
I have an AWS Lightsail instance (deployed in AWS Managed VPC) that I want to connect to my Mongo ATLAS (deployed in Mongo Managed VPC).

I was able to connect my AWS Services (Lambda, API Gateway) to ATLAS internally, without going through the internet.

I have a peering connection from ATLAS to AWS (New VPC without internet). I have a peering connection from Lightsail to AWS (default VPC).

I need to be able to route the connection from Lightsail to ATLAS.

I created a peering connection between my "New VPC" and "default VPC", and updated the routing table. But still, the lightsail tries to go through the internet. It gets connected only when I whitelist the lightsail public IP.

[Screenshots attached to the question: Peering; Default VPC Route Table; AWS New VPC Route Table]

Dushyant Bangal
  • Is Lightsail using an IP address or DNS name to connect? If the latter, what does it resolve to? – kenlukas Sep 17 '18 at 14:19
  • Just checking if you found my answer informative, if you needed any further clarification? – Alex Moore Sep 19 '18 at 07:10
  • @kenlukas, We're using the host connection string given by ATLAS, which contains the domain name. I think it resolves to the public IP of the ATLAS instance – Dushyant Bangal Sep 22 '18 at 07:01
  • @AlexMoore, I've marked it as helpful, but I'm gonna keep the question open in case someone has a way to do it. – Dushyant Bangal Sep 22 '18 at 07:02
  • I think you need to be more clear about your current state and what you're trying to achieve. What is in your Lightsail account? What is in your AWS "new VPC" and what role does it play? Based on what you've said above all I can see is that you need to peer each VPC(s) your instance(s) are in with the Mongo VPC. There's no transit, peering is 1:1 with no traffic passing through to another. – Tim Sep 22 '18 at 08:00
  • @Tim, I have a lightsail VM that needs to connect to the mongo ATLAS. All I want to achieve here is to make the connection within the region, instead of going through the internet. The "New VPC" is for my lambda and ATLAS connection, as atlas recommends we don't use the "default" one. Lightsail gets peered to the "default" VPC. AWS deploys Lightsail in their own managed VPC, and not ours. – Dushyant Bangal Sep 22 '18 at 08:37
  • Ah ok. I don't know much about Lightsail, but I don't know if this is possible based on what you say. If the two instances are in the same region you won't go out to the internet even if you don't peer the VPCs, based on information I got directly from an AWS networking specialist. If you really want this level of control I suggest you either get rid of Lightsail and use EC2 (though you pay a lot more for bandwidth that way) or just worry less about how your connection is routed. If it's fast enough I wouldn't bother doing anything. – Tim Sep 22 '18 at 09:16
  • @Tim, that's what I thought, but someone from Mongo ATLAS said that VPC peering will result in "same region" data charges, else it will be "over the internet". Maybe I'll just look at the billing for a few days. – Dushyant Bangal Sep 24 '18 at 11:18

1 Answer


You have two challenges here.

  1. Lightsail currently only supports peering to the Default VPC. Although the documentation doesn't make it super clear, you can read it here.

  2. You cannot natively do transitive peering, that is route from the Lightsail VPC to your Default VPC and then onwards to Atlas. See more information on this here.

Your primary option really is to connect publicly, which if you are using TLS/SSL and restricting based on IP isn't too bad. Although granted it isn't as good as a fully private connection.

There is an option to deploy your own routing appliance into the default VPC to make it a 'Transit VPC' and handle routing yourself between the different peering links, but the overhead/complexity of managing that arrangement might not be worth it. More details on such topologies can be found here.

Alex Moore
  • Transit VPC is likely far too complex and expensive for a system this simple. PrivateLink or an additional VPC peer would be a better option. – Tim Sep 20 '18 at 04:51
  • Absolutely, except I don't believe Atlas provides a PrivateLink solution today, although if that is wrong let me know and I'll update. Can you clarify what you mean by additional VPC peer? – Alex Moore Sep 20 '18 at 06:16
  • I hadn't read the question carefully enough, plus I know AWS but not Lightsail. The question isn't as clear as it could be, but I'd first look at peering Lightsail directly with Atlas. If that's not possible I'd just use the public endpoint. I'm fairly sure, based on a recent call with an AWS networking specialist, the traffic will stay within the AWS internal network and you'll be charged internal rates - assuming same region. – Tim Sep 20 '18 at 07:47
  • Exactly. Even the lightsail docs aren't 100% explicit about the peering limitations, you have to read between the lines a bit. – Alex Moore Sep 20 '18 at 19:46
  • @Tim basically I want the communication to happen in the same region instead of over the internet. I think Lightsail is managed by a different entity, so they need to use peering connections to connect to your AWS services, unlike EC2 which you can directly add to your VPC. Can you please tell me if and how it can be possible by public endpoint? – Dushyant Bangal Sep 22 '18 at 07:05
  • Lightsail exists in its own AWS Managed VPC, which is why you use peering to reach the default VPC (and only the default VPC) today - as I reference above. And Atlas also exists in a separate VPC and you also use peering to reach it privately. So you want a) peer directly from atlas to lightsail - not possible today b) transitively route through your default VPC between the two peers - also not natively possible, unless you deploy your own routing appliances, again as I explained or c) use a PrivateLink interface in your default VPC, but again Atlas isn't available via this method today. – Alex Moore Sep 22 '18 at 08:06
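The answer's second point (no transitive peering) is the one that actually decides where the Lightsail traffic ends up, and it is easy to get wrong by reading only the route tables. The following is an added example, not code from the question, the answer, or AWS: a small route-lookup simulator in Python that models the four VPCs from the thread (Lightsail's managed VPC, the default VPC, the "New VPC", and the Atlas VPC), their 1:1 peering connections, and the AWS rule that a peering connection only forwards packets whose destination lies inside the peer VPC's own CIDR. All CIDRs, peering IDs and route-table contents are constructed assumptions chosen to mirror the question, not values from the page. The trace shows why a Lightsail packet to Atlas leaves through the internet gateway, why the "attempted transit" route added to the default VPC is silently dropped at the peering connection rather than forwarded, and why Lambda in the New VPC reaches Atlas directly.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology modelled on the question. Every CIDR and identifier
# below is an assumption made for this example, not a value from the page.
VPC_CIDRS: Dict[str, List[str]] = {
    "lightsail": ["172.26.0.0/16"],     # AWS-managed Lightsail VPC
    "default":   ["172.31.0.0/16"],     # the account's default VPC
    "new":       ["10.10.0.0/16"],      # "New VPC" holding Lambda
    "atlas":     ["192.168.248.0/21"],  # MongoDB Atlas project VPC
}

# Peering connections: each one is strictly 1:1 between the two VPCs named.
PEERINGS: Dict[str, Tuple[str, str]] = {
    "pcx-ls-default":  ("lightsail", "default"),
    "pcx-default-new": ("default", "new"),
    "pcx-new-atlas":   ("new", "atlas"),
}

# Route tables as (destination CIDR, target). Lightsail's table is managed by
# AWS and only learns the default VPC; the others are what an operator trying
# the question's setup would have added, including the hopeful transit route.
ROUTE_TABLES: Dict[str, List[Tuple[str, str]]] = {
    "lightsail": [("172.26.0.0/16", "local"),
                  ("172.31.0.0/16", "pcx-ls-default"),
                  ("0.0.0.0/0", "igw")],
    "default":   [("172.31.0.0/16", "local"),
                  ("172.26.0.0/16", "pcx-ls-default"),
                  ("10.10.0.0/16", "pcx-default-new"),
                  ("192.168.248.0/21", "pcx-default-new"),  # attempted transit route
                  ("0.0.0.0/0", "igw")],
    "new":       [("10.10.0.0/16", "local"),
                  ("172.31.0.0/16", "pcx-default-new"),
                  ("192.168.248.0/21", "pcx-new-atlas")],
    "atlas":     [("192.168.248.0/21", "local"),
                  ("10.10.0.0/16", "pcx-new-atlas")],
}


def in_vpc(vpc: str, ip: ipaddress.IPv4Address) -> bool:
    """True if ip falls inside one of the VPC's own CIDR blocks."""
    return any(ip in ipaddress.ip_network(c) for c in VPC_CIDRS[vpc])


def lookup(vpc: str, ip: ipaddress.IPv4Address) -> Tuple[str, str]:
    """Longest-prefix match over the VPC's route table; returns (cidr, target)."""
    best = None
    for cidr, target in ROUTE_TABLES[vpc]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"no route in {vpc} for {ip}")
    return str(best[0]), best[1]


def trace(src_vpc: str, dst: str) -> Tuple[str, List[str]]:
    """Follow a packet hop by hop from src_vpc towards dst.

    Returns (outcome, path) where outcome is 'delivered', 'internet' (the
    packet left through an internet gateway) or 'dropped'.
    """
    ip = ipaddress.ip_address(dst)
    path = [src_vpc]
    vpc = src_vpc
    for _ in range(len(VPC_CIDRS)):  # bound the walk; no loops are expected
        _cidr, target = lookup(vpc, ip)
        if target == "local":
            return ("delivered" if in_vpc(vpc, ip) else "dropped"), path
        if target == "igw":
            path.append("internet")
            return "internet", path
        a, b = PEERINGS[target]
        peer = b if vpc == a else a
        # AWS peering rule: a pcx only forwards traffic whose destination is
        # inside the peer VPC's own CIDR. Anything else is silently dropped,
        # which is exactly why transit through the default VPC never works.
        if not in_vpc(peer, ip):
            path.append(f"{target}:dropped")
            return "dropped", path
        path.append(peer)
        vpc = peer
    return "dropped", path


if __name__ == "__main__":
    atlas_node = "192.168.248.10"  # constructed address inside the Atlas CIDR
    for src in ("lightsail", "default", "new"):
        outcome, path = trace(src, atlas_node)
        print(f"{src:>9} -> Atlas: {outcome:9} via {' -> '.join(path)}")
```

Running the block prints one line per source VPC: Lightsail's packet matches only the 0.0.0.0/0 route and exits via the internet gateway (hence the need to allow the Lightsail public IP in Atlas), the default VPC's packet matches the transit route but is dropped at pcx-default-new because the destination is not in the New VPC's CIDR, and the New VPC's packet is delivered over its direct peer. Adding more routes to the default VPC cannot change the second outcome; only a direct peer or the routing appliance the answer mentions would.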