0

Are there any gotchas I'm missing to set up a Zappa project on AWS with Mongodb Atlas? I started following the guide on this page and have branched out to various other resources since: https://docs.atlas.mongodb.com/security-vpc-peering/

I have a VPC peered with my Atlas Cluster. Both sides say the connection is Active.

I have a Route Table with 2 routes:

Destination: <My VPC CIDR>       Target: local
Destination: <My Atlas CIDR>     Target: <My Atlas Peering ID>

The Route Table's VPG has Propogate set to True, but none of the Routes are Propogated.

There are 4 Subnets associated with that Route Table.

All 4 Subnets and the VPC are connected to the Zappa Function on Lambda.

Also connected to the Function are a very liberal Execution Role and Security Group.

The Security Group and VPC CIDR are both Active on Atlas' IP Whitelist page.

There is also a Network ACL associated with all 4 Subnets with very liberal Inbound and Outbound Rules.

The Atlas Cluster and AWS Region are the same.

I tried Whitelisting all IPS and that did not work

The API Gateway does not have a VPC Link, no NLB's exist (Is that strictly an EC2 thing? The plan is to deploy on Lambda and since I'm in early dev I don't have a Certificate to select yet.)

thekthuser
  • 706
  • 1
  • 12
  • 28

1 Answers1

0

The gotcha ended up being that my Atlas Tier did not support Peering Connections.

Here are two other solutions, both of which send traffic across the internet instead of within AWS.

1:

Whitelist all IPs (add 0.0.0.0/0) in MongoDB Atlas.

2:

On your VPC Dashboard:

Attach an Internet Gateway to your VPC.

Create a new EIP.

Create a Public Subnet and a Private Subnet. (By this I mean include 'public' and 'private' in the name. We will actually make them public and private when we associate Routing Tables later).

Create a NAT Gateway and connect it to the EIP and the Public Subnet.

Create a Private Routing Table which routes all traffic to the NAT Gateway (keep the existing route from your VPC CIDR to local).

Create a Public Routing Table which routes all traffic to the Internet Gateway (keep the existing route from your VPC CIDR to local).

Associate your Public Subnet to the Public Routing Table and your Private Subnet to the Private Routing Table.

Create a Network ACL and associate with any Subnets if needed.

On your Lamda Function Dashboard:

Associate your VPC.

Associate your Private Subnet.

Associate any Security Groups if needed.

On your MongoDB Atlas Dashboard:

Whitelist your EIP in MongoDB Atlas.

Note: Amazon charges you for the NAT Gateway. That's the only non-free part of this if you are on the free tier.

thekthuser
  • 706
  • 1
  • 12
  • 28