

      az network private-endpoint create

      {
        "customDnsConfigs": [],
        "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
        "location": "eastus2",
        "manualPrivateLinkServiceConnections": [
          {
            "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
            "groupIds": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
            "name": "pls_5f860388d432510d5a6e1a3e",
            "privateLinkServiceConnectionState": {
              "actionsRequired": "None",
              "description": "Connection deleted by service provider",
              "status": "Disconnected"
            },
            "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
            "provisioningState": "Succeeded",
            "requestMessage": null,
            "resourceGroup": "privatelink",
            "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
          }
        ],
        "name": "privatelink",
        "networkInterfaces": [
          {
            "dnsSettings": null,
            "dscpConfiguration": null,
            "enableAcceleratedNetworking": null,
            "enableIpForwarding": null,
            "etag": null,
            "hostedWorkloads": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
            "ipConfigurations": null,
            "location": null,
            "macAddress": null,
            "name": null,
            "networkSecurityGroup": null,
            "primary": null,
            "privateEndpoint": null,
            "provisioningState": null,
            "resourceGroup": "privatelink",
            "resourceGuid": null,
            "tags": null,
            "tapConfigurations": null,
            "type": null,
            "virtualMachine": null
          }
        ],
        "privateLinkServiceConnections": [],
        "provisioningState": "Succeeded",
        "resourceGroup": "privatelink",
        "subnet": {
          "addressPrefix": null,
          "addressPrefixes": null,
          "delegations": null,
          "etag": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
          "ipAllocations": null,
          "ipConfigurationProfiles": null,
          "ipConfigurations": null,
          "name": null,
          "natGateway": null,
          "networkSecurityGroup": null,
          "privateEndpointNetworkPolicies": null,
          "privateEndpoints": null,
          "privateLinkServiceNetworkPolicies": null,
          "provisioningState": null,
          "purpose": null,
          "resourceGroup": "privatelink",
          "resourceNavigationLinks": null,
          "routeTable": null,
          "serviceAssociationLinks": null,
          "serviceEndpointPolicies": null,
          "serviceEndpoints": null
        },
        "tags": null,
        "type": "Microsoft.Network/privateEndpoints"
      }

      You can also return this value using the az network private-endpoint list CLI command.

    Private IP

    Private IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:

    • Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.

    • Use the Azure CLI to retrieve this value:

      1. Use the output from the following command, which returns the ID of the network interface in the highlighted networkInterfaces.id field:

        az network private-endpoint create

        {
          "customDnsConfigs": [],
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
          "location": "eastus2",
          "manualPrivateLinkServiceConnections": [
            {
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "groupIds": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
              "name": "pls_5f860388d432510d5a6e1a3e",
              "privateLinkServiceConnectionState": {
                "actionsRequired": "None",
                "description": "Connection deleted by service provider",
                "status": "Disconnected"
              },
              "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
              "provisioningState": "Succeeded",
              "requestMessage": null,
              "resourceGroup": "privatelink",
              "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
            }
          ],
          "name": "privatelink",
          "networkInterfaces": [
            {
              "dnsSettings": null,
              "dscpConfiguration": null,
              "enableAcceleratedNetworking": null,
              "enableIpForwarding": null,
              "etag": null,
              "hostedWorkloads": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
              "ipConfigurations": null,
              "location": null,
              "macAddress": null,
              "name": null,
              "networkSecurityGroup": null,
              "primary": null,
              "privateEndpoint": null,
              "provisioningState": null,
              "resourceGroup": "privatelink",
              "resourceGuid": null,
              "tags": null,
              "tapConfigurations": null,
              "type": null,
              "virtualMachine": null
            }
          ],
          "privateLinkServiceConnections": [],
          "provisioningState": "Succeeded",
          "resourceGroup": "privatelink",
          "subnet": {
            "addressPrefix": null,
            "addressPrefixes": null,
            "delegations": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
            "ipAllocations": null,
            "ipConfigurationProfiles": null,
            "ipConfigurations": null,
            "name": null,
            "natGateway": null,
            "networkSecurityGroup": null,
            "privateEndpointNetworkPolicies": null,
            "privateEndpoints": null,
            "privateLinkServiceNetworkPolicies": null,
            "provisioningState": null,
            "purpose": null,
            "resourceGroup": "privatelink",
            "resourceNavigationLinks": null,
            "routeTable": null,
            "serviceAssociationLinks": null,
            "serviceEndpointPolicies": null,
            "serviceEndpoints": null
          },
          "tags": null,
          "type": "Microsoft.Network/privateEndpoints"
        }

      2. Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the networkInterfaces.id field to retrieve the ipConfigurations.privateIPAddress for the private endpoint network interface. The value of this field is your Private IP. The input and output should look similar to the following. Note the highlighted value of the Private Endpoint IP Address field.

        az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000

        {
          "dnsSettings": {
            "appliedDnsServers": [],
            "dnsServers": [],
            "internalDnsNameLabel": null,
            "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net",
            "internalFqdn": null
          },
          "dscpConfiguration": null,
          "enableAcceleratedNetworking": false,
          "enableIpForwarding": false,
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "hostedWorkloads": [],
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
          "ipConfigurations": [
            {
              "applicationGatewayBackendAddressPools": null,
              "applicationSecurityGroups": null,
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig",
              "loadBalancerBackendAddressPools": null,
              "loadBalancerInboundNatRules": null,
              "name": "privateEndpointIpConfig",
              "primary": true,
              "privateIpAddress": "10.0.0.4",
              "privateIpAddressVersion": "IPv4",
              "privateIpAllocationMethod": "Dynamic",
              "privateLinkConnectionProperties": {
                "fqdns": [],
                "groupId": "",
                "requiredMemberName": ""
              },
              "provisioningState": "Succeeded",
              "publicIpAddress": null,
              "resourceGroup": "privatelink",
              "subnet": {
                "addressPrefix": null,
                "addressPrefixes": null,
                "delegations": null,
                "etag": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
                "ipAllocations": null,
                "ipConfigurationProfiles": null,
                "ipConfigurations": null,
                "name": null,
                "natGateway": null,
                "networkSecurityGroup": null,
                "privateEndpointNetworkPolicies": null,
                "privateEndpoints": null,
                "privateLinkServiceNetworkPolicies": null,
                "provisioningState": null,
                "purpose": null,
                "resourceGroup": "privatelink",
                "resourceNavigationLinks": null,
                "routeTable": null,
                "serviceAssociationLinks": null,
                "serviceEndpointPolicies": null,
                "serviceEndpoints": null
              },
              "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
              "virtualNetworkTaps": null
            }
          ],
          "location": "eastus2",
          "macAddress": "",
          "name": "privatelink.nic.00000000-0000-0000-0000-000000000000",
          "networkSecurityGroup": null,
          "primary": null,
          "privateEndpoint": {
            "customDnsConfigs": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
            "location": null,
            "manualPrivateLinkServiceConnections": null,
            "name": null,
            "networkInterfaces": null,
            "privateLinkServiceConnections": null,
            "provisioningState": null,
            "resourceGroup": "privatelink",
            "subnet": null,
            "tags": null,
            "type": null
          },
          "provisioningState": "Succeeded",
          "resourceGroup": "privatelink",
          "resourceGuid": "00000000-0000-0000-0000-000000000000",
          "tags": null,
          "tapConfigurations": [],
          "type": "Microsoft.Network/networkInterfaces",
          "virtualMachine": null
        }

4
  1. Run the Atlas CLI command to create an interface endpoint in Atlas using the Atlas endpoint service ID, the Azure Resource ID, and the Azure Private IP. In this example, you would set the following parameters:

    | Parameter | Type | Example Value |
    | --- | --- | --- |
    | endpointServiceId | Argument | 6344ac8f51b94c6356527881 |
    | privateEndpointId | Option | /subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/test-endpoint |
    | privateEndpointIpAddress | Option | 10.0.0.4 |

    atlas privateEndpoints azure interfaces create <endpointServiceId> [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure interfaces create.

  2. Note the private endpoint's interface endpoint ID in the response. In this example, the ID is /subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/cli-test.

    Interface endpoint '/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/cli-test' created.
5

You can connect to the cluster using the Azure Private Link private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.

To verify that the Azure private endpoint is available:

  1. Run the Atlas CLI command to describe the interface endpoint using its ID and the interface endpoint ID you retrieved in the previous step. In this example, you would set the following parameters:

    | Parameter | Type | Example Value |
    | --- | --- | --- |
    | privateEndpointResourceId | Argument | /subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/cli-test |
    | endpointServiceId | Option | 6344ac8f51b94c6356527881 |

    atlas privateEndpoints azure interfaces describe <privateEndpointResourceId> [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure interfaces describe.

  2. Verify that the STATUS field's value is AVAILABLE as shown in the following example:

    ID STATUS ERROR
    pls_6344ac8f51b94c6356527881 AVAILABLE
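
The following script is an added example, not part of the Atlas documentation. It collects the Resource ID and Private IP from step 3 with the Azure CLI's --query option instead of reading them out of the full JSON, checks both values, and prints the step 4 command. The function names are hypothetical, the Atlas option names are taken from the step 4 parameter table, and the query accepts both spellings of the private IP key that appear on this page.

```shell
#!/bin/sh
# Added example: gather the step 4 inputs for Azure Private Link.
# Only the offline demo at the bottom runs when this file is executed; the
# functions that call "az" need an authenticated Azure CLI session.

# Split a private endpoint resource ID into "subscription resource-group name".
# Fails for any ID that is not a Microsoft.Network/privateEndpoints resource.
parse_pe_resource_id() {
  printf '%s\n' "$1" | sed -n \
    's|^/subscriptions/\([^/]*\)/resourceGroups/\([^/]*\)/providers/Microsoft\.Network/privateEndpoints/\([^/]*\)$|\1 \2 \3|p' |
    grep .
}

# Resource ID: the top-level "id" field of the private endpoint.
# $1 = resource group name, $2 = private endpoint name
pe_resource_id() {
  az network private-endpoint show --resource-group "$1" --name "$2" \
    --query id --output tsv
}

# Private IP: networkInterfaces[0].id, then that NIC's first IP configuration.
# The key is privateIpAddress in the sample output on this page and
# privateIPAddress in its prose, so the query tries both.
# $1 = resource group name, $2 = private endpoint name
pe_private_ip() (
  nic=$(az network private-endpoint show --resource-group "$1" --name "$2" \
    --query 'networkInterfaces[0].id' --output tsv) || exit 1
  [ -n "$nic" ] || exit 1
  az network nic show --ids "$nic" \
    --query 'ipConfigurations[0].privateIpAddress || ipConfigurations[0].privateIPAddress' \
    --output tsv
)

# Print the step 4 command after validating both values.
# $1 = Atlas endpoint service ID, $2 = resource group, $3 = endpoint name
atlas_interface_command() (
  rid=$(pe_resource_id "$2" "$3") || exit 1
  parse_pe_resource_id "$rid" >/dev/null ||
    { echo "unexpected resource ID: $rid" >&2; exit 1; }
  ip=$(pe_private_ip "$2" "$3") || exit 1
  printf '%s\n' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' ||
    { echo "unexpected private IP: $ip" >&2; exit 1; }
  printf 'atlas privateEndpoints azure interfaces create %s --privateEndpointId %s --privateEndpointIpAddress %s\n' \
    "$1" "$rid" "$ip"
)

# Offline demo on the resource ID from the sample output on this page.
parse_pe_resource_id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink
```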

To set up Azure Private Link through the Atlas UI:

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

2

Click Dedicated Cluster (the default) to set up a private endpoint for your dedicated Atlas cluster.

3

Click the Add Private Endpoint button.

Note

You must provide the billing information in the Edit Payment Method form if you don't have a payment method already configured for your organization.

4

Click the Azure logo, then click Next.

5
  1. From the Atlas Region list, select the region in which you want to create the private endpoint.

  2. Click Next.

Note

If your organization has no payment information stored, Atlas prompts you to add it before continuing.

6
  1. Enter the following details about your Azure VNet:

    Resource Group Name: The name of the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.

    Virtual Network Name: The name of the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.

    Subnet Name: The name of the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.

  2. Enter a unique name for your private endpoint in the Private Endpoint Name field.

  3. Disable private endpoint network policies by copying the az network vnet subnet update command the dialog box displays and running it using the Azure CLI.

    For more information about this command, see the Azure documentation.

  4. Create the private endpoint in your VNet by copying the az network private-endpoint create command the dialog box displays and running it using the Azure CLI.

    Note

    You can't copy the command until Atlas finishes creating VNet resources in the background.

    For more information about this command, see the Azure documentation.

  5. You might receive an error like the following when you create the private endpoint:

    ServiceError: code: LinkedAuthorizationFailed - , The client has permission to perform action 'Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action' on scope '/subscriptions/<subscription-id>/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink', however the current tenant '<tenant-id>' is not authorized to access linked subscription '<tenant-id>'.

    If you receive this error, you must add the --manual-request true parameter to the Azure CLI command you used to create the private endpoint, then run the command again.

  6. Click Next.

7
  1. Enter the following details about your private endpoint:

    Private Endpoint Resource ID

    The unique identifier of the private endpoint you created in your Azure VNet. Find this value in one of the following ways:

    • The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.

    • The output from the following command that you ran earlier to create the private endpoint returns the highlighted value in the id field:

      az network private-endpoint create
      {
        "customDnsConfigs": [],
        "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
        "location": "eastus2",
        "manualPrivateLinkServiceConnections": [
          {
            "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
            "groupIds": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
            "name": "pls_5f860388d432510d5a6e1a3e",
            "privateLinkServiceConnectionState": {
              "actionsRequired": "None",
              "description": "Connection deleted by service provider",
              "status": "Disconnected"
            },
            "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
            "provisioningState": "Succeeded",
            "requestMessage": null,
            "resourceGroup": "privatelink",
            "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
          }
        ],
        "name": "privatelink",
        "networkInterfaces": [
          {
            "dnsSettings": null,
            "dscpConfiguration": null,
            "enableAcceleratedNetworking": null,
            "enableIpForwarding": null,
            "etag": null,
            "hostedWorkloads": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
            "ipConfigurations": null,
            "location": null,
            "macAddress": null,
            "name": null,
            "networkSecurityGroup": null,
            "primary": null,
            "privateEndpoint": null,
            "provisioningState": null,
            "resourceGroup": "privatelink",
            "resourceGuid": null,
            "tags": null,
            "tapConfigurations": null,
            "type": null,
            "virtualMachine": null
          }
        ],
        "privateLinkServiceConnections": [],
        "provisioningState": "Succeeded",
        "resourceGroup": "privatelink",
        "subnet": {
          "addressPrefix": null,
          "addressPrefixes": null,
          "delegations": null,
          "etag": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
          "ipAllocations": null,
          "ipConfigurationProfiles": null,
          "ipConfigurations": null,
          "name": null,
          "natGateway": null,
          "networkSecurityGroup": null,
          "privateEndpointNetworkPolicies": null,
          "privateEndpoints": null,
          "privateLinkServiceNetworkPolicies": null,
          "provisioningState": null,
          "purpose": null,
          "resourceGroup": "privatelink",
          "resourceNavigationLinks": null,
          "routeTable": null,
          "serviceAssociationLinks": null,
          "serviceEndpointPolicies": null,
          "serviceEndpoints": null
        },
        "tags": null,
        "type": "Microsoft.Network/privateEndpoints"
      }

    Private Endpoint IP Address

    The private IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:

    • Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.

    • Use the Azure CLI to retrieve this value:

      1. The output from the following command that you ran earlier to create the private endpoint includes the ID of the network interface in the highlighted networkInterfaces.id field:

        az network private-endpoint create
        {
          "customDnsConfigs": [],
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
          "location": "eastus2",
          "manualPrivateLinkServiceConnections": [
            {
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "groupIds": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
              "name": "pls_5f860388d432510d5a6e1a3e",
              "privateLinkServiceConnectionState": {
                "actionsRequired": "None",
                "description": "Connection deleted by service provider",
                "status": "Disconnected"
              },
              "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
              "provisioningState": "Succeeded",
              "requestMessage": null,
              "resourceGroup": "privatelink",
              "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
            }
          ],
          "name": "privatelink",
          "networkInterfaces": [
            {
              "dnsSettings": null,
              "dscpConfiguration": null,
              "enableAcceleratedNetworking": null,
              "enableIpForwarding": null,
              "etag": null,
              "hostedWorkloads": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
              "ipConfigurations": null,
              "location": null,
              "macAddress": null,
              "name": null,
              "networkSecurityGroup": null,
              "primary": null,
              "privateEndpoint": null,
              "provisioningState": null,
              "resourceGroup": "privatelink",
              "resourceGuid": null,
              "tags": null,
              "tapConfigurations": null,
              "type": null,
              "virtualMachine": null
            }
          ],
          "privateLinkServiceConnections": [],
          "provisioningState": "Succeeded",
          "resourceGroup": "privatelink",
          "subnet": {
            "addressPrefix": null,
            "addressPrefixes": null,
            "delegations": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
            "ipAllocations": null,
            "ipConfigurationProfiles": null,
            "ipConfigurations": null,
            "name": null,
            "natGateway": null,
            "networkSecurityGroup": null,
            "privateEndpointNetworkPolicies": null,
            "privateEndpoints": null,
            "privateLinkServiceNetworkPolicies": null,
            "provisioningState": null,
            "purpose": null,
            "resourceGroup": "privatelink",
            "resourceNavigationLinks": null,
            "routeTable": null,
            "serviceAssociationLinks": null,
            "serviceEndpointPolicies": null,
            "serviceEndpoints": null
          },
          "tags": null,
          "type": "Microsoft.Network/privateEndpoints"
        }
      2. Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the networkInterfaces.id field to retrieve the ipConfigurations.privateIPAddress for the private endpoint network interface. The value of this field is your Private Endpoint IP Address. The input and output should look similar to the following. Note the highlighted value of the Private Endpoint IP Address field.

        az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000
        {
          "dnsSettings": {
            "appliedDnsServers": [],
            "dnsServers": [],
            "internalDnsNameLabel": null,
            "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net",
            "internalFqdn": null
          },
          "dscpConfiguration": null,
          "enableAcceleratedNetworking": false,
          "enableIpForwarding": false,
          "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
          "hostedWorkloads": [],
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
          "ipConfigurations": [
            {
              "applicationGatewayBackendAddressPools": null,
              "applicationSecurityGroups": null,
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig",
              "loadBalancerBackendAddressPools": null,
              "loadBalancerInboundNatRules": null,
              "name": "privateEndpointIpConfig",
              "primary": true,
              "privateIpAddress": "10.0.0.4",
              "privateIpAddressVersion": "IPv4",
              "privateIpAllocationMethod": "Dynamic",
              "privateLinkConnectionProperties": {
                "fqdns": [],
                "groupId": "",
                "requiredMemberName": ""
              },
              "provisioningState": "Succeeded",
              "publicIpAddress": null,
              "resourceGroup": "privatelink",
              "subnet": {
                "addressPrefix": null,
                "addressPrefixes": null,
                "delegations": null,
                "etag": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
                "ipAllocations": null,
                "ipConfigurationProfiles": null,
                "ipConfigurations": null,
                "name": null,
                "natGateway": null,
                "networkSecurityGroup": null,
                "privateEndpointNetworkPolicies": null,
                "privateEndpoints": null,
                "privateLinkServiceNetworkPolicies": null,
                "provisioningState": null,
                "purpose": null,
                "resourceGroup": "privatelink",
                "resourceNavigationLinks": null,
                "routeTable": null,
                "serviceAssociationLinks": null,
                "serviceEndpointPolicies": null,
                "serviceEndpoints": null
              },
              "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
              "virtualNetworkTaps": null
            }
          ],
          "location": "eastus2",
          "macAddress": "",
          "name": "privatelink.nic.00000000-0000-0000-0000-000000000000",
          "networkSecurityGroup": null,
          "primary": null,
          "privateEndpoint": {
            "customDnsConfigs": null,
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
            "location": null,
            "manualPrivateLinkServiceConnections": null,
            "name": null,
            "networkInterfaces": null,
            "privateLinkServiceConnections": null,
            "provisioningState": null,
            "resourceGroup": "privatelink",
            "subnet": null,
            "tags": null,
            "type": null
          },
          "provisioningState": "Succeeded",
          "resourceGroup": "privatelink",
          "resourceGuid": "00000000-0000-0000-0000-000000000000",
          "tags": null,
          "tapConfigurations": [],
          "type": "Microsoft.Network/networkInterfaces",
          "virtualMachine": null
        }
  2. Enter an optional description for the endpoint.

  3. Click Create.

8
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

9

You can connect to an Atlas cluster using the Azure Private Link private endpoint when all of the resources are configured and the private endpoint becomes available.

To verify that the Azure Private Link private endpoint is available:

On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using Azure Private Link:

Atlas Endpoint Service Status: Available
Endpoint Status: Available

To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.

If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.

To set up GCP Private Service Connect in Google Cloud through the Atlas CLI, install the Atlas CLI and connect from the Atlas CLI. Then, complete the following steps:

1
  1. Run the Atlas CLI command to create a private endpoint in Atlas. Ensure that the value of --region matches the region where you deployed your cluster:

    atlas privateEndpoints gcp create [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp create.

    If you have a multi-region or multi-cloud cluster and you don't enable regionalized private endpoints, you must provision an endpoint for each provider and region.

  2. Note the private endpoint's ID in the response. In this example, the ID is 6344ac8f51b94c6356527881.

    Private endpoint '6344ac8f51b94c6356527881' created.
2

Note

It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.

Run the Atlas CLI command to describe the private endpoint using its ID:

atlas privateEndpoints gcp describe <privateEndpointId> [options]

To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp describe.

The following shows a sample output:

ID GROUP NAME REGION STATUS ERROR
6344ac8f51b94c6356527881 N/A CENTRAL_US AVAILABLE

If the STATUS value is INITIATING, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.

3
  1. Create a shell script file named setup_psc.sh.

  2. Copy and paste the following code into the setup_psc.sh file, replacing the following placeholders with your values:

    Placeholder
    Description
    {GCP-PROJECT-ID}
    Unique string that identifies your Google Cloud project in Google Cloud.
    {ATLAS-GCP-PROJECT-ID}
    Unique string that identifies the Google Cloud project in which Atlas deploys your resources.
    {ENDPOINT}
    Unique string that identifies your private endpoint. This is the prefix for all forwarding rules you create.
    {REGION}
    Google Cloud region in which your cluster resides.
    {SUBNET}
    When you create Private Service Connect endpoints, you specify a subnet in your VPC network; you may either create a new subnet to encapsulate your endpoints or use an existing one. This subnet needs to have at least 50 unassigned IP addresses.
    {VPC-NAME}
    Name of the VPC that you want to use to connect to Atlas. You can find this value on the VPC Network page on your Google Cloud dashboard.
    {GROUP-ID}
    Unique 24-character hexadecimal string that identifies your project in Atlas.

    #!/bin/bash
    # Select the Google Cloud project that contains your VPC.
    gcloud config set project {GCP-PROJECT-ID}

    # Reserve 50 internal IP addresses in the subnet, one per forwarding rule.
    for i in {0..49}
    do
      gcloud compute addresses create {ENDPOINT}-ip-$i --region={REGION} --subnet={SUBNET}
    done

    # Stop if any of the addresses did not reach the RESERVED state.
    for i in {0..49}
    do
      if [ "$(gcloud compute addresses describe {ENDPOINT}-ip-$i --region={REGION} --format="value(status)")" != "RESERVED" ]; then
        echo "{ENDPOINT}-ip-$i is not RESERVED";
        exit 1;
      fi
    done

    # Create one forwarding rule per reserved address, each targeting an Atlas service attachment.
    for i in {0..49}
    do
      gcloud compute forwarding-rules create {ENDPOINT}-$i --region={REGION} --network={VPC-NAME} --address={ENDPOINT}-ip-$i --target-service-attachment=projects/{ATLAS-GCP-PROJECT-ID}/regions/{REGION}/serviceAttachments/sa-{REGION}-{GROUP-ID}-$i
    done

  3. Run the shell script with bash, which the script's {0..49} loops require:

    bash setup_psc.sh
    Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/addresses/-ip-0].,
    Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/addresses/-ip-1].,
    ...
    Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/addresses/-ip-49].,
    Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/forwardingRules/-ip-0].,
    Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/forwardingRules/-ip-1].,
    ...
    Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/forwardingRules/-ip-49].
  4. Run the following command to generate a list of your Google Cloud forwarding addresses and store them in a file called atlasEndpoints.txt, replacing the following placeholders from the previous step:

    Placeholder
    Description
    {REGION}
    Google Cloud region in which your cluster resides.
    {ENDPOINT}
    Unique string that identifies your private endpoint. This is the prefix for all forwarding rules you create.
    gcloud compute forwarding-rules list --regions={REGION} --format="csv(name,IPAddress)" --filter="name:({ENDPOINT}*)" > atlasEndpoints.txt
4

Run the following command to reformat the contents of atlasEndpoints.txt:

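# Delete the CSV header row. The -i '' form is BSD/macOS sed syntax; GNU sed takes -i without the separate '' argument.
sed -i '' '1d' atlasEndpoints.txt
# Replace the comma between each name and IP address with @.
tr -s ',' '@' < atlasEndpoints.txt > atlasEndpoints2.txt
# Join the lines into a single comma-separated string.
tr -s '\n' ',' < atlasEndpoints2.txt > atlasEndpoints.txt
# Remove the trailing comma.
sed -i '' '$ s/.$//' atlasEndpoints.txt
rm atlasEndpoints2.txt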

Note

You use the contents of atlasEndpoints.txt in the next step as the value for the endpoint parameter.
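
The reformatting commands above rely on the BSD/macOS form of sed -i, which fails under GNU sed. The following POSIX shell function is an added example, not part of the Atlas documentation: it builds the same name@ip,name@ip,... string from the CSV and rejects malformed rows or an unexpected endpoint count before the value reaches the Atlas CLI. The function names, sample names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Atlas docs): portable version of the
# atlasEndpoints.txt reformatting step, with validation of the input.

# format_atlas_endpoints CSV_FILE [EXPECTED_COUNT]
# Prints name@ip,name@ip,... on stdout. Returns non-zero and prints nothing
# on stdout if a row is malformed, a name repeats, or the count is wrong.
format_atlas_endpoints() {
    csv_file=$1
    expected=${2:-50}   # the page's setup_psc.sh creates rules 0..49
    [ -r "$csv_file" ] || { echo "cannot read $csv_file" >&2; return 2; }

    awk -F',' -v expected="$expected" '
        NR == 1  { next }               # drop the CSV header row
                 { sub(/\r$/, "") }     # tolerate CRLF line endings
        $0 == "" { next }               # ignore blank lines
        NF != 2 || $1 == "" || $1 ~ /@/ {
            print "line " NR ": expected name,ip" > "/dev/stderr"
            bad = 1; next
        }
        $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            print "line " NR ": not an IPv4 address: " $2 > "/dev/stderr"
            bad = 1; next
        }
        seen[$1]++ {
            print "line " NR ": duplicate name: " $1 > "/dev/stderr"
            bad = 1; next
        }
        { out = out (n++ ? "," : "") $1 "@" $2 }
        END {
            if (n != expected) {
                print "found " n " endpoints, expected " expected > "/dev/stderr"
                bad = 1
            }
            if (bad) exit 1
            print out
        }
    ' "$csv_file"
}

# Constructed sample of the CSV written by the forwarding-rules list command
# (header text, names and addresses are made up; three rows instead of 50).
sample_csv() {
    printf '%s\n' 'name,IPAddress' \
        'tester-0,10.142.0.2' \
        'tester-1,10.142.0.3' \
        'tester-2,10.142.0.4'
}

demo_file=$(mktemp)
sample_csv > "$demo_file"
format_atlas_endpoints "$demo_file" 3
rm -f "$demo_file"
```

With a real atlasEndpoints.txt, call format_atlas_endpoints atlasEndpoints.txt and pass its output as the endpoint value only when the function returns 0.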

5
  1. Run the Atlas CLI command to create an interface endpoint in Atlas using the Atlas endpoint ID and the VPC Endpoint ID. In this example, you would set the following parameters:

    Parameter          Type      Example Value
    endpointGroupId    Argument  tester-1
    endpointServiceId  Option    6344ac8f51b94c6356527881
    gcpProjectId       Option    atlascli-private-endpoints
    endpoint           Option    tester-1@10.142.0.1,tester-2@10.142.0.2, ... , tester-49@10.142.0.49, tester-50@10.142.0.50

    Note

    The ... represents 46 other endpoints in between.

    To add a new interface for a Google Cloud private endpoint using the Atlas CLI, run the following command:

    atlas privateEndpoints gcp interfaces create <endpointGroupId> [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp interfaces create.

6

You can connect to the cluster using the GCP Private Service Connect private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.

To verify that the Google Cloud private endpoint is available:

  1. Run the Atlas CLI command to describe the interface endpoint using its ID. In this example, you would use the following parameters from the previous step:

    Parameter          Type      Example Value
    id                 Argument  tester-1
    endpointServiceId  Option    6344ac8f51b94c6356527881

    To return the Google Cloud private endpoint interface that you specify using the Atlas CLI, run the following command:

    atlas privateEndpoints gcp interfaces describe <id> [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp interfaces describe.

  2. Verify that the STATUS field's value is AVAILABLE as shown in the following example:

    ENDPOINT STATUS DELETE REQUESTED
    tester-1 AVAILABLE false

    If the STATUS value is VERIFIED, wait 1-2 more minutes for Atlas to make your private endpoint available.

To set up GCP Private Service Connect in Google Cloud through the Atlas UI:

1
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

2
3

Click the Google Cloud logo, then click Next.

4
  1. From the Atlas Region list, select the region in which you want to create the private endpoint.

  2. Click Next.

Note

If your organization has no payment information stored, Atlas prompts you to add it before continuing.

5
  1. Enter the following details about your Google Cloud VPC:

    Google Cloud Project ID
    The unique ID for your project. Find this value on the Dashboard page on your Google Cloud platform.
    VPC Name
    The name of the VPC that you want to use to connect to Atlas. Find this value on the VPC Networks page on your Google Cloud dashboard.
    Subnet Name
    The name of the subnet in your Google Cloud VPC. Find this value on the VPC Networks page on your Google Cloud dashboard.
  2. Enter a unique name for your private endpoint in the Private Service Connect Endpoint Prefix field. This will be the prefix for all endpoints created and the name of the endpoint group. Click Next.

  3. Create the forwarding rules in your Google Cloud VPC by downloading the shell script and running it using the gcloud CLI. This will output a JSON file containing a list of IP addresses and endpoint names that you will need in the next step. Click Next.

  4. Click Upload JSON File to select and upload the outputted JSON file.

  5. Click Create Private Endpoint.

6
  1. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your project from the Projects menu in the navigation bar.

  3. In the sidebar, click Network Access under the Security heading.

7

You can connect to an Atlas cluster using the GCP Private Service Connect private endpoint when all of the resources are configured and the private endpoint becomes available.

To verify that the GCP Private Service Connect private endpoint is available:

On the Private Endpoint tab, verify the following statuses for the region that contains the cluster you want to connect to using GCP Private Service Connect:

Atlas Endpoint Service Status: Available
Endpoint Status: Available

To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.

If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.
