
How to connect MongoDB Atlas to GCP (Google Cloud Platform)?

I am trying to connect my app, which is hosted on Google Cloud Platform (GCP) App Engine, to my Mongo Atlas DB, and Mongo wants me to whitelist the GCP app IP. But GCP doesn't have a static IP for me to whitelist.

I want to make sure I apply security best practices, and as far as I understand, whitelisting my DB for all IPs is not secure. So how can I do it without opening all IPs?

You have 2 solutions

From this example, we see that both the 8.34.208.0/20 and 8.35.192.0/21 IP ranges can be used for App Engine traffic. Other queries for any additional netblocks may return additional IP ranges.

Note that using static IP address filtering is not considered a safe and effective means of protection. For example, an attacker could set up a malicious App Engine app which could share the same IP address range as your application. Instead, we suggest that you take a defense in depth approach using OAuth and Certs.

  • You can perform VPC peering. This requires several things:
  1. Have a paid subscription to Mongo Atlas
  2. Create a [peering between Mongo Atlas and your project](https://docs.atlas.mongodb.com/security-vpc-peering/)
  3. Create a serverless VPC connector and add it to your App Engine to allow it to reach private IPs on the VPC (and peerings attached to the VPC, like your Mongo Atlas DB)

You have the option of reserving a static IP while creating a VM.

On the "create instance" page, scroll to "networking"; you are presented with options for your: I. Internal IP, II. External IP.

If you are running an M10 cluster (or higher) on Atlas, VPC peering is the way to go. I'd recommend trying this tutorial. They explain what CIDR ranges (what you referred to as IPs) to whitelist.

One thing to notice here: they are using GCP's Kubernetes Engine. With App Engine there is a little extra effort, as it is one of GCP's "Serverless" solutions, which is the reason why you should not use static IPs or anything like that. You will need to connect your app to the VPC network via a connector:

  1. Create a connector in the same region as your GAE app following these instructions. You can find out the current region of your GAE app with gcloud app describe. Just give the connector the range 10.8.0.0 for now (/28 is added automatically). Remember the name you gave it.

  2. Depending on your environment, your app has to point to that connector. In NodeJS it's your app.yaml file, and it looks similar to this:

     runtime: nodejs10

     vpc_access_connector:
         name: projects/GCLOUD_PROJECT_ID/locations/REGION_WHERE_GAE_RUNS/connectors/NAME_YOU_ENTERED_IN_STEP_1

  3. Go to your Atlas project, navigate to Network Access and whitelist the CIDR range you set for the connector in Step 1.
  4. You may also need to whitelist the CIDR range from Step 1 for the VPC network. You can do that in GCP by navigating to VPC Network -> Firewall.
