CIDR Subnet Selection for MongoDB Atlas

January 11, 2017

One of the best features of MongoDB Atlas is the ability to peer your host VPC on your own Amazon Web Services (AWS) account to your Atlas VPC. VPC peering provides you with the ability to use the private IP range of your hosts and MongoDB Atlas cluster. This allows you to reduce your network exposure and improve security of your data. If you chose to use peering there are some considerations you should think about first in selecting the right IP block for your private traffic.

NOTE - As of the writing of this post, AWS standards require both VPCs to be located in the same AWS region. Example: You can peer us-east-1 VPCs to other us-east-1 VPCs, but you cannot peer a us-east-1 VPC to a us-west-2 VPC.

Host VPC

The host VPC is where you configure the systems that your application will use to connect to your MongoDB Atlas cluster. AWS provides your account with a default VPC for your hosts. You may need to modify the default VPC or create a new one to work alongside MongoDB Atlas. Regardless of your use case, it's important to ensure a few basics when configuring your host VPC:

  • Host VPC must be in the same region as your Atlas Cluster

  • Use an RFC-1918 private IP range

MongoDB Atlas requires that your host VPC follow the RFC-1918 standard for private ranges. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

  10.0.0.0 - 10.255.255.255 (10/8 prefix)
  172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

  • Don't overlap your ranges!

The point of peering is to let two private IP ranges work together so that your network traffic stays off the public internet. This requires you to use separate private IP ranges that do not conflict.

AWS states the following in its "Invalid VPC Peering" document:

"You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks."

MongoDB Atlas VPC

When you create a group in MongoDB Atlas, by default we provide you with an AWS VPC which you can only modify before launching your first cluster. Groups with an existing cluster CANNOT MODIFY their VPC CIDR block; this is to comply with the AWS requirement for peering. By default we create a VPC with the IP range 192.168.248.0/21. To specify your own IP block before configuring peering and launching your cluster, follow these steps:

  1. Sign up for MongoDB Atlas and ensure your payment method is completed.
  2. Click on the SECURITY tab, then select PEERING. You should see a page showing that you have not launched a cluster yet.
  3. Click on the New Peering Connection button. You will be given a new "Peering Connection" window to add your peering details. At the bottom of this page you'll see a section to modify "Your Atlas VPC".
  4. If you would like to specify a different IP range, you may use one of the RFC-1918 ranges with the appropriate subnet and enter it here. It's extremely important to choose two distinct RFC-1918 ranges; the two subnets cannot overlap.
  5. Click on the INITIATE PEERING button and follow the directions to add the appropriate subnet ranges.
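As an added example (not code from this post or from Atlas), the two rules above, RFC-1918 only and no overlap with the Atlas VPC, expressed with Python's standard ipaddress module. It assumes the Atlas VPC is still the default 192.168.248.0/21 unless you pass your own, and suggest_host_cidrs is a hypothetical helper that lists non-overlapping candidate blocks so you can pick one before launching a cluster.

```python
import ipaddress

# Default Atlas VPC block named in the post, and the three RFC 1918 blocks.
ATLAS_DEFAULT_CIDR = "192.168.248.0/21"
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def is_rfc1918(net):
    """True if the IPv4 network lies entirely inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)

def check_peering_cidrs(host_cidr, atlas_cidr=ATLAS_DEFAULT_CIDR):
    """Return (ok, reason): both blocks must be well-formed IPv4 CIDRs,
    both must be RFC 1918, and they must neither match nor overlap."""
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.0.0.5/16.
        host = ipaddress.ip_network(host_cidr, strict=True)
        atlas = ipaddress.ip_network(atlas_cidr, strict=True)
    except ValueError as exc:
        return False, "invalid CIDR: %s" % exc
    if host.version != 4 or atlas.version != 4:
        return False, "only IPv4 CIDR blocks are checked here"
    for name, net in (("host", host), ("Atlas", atlas)):
        if not is_rfc1918(net):
            return False, "%s VPC %s is not an RFC 1918 range" % (name, net)
    if host.overlaps(atlas):  # also true when the two blocks are identical
        return False, "host VPC %s overlaps Atlas VPC %s" % (host, atlas)
    return True, "%s and %s can be peered" % (host, atlas)

def suggest_host_cidrs(atlas_cidr=ATLAS_DEFAULT_CIDR, prefixlen=16, limit=3):
    """Hypothetical helper: list up to `limit` RFC 1918 blocks of size
    /prefixlen that do not overlap the Atlas VPC, in address order."""
    atlas = ipaddress.ip_network(atlas_cidr)
    found = []
    for block in RFC1918_BLOCKS:
        if prefixlen < block.prefixlen:
            continue  # a shorter prefix cannot fit inside this block
        cands = [block] if prefixlen == block.prefixlen else block.subnets(new_prefix=prefixlen)
        for cand in cands:
            if not cand.overlaps(atlas):
                found.append(str(cand))
                if len(found) == limit:
                    return found
    return found
```

Note that 192.168.0.0/16 is rejected against the default Atlas VPC because it contains 192.168.248.0/21, while a smaller block such as 192.168.0.0/21 passes.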

Conclusion

Using peering ensures that your database traffic remains off the public network. This gives you a much more secure solution, lets you scale up and down without specifying IP addresses each time, and reduces the cost of transporting your data from server to server. If at any time you run into problems with this, our support team is always available by clicking the SUPPORT icon in the lower left of your window. Our support team is happy to assist in ensuring your peering connection is properly configured.

About the Author - Jay Gordon

Jay is a Technical Account Manager with MongoDB and is available via our chat to discuss MongoDB Cloud Products at https://cloud.mongodb.com.