
I have a VPC running on AWS which was created using kops, and the databases are running on mongo-atlas using GCP as a cloud provider.

The mongo database servers are open to the world. What I'm trying to do is find a way to set up one IP through which my VPC can talk to the database, or get a range of IPs, or any other possible solution?

Here is what I have already tried:

  1. VPC peering: not possible because the database is running on GCP
  2. add all the public IPs of the currently running nodes to mongo atlas: can't do that because I'm using autoscaling
  3. using elastic IPs: not possible because I'm using autoscaling
kasperd
  • Sounds like you need a VPN connection: https://cloud.google.com/vpn/docs/ https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html – kasperd Oct 17 '18 at 15:05
    Your options are limited. Use a [private subnet and a NAT in AWS](https://kubecloud.io/setting-up-a-highly-available-kubernetes-cluster-with-private-networking-on-aws-using-kops-65f7a94782ef) or VPN...maybe a proxy? – kenlukas Oct 17 '18 at 15:26
  • Perhaps a single elastic IP assigned to a NAT instance? If a NAT Gateway has a static IP then that would be better. – Tim Oct 17 '18 at 21:47
  • Although Atlas does require auth & SSL, "open to the world" is definitely not an ideal security practice. Outside of options already mentioned in MLu's answer, have you considered using an Atlas deployment on AWS so you can take advantage of in-region [VPC Peering](https://docs.atlas.mongodb.com/security-vpc-peering/)? That would also significantly reduce your data transfer costs as compared to the GCP/AWS approach. – Stennie Oct 17 '18 at 23:45

1 Answer


Does your AWS cluster really need public IPs? If you're using kops, hence presumably Kubernetes, you should have the worker nodes in private subnets and only have internet facing load balancers in the public subnet with public IPs.

You've got a couple of options:

  • VPN between AWS and GCP - that will allow your AWS resources to talk to the GCP resources over their private IPs. This should work even if your nodes have public IPs.

  • NAT your outbound AWS traffic using NAT gateway(s), one per AWS availability zone.

    NAT gateways have a fixed Elastic IP that you can then whitelist on the GCP side.


BTW, NAT may be a bit tricky if your worker nodes have public IPs. You will essentially need only specific addresses routed through the NAT gateway. E.g. if your Mongo nodes have IPs 192.0.2.1 and 192.0.2.100, your AWS route table will be:

  • 192.0.2.1/32 and 192.0.2.100/32 -> NAT gateway
  • 0.0.0.0/0 -> IGW (AWS Internet Gateway)

I suggest you move the worker nodes to a private subnet and use NAT for all outbound traffic; that will make the routing and whitelisting easier.

Hope that helps :)

MLu
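The split route table described in the answer above, simulated as an added example (not part of the original post). It does longest-prefix matching over the answer's routes (the two Mongo /32s via NAT, default via IGW) and shows which source address Atlas would see; the NAT gateway EIP and the worker's public IP are constructed sample values.

```python
"""Simulate the answer's split route table for a worker in a public subnet.

Added example. Assumes only the Atlas node IPs from the answer
(192.0.2.1 and 192.0.2.100) are routed via the NAT gateway and
everything else takes the Internet Gateway with the node's own IP.
"""
import ipaddress

# Constructed sample values, not real infrastructure.
MONGO_NODE_IPS = ["192.0.2.1", "192.0.2.100"]
NAT_GATEWAY_EIP = "198.51.100.7"   # the one address to whitelist in Atlas
NODE_PUBLIC_IP = "203.0.113.45"    # an autoscaled worker's own public IP


def build_route_table(mongo_ips):
    """One /32 route per Mongo node via the NAT gateway, default via IGW."""
    routes = [(ipaddress.ip_network(f"{ip}/32"), "nat-gateway") for ip in mongo_ips]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "igw"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the VPC router selects a route."""
    addr = ipaddress.ip_address(dst)
    matching = [r for r in routes if addr in r[0]]
    return max(matching, key=lambda r: r[0].prefixlen)[1]


def egress_source_ip(routes, dst):
    """Source address the Atlas side sees for a connection to dst."""
    if lookup(routes, dst) == "nat-gateway":
        return NAT_GATEWAY_EIP
    return NODE_PUBLIC_IP


def check_whitelist(routes, mongo_ips, whitelist):
    """Mongo nodes that would be reached from an address Atlas does not allow.

    Catches the failure mode of the split table: a Mongo node added to
    Atlas but not to the route table leaves via the IGW with a node IP.
    """
    return [ip for ip in mongo_ips if egress_source_ip(routes, ip) not in whitelist]


if __name__ == "__main__":
    table = build_route_table(MONGO_NODE_IPS)
    for dst in MONGO_NODE_IPS + ["203.0.113.9"]:
        print(dst, "->", lookup(table, dst), "from", egress_source_ip(table, dst))
    print("unreachable:", check_whitelist(table, MONGO_NODE_IPS + ["192.0.2.200"], {NAT_GATEWAY_EIP}))
```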