Note
This feature is not available for M0 Free clusters and
Flex clusters. To learn more about which features are
unavailable, see Atlas M0 (Free Cluster) Limits.
Follow these steps to enable a client to connect to an Atlas dedicated cluster using private endpoints.
To learn more about using private endpoints with Atlas, see Learn About Private Endpoints in Atlas.
Required Access
To set up a private endpoint for a dedicated cluster, you must have
Organization Owner or Project Owner access to
the project.
Prerequisites, Considerations, and Limitations
To learn the prerequisites, considerations, and limitations for setting up a private endpoint, see the following resources:
Follow These Steps
To set up AWS PrivateLink through the Atlas CLI, install the Atlas CLI and connect from the Atlas CLI. Then, complete the following steps:
Create the private endpoint service in Atlas.
- Run the Atlas CLI command to initiate the setup of AWS PrivateLink in Atlas. Atlas represents these resources in the form of a private endpoint service. Ensure that the value of --region matches the region where you deployed your cluster:

      atlas privateEndpoints aws create [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws create.

  If you have a multi-region or multi-cloud cluster and you don't enable regionalized private endpoints, you must provision an endpoint for each provider and region.
- Note the private endpoint service's ID in the response. In this example, the ID is 6344ac8f51b94c6356527881.

      Private endpoint '6344ac8f51b94c6356527881' created.
Retrieve the private endpoint service name.
IMPORTANT: It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.
- Run the Atlas CLI command to describe the private endpoint using its ID:

      atlas privateEndpoints aws describe <privateEndpointId> [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws describe.
- Note the value for ENDPOINT SERVICE in the response, which shows the name of the private endpoint service associated with this private endpoint. In this example, the endpoint service name is com.amazonaws.vpce.us-east-1.vpce-svc-0705499aae25ac77c:

      ID                         ENDPOINT SERVICE                                          STATUS      ERROR
      6344ac8f51b94c6356527881   com.amazonaws.vpce.us-east-1.vpce-svc-0705499aae25ac77c   AVAILABLE

  If the STATUS value is INITIATING, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.
Create the interface endpoint in AWS.
- Run the command in the AWS CLI, replacing the following placeholders with your values:

  | Placeholder | Description |
  | --- | --- |
  | {VPC-ID} | Unique string that identifies the peer AWS VPC. Find this value on the VPC dashboard in your AWS account. |
  | {REGION} | AWS region in which your cluster resides. |
  | {SUBNET-IDS} | Unique string that identifies the subnets that your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account. IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint. |
  | {SERVICE-NAME} | Unique string identifying the private endpoint service that you retrieved previously. |

      aws ec2 create-vpc-endpoint --vpc-id {VPC-ID} \
        --region {REGION} --service-name {SERVICE-NAME} \
        --vpc-endpoint-type Interface --subnet-ids {SUBNET-IDS}

  To learn more about the AWS CLI, see Creating an Interface Endpoint.
- Note the value in the response for the field VpcEndpointId. This is a 22-character alphanumeric string that identifies your private endpoint. You can also find this value on the AWS VPC Dashboard under Endpoints > VPC ID.
Update your private endpoint with the VPC Endpoint ID.
- Run the Atlas CLI command to provide the interface endpoint info to Atlas using the Atlas endpoint service ID and the VPC Endpoint ID. In this example, you would set the following parameters:

  | Parameter | Type | Example Value |
  | --- | --- | --- |
  | endpointServiceId | Argument | 6344ac8f51b94c6356527881 |
  | privateEndpointId | Option | vpce-00713b5e644e830a3 |

      atlas privateEndpoints aws interfaces create <endpointServiceId> [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws interfaces create.
Configure your resources' security groups to send traffic to and receive traffic from the interface endpoint.
For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.
See Adding Rules to a Security Group for more information.
Create a security group for your interface endpoint to allow resources to access it.
This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:
- In the AWS console, navigate to the VPC Dashboard. 
- Click Security Groups, then click Create security group. 
- Use the wizard to create a security group. Make sure you select your VPC from the VPC list. 
- Select the security group you just created, then click the Inbound Rules tab. 
- Click Edit Rules. 
- Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster. 
- Click Save Rules. 
- Click Endpoints, then click the endpoint for your VPC. 
- Click the Security Groups tab, then click Edit Security Groups. 
- Add the security group you just created, then click Save. 
To learn more about VPC security groups, see the AWS documentation.
Verify the private endpoint's availability.
You can connect to the cluster using the AWS PrivateLink private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.
To verify that the AWS private endpoint is available:
- Run the Atlas CLI command to describe the interface endpoint using its ID. In this example, you would set the following parameters:

  | Parameter | Type | Example Value |
  | --- | --- | --- |
  | interfaceEndpointId | Argument | vpce-00713b5e644e830a3 |
  | endpointServiceId | Option | 6344ac8f51b94c6356527881 |

      atlas privateEndpoints aws interfaces describe <interfaceEndpointId> [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints aws interfaces describe.
- Verify that the STATUS field's value is AVAILABLE as shown in the following example:

      ID                       STATUS      ERROR
      vpce-00713b5e644e830a3   AVAILABLE
To set up AWS PrivateLink through the Atlas UI:
In Atlas, go to the Database & Network Access page for your project.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Database & Network Access under the Security heading. 
The Database & Network Access page displays.
Configure your private endpoint.
WARNING: To avoid connection interruptions, you must specify the correct information. We recommend that you don't skip the commands and substeps in this step.
- Enter the following details about your AWS VPC:
  - Your VPC ID: Unique identifier of the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.
  - Your Subnet IDs: Unique identifiers of the subnets your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account. You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.
- Copy the command the dialog box displays and run it using the AWS CLI.

  IMPORTANT: If you skip this step, the interface endpoint for the Private Endpoint service isn't created.

  You can't copy the command until Atlas finishes creating VPC resources in the background.

  See Creating an Interface Endpoint to perform this task using the AWS CLI.
- Click Next. 
Configure your resources' security groups to send traffic to and receive traffic from the interface endpoint.
For each resource that needs to connect to your Atlas clusters using AWS PrivateLink, the resource's security group must allow outbound traffic to the interface endpoint's private IP addresses on all ports.
See Adding Rules to a Security Group for more information.
Create a security group for your interface endpoint to allow resources to access it.
This security group must allow inbound traffic on all ports from each resource that needs to connect to your Atlas clusters using AWS PrivateLink:
- In the AWS console, navigate to the VPC Dashboard. 
- Click Security Groups, then click Create security group. 
- Use the wizard to create a security group. Make sure you select your VPC from the VPC list. 
- Select the security group you just created, then click the Inbound Rules tab. 
- Click Edit Rules. 
- Add rules to allow all inbound traffic from each resource in your VPC that you want to connect to your Atlas cluster. 
- Click Save Rules. 
- Click Endpoints, then click the endpoint for your VPC. 
- Click the Security Groups tab, then click Edit Security Groups. 
- Add the security group you just created, then click Save. 
To learn more about VPC security groups, see the AWS documentation.
In Atlas, go to the Database & Network Access page for your project.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Database & Network Access under the Security heading. 
The Database & Network Access page displays.
Verify that the private endpoint is available.
You can connect to an Atlas cluster using the AWS PrivateLink private endpoint when all of the resources are configured and the private endpoint becomes available.
To verify that the AWS PrivateLink private endpoint is available:
On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using AWS PrivateLink:
| Atlas Endpoint Service Status | Available | 
| Endpoint Status | Available | 
To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.
If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.
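The security group steps in both the Atlas CLI and Atlas UI procedures above ask for inbound rules on all ports from each client resource. The following check is an added example, not part of the Atlas documentation: it reads `aws ec2 describe-security-groups` style JSON for the endpoint's security group and reports sources outside the VPC and clients that lack an all-ports rule. The function names, finding labels, and sample IDs are constructed, and "all ports" is assumed to mean protocol -1 or TCP 0-65535.

```python
import ipaddress
import json

# Constructed sample: trimmed describe-security-groups output for the security
# group attached to the interface endpoint. All IDs and CIDRs are made up.
SAMPLE_ENDPOINT_SG = json.loads("""
{
  "SecurityGroups": [{
    "GroupId": "sg-0aaa1111bbbb2222c",
    "IpPermissions": [
      {"IpProtocol": "-1",
       "UserIdGroupPairs": [{"GroupId": "sg-0ddd3333eeee4444f"}],
       "IpRanges": [], "Ipv6Ranges": []},
      {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
       "UserIdGroupPairs": [],
       "IpRanges": [{"CidrIp": "10.0.2.0/24"}], "Ipv6Ranges": []},
      {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
       "UserIdGroupPairs": [],
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
    ]
  }]
}
""")["SecurityGroups"][0]


def covers_all_ports(perm):
    """True if the rule admits every port (assumption: -1 or TCP 0-65535)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == 0
            and perm.get("ToPort") == 65535)


def audit_endpoint_sg(sg, vpc_cidr, client_sgs=(), client_cidrs=()):
    """Return (label, source) findings for the endpoint's inbound rules.

    vpc_cidr is the IPv4 CIDR of the VPC that holds the interface endpoint.
    client_sgs / client_cidrs name the resources that must reach the endpoint.
    """
    vpc_net = ipaddress.ip_network(vpc_cidr)
    findings = []
    allowed_sgs = set()
    allowed_nets = []

    for perm in sg.get("IpPermissions", []):
        full = covers_all_ports(perm)
        for pair in perm.get("UserIdGroupPairs", []):
            if full:
                allowed_sgs.add(pair["GroupId"])
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if not net.subnet_of(vpc_net):
                # PrivateLink clients live inside the VPC, so a wider source
                # range grants access the procedure never asks for.
                findings.append(("SOURCE_OUTSIDE_VPC", rng["CidrIp"]))
            elif full:
                allowed_nets.append(net)
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(("IPV6_SOURCE_NEEDS_REVIEW", rng["CidrIpv6"]))

    for sg_id in client_sgs:
        if sg_id not in allowed_sgs:
            findings.append(("CLIENT_NOT_ALLOWED_ALL_PORTS", sg_id))
    for cidr in client_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(ok) for ok in allowed_nets):
            findings.append(("CLIENT_NOT_ALLOWED_ALL_PORTS", cidr))
    return findings


if __name__ == "__main__":
    for label, source in audit_endpoint_sg(
            SAMPLE_ENDPOINT_SG, "10.0.0.0/16",
            client_sgs=["sg-0ddd3333eeee4444f"],
            client_cidrs=["10.0.2.0/24"]):
        print(label, source)
```

An empty result means every listed client has an all-ports rule and no rule admits a source outside the VPC.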
To set up Azure Private Link through the Atlas CLI, install the Atlas CLI and connect from the Atlas CLI. Then, complete the following steps:
Create the private endpoint service in Atlas.
- Run the Atlas CLI command to create a private endpoint and private endpoint service in Atlas. Ensure that the value of --region matches the region where you deployed your cluster:

      atlas privateEndpoints azure create [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure create.

  If you have a multi-region or multi-cloud cluster and you don't enable regionalized private endpoints, you must provision an endpoint for each provider and region.
- Note the private endpoint service's ID in the response. In this example, the ID is 6344ac8f51b94c6356527881.

      Private endpoint '6344ac8f51b94c6356527881' created.
Retrieve the private endpoint service name.
IMPORTANT: It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.
- Run the Atlas CLI command to describe the private endpoint using its service ID:

      atlas privateEndpoints azure describe <privateEndpointId> [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure describe.
- Note the value for ENDPOINT SERVICE in the response, which shows the endpoint service name. In this example, the endpoint service name is pls_6344ac8f51b94c6356527881:

      ID                         ENDPOINT SERVICE               STATUS      ERROR
      6344ac8f51b94c6356527881   pls_6344ac8f51b94c6356527881   AVAILABLE

  If the STATUS value is INITIATING, wait 1-2 more minutes for Atlas to provision the private endpoint. Then, try this step again.
Create the endpoint in Azure.
- Run the az network private-endpoint create command in the Azure CLI, replacing the following placeholders with your values:

  | Placeholder | Description |
  | --- | --- |
  | {RESOURCE-GROUP-NAME} | Name of the Azure resource group that contains the VNet that you want to use to connect to Atlas. You can find this value on the Resource Group Properties page on your Azure dashboard. |
  | {VIRTUAL-NETWORK-NAME} | Name of the VNet that you want to use to connect to Atlas. You can find this value on the Virtual Network page on your Azure dashboard. |
  | {SUBNET-NAME} | Name of the subnet in your Azure VNet. You can find this value on the Virtual Network Subnets page on your Azure dashboard. |
  | {PRIVATE-ENDPOINT-NAME} | Human-readable label that identifies the private endpoint within your Azure resource group. |
  | {SUBSCRIPTION-ID} | Unique string that identifies your subscription in Azure. You can find this value on the Subscriptions page in Azure. |
  | {RESOURCE-GROUP-ID} | Unique string that identifies your Azure resource group on Atlas. You can find this value under the Private Endpoint tab on the Network Access page in the Atlas UI. This value begins with rg_ and contains a combination of letters and numbers that resembles rg_65c66a56a3a43.... |
  | {ENDPOINT-SERVICE-NAME} | Unique string that identifies the endpoint service. This is the endpoint service name returned in a previous step. |

      az network private-endpoint create --resource-group {RESOURCE-GROUP-NAME} --name {PRIVATE-ENDPOINT-NAME} --vnet-name {VIRTUAL-NETWORK-NAME} --subnet {SUBNET-NAME} --private-connection-resource-id /subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-ID}/providers/Microsoft.Network/privateLinkServices/{ENDPOINT-SERVICE-NAME} --connection-name {ENDPOINT-SERVICE-NAME} --manual-request true

  To learn more about the Azure CLI, see Create a Private Endpoint by Using the Azure CLI.
- Copy and save the following values:
  - Resource ID: Unique string that identifies the private endpoint in your Azure VNet. Find this value in one of the following ways:
    - Use the Azure dashboard to retrieve this value. The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.
    - Use the output from the following command, which returns the value in the id field:

          azure network private-endpoint create

          {
            "customDnsConfigs": [],
            "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
            "location": "eastus2",
            "manualPrivateLinkServiceConnections": [
              {
                "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
                "groupIds": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
                "name": "pls_5f860388d432510d5a6e1a3e",
                "privateLinkServiceConnectionState": {
                  "actionsRequired": "None",
                  "description": "Connection deleted by service provider",
                  "status": "Disconnected"
                },
                "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
                "provisioningState": "Succeeded",
                "requestMessage": null,
                "resourceGroup": "privatelink",
                "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
              }
            ],
            "name": "privatelink",
            "networkInterfaces": [
              {
                "dnsSettings": null,
                "dscpConfiguration": null,
                "enableAcceleratedNetworking": null,
                "enableIpForwarding": null,
                "etag": null,
                "hostedWorkloads": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
                "ipConfigurations": null,
                "location": null,
                "macAddress": null,
                "name": null,
                "networkSecurityGroup": null,
                "primary": null,
                "privateEndpoint": null,
                "provisioningState": null,
                "resourceGroup": "privatelink",
                "resourceGuid": null,
                "tags": null,
                "tapConfigurations": null,
                "type": null,
                "virtualMachine": null
              }
            ],
            "privateLinkServiceConnections": [],
            "provisioningState": "Succeeded",
            "resourceGroup": "privatelink",
            "subnet": {
              "addressPrefix": null,
              "addressPrefixes": null,
              "delegations": null,
              "etag": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
              "ipAllocations": null,
              "ipConfigurationProfiles": null,
              "ipConfigurations": null,
              "name": null,
              "natGateway": null,
              "networkSecurityGroup": null,
              "privateEndpointNetworkPolicies": null,
              "privateEndpoints": null,
              "privateLinkServiceNetworkPolicies": null,
              "provisioningState": null,
              "purpose": null,
              "resourceGroup": "privatelink",
              "resourceNavigationLinks": null,
              "routeTable": null,
              "serviceAssociationLinks": null,
              "serviceEndpointPolicies": null,
              "serviceEndpoints": null
            },
            "tags": null,
            "type": "Microsoft.Network/privateEndpoints"
          }

      You can also return this value using the azure network private-endpoint list CLI command.
  - Private IP: Private IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:
    - Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.
    - Use the Azure CLI to retrieve this value:
      - Use the output from the following command, which returns the ID of the network interface in the networkInterfaces.id field:

            azure network private-endpoint create

            {
              "customDnsConfigs": [],
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
              "location": "eastus2",
              "manualPrivateLinkServiceConnections": [
                {
                  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
                  "groupIds": null,
                  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
                  "name": "pls_5f860388d432510d5a6e1a3e",
                  "privateLinkServiceConnectionState": {
                    "actionsRequired": "None",
                    "description": "Connection deleted by service provider",
                    "status": "Disconnected"
                  },
                  "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
                  "provisioningState": "Succeeded",
                  "requestMessage": null,
                  "resourceGroup": "privatelink",
                  "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
                }
              ],
              "name": "privatelink",
              "networkInterfaces": [
                {
                  "dnsSettings": null,
                  "dscpConfiguration": null,
                  "enableAcceleratedNetworking": null,
                  "enableIpForwarding": null,
                  "etag": null,
                  "hostedWorkloads": null,
                  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
                  "ipConfigurations": null,
                  "location": null,
                  "macAddress": null,
                  "name": null,
                  "networkSecurityGroup": null,
                  "primary": null,
                  "privateEndpoint": null,
                  "provisioningState": null,
                  "resourceGroup": "privatelink",
                  "resourceGuid": null,
                  "tags": null,
                  "tapConfigurations": null,
                  "type": null,
                  "virtualMachine": null
                }
              ],
              "privateLinkServiceConnections": [],
              "provisioningState": "Succeeded",
              "resourceGroup": "privatelink",
              "subnet": {
                "addressPrefix": null,
                "addressPrefixes": null,
                "delegations": null,
                "etag": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
                "ipAllocations": null,
                "ipConfigurationProfiles": null,
                "ipConfigurations": null,
                "name": null,
                "natGateway": null,
                "networkSecurityGroup": null,
                "privateEndpointNetworkPolicies": null,
                "privateEndpoints": null,
                "privateLinkServiceNetworkPolicies": null,
                "provisioningState": null,
                "purpose": null,
                "resourceGroup": "privatelink",
                "resourceNavigationLinks": null,
                "routeTable": null,
                "serviceAssociationLinks": null,
                "serviceEndpointPolicies": null,
                "serviceEndpoints": null
              },
              "tags": null,
              "type": "Microsoft.Network/privateEndpoints"
            }
      - Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the networkInterfaces.id field to retrieve the ipConfigurations.privateIPAddress for the private endpoint network interface. The value of this field is your Private IP. The input and output should look similar to the following. Note the value of the Private Endpoint IP Address field.

            az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000

            {
              "dnsSettings": {
                "appliedDnsServers": [],
                "dnsServers": [],
                "internalDnsNameLabel": null,
                "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net",
                "internalFqdn": null
              },
              "dscpConfiguration": null,
              "enableAcceleratedNetworking": false,
              "enableIpForwarding": false,
              "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
              "hostedWorkloads": [],
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
              "ipConfigurations": [
                {
                  "applicationGatewayBackendAddressPools": null,
                  "applicationSecurityGroups": null,
                  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
                  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig",
                  "loadBalancerBackendAddressPools": null,
                  "loadBalancerInboundNatRules": null,
                  "name": "privateEndpointIpConfig",
                  "primary": true,
                  "privateIpAddress": "10.0.0.4",
                  "privateIpAddressVersion": "IPv4",
                  "privateIpAllocationMethod": "Dynamic",
                  "privateLinkConnectionProperties": {
                    "fqdns": [],
                    "groupId": "",
                    "requiredMemberName": ""
                  },
                  "provisioningState": "Succeeded",
                  "publicIpAddress": null,
                  "resourceGroup": "privatelink",
                  "subnet": {
                    "addressPrefix": null,
                    "addressPrefixes": null,
                    "delegations": null,
                    "etag": null,
                    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
                    "ipAllocations": null,
                    "ipConfigurationProfiles": null,
                    "ipConfigurations": null,
                    "name": null,
                    "natGateway": null,
                    "networkSecurityGroup": null,
                    "privateEndpointNetworkPolicies": null,
                    "privateEndpoints": null,
                    "privateLinkServiceNetworkPolicies": null,
                    "provisioningState": null,
                    "purpose": null,
                    "resourceGroup": "privatelink",
                    "resourceNavigationLinks": null,
                    "routeTable": null,
                    "serviceAssociationLinks": null,
                    "serviceEndpointPolicies": null,
                    "serviceEndpoints": null
                  },
                  "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
                  "virtualNetworkTaps": null
                }
              ],
              "location": "eastus2",
              "macAddress": "",
              "name": "privatelink.nic.00000000-0000-0000-0000-000000000000",
              "networkSecurityGroup": null,
              "primary": null,
              "privateEndpoint": {
                "customDnsConfigs": null,
                "etag": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
                "location": null,
                "manualPrivateLinkServiceConnections": null,
                "name": null,
                "networkInterfaces": null,
                "privateLinkServiceConnections": null,
                "provisioningState": null,
                "resourceGroup": "privatelink",
                "subnet": null,
                "tags": null,
                "type": null
              },
              "provisioningState": "Succeeded",
              "resourceGroup": "privatelink",
              "resourceGuid": "00000000-0000-0000-0000-000000000000",
              "tags": null,
              "tapConfigurations": [],
              "type": "Microsoft.Network/networkInterfaces",
              "virtualMachine": null
            }
 
 
Update your private endpoint with the Resource ID and Private IP.
- Run the Atlas CLI command to create an interface endpoint in Atlas using the Atlas endpoint service ID, the Azure Resource ID, and the Azure Private IP. In this example, you would set the following parameters:

  | Parameter | Type | Example Value |
  | --- | --- | --- |
  | endpointServiceId | Argument | 6344ac8f51b94c6356527881 |
  | privateEndpointId | Option | /subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/test-endpoint |
  | privateEndpointIpAddress | Option | 10.0.0.4 |

      atlas privateEndpoints azure interfaces create <endpointServiceId> [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure interfaces create.
- Note the private endpoint's interface endpoint ID in the response. In this example, the ID is /subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/cli-test.

      Interface endpoint '/subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/cli-test' created.
Verify the private endpoint's availability.
You can connect to the cluster using the Azure Private Link private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.
To verify that the Azure private endpoint is available:
- Run the Atlas CLI command to describe the interface endpoint using its ID and the interface endpoint ID you retrieved in the previous step. In this example, you would set the following parameters:

  | Parameter | Type | Example Value |
  | --- | --- | --- |
  | privateEndpointResourceId | Argument | /subscriptions/4e133d35-e734-4385-a565-c0945567ae346/resourceGroups/rg_95847a959b876e255dbb9b33_dfragd7w/providers/Microsoft.Network/privateEndpoints/cli-test |
  | endpointServiceId | Option | 6344ac8f51b94c6356527881 |

      atlas privateEndpoints azure interfaces describe <privateEndpointResourceId> [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints azure interfaces describe.
- Verify that the STATUS field's value is AVAILABLE as shown in the following example:

      ID                             STATUS      ERROR
      pls_6344ac8f51b94c6356527881   AVAILABLE
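The Azure CLI procedure above passes two values from Azure back to Atlas: the Resource ID from the create output and the Private IP from the network interface output. The following sketch is an added example, not part of the Atlas documentation: it extracts and validates both and assembles the arguments for atlas privateEndpoints azure interfaces create. The function names are constructed, the sample data is trimmed from the outputs shown in the steps, and the two option names are taken from the parameter table in the update step.

```python
import ipaddress
import re

# Constructed samples: trimmed copies of the two outputs shown in the steps.
_NET = ("/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/privatelink/providers/Microsoft.Network")
SAMPLE_CREATE = {
    "id": _NET + "/privateEndpoints/privatelink",
    "manualPrivateLinkServiceConnections": [{
        "name": "pls_5f860388d432510d5a6e1a3e",
        "privateLinkServiceConnectionState": {"status": "Disconnected"},
    }],
    "networkInterfaces": [{
        "id": _NET + "/networkInterfaces/"
              "privatelink.nic.00000000-0000-0000-0000-000000000000",
        "ipConfigurations": None,  # the create output does not carry the IP
    }],
    "privateLinkServiceConnections": [],
}
SAMPLE_NIC = {
    "ipConfigurations": [{
        "name": "privateEndpointIpConfig",
        "primary": True,
        "privateIpAddress": "10.0.0.4",
    }],
}

RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/privateEndpoints/[^/]+$")


def endpoint_values(create_output):
    """Return (resource_id, nic_id, connection_status) from the create output."""
    resource_id = create_output.get("id") or ""
    if not RESOURCE_ID_RE.match(resource_id):
        raise ValueError("top-level id is not a private endpoint resource ID")
    nics = create_output.get("networkInterfaces") or []
    if len(nics) != 1 or not nics[0].get("id"):
        raise ValueError("expected exactly one network interface with an id")
    # With --manual-request true the connection is listed under
    # manualPrivateLinkServiceConnections; otherwise under the other key.
    conns = ((create_output.get("manualPrivateLinkServiceConnections") or [])
             + (create_output.get("privateLinkServiceConnections") or []))
    status = None
    if conns:
        state = conns[0].get("privateLinkServiceConnectionState") or {}
        status = state.get("status")
    return resource_id, nics[0]["id"], status


def private_ip(nic_output):
    """Return the private IP from `az network nic show` style output."""
    configs = nic_output.get("ipConfigurations") or []
    preferred = [c for c in configs if c.get("primary")] or configs
    for cfg in preferred:
        # The page's text and its sample output spell this key differently,
        # so accept both spellings.
        value = cfg.get("privateIpAddress") or cfg.get("privateIPAddress")
        if value:
            addr = ipaddress.ip_address(value)
            if not addr.is_private:
                raise ValueError(f"{value} is not a private address")
            return str(addr)
    raise ValueError("no private IP in ipConfigurations")


def atlas_interface_args(endpoint_service_id, create_output, nic_output):
    """Build the argument list for the Atlas CLI update step."""
    resource_id, _nic_id, _status = endpoint_values(create_output)
    return ["atlas", "privateEndpoints", "azure", "interfaces", "create",
            endpoint_service_id,
            "--privateEndpointId", resource_id,
            "--privateEndpointIpAddress", private_ip(nic_output)]


if __name__ == "__main__":
    print(endpoint_values(SAMPLE_CREATE))
    print(" ".join(atlas_interface_args(
        "6344ac8f51b94c6356527881", SAMPLE_CREATE, SAMPLE_NIC)))
```

The connection status is returned rather than enforced so that a caller can log it next to the STATUS value that the Atlas CLI reports in the verification step.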
To set up Azure Private Link through the Atlas UI:
In Atlas, go to the Database & Network Access page for your project.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Database & Network Access under the Security heading. 
The Database & Network Access page displays.
Configure your private endpoint.
WARNING: To avoid connection interruptions, you must specify the correct information. We recommend that you don't skip the commands and substeps in this step.
- Enter the following details about your Azure VNet:
  - Resource Group Name: The name of the resource group that contains the VNet that you want to use to connect to Atlas. Find this value on the Resource Group Properties page on your Azure dashboard.
  - Virtual Network Name: The name of the VNet that you want to use to connect to Atlas. Find this value on the Virtual Network page on your Azure dashboard.
  - Subnet Name: The name of the subnet in your Azure VNet. Find this value on the Virtual Network Subnets page on your Azure dashboard.
- Enter a unique name for your private endpoint in the Private Endpoint Name field. 
- Create the private endpoint in your VNet by copying the az network private-endpoint create command the dialog box displays and running it using the Azure CLI.

  IMPORTANT: You can't copy the command until Atlas finishes creating VNet resources in the background.

  For more information about this command, see the Azure documentation.
- You might receive an error like the following when you create the private endpoint:

      ServiceError: code: LinkedAuthorizationFailed - , The client has permission to perform action 'Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action' on scope '/subscriptions/<subscription-id>/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink', however the current tenant '<tenant-id>' is not authorized to access linked subscription '<tenant-id>'.

  If you receive this error, you must add the --manual-request true parameter to the Azure CLI command you used to create the private endpoint, then run the command again.
- Click Next. 
Finalize your private endpoint connection.
WARNING: To avoid connection interruptions, you must specify the correct information. We recommend that you don't skip the commands and substeps in this step.
- Enter the following details about your private endpoint:
  - Private Endpoint Resource ID: The unique identifier of the private endpoint you created in your Azure VNet. Find this value in one of the following ways:
    - The Properties page for your private endpoint on your Azure dashboard displays this property in the Resource ID field.
    - The output from the following command that you ran earlier to create the private endpoint returns the value in the id field:

          azure network private-endpoint create

          {
            "customDnsConfigs": [],
            "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
            "location": "eastus2",
            "manualPrivateLinkServiceConnections": [
              {
                "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
                "groupIds": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
                "name": "pls_5f860388d432510d5a6e1a3e",
                "privateLinkServiceConnectionState": {
                  "actionsRequired": "None",
                  "description": "Connection deleted by service provider",
                  "status": "Disconnected"
                },
                "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
                "provisioningState": "Succeeded",
                "requestMessage": null,
                "resourceGroup": "privatelink",
                "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
              }
            ],
            "name": "privatelink",
            "networkInterfaces": [
              {
                "dnsSettings": null,
                "dscpConfiguration": null,
                "enableAcceleratedNetworking": null,
                "enableIpForwarding": null,
                "etag": null,
                "hostedWorkloads": null,
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
                "ipConfigurations": null,
                "location": null,
                "macAddress": null,
                "name": null,
                "networkSecurityGroup": null,
                "primary": null,
                "privateEndpoint": null,
                "provisioningState": null,
                "resourceGroup": "privatelink",
                "resourceGuid": null,
                "tags": null,
                "tapConfigurations": null,
                "type": null,
                "virtualMachine": null
              }
            ],
            "privateLinkServiceConnections": [],
            "provisioningState": "Succeeded",
            "resourceGroup": "privatelink",
            "subnet": {
              "addressPrefix": null,
              "addressPrefixes": null,
              "delegations": null,
              "etag": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
              "ipAllocations": null,
              "ipConfigurationProfiles": null,
              "ipConfigurations": null,
              "name": null,
              "natGateway": null,
              "networkSecurityGroup": null,
              "privateEndpointNetworkPolicies": null,
              "privateEndpoints": null,
              "privateLinkServiceNetworkPolicies": null,
              "provisioningState": null,
              "purpose": null,
              "resourceGroup": "privatelink",
              "resourceNavigationLinks": null,
              "routeTable": null,
              "serviceAssociationLinks": null,
              "serviceEndpointPolicies": null,
              "serviceEndpoints": null
            },
            "tags": null,
            "type": "Microsoft.Network/privateEndpoints"
          }
- Private Endpoint IP Address
  The private IP address of the private endpoint network interface you created in your Azure VNet. Find this value in one of the following ways:
- Use the Azure dashboard to retrieve this value. The Overview page for your private endpoint on your Azure dashboard displays this property in the Private IP field.
- Use the Azure CLI to retrieve this value:
- The output from the following command that you ran earlier to create the private endpoint includes the ID of the network interface in the highlighted networkInterfaces.id field:

      azure network private-endpoint create

      {
        "customDnsConfigs": [],
        "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
        "location": "eastus2",
        "manualPrivateLinkServiceConnections": [
          {
            "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
            "groupIds": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink/manualPrivateLinkServiceConnections/pls_5f860388d432510d5a6e1a3e",
            "name": "pls_5f860388d432510d5a6e1a3e",
            "privateLinkServiceConnectionState": {
              "actionsRequired": "None",
              "description": "Connection deleted by service provider",
              "status": "Disconnected"
            },
            "privateLinkServiceId": "pls_5f860388d432510d5a6e1a3e.00000000-0000-0000-0000-000000000000.eastus2.privatelinkservice",
            "provisioningState": "Succeeded",
            "requestMessage": null,
            "resourceGroup": "privatelink",
            "type": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections"
          }
        ],
        "name": "privatelink",
        "networkInterfaces": [
          {
            "dnsSettings": null,
            "dscpConfiguration": null,
            "enableAcceleratedNetworking": null,
            "enableIpForwarding": null,
            "etag": null,
            "hostedWorkloads": null,
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
            "ipConfigurations": null,
            "location": null,
            "macAddress": null,
            "name": null,
            "networkSecurityGroup": null,
            "primary": null,
            "privateEndpoint": null,
            "provisioningState": null,
            "resourceGroup": "privatelink",
            "resourceGuid": null,
            "tags": null,
            "tapConfigurations": null,
            "type": null,
            "virtualMachine": null
          }
        ],
        "privateLinkServiceConnections": [],
        "provisioningState": "Succeeded",
        "resourceGroup": "privatelink",
        "subnet": {
          "addressPrefix": null,
          "addressPrefixes": null,
          "delegations": null,
          "etag": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
          "ipAllocations": null,
          "ipConfigurationProfiles": null,
          "ipConfigurations": null,
          "name": null,
          "natGateway": null,
          "networkSecurityGroup": null,
          "privateEndpointNetworkPolicies": null,
          "privateEndpoints": null,
          "privateLinkServiceNetworkPolicies": null,
          "provisioningState": null,
          "purpose": null,
          "resourceGroup": "privatelink",
          "resourceNavigationLinks": null,
          "routeTable": null,
          "serviceAssociationLinks": null,
          "serviceEndpointPolicies": null,
          "serviceEndpoints": null
        },
        "tags": null,
        "type": "Microsoft.Network/privateEndpoints"
      }
- Run the az network nic show --id {networkInterface.id} Azure CLI command with the value of the networkInterfaces.id field to retrieve the ipConfigurations.privateIPAddress for the private endpoint network interface. The value of this field is your Private Endpoint IP Address. The input and output should look similar to the following. Note the highlighted value of the Private Endpoint IP Address field.

      az network nic show --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000

      {
        "dnsSettings": {
          "appliedDnsServers": [],
          "dnsServers": [],
          "internalDnsNameLabel": null,
          "internalDomainNameSuffix": "<>.cx.internal.cloudapp.net",
          "internalFqdn": null
        },
        "dscpConfiguration": null,
        "enableAcceleratedNetworking": false,
        "enableIpForwarding": false,
        "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
        "hostedWorkloads": [],
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000",
        "ipConfigurations": [
          {
            "applicationGatewayBackendAddressPools": null,
            "applicationSecurityGroups": null,
            "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/networkInterfaces/privatelink.nic.00000000-0000-0000-0000-000000000000/ipConfigurations/privateEndpointIpConfig",
            "loadBalancerBackendAddressPools": null,
            "loadBalancerInboundNatRules": null,
            "name": "privateEndpointIpConfig",
            "primary": true,
            "privateIpAddress": "10.0.0.4",
            "privateIpAddressVersion": "IPv4",
            "privateIpAllocationMethod": "Dynamic",
            "privateLinkConnectionProperties": {
              "fqdns": [],
              "groupId": "",
              "requiredMemberName": ""
            },
            "provisioningState": "Succeeded",
            "publicIpAddress": null,
            "resourceGroup": "privatelink",
            "subnet": {
              "addressPrefix": null,
              "addressPrefixes": null,
              "delegations": null,
              "etag": null,
              "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/virtualNetworks/privatelink/subnets/privatelink",
              "ipAllocations": null,
              "ipConfigurationProfiles": null,
              "ipConfigurations": null,
              "name": null,
              "natGateway": null,
              "networkSecurityGroup": null,
              "privateEndpointNetworkPolicies": null,
              "privateEndpoints": null,
              "privateLinkServiceNetworkPolicies": null,
              "provisioningState": null,
              "purpose": null,
              "resourceGroup": "privatelink",
              "resourceNavigationLinks": null,
              "routeTable": null,
              "serviceAssociationLinks": null,
              "serviceEndpointPolicies": null,
              "serviceEndpoints": null
            },
            "type": "Microsoft.Network/networkInterfaces/ipConfigurations",
            "virtualNetworkTaps": null
          }
        ],
        "location": "eastus2",
        "macAddress": "",
        "name": "privatelink.nic.00000000-0000-0000-0000-000000000000",
        "networkSecurityGroup": null,
        "primary": null,
        "privateEndpoint": {
          "customDnsConfigs": null,
          "etag": null,
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/privatelink/providers/Microsoft.Network/privateEndpoints/privatelink",
          "location": null,
          "manualPrivateLinkServiceConnections": null,
          "name": null,
          "networkInterfaces": null,
          "privateLinkServiceConnections": null,
          "provisioningState": null,
          "resourceGroup": "privatelink",
          "subnet": null,
          "tags": null,
          "type": null
        },
        "provisioningState": "Succeeded",
        "resourceGroup": "privatelink",
        "resourceGuid": "00000000-0000-0000-0000-000000000000",
        "tags": null,
        "tapConfigurations": [],
        "type": "Microsoft.Network/networkInterfaces",
        "virtualMachine": null
      }
 
 
- Enter an optional description for the endpoint. 
- Click Create. 
In Atlas, go to the Database & Network Access page for your project.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Database & Network Access under the Security heading. 
The Database & Network Access page displays.
Verify that the private endpoint is available.
You can connect to an Atlas cluster using the Azure Private Link private endpoint when all of the resources are configured and the private endpoint becomes available.
To verify that the Azure Private Link private endpoint is available:
On the Private Endpoint tab, select a cluster type and verify the following statuses for the region that contains the cluster you want to connect to using Azure Private Link:
| Atlas Endpoint Service Status | Available | 
| Endpoint Status | Available | 
To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.
If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.
To set up GCP Private Service Connect in Google Cloud through the Atlas CLI, install the Atlas CLI and connect from the Atlas CLI. Then, complete the following steps:
Create the private endpoint in Atlas.
- Run the Atlas CLI command to create a private endpoint in Atlas. Ensure that the value of --region matches the region where you deployed your cluster:

      atlas privateEndpoints gcp create [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp create.

  If you have a multi-region or multi-cloud cluster and you don't enable regionalized private endpoints, you must provision an endpoint for each provider and region.
- Note the private endpoint's ID in the response. In this example, the ID is 6344ac8f51b94c6356527881.

      Private endpoint '6344ac8f51b94c6356527881' created.
Wait for the private endpoint to become available.
IMPORTANT: It might take Atlas some time to provision the private endpoint. Wait 1-2 minutes before you complete this step.
Run the Atlas CLI command to describe the private endpoint using its ID:
atlas privateEndpoints gcp describe <privateEndpointId> [options] 
To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp describe.
The following shows a sample output:
ID                          GROUP NAME      REGION        STATUS          ERROR
6344ac8f51b94c6356527881    N/A             CENTRAL_US    AVAILABLE
If the STATUS value is INITIATING, wait 1-2 more
minutes for Atlas to provision the private endpoint. Then, try this step again.
Create the endpoint in GCP.
- Create a shell script file named setup_psc.sh.
- Copy and paste the following code into the setup_psc.sh file, replacing the following placeholders with your values:

  | Placeholder | Description |
  | --- | --- |
  | {GCP-PROJECT-ID} | Unique string that identifies your Google Cloud project in Google Cloud. |
  | {ATLAS-GCP-PROJECT-ID} | Unique string that identifies the Google Cloud project in which Atlas deploys your resources. |
  | {ENDPOINT} | Unique string that identifies your private endpoint. This is the prefix for all forwarding rules you create. |
  | {REGION} | Google Cloud region in which your cluster resides. |
  | {SUBNET} | When you create Private Service Connect endpoints, you specify a subnet in your VPC network; you may either create a new subnet to encapsulate your endpoints or use an existing one. This subnet needs to have at least 50 unassigned IP addresses. |
  | {VPC-NAME} | Name of the VNet that you want to use to connect to Atlas. You can find this value on the VPC Network page on your Google Cloud dashboard. |
  | {GROUP-ID} | Unique 24-character hexadecimal string that identifies your project in Atlas. |

      #!/bin/bash
      gcloud config set project {GCP-PROJECT-ID}

      # Reserve 50 internal IP addresses in the subnet.
      for i in {0..49}
      do
        gcloud compute addresses create {ENDPOINT}-ip-$i --region={REGION} --subnet={SUBNET}
      done

      # Stop if any address is not in the RESERVED state.
      for i in {0..49}
      do
        if [ "$(gcloud compute addresses describe {ENDPOINT}-ip-$i --region={REGION} --format="value(status)")" != "RESERVED" ]; then
          echo "{ENDPOINT}-ip-$i is not RESERVED";
          exit 1;
        fi
      done

      # Create one forwarding rule per address, each targeting an Atlas service attachment.
      for i in {0..49}
      do
        gcloud compute forwarding-rules create {ENDPOINT}-$i --region={REGION} --network={VPC-NAME} --address={ENDPOINT}-ip-$i --target-service-attachment=projects/{ATLAS-GCP-PROJECT-ID}/regions/{REGION}/serviceAttachments/sa-{REGION}-{GROUP-ID}-$i
      done
- Run the shell file:

      sh setup_psc.sh

      Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/addresses/-ip-0].,
      Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/addresses/-ip-1].,
      ...
      Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/addresses/-ip-49].,
      Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/forwardingRules/-ip-0].,
      Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/forwardingRules/-ip-1].,
      ...
      Created [https://www.googleapis.com/compute/v1/projects/<PROJECT-ID>/regions/<REGION>/forwardingRules/-ip-49].
- Run the following command to generate a list of your Google Cloud forwarding addresses and store them in a file called atlasEndpoints.txt, replacing the following placeholders from the previous step:

  | Placeholder | Description |
  | --- | --- |
  | {REGION} | Google Cloud region in which your cluster resides. |
  | {ENDPOINT} | Unique string that identifies your private endpoint. This is the prefix for all forwarding rules you create. |

      gcloud compute forwarding-rules list --regions={REGION} --format="csv(name,IPAddress)" --filter="name:({ENDPOINT}*)" > atlasEndpoints.txt
Update the format of the atlasEndpoints.txt file.
Run the following command to reformat the contents of atlasEndpoints.txt:

    sed -i '' '1d' atlasEndpoints.txt
    tr -s ',' '@' <atlasEndpoints.txt >atlasEndpoints2.txt
    tr -s '\n' ',' <atlasEndpoints2.txt >atlasEndpoints.txt
    sed -i '' '$ s/.$//' atlasEndpoints.txt
    rm atlasEndpoints2.txt
IMPORTANT: You use the contents of atlasEndpoints.txt in the next
step as the value for the endpoint parameter.
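The `sed -i ''` form used above is BSD/macOS syntax and fails under GNU sed, and the pipeline does not check what it rewrites. The following added example (not part of the Atlas documentation) builds the same `name@ip,name@ip,...` string portably with awk and rejects rows that lack the endpoint prefix, are not private IPv4 addresses, repeat an address, or do not add up to the expected count. The function name `build_endpoint_list`, the `tester-` prefix, and the RFC 1918 restriction are assumptions for illustration.

```shell
#!/bin/sh
# Added example: validate and convert the CSV written by
#   gcloud compute forwarding-rules list --format="csv(name,IPAddress)"
# Usage: build_endpoint_list FILE PREFIX [EXPECTED_COUNT]  (hypothetical helper)
build_endpoint_list() {
    awk -F',' -v prefix="$2" -v want="${3:-50}" '
        # Assumption: the Private Service Connect subnet uses RFC 1918 space.
        function is_private(ip,    o, n, i) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            if (o[1] + 0 == 10) return 1
            if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
            return (o[1] + 0 == 192 && o[2] + 0 == 168)
        }
        NR == 1 { next }                  # header row, same as the sed 1d step
        { sub(/\r$/, "") }                # tolerate CRLF line endings
        $0 == "" { next }                 # ignore blank lines
        NF != 2 { err = "line " NR ": expected name,IPAddress"; exit }
        index($1, prefix) != 1 { err = "line " NR ": " $1 " lacks prefix " prefix; exit }
        !is_private($2) { err = "line " NR ": " $2 " is not a private IPv4 address"; exit }
        seen[$2]++ { err = "line " NR ": duplicate address " $2; exit }
        { out = out (count++ ? "," : "") $1 "@" $2 }
        END {
            if (err == "" && count != want)
                err = "expected " want " endpoints, found " (count + 0)
            if (err != "") { print "atlasEndpoints: " err > "/dev/stderr"; exit 1 }
            print out                     # single line, no trailing comma
        }
    ' "$1"
}

# Constructed sample input: three rows instead of the 50 the procedure creates.
sample=$(mktemp)
printf '%s\n' 'name,IPAddress' 'tester-0,10.142.0.1' 'tester-1,10.142.0.2' \
    'tester-2,10.142.0.3' > "$sample"
build_endpoint_list "$sample" tester- 3
rm -f "$sample"
```

With the real file, omit the third argument so the count defaults to the 50 forwarding rules the script creates.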
Update your private endpoint with the VPC Endpoint ID.
- Run the Atlas CLI command to create an interface endpoint in Atlas using the Atlas endpoint ID and the VPC Endpoint ID. In this example, you would set the following parameters:

  | Parameter | Type | Example Value |
  | --- | --- | --- |
  | endpointGroupId | Argument | tester-1 |
  | endpointServiceId | Option | 6344ac8f51b94c6356527881 |
  | gcpProjectId | Option | atlascli-private-endpoints |
  | endpoint | Option | tester-1@10.142.0.1,tester-2@10.142.0.2, ... , tester-49@10.142.0.49, tester-50@10.142.0.50 |

  The ... represents 46 other endpoints in between.

  To add a new interface for a Google Cloud private endpoint using the Atlas CLI, run the following command:

      atlas privateEndpoints gcp interfaces create <endpointGroupId> [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp interfaces create.
Verify the private endpoint's availability.
You can connect to the cluster using the GCP Private Service Connect private endpoint after Atlas finishes configuring all of the resources and the private endpoint becomes available.
To verify that the Google Cloud private endpoint is available:
- Run the Atlas CLI command to describe the interface endpoint using its ID. In this example, you would use the following parameters from the previous step:

  | Parameter | Type | Example Value |
  | --- | --- | --- |
  | id | Argument | tester-1 |
  | endpointServiceId | Option | 6344ac8f51b94c6356527881 |

  To return the Google Cloud private endpoint interface that you specify using the Atlas CLI, run the following command:

      atlas privateEndpoints gcp interfaces describe <id> [options]

  To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas privateEndpoints gcp interfaces describe.
- Verify that the STATUS field's value is AVAILABLE as shown in the following example:

      ENDPOINT    STATUS       DELETE REQUESTED
      tester-1    AVAILABLE    false

  If the STATUS value is VERIFIED, wait 1-2 more minutes for Atlas to make your private endpoint available.
To set up GCP Private Service Connect in Google Cloud through the Atlas UI:
In Atlas, go to the Database & Network Access page for your project.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Database & Network Access under the Security heading. 
The Database & Network Access page displays.
Configure your private endpoint.
WARNING: To avoid connection interruptions, you must specify the correct information. We recommend that you don't skip the commands and substeps in this step.
- Enter the following details about your Google Cloud VPC:
  - Google Cloud Project ID: The unique ID for your project. Find this value on the Dashboard page on your Google Cloud platform.
  - VPC Name: The name of the VPC that you want to use to connect to Atlas. Find this value on the VPC Networks page on your Google Cloud dashboard.
  - Subnet Name: The name of the subnet in your Google Cloud VPC. Find this value on the VPC Networks page on your Google Cloud dashboard.
- Enter a unique name for your private endpoint in the Private Service Connect Endpoint Prefix field. This will be the prefix for all endpoints created and the name of the endpoint group. Click Next. 
- Create the forwarding rules in your Google Cloud VPC by downloading the shell script and running it using the gcloud CLI. This will output a JSON file containing a list of IP addresses and endpoint names that you will need in the next step. Click Next. 
- Click Upload JSON File to select and upload the outputted JSON file. 
- Click Create Private Endpoint. 
In Atlas, go to the Database & Network Access page for your project.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Database & Network Access under the Security heading. 
The Database & Network Access page displays.
Verify that the private endpoint is available.
You can connect to an Atlas cluster using the GCP Private Service Connect private endpoint when all of the resources are configured and the private endpoint becomes available.
To verify that the GCP Private Service Connect private endpoint is available:
On the Private Endpoint tab, verify the following statuses for the region that contains the cluster you want to connect to using GCP Private Service Connect:
| Atlas Endpoint Service Status | Available | 
| Endpoint Status | Available | 
To learn more about possible status values, see Troubleshoot Private Endpoint Connection Issues.
If you do not see these statuses, see Troubleshoot Private Endpoint Connection Issues for additional information.