How to connect to MongoDB cluster hosted on Azure using private endpoint

Elie Sidnawy 0 Reputation points
2025-02-15T20:22:26.3533333+00:00

Hello experts,

I have an application running in a customer's plant on a Windows 10 PC that needs to send data to a MongoDB Atlas cluster. The PC is behind the customer firewall, so they requested the needed IPs and ports for the connection. Given that the Mongo cluster IPs change regularly, and for a more secure design, I figured the best way is to have a private endpoint connection to the cluster.

Below is the setup I made so far

  1. Azure
    1. Virtual Network created with no firewall, microsoft defender, peerings, route table or lock
    2. Subnet 10.0.64.0/18 created inside the VNet
    3. Private endpoint 10.0.64.4 with no security groups, locks, routings (Provisioning state: Succeeded, Connection status: Approved)
    4. Private DNS zone named mongodb.net linked to the VNet (Link Status: Completed) with a record set Type A named machinedata-pl-0.rcdjg
  2. Mongo
    1. M10 cluster named MachineData, private connection string mongodb+srv://

2 answers

  1. G Sree Vidya 0 Reputation points Microsoft Vendor
    2025-02-18T07:01:15.7766667+00:00

    Hi @Elie Sidnawy

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Please follow the steps below to connect to a MongoDB cluster on Azure using a private endpoint via the Azure portal.

    To create a private endpoint to a node in an existing cluster, open the Networking page for the cluster.

    1. Select Add private endpoint.
       [Screenshot: selecting Add private endpoint on the Networking screen.]
    2. On the Basics tab of the Create a private endpoint screen, confirm the Subscription, Resource group, and Region. Enter a Name for the endpoint, such as my-cluster-1, and a Network interface name, such as my-cluster-1-nic.
    3. Select Next: Resource. Choose "Microsoft.DocumentDB/mongoClusters" for Resource type, and choose the target cluster for Resource. For Target sub-resource, choose "MongoCluster".
    4. Select Next: Virtual Network. Choose the desired Virtual network and Subnet. Under Private IP configuration, select Statically allocate IP address or keep the default, Dynamically allocate IP address.
    5. Select Next: DNS.
    6. Under Private DNS integration, for Integrate with private DNS zone, keep the default Yes or select No.
    7. Select Next: Tags, and add any desired tags.
    8. Select Review + create. Review the settings, and select Create when satisfied.

    Refer: https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/vcore/how-to-private-link#enable-private-access-on-an-existing-cluster

    https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/vcore/how-to-private-link?source=recommendations#create-a-cluster-with-a-private-endpoint-by-using-the-azure-portal

    Additionally, you can enable it using Azure CLI commands.

    Refer: https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/vcore/how-to-private-link?source=recommendations#create-a-private-endpoint-by-using-azure-cli

    Refer below doc for MongoDB connectivity.

    https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/connect-account


    Kindly let us know if the above helps or you need further assistance on this issue.


  2. VIVEK DWIVEDI 105 Reputation points Microsoft Employee
    2025-02-20T17:10:01.5366667+00:00

    Hello @Elie Sidnawy ,

    Below is my understanding of your setup.

    [Image: diagram of the setup as understood by the answerer.]

    If this is true, there are two possibilities:

    Case 1: You already have private connectivity established between on-premises and Azure using ExpressRoute or a site-to-site VPN. In that case you can follow the steps in https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview.

    Case 2: You don't have private connectivity between on-premises and Azure. In this case you won't be able to use a private endpoint or private DNS zones. Instead you can use one of the following solutions.
    2a. If the on-prem firewall supports URL-based filtering, you can share the URL and they can whitelist it.

    2b. If the on-prem firewall is a traditional one, you need to allow the complete IP range for MongoDB in that region.
    You can get the regional public IP ranges from here: https://www.microsoft.com/en-us/download/details.aspx?id=56519&msockid=06daa8cb8b3961c2240fbc798ad16023

    I hope this helps.

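As an added example that is not part of this thread (it is not the questioner's or either answerer's code), the following PowerShell script, run on the on-prem Windows 10 PC, shows what a mongodb+srv:// lookup actually does and whether the Azure private endpoint ends up in the path. A driver given mongodb+srv://<host> first queries the SRV record _mongodb._tcp.<host> and a TXT record for <host>, then connects to the SRV target hostnames on the ports carried in those records, not to <host> itself. So it is the SRV target names that must resolve into the private endpoint subnet, and the SRV ports (not necessarily 27017) that the customer firewall has to allow. The script resolves each target, checks the address against the 10.0.64.0/18 subnet from the question, and tests TCP reachability. The hostname machinedata-pl-0.rcdjg.mongodb.net is an assumption built from the A-record name in the question; the real connection string was not posted.

```powershell
# Added example, not code from the thread above. Assumed values: the SRV hostname
# (built from the A-record name in the question) and the private endpoint subnet.
param(
    # Hostname taken from the mongodb+srv:// connection string (assumed value)
    [string]$SrvHost = 'machinedata-pl-0.rcdjg.mongodb.net',
    # Subnet that holds the Azure private endpoint (10.0.64.0/18 per the question)
    [string]$PrivateCidr = '10.0.64.0/18'
)

# Render an IPv4 address as a 32-character bit string, network byte order.
function ConvertTo-BitString([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    -join ($bytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
}

# True when an IPv4 address falls inside the given CIDR block.
function Test-IPv4InCidr([string]$Address, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $prefix = [int]$bits
    (ConvertTo-BitString $Address).Substring(0, $prefix) -eq (ConvertTo-BitString $net).Substring(0, $prefix)
}

# Step 1: the SRV query the driver issues before anything else.
$srv = Resolve-DnsName -Name "_mongodb._tcp.$SrvHost" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No SRV record for _mongodb._tcp.$SrvHost; the driver cannot build a seed list from this PC."
    return
}

# Step 2: the TXT record, whose contents the driver appends as connection options.
$txt = Resolve-DnsName -Name $SrvHost -Type TXT -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' }
if ($txt) { Write-Host "TXT options: $txt" }

# Seed list rule: every SRV target must sit under the parent domain of the SRV host.
$parent = $SrvHost.Substring($SrvHost.IndexOf('.') + 1)

# Step 3: resolve each SRV target and test the TCP port the record names.
$results = foreach ($r in $srv) {
    $inParent = $r.NameTarget.EndsWith(".$parent")
    $addrs = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    if (-not $addrs) {
        [pscustomobject]@{ Target = $r.NameTarget; Port = $r.Port; Address = '(unresolved)';
                           InParentDomain = $inParent; ViaPrivateEndpoint = $false; TcpReachable = $false }
        continue
    }
    foreach ($a in $addrs) {
        $tcp = Test-NetConnection -ComputerName $a -Port $r.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target             = $r.NameTarget
            Port               = $r.Port
            Address            = $a
            InParentDomain     = $inParent
            ViaPrivateEndpoint = Test-IPv4InCidr -Address $a -Cidr $PrivateCidr
            TcpReachable       = $tcp
        }
    }
}

$results | Format-Table -AutoSize

# Summary: the firewall request is the set of target:port pairs, and the private
# endpoint is only in use if at least one target resolves into its subnet.
$ports = ($results | Select-Object -ExpandProperty Port -Unique) -join ', '
Write-Host "Ports the firewall must allow (from SRV): $ports"
if ($results | Where-Object { $_.ViaPrivateEndpoint }) {
    Write-Host "At least one target resolves into $PrivateCidr: the private endpoint is being used."
} else {
    Write-Host "No target resolves into $PrivateCidr: this PC is resolving public addresses, so the private endpoint is not in the path."
}
```

If every target resolves to a public address, the PC's resolver is not consulting the Azure private DNS zone at all, which is the situation Case 2 above describes. Forwarding the mongodb.net zone from the on-prem DNS server to a DNS Private Resolver inbound endpoint over the VPN or ExpressRoute link (Case 1) is what makes the private addresses appear in the table; an A record for the SRV hostname alone does not help, because the driver connects to the SRV targets.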
