5 votes

I'm trying to connect from Google Cloud Run to MongoDB using VPC and peer networking but I can't seem to establish a connection. The goal is to be able to connect from Cloud Run to Atlas while only allowing a certain IP range.

My setup is:

  • MongoDB Atlas running on Google Cloud.
  • A Google Cloud Run container running a NodeJS server in the same region as MongoDB Atlas (although that shouldn't matter as far as I can tell).

I have taken the following steps:

  1. Create a VPC on the Google Cloud side following instructions from https://cloud.google.com/vpc/docs/using-vpc.

  2. Set up a network peering between my VPC and the MongoDB Atlas VPC: https://docs.atlas.mongodb.com/security-vpc-peering/

  3. Set up serverless VPC access using a connector: https://cloud.google.com/vpc/docs/configure-serverless-vpc-access

  4. Re-deployed the Cloud Run container using the connector above: https://cloud.google.com/run/docs/configuring/connecting-vpc

  5. Added the CIDR range from step 3 to the whitelist in MongoDB Atlas and removed the previous open range 0.0.0.0/0.

All steps succeed (green dots etc.), but when I try to connect after step 5 the connection fails. What am I missing?

Do you mind explaining what GCD is? Cloud Run will soon allow defining static IP addresses for outbound connections, that way, you will be able to whitelist certain IPs and they would be coming from your Cloud Run apps. – Ahmet Alp Balkan

What is GCD & add full failure message to question, also try connecting from mongo shell with --verbose. – D. SM

VPC Peering is not transitive. This means that you cannot arrive on one network and be routed to another network. You have Network A (Cloud Run) -> Network B (your VPC) -> Network C (MongoDB). Network A will not be routed to Network C. – John Hanley

@AhmetB-Google Sorry, I misspelled. I meant GCP; MongoDB is running on Google Cloud. So does that mean there is currently no way of establishing a connection through network peering between Cloud Run and MongoDB Atlas? – Stefan

@JohnHanley Thank you for your reply. So: 1. The "connector" for Cloud Run only allows me to connect to hosts on Network B (if I had other services running there). 2. If I was actually running something on Network B (my VPC), e.g. App Engine, I would be able to connect from that to Network C through the VPC peering, but right now the peer connection does nothing for me. Am I understanding that correctly? – Stefan

1 Answer

3 votes

Solved this so answering my own question. Turns out the approach outlined in the question does work. I was missing two things:

  1. You need to change the MongoDB connection string to the private connection string. You can retrieve this by clicking on "Connect" under "Clusters" in the MongoDB dashboard. This is, as far as I could see, not documented anywhere in the MongoDB peer networking guide.

  2. Whitelist the CIDR range from both the VPC itself (step 1) and the CIDR range from the serverless connector (step 3) in the MongoDB Atlas network settings.
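The two fixes in this answer, and the five-step setup in the question, can be turned into a preflight check that the Node.js service runs before it hands the URI to the driver, so a misconfiguration fails with a clear message instead of the silent connection timeout the question describes. The code below is an added example, not code from the question, the answer, or MongoDB Atlas; the CIDR ranges, hostname and credentials are constructed placeholders, and the rule that Atlas private (peering) hostnames carry a "-pri" label is an assumption to confirm against the string the Connect dialog actually shows.

```javascript
// Added example (not from the original post). Verifies, before connecting,
// that a Cloud Run service is configured the way the accepted answer requires:
//   1. the URI is the Atlas *private* connection string, and
//   2. the Atlas IP access list covers both ranges Cloud Run traffic can carry
//      as a source address over peering: the VPC subnet range (step 1) and the
//      Serverless VPC Access connector range (step 3).
// All ranges, hostnames and credentials below are constructed placeholders.

// Converts a dotted-quad IPv4 address to an integer, rejecting malformed input.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d+$/.test(p) || n > 255) throw new Error(`bad octet in ${ip}`);
    return acc * 256 + n;
  }, 0);
}

// Parses "a.b.c.d/n" into its first and last address (a bare address is /32).
function parseCidr(cidr) {
  const [ip, prefixStr] = cidr.split("/");
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`bad prefix length in ${cidr}`);
  }
  const size = 2 ** (32 - prefix);
  const start = Math.floor(ipv4ToInt(ip) / size) * size; // network address
  return { cidr, prefix, start, end: start + size - 1 };
}

function contains(outer, inner) {
  return outer.start <= inner.start && inner.end <= outer.end;
}

// Returns every required range that no access-list entry fully contains.
function uncoveredRanges(accessList, requiredRanges) {
  const allowed = accessList.map(parseCidr);
  return requiredRanges.filter(
    (r) => !allowed.some((a) => contains(a, parseCidr(r)))
  );
}

// True when the list still holds 0.0.0.0/0, the open range the question removed.
function isWideOpen(accessList) {
  return accessList.some((c) => parseCidr(c).prefix === 0);
}

// Assumption: Atlas private (peering) hostnames carry a "-pri" label, e.g.
// cluster0-pri.<id>.mongodb.net or cluster0-shard-00-00-pri.<id>.mongodb.net,
// while the public string lacks it. Confirm against Connect > Private in Atlas.
function isPrivateConnectionString(uri) {
  const m = /^mongodb(?:\+srv)?:\/\/(?:[^@/]*@)?([^/?]+)/.exec(uri);
  if (!m) return false;
  return m[1].split(",").every((host) => /-pri\./.test(host));
}

// Collects every problem found; an empty array means the config is consistent.
function preflight({ uri, accessList, vpcSubnetRange, connectorRange }) {
  const problems = [];
  if (!isPrivateConnectionString(uri)) {
    problems.push("connection string is not the Atlas private (peering) string");
  }
  if (isWideOpen(accessList)) problems.push("access list still contains 0.0.0.0/0");
  for (const r of uncoveredRanges(accessList, [vpcSubnetRange, connectorRange])) {
    problems.push(`access list does not cover ${r}`);
  }
  return problems;
}

// Opens the connection only after the preflight passes. The driver is loaded
// lazily so the checks above run without the mongodb package installed.
async function connectPrivate(config) {
  const problems = preflight(config);
  if (problems.length > 0) {
    throw new Error("Atlas preflight failed: " + problems.join("; "));
  }
  const { MongoClient } = require("mongodb");
  const client = new MongoClient(config.uri, { serverSelectionTimeoutMS: 5000 });
  await client.connect();
  return client;
}

// Constructed sample configuration mirroring the question's setup.
const sampleConfig = {
  uri: "mongodb+srv://app:PASSWORD_PLACEHOLDER@cluster0-pri.abcde.mongodb.net/appdb",
  vpcSubnetRange: "10.0.0.0/24", // subnet of the peered VPC (step 1)
  connectorRange: "10.8.0.0/28", // Serverless VPC Access connector /28 (step 3)
  accessList: ["10.0.0.0/24", "10.8.0.0/28"], // what the answer says to whitelist
};
```

Running `preflight(sampleConfig)` returns an empty array; dropping the VPC subnet from `accessList` (the state the question was in after step 5) returns `["access list does not cover 10.0.0.0/24"]`, and swapping in the public URI flags the connection string. In the service, call `connectPrivate` with the URI and ranges read from the Cloud Run environment so the check runs on every cold start.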