MongoDB supports AWS and Azure private endpoints for Online Archives. You can set up the private endpoints from the Atlas UI and Atlas Administration API.
Note
You can set up private endpoints for a dedicated cluster. To learn more, see Configure Private Endpoints.
Required Access
To set up a private endpoint for an Online Archive, you must have
Project Owner access or higher to the project.
Prerequisites
The procedure differs depending on whether you use AWS or Azure for your cloud provider.
AWS:
- Have an AWS user account with an IAM user policy that grants permissions to create, modify, describe, and delete endpoints. For more information on controlling the use of interface endpoints, see the AWS Documentation.
- If you have not already done so, create your VPC and EC2 instances in AWS. See the AWS documentation for guidance.
Azure:
- Have an Azure user account with permissions to create resources like virtual networks and private endpoints. To learn more about the permissions required, see the Azure Documentation.
Important
With Azure, you can create up to three private endpoints per project for an Online Archive due to an Azure-imposed limit. This is why Atlas prevents you from deleting an Atlas project before first deleting its private endpoints. To request more than three private endpoints for a project, contact MongoDB Support.
Note
You can't use your Atlas cluster private endpoint ID for an Online Archive. The Online Archive endpoint ID must be different from your Atlas cluster endpoint ID, if you have one.
Set Up Private Endpoint Through Atlas UI
You can create a new private endpoint or add an existing private endpoint for an Online Archive through your Atlas UI. To set up the private endpoint:
AWS, create a new private endpoint:
In Atlas, go to the Network Access page for your project.
WARNING: Navigation Improvements In Progress
We're currently rolling out a new and improved navigation experience. If the following steps don't match your view in the Atlas UI, see the preview documentation.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Network Access under the Security heading. The Network Access page displays.
Choose a cloud provider and region.
- Click the AWS button. 
- Click Next. 
- From the Choose a region list, select the region where you want to create the private endpoint. You can select one of the following regions (Online Archive region, followed by the AWS region):
  - Northern Virginia, North America: us-east-1
  - Oregon, North America: us-west-2
  - Ireland, Europe: eu-west-1
  - London, Europe: eu-west-2
  - Frankfurt, Europe: eu-central-1
  - Tokyo, Japan: ap-northeast-1
  - Mumbai, Asia: ap-south-1
  - Sydney, Australia: ap-southeast-2
  - Montreal, Canada: ca-central-1
  To learn more, see Atlas Data Federation Regions.
- Click Next. 
Note
If your organization has no payment information stored, Atlas prompts you to add it before continuing.
Configure your private endpoint.
Tip
Click and expand Show instruction for a screenshot of the AWS console where you can find the necessary information for the following settings.
- Enter the following details about your AWS VPC:
  WARNING: To avoid connection interruptions, you must specify the correct information. We recommend that you don't skip the commands and substeps in this step.
  - Your VPC ID: Unique identifier of the peer AWS VPC. Find this value on the VPC dashboard in your AWS account.
  - Your Subnet IDs: Unique identifiers of the subnets your AWS VPC uses. Find these values on the Subnet dashboard in your AWS account.
  IMPORTANT: You must specify at least one subnet. If you don't, AWS won't provision an interface endpoint in your VPC. An interface endpoint is required for clients in your VPC to send traffic to the private endpoint.
- Copy the command the dialog box displays and run it using the AWS CLI. See Creating an Interface Endpoint to perform this task using the AWS CLI.
- Enter your VPC Endpoint ID. This is a 22-character alphanumeric string that identifies your private endpoint. Find this value on the AWS VPC Dashboard under Endpoints > VPC ID. 
- Enter the alpha-numeric DNS hostname associated with your private endpoint on AWS in the Your VPC Endpoint DNS Name field. If you have multiple DNS names for your private endpoint, copy and paste the first name from your list. To learn more, see Manage DNS names for VPC endpoint services. 
AWS, add an existing private endpoint:
In Atlas, go to the Network Access page for your project.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Network Access under the Security heading. The Network Access page displays.
Choose a cloud provider and region.
- Click the AWS button. 
- From the Choose a region list, select the region where you want to create the private endpoint. You can select one of the following regions (Atlas Data Federation region, followed by the AWS region):
  - Northern Virginia, North America: us-east-1
  - Oregon, North America: us-west-2
  - Ireland, Europe: eu-west-1
  - London, Europe: eu-west-2
  - Frankfurt, Europe: eu-central-1
  - Tokyo, Japan: ap-northeast-1
  - Mumbai, Asia: ap-south-1
  - Sydney, Australia: ap-southeast-2
  - Montreal, Canada: ca-central-1
Enter your VPC endpoint ID and DNS name.
- Enter the 22-character alphanumeric string that identifies your private endpoint in the Your VPC Endpoint ID field. 
- Enter the alpha-numeric DNS hostname associated with your private endpoint on AWS in the Your VPC Endpoint DNS Name field. If you have multiple DNS names for your private endpoint, copy and paste the first name from your list. To learn more, see Manage DNS names for VPC endpoint services. 
Tip
Click and expand Show instruction in the dialog box for a visual clue as to where you can find the necessary information in the AWS console.
Add a comment to associate with this endpoint. You can enter your subnet ID, VPC ID, AWS region, and other information to associate with this endpoint.
Azure, create a new private endpoint:
In Atlas, go to the Network Access page for your project.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Network Access under the Security heading. The Network Access page displays.
Choose a cloud provider and region.
- Click the Azure button. 
- From the dropdown, select the region where you want to create the private endpoint. You can select one of the following regions (Data Federation region, followed by the Azure region and the Atlas region):
  - Virginia, USA: eastus2, US_EAST_2
  - Sao Paulo, Brazil: brazilsouth, BRAZIL_SOUTH
  - Netherlands: westeurope, EUROPE_WEST
  To learn more, see Atlas Data Federation Regions.
- Click Next. 
Configure your private endpoint.
- Enter the following details about your Azure private endpoint:
  Tip: You can click Show instruction in the Atlas UI for the following settings to display a screenshot of the Azure Dashboard where you can find the value for the setting.
  - Resource Group Name: Name of the Azure resource group that contains the VNet that you want to use to connect to Atlas. Find this value in your Azure account.
  - Virtual Network Name: Name of the VNet that you want to use to connect to Atlas. Find this value in your Azure account.
  - Subnet ID: Identifier of the subnet in your Azure VNet. Find this value in your Azure account.
  - Private Endpoint Name: Unique alphanumeric string that identifies the private endpoint within your Azure resource group. Any private endpoint name that exceeds 24 characters is automatically transformed into a unique identifier in your private endpoint URI connection string.
- Click Next. 
- Copy the command the dialog box displays and run it using the Azure CLI.
  Note: You can't copy the command until Atlas finishes creating virtual network resources in the background.
- Click Finish. 
Azure, add an existing private endpoint:
In Atlas, go to the Network Access page for your project.
- If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar. 
- If it's not already displayed, select your project from the Projects menu in the navigation bar. 
- In the sidebar, click Network Access under the Security heading. The Network Access page displays.
Enter your endpoint details.
- Click the Azure button. 
- From the dropdown, select the region where you want to create the private endpoint. You can select one of the following regions (Data Federation region, followed by the Azure region and the Atlas region):
  - Virginia, USA: eastus2, US_EAST_2
  - Sao Paulo, Brazil: brazilsouth, BRAZIL_SOUTH
  - Netherlands: westeurope, EUROPE_WEST
  To learn more, see Atlas Data Federation Regions.
- Enter the 22-character alphanumeric string that identifies your private endpoint in the Your Private Endpoint ID field. Find this value in your Azure account.
  Tip: You can click Show instruction in the Atlas UI for the following settings to display a screenshot of the Azure Dashboard where you can find the value for the setting.
- Add a comment to associate with this endpoint. You can enter your subnet ID, VNet, Azure region, and other information to associate with this endpoint. 
- Enter the private IP address for your endpoint in the Your Endpoint Private IP Address field. Find this value in your Azure account. 
- Click Confirm to add the existing private endpoint. 
Set Up Private Endpoint Through the API
To configure a private endpoint for an online archive from the API,
send a POST request with the private endpoint ID to the
privateNetworkSettings endpoint.
- If the endpoint ID already exists and there is no change to the comment associated with the endpoint, Atlas makes no change to the endpoint ID list. 
- If the endpoint ID already exists and there is a change to the associated comment, Atlas updates the comment value only in the endpoint ID list.
- If the endpoint ID doesn't exist, Atlas appends the new endpoint to the list of endpoints in the endpoint ID list. 
To learn more about the syntax and options, see API.
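The three POST outcomes listed above, modeled offline together with the endpoint ID checks from the Note in the prerequisites. This is an added example, not MongoDB's code or an API client: the dictionary keys endpointId and comment, the function names, and the sample IDs are assumptions made for illustration, and the ID pattern is the AWS interface endpoint format (vpce- plus 17 hexadecimal characters, 22 in total), so the format check covers AWS only.

```python
import re

# AWS interface endpoint IDs: "vpce-" + 17 hex characters = 22 characters.
VPCE_ID = re.compile(r"vpce-[0-9a-f]{17}")


def check_endpoint_id(endpoint_id, cluster_endpoint_ids=()):
    """Pre-flight checks drawn from the page; returns a list of problems (empty = OK)."""
    problems = []
    if not VPCE_ID.fullmatch(endpoint_id):
        problems.append("not a 22-character AWS VPC endpoint ID")
    # An Online Archive endpoint ID must differ from any Atlas cluster endpoint ID.
    if endpoint_id in cluster_endpoint_ids:
        problems.append("already used as an Atlas cluster private endpoint ID")
    return problems


def apply_post(endpoint_list, endpoint_id, comment=""):
    """Model the documented POST behaviour on a local copy of the endpoint ID list.

    Returns (new_list, action); action is "unchanged", "comment-updated" or "appended".
    """
    new_list = [dict(entry) for entry in endpoint_list]  # never mutate the caller's list
    for entry in new_list:
        if entry["endpointId"] == endpoint_id:
            if entry.get("comment", "") == comment:
                return new_list, "unchanged"
            entry["comment"] = comment  # only the comment changes, the ID stays
            return new_list, "comment-updated"
    new_list.append({"endpointId": endpoint_id, "comment": comment})
    return new_list, "appended"


def unexpected_endpoints(endpoint_list, approved_ids):
    """Audit helper: endpoint IDs in the project list that are not on the approved set."""
    return sorted(e["endpointId"] for e in endpoint_list if e["endpointId"] not in approved_ids)


# Constructed sample data, not real identifiers.
SAMPLE_LIST = [{"endpointId": "vpce-0a1b2c3d4e5f60718", "comment": "archive-vpc us-east-1"}]

if __name__ == "__main__":
    requests = [("vpce-0a1b2c3d4e5f60718", "archive-vpc us-east-1"),
                ("vpce-0a1b2c3d4e5f60718", "archive-vpc, subnet-a"),
                ("vpce-0123456789abcdef0", "reporting-vpc")]
    for eid, note in requests:
        print(eid, check_endpoint_id(eid), apply_post(SAMPLE_LIST, eid, note)[1])
```

Running apply_post against a copy of the list fetched from the project shows in advance whether a POST will be a no-op, a comment change, or a new trusted endpoint, and unexpected_endpoints flags entries that were added outside of review.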