Reputation: 73
I want my backend server (Node.js, hosted on Google App Engine, flexible environment if that matters) to be able to grab and pass data from my database (MongoDB, through Atlas, also hosted on Google Cloud Platform, in the same region as my backend server). Ideally, I'd like to keep a tight whitelist of IPs that can access my database, but I'm not sure how to identify them.
My understanding is that Google will use a range of IPs. I might be able to access these by querying Google from time to time (Google App Engine - list of IP addresses?).
I also found a nice tutorial from Google about how to connect App Engine to MongoDB Atlas, but they conveniently left out how to whitelist the correct IPs (https://cloud.google.com/community/tutorials/mongodb-atlas-appengineflex-nodejs-app).
I also found some notes from Atlas about using network peering within GCP (which I qualify for? see link: https://docs.atlas.mongodb.com/security-vpc-peering/) but there are significant restrictions, including that other IPs aren't allowed? I'm having a hard time understanding their documentation.
Key Question: Is there an easier way to do this than the first link above? Or am I stuck querying this frequently and changing it by hand?
Upvotes: 6
Views: 2145
Reputation: 491
If you are running an M10 cluster (or higher) on Atlas, VPC peering is the way to go. As you said, you are having a hard time reading the documentation. I'd recommend trying this tutorial. They explain which CIDR ranges (what you referred to as IPs) to whitelist.
One thing to notice here: they are using GCP's Kubernetes Engine. With App Engine there is a little extra effort, as it is one of GCP's "Serverless" solutions, which is the reason why you should not use static IPs or anything like that. You will need to connect your app to the VPC network via a connector:
1. Create a connector in the same region as your GAE app following these instructions. You can find out the current region of your GAE app with gcloud app describe. Just give the connector the range 10.8.0.0 for now (/28 is added automatically). Remember the name you gave it.
2. Your app.yaml has to point to that connector like this:
    runtime: nodejs10
    vpc_access_connector:
      name: projects/GCLOUD_PROJECT_ID/locations/REGION_WHERE_GAE_RUNS/connectors/NAME_YOU_ENTERED_IN_STEP_1
3. Go to your Atlas project, navigate to Network Access and whitelist the CIDR range you set for the connector in Step 1.
4. You may also need to whitelist the CIDR range from Step 1 for the VPC network. You can do that in GCP by navigating to VPC Network -> Firewall.
Upvotes: 6
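A small sanity check for Steps 1 to 3 of the answer above, added here as an example and not part of the original post: it parses the vpc_access_connector name from app.yaml into project, region and connector name, and checks that the connector's CIDR is actually admitted by the Atlas Network Access list, flagging any admitting entry wider than the connector (such as 0.0.0.0/0) that would undo the whitelist. The project, region, connector name and access-list entries are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample values (not from the original post): the connector range
# chosen in Step 1 and a hypothetical Atlas Network Access list for the project.
CONNECTOR_RANGE = "10.8.0.0/28"
ATLAS_ACCESS_LIST = ["10.8.0.0/28", "203.0.113.7/32"]
APP_YAML_CONNECTOR = "projects/my-proj/locations/us-central1/connectors/atlas-conn"

_NAME_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/connectors/([^/]+)$")


def parse_connector_name(name: str) -> Optional[Dict[str, str]]:
    """Split the vpc_access_connector.name from app.yaml into its parts, or
    return None when it lacks the projects/.../locations/.../connectors/... shape."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    return {"project": m.group(1), "region": m.group(2), "connector": m.group(3)}


def audit_access_list(connector_range: str, access_list: List[str]) -> Dict[str, object]:
    """Check that the connector's CIDR is admitted by the Atlas access list and
    flag any admitting entry that is wider than the connector itself (e.g. 0.0.0.0/0),
    since such an entry lets far more than the App Engine app reach the cluster."""
    connector = ipaddress.ip_network(connector_range, strict=True)
    covered_by: List[str] = []
    too_broad: List[str] = []
    for entry in access_list:
        # A bare address in the list is treated as a /32 (or /128) entry.
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != connector.version or not connector.subnet_of(net):
            continue
        covered_by.append(entry)
        if net.prefixlen < connector.prefixlen:
            too_broad.append(entry)
    return {"covered": bool(covered_by), "covered_by": covered_by, "too_broad": too_broad}


if __name__ == "__main__":
    print("connector:", parse_connector_name(APP_YAML_CONNECTOR))
    print("atlas audit:", audit_access_list(CONNECTOR_RANGE, ATLAS_ACCESS_LIST))
```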
Reputation: 260
I believe there are different accounts for Google App Engine. It is very difficult to precisely find out the GAE IP to connect to MongoDB Atlas.
So, to be precise, I would recommend you to use the VPC peering feature of MongoDB Atlas.
Upvotes: 4
Reputation: 4660
It's not very easy or good to use IPs with App Engine. For cases like this, I would suggest using a VM on GCE, on which you can configure external and internal static IP addresses, together with a proxy.
You can find more information on Reserving a static external IP address and Reserving a Static Internal IP Address, if you think this is a method that would help you.
There is a Feature Request open for static IP to be checked and possibly implemented by Google, which you can access here:
Besides that, you can read the documentation on Static IP Addresses and App Engine apps to find out more about the options already available on App Engine.
Please, let me know if the information helped you.
Upvotes: 0