Edouard Finet

Reputation: 31

VPC peering between Atlas cluster and AWS failing without 0.0.0.0/0 IP whitelisted

I have set up VPC peering between my AWS VPC and my mongodb Cluster. A lambda function is connected to the VPC, triggered by cognito, and responsible for talking to Mongo.

The VPC is configured as follows in terraform:

data "aws_availability_zones" "available" {}

# VPC
resource "aws_vpc" "lambda_vpc" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    "Name" = "${terraform.workspace}_vpc_for_lambda"
  }
}

# Subnets
resource "aws_subnet" "vpc_private_subnet" {
  depends_on        = [aws_vpc.lambda_vpc]
  count             = length(data.aws_availability_zones.available.names)
  vpc_id            = aws_vpc.lambda_vpc.id
  cidr_block        = # the cidr for the subnet (removed for this post)
  availability_zone = data.aws_availability_zones.available.names[count.index]
}

# Route table
resource "aws_route_table" "lambda_route_table" {
  vpc_id = aws_vpc.lambda_vpc.id
}


# Security Groups
resource "aws_security_group" "lambda_security" {
  name   = "lambda_vpc_security_group"
  vpc_id = aws_vpc.lambda_vpc.id

  egress {
    description = "The required network traffic rule for connecting to Atlas" # https://www.mongodb.com/docs/atlas/security-vpc-peering/#aws-vpc-peering-prerequisites
    protocol    = "6" # this is TCP
    from_port   = 27015
    to_port     = 27017
    cidr_blocks = var.mongodb_cidr_block
  }
}

I have then:

As can be seen from the terraform config, I have no Internet Gateway. This is on purpose: the lambda does not need to talk to the internet, only to the MongoDB cluster through the VPC Peering connection.

The security group that the lambda is attached to (the same one as in the config) has the rule that is specified in the mongo docs --> https://www.mongodb.com/docs/atlas/security-vpc-peering/#aws-vpc-peering-prerequisites

On the Mongo side, my initial IP addresses that were whitelisted included the AWS VPC CIDR block and 0.0.0.0/0, and it seemed that everything was working. However, I wanted to lock down the whitelisted IPs to only the VPC CIDR and the IPs that I use. As far as I understood, the traffic coming to Mongo would always be from the AWS VPC, since that is what the configuration says in terraform and in the AWS console. However, when I removed the 0.0.0.0/0 rule, the lambda was no longer able to connect to the MongoDB cluster. I don't understand why this is the case; surely it doesn't need this rule to connect, as the traffic is not coming from any IPs that are not part of the VPC CIDR.

Since then, I have also tried adding the security group ID to the list of whitelisted IPs (this is something that the Mongo IP Access List seems to support), but this too has not solved the problem.

Does anyone know why this is happening?

EDIT:

I have since added Flow Logs to the VPC to try to debug the traffic as per the docs here --> https://aws.amazon.com/blogs/aws/learn-from-your-vpc-flow-logs-with-additional-meta-data/

I made sure to make the flow logs show the source and destination IP as well as other fields I thought would be interesting. From the result, it seems that absolutely no traffic from my lambda is passing through the VPC. [screenshot of the flow log omitted]

Is it possible for the lambda's traffic to not go through the VPC even though it is attached to it? Any ideas on what could be wrong?

Upvotes: 2

Views: 297
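A small checker for the flow-log debugging step described in the question, added here as an example (not code from the question or from AWS/MongoDB): it parses default-format VPC Flow Log records and keeps only TCP flows from the VPC CIDR toward the Atlas CIDR on the 27015-27017 ports from the egress rule, so you can see per ENI whether the Lambda's traffic reaches the peering path and whether it is accepted or rejected. The VPC CIDR, Atlas CIDR, account id and ENI ids are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the default VPC Flow Logs format (not real traffic):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0aaa111 10.0.1.23 192.168.248.5 52314 27017 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa111 10.0.1.23 192.168.248.5 52315 27017 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0bbb222 10.0.2.40 10.0.1.23 443 40011 6 5 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa111 - - - - - - - 1700000000 1700000060 - NODATA
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")          # assumed value of var.vpc_cidr
ATLAS_CIDR = ipaddress.ip_network("192.168.248.0/21")   # assumed Atlas project CIDR (placeholder)
ATLAS_PORTS = range(27015, 27018)  # the 27015-27017 egress rule from the question

FIELDS = ["version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status"]


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; skip NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["status"] == "OK":
            records.append(rec)
    return records


def atlas_bound_flows(records, vpc_cidr=VPC_CIDR, atlas_cidr=ATLAS_CIDR):
    """Keep only TCP flows from the VPC toward the Atlas CIDR on the mongod ports."""
    out = []
    for r in records:
        if r["proto"] != "6" or int(r["dstport"]) not in ATLAS_PORTS:
            continue
        if ipaddress.ip_address(r["src"]) not in vpc_cidr:
            continue
        if ipaddress.ip_address(r["dst"]) in atlas_cidr:
            out.append(r)
    return out


def summarize(records):
    """Count ACCEPT/REJECT per source ENI; an empty result means no Lambda traffic hit the VPC."""
    counts = Counter((r["eni"], r["action"]) for r in atlas_bound_flows(records))
    return dict(counts)
```

An empty summary over real logs means the Lambda's ENI never sent traffic toward the Atlas CIDR inside the VPC; REJECT entries point at the security group or NACL rather than the Atlas access list.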

Answers (2)

Abhimanyu Prajapati

Reputation: 1

I faced a similar issue when setting up VPC peering between my MongoDB Atlas cluster and AWS. Initially, I could not connect without whitelisting 0.0.0.0/0, which wasn’t secure or ideal.

The solution that worked for me was to whitelist the IP address of my NAT Gateway instead of using 0.0.0.0/0. Here’s what I did:

Identify the NAT Gateway IP

Add the NAT Gateway IP to MongoDB Atlas Network Access:

Why This Works with AWS Lambda in a Private Subnet

Since my Lambda function was deployed in a private subnet, it needed to route traffic through a NAT Gateway to access resources outside the VPC.

Traffic from the Lambda function flows through the NAT Gateway when it accesses MongoDB Atlas over the internet. Therefore, the outbound traffic from Lambda appears as coming from the NAT Gateway's IP. By adding the NAT Gateway's IP to the MongoDB Atlas whitelist, MongoDB recognized Lambda’s traffic as originating from an allowed IP, allowing the connection to succeed without using 0.0.0.0/0 in the whitelist.

Upvotes: 0

KratoSeba

Reputation: 29

Some MongoDB Instances don't support VPC Peering

If the instance is the problem, the solution would be to change the instance type to any that is not: Atlas M0 (free cluster), M2, M5 or Serverless Instance.

The configuration you shared seems correct, so it should be normal to connect without 0.0.0.0/0 in the IP Whitelist after changing the instance.

Upvotes: 0
