
(EDITED) I want to connect a GKE pod to Atlas.

I have an Atlas db with a VPC peering connection set up to a GCP VPC Network. I am trying to apply things I learnt in these tutorials:

Configuring VPC Network Peering

Controlling Access to VPC Networks

When I look at VPC network peering > Routes > Peering in the GCP console, I see automatically configured peering routes. I'm at a loss how to set one up or how to test the connection. I ping the Atlas IP from my pod and it gets 100% packet loss, but then there are no routes so it shouldn't get through. I go to VM instances and SSH from my pod there, then run

docker run --rm busybox ping 192.168.0.0 -c 3

but, predictably, the result is the same.

From the gcloud shell I do:

gcloud compute firewall-rules list

and get:

NAME: allow-monolith-nodeport
NETWORK: default
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp:31000
DENY:
DISABLED: False

NAME: default-allow-icmp
NETWORK: default
DIRECTION: INGRESS
PRIORITY: 65534
ALLOW: icmp
DENY:
DISABLED: False

NAME: default-allow-internal
NETWORK: default
DIRECTION: INGRESS
PRIORITY: 65534
ALLOW: tcp:0-65535,udp:0-65535,icmp
DENY:
DISABLED: False

NAME: default-allow-rdp
NETWORK: default
DIRECTION: INGRESS
PRIORITY: 65534
ALLOW: tcp:3389
DENY:
DISABLED: False

NAME: default-allow-ssh
NETWORK: default
DIRECTION: INGRESS
PRIORITY: 65534
ALLOW: tcp:22
DENY:
DISABLED: False

NAME: gke-my-cluster-94435ead-all
NETWORK: default
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: icmp,esp,ah,sctp,tcp,udp
DENY:
DISABLED: False

NAME: gke-my-cluster-94435ead-ssh
NETWORK: default
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp:22
DENY:
DISABLED: False

NAME: gke-my-cluster-94435ead-vms
NETWORK: default
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: icmp,tcp:1-65535,udp:1-65535
DENY:
DISABLED: False

NAME: k8s-fw-l7--ca9214afee2f865d
NETWORK: default
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp:30000-32767
DENY:
DISABLED: False

In GKE I have created a Service account with the Compute Network Admin role, but I'm not sure how to link it to the VMs for my pods. I need this to change the firewall rules for the pod VMs, though it would be better if I could just do it declaratively from the pod/service manifest.

In Atlas I added the external IPs of my pod VMs to the Network Access IP Access List.

How can I set up VPC Network Peering between Mongodb Atlas and a GKE pod so when I ping the Atlas CIDR I get packets back?

****** EDIT *****

When following this tutorial, "atlas k8s peering tut", I find I can't alter my k8s networking on GKE? Do I need to recreate the cluster from scratch?


1 Answer


I would start by making sure that the VPC peering link is Active. If you are not seeing any routes in the Peering section, most probably the link is not Active and therefore not passing traffic.

Here's a comprehensive tutorial on how to Peer an Atlas db to a VPC network [1]; as you can see, there are some specific parameters you need to fill in on both sides, such as the project id, VPC name, etc.

[1] https://www.mongodb.com/developer/how-to/connect-atlas-cloud-kubernetes-peering/

  • Yeah I found that one - it's not comprehensive enough! I still don't understand how to set up a VM in the Atlas VPC to ping the GCP VPC Network, or how to ping the Atlas VPC from my GKE pods. I have edited the question because I re-set up the peering connection and all the peering routes automatically configured - so I think I had extra spaces at the end of my Atlas Project ID field, but now that I know I have peering routes I'm not sure how to use them – Davtho1983 Nov 08 '21 at 18:04
  • I'm not sure how to configure the Networking bit - do I have to do this right from the start when I create the GKE cluster? See edited question – Davtho1983 Nov 08 '21 at 18:10
  • The resources allocation in Atlas is done automatically, you cannot "set up" a VM. What you get when you configure a database cluster is a URI which you can connect to. By default, you will get a URI pointing to a public ip address, and the whole purpose of the Peer link is to create a URI pointing to a private ip address that will be only accessible by the whitelisted subnet configured in the Peering set-up. Be aware that peering connections are only allowed for M10 and above clusters. – Gabriel Robledo Ahumada Nov 08 '21 at 21:01
  • To identify the specific ip address of a database cluster, you will need to connect to it through the Atlas console and run an nslookup from there. Finally, yes, you need to create the Kubernetes cluster with the --network and --subnetwork flags; you can find plenty of Google's public documentation on this. – Gabriel Robledo Ahumada Nov 08 '21 at 21:01
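An added example, not code from the question, the answer or MongoDB's tutorial: a small Python checker that does what the answer recommends (confirm the peering is ACTIVE before expecting any routes) and adds two checks a practitioner would run before concluding the link is broken. Every firewall rule listed in the question is INGRESS; a pod's outbound connection to Atlas is governed by EGRESS rules, and GCP's implied allow-egress rule passes it unless an explicit egress deny matches, so the checker evaluates egress rules by priority the way the VPC does. And because Atlas hosts are not guaranteed to answer ICMP, it probes with a TCP handshake on 27017 instead of ping. The JSON inputs are constructed samples in the shape of the Compute API Network and Firewall resources that `gcloud compute networks peerings list --format=json` and `gcloud compute firewall-rules list --format=json` print; the peering name, project, Atlas CIDR and target IP are assumptions.

```python
"""Added example (not from the original post): readiness checks for a
GKE -> Atlas VPC peering path.  Sample JSON below is constructed; real
input comes from `gcloud ... --format=json`."""
import ipaddress
import json
import socket

# Constructed sample: VPC "default" with one peering to an Atlas-side VPC.
# Peering name, project and network are assumed names.
PEERINGS_JSON = json.dumps([{
    "name": "default",
    "peerings": [{
        "name": "peering-example-atlas",
        "network": "https://www.googleapis.com/compute/v1/projects/"
                   "atlas-proj/global/networks/atlas-vpc",
        "state": "ACTIVE",
        "stateDetails": "[2021-11-08T17:55:00.000-08:00]: Connected.",
        "exchangeSubnetRoutes": True,
    }],
}])

# Constructed sample: one INGRESS rule like those in the question plus an
# explicit EGRESS deny, to show that only EGRESS rules matter for pod -> Atlas.
FIREWALL_JSON = json.dumps([
    {"name": "default-allow-internal", "direction": "INGRESS",
     "priority": 65534, "disabled": False, "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "deny-egress-to-atlas-example", "direction": "EGRESS",
     "priority": 900, "disabled": False,
     "destinationRanges": ["192.168.0.0/16"],   # assumed Atlas-side CIDR
     "denied": [{"IPProtocol": "tcp", "ports": ["27017"]}]},
])


def peering_state(networks_json, vpc_name):
    """Map peering name -> state for one VPC.  Routes only appear once ACTIVE."""
    for net in json.loads(networks_json):
        if net.get("name") == vpc_name:
            return {p["name"]: p.get("state", "UNKNOWN")
                    for p in net.get("peerings", [])}
    return {}


def _proto_matches(spec, proto, port):
    """Does one allowed/denied entry cover this protocol and port?"""
    ip_proto = spec["IPProtocol"].lower()
    if ip_proto == "all":
        return True
    if ip_proto != proto:
        return False
    ports = spec.get("ports")
    if not ports:                      # protocol with no port list = all ports
        return True
    for rng in ports:
        lo, _, hi = rng.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def egress_verdict(firewall_json, dst_ip, proto="tcp", port=27017):
    """Evaluate EGRESS rules as the VPC does: lowest priority number wins,
    deny beats allow at equal priority, first match decides.  No match means
    GCP's implied allow-egress rule (priority 65535) applies."""
    dst = ipaddress.ip_address(dst_ip)
    rules = [r for r in json.loads(firewall_json)
             if r.get("direction") == "EGRESS" and not r.get("disabled")]
    rules.sort(key=lambda r: (r.get("priority", 1000), 0 if r.get("denied") else 1))
    for rule in rules:
        ranges = rule.get("destinationRanges") or ["0.0.0.0/0"]
        if not any(dst in ipaddress.ip_network(c, strict=False) for c in ranges):
            continue
        if any(_proto_matches(s, proto, port) for s in rule.get("denied", [])):
            return ("DENY", rule["name"])
        if any(_proto_matches(s, proto, port) for s in rule.get("allowed", [])):
            return ("ALLOW", rule["name"])
    return ("ALLOW", "implied-allow-egress")


def tcp_reachable(host, port=27017, timeout=3.0):
    """Probe the MongoDB port rather than ping: a completed handshake proves
    routes and firewalls work in both directions; ICMP proves little."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_local_listener():
    """Local stand-in for an Atlas node so the probe can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def readiness_report(networks_json, firewall_json, vpc_name, atlas_ip):
    states = peering_state(networks_json, vpc_name)
    verdict, rule = egress_verdict(firewall_json, atlas_ip)
    return {"peering_active": any(s == "ACTIVE" for s in states.values()),
            "egress": verdict, "egress_rule": rule}


if __name__ == "__main__":
    # 192.168.248.10 is an assumed Atlas private address inside the sample CIDR.
    print(readiness_report(PEERINGS_JSON, FIREWALL_JSON, "default", "192.168.248.10"))
```

Two things the report does not cover but that matter for the setup in the question: with peering in place, Atlas sees connections arriving from the GKE VPC's private ranges, so the IP Access List on the Atlas side needs the cluster's node subnet and pod CIDR, not the nodes' external IPs; and the private connection string (the `-pri` hostnames) must be used, since the public one still goes out via the internet.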