Whitelisting IPs of a Node.js App (hosted on GAE) to access MongoDB Atlas (hosted on GCP)

I want my backend server (Node.js, hosted on Google App Engine, flexible environment if that matters) to be able to grab and pass data from my database (MongoDB, through Atlas, also hosted on Google Cloud platform, in the same region as my backend server). Ideally, I'd like to keep a tight whitelist of IPs that can access my database, but I'm not sure how to identify them.

My understanding is that Google will use a range of IPs. I might be able to access these by querying Google from time to time (Google App Engine - list of IP addresses?).

I also found a nice tutorial from Google about how to connect App Engine to MongoDB Atlas, but they conveniently left out how to whitelist the correct IPs (https://cloud.google.com/community/tutorials/mongodb-atlas-appengineflex-nodejs-app).

I also found some notes from Atlas about using network peering within GCP (which I qualify for? see link: https://docs.atlas.mongodb.com/security-vpc-peering/) but there are significant restrictions, including that other IPs aren't allowed? I'm having a hard time understanding their documentation.

Key Question: Is there an easier way to do this than the first link above? Or am I stuck querying this frequently and changing it by hand?

MattPM asked Jan 31 '20 04:01


1 Answer

If you are running M10-Cluster (or higher) on Atlas, VPC-Peering is your way to go. As you said, you are having a hard time reading the documentation. I'd recommend trying this tutorial. They're explaining what CIDR-ranges (what you referred to as IPs) to whitelist.

One thing to notice here: they are using GCP's Kubernetes Engine. With App Engine there is a little extra effort, as it is one of GCP's "Serverless" solutions, which is the reason why you should not use static IPs or anything like that. You will need to connect your App to the VPC-Network via a Connector:

  1. Create a connector in the same region as your GAE-App following these instructions. You can find out the current region of your GAE-App with gcloud app describe. Just give the connector the range 10.8.0.0 for now (/28 is added automatically). Remember the name you gave it.

  2. Your app.yaml has to point to that connector like this:

```yaml
runtime: nodejs10

vpc_access_connector:
  name: projects/GCLOUD_PROJECT_ID/locations/REGION_WHERE_GAE_RUNS/connectors/NAME_YOU_ENTERED_IN_STEP_1
```

  3. Go to your Atlas project, navigate to Network Access and whitelist the CIDR-range you set for the connector in Step 1.

  4. You may also need to whitelist the CIDR-range from Step 1 for the VPC-Network. You can do that in GCP by navigating to VPC-Network -> Firewall.

AndyW answered Sep 22 '22 16:09
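The Atlas allowlist entry in the answer's Step 3 is the connector's CIDR range, not any single egress address. The following is an added example, not code from the question, the answer or the linked tutorials: it normalizes the range entered in Step 1 into the exact CIDR to paste into Atlas Network Access and checks whether a given address falls inside it. It assumes IPv4 and that a bare address gets /28 appended, as the answer notes.

```javascript
// Added example (not from the question, the answer or Google's tutorial).
// Turns the connector range from Step 1 into the exact entry to paste into
// Atlas Network Access and checks which egress addresses that entry covers.
// IPv4 only; a bare address gets /28 because the connector form adds it.
const DEFAULT_CONNECTOR_PREFIX = 28;

function ipToInt(ip) {
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return octets.reduce((acc, o) => {
    const n = Number(o);
    if (!/^\d{1,3}$/.test(o) || n > 255) throw new Error(`bad octet in ${ip}`);
    return acc * 256 + n;
  }, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join('.');
}

// Parses "10.8.0.0" or "10.8.0.5/28" into the network it really names.
function parseCidr(range) {
  const [ip, prefixStr] = range.split('/');
  const prefix = prefixStr === undefined ? DEFAULT_CONNECTOR_PREFIX : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`bad prefix length in ${range}`);
  }
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const network = (ipToInt(ip) & mask) >>> 0;
  return {
    cidr: `${intToIp(network)}/${prefix}`, // what to whitelist in Atlas
    size: 2 ** (32 - prefix),              // addresses the entry admits
    network,
    mask,
  };
}

// True when an address (e.g. the source IP Atlas sees) is inside the range.
function ipInCidr(ip, range) {
  const { network, mask } = parseCidr(range);
  return ((ipToInt(ip) & mask) >>> 0) === network;
}

// Constructed sample: the connector range from Step 1 and two candidate egress IPs.
const entry = parseCidr('10.8.0.0');
console.log(`Atlas allowlist entry: ${entry.cidr} (${entry.size} addresses)`);
for (const ip of ['10.8.0.7', '10.8.0.16']) {
  console.log(`${ip} covered: ${ipInCidr(ip, '10.8.0.0')}`);
}
```

A /28 admits only 16 addresses, so an entry of this size is far tighter than allowlisting Google's published ranges while still covering every address the connector can use.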