Cannot connect to Mongo Atlas using VPC peering from GCP cluster


Problem description

I am trying to connect a Java app running on a GCP Kubernetes Engine cluster to a Mongo Atlas cluster (M20). Before, when I didn't have VPC peering turned on and was using the regular connection string, it worked fine. But I am now trying to use VPC peering with the default VPC network in my GCP project. I followed the steps in https://docs.atlas.mongodb.com/security-vpc-peering/. I chose an Atlas CIDR of 192.168.0.0/18 (b/c "The Atlas CIDR block must be at least a /18"), and after linking the GCP project and the Atlas cluster, added 10.128.0.0/9 to the IP whitelist for the Atlas cluster (b/c it says that is the default range for auto in GCP projects).

I am actually able to connect via the Mongo shell with mongo "mongodb+srv://<cluster_name>-pri.crum0.gcp.mongodb.net/itls" from another VM in my GCP project. But the app running on a pod in my GCP cluster is unable to connect. The exact error that I am seeing in the Java app is:

Caused by: com.mongodb.MongoTimeoutException: Timed out after 30000 ms while waiting for a server that matches com.mongodb.client.internal.MongoClientDelegate$1@a07fbd8. Client view of cluster state is {type=REPLICA_SET, servers=[{address=<cluster_name>-shard-00-00-pri.crum0.gcp.mongodb.net:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketOpenException: Exception opening socket}, caused by {java.net.SocketTimeoutException: connect timed out}}, {address=<cluster_name>-shard-00-01-pri.crum0.gcp.mongodb.net:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketOpenException: Exception opening socket}, caused by {java.net.SocketTimeoutException: connect timed out}}, {address=<cluster_new>-shard-00-02-pri.crum0.gcp.mongodb.net:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketOpenException: Exception opening socket}, caused by {java.net.SocketTimeoutException: connect timed out}}]

Questions:

1) Is it possible to connect from a GCP cluster at all (or perhaps, why is this cluster somehow not part of the default VPC network)?
2) Is there something wrong in the Atlas CIDR range or my IP whitelist range?

Any help would be appreciated.

Recommended answer

I ended up making 2 changes to make it work. The first change is a definite requirement I was missing. Not sure yet if the second change is absolutely necessary.

1) I had to create a new GCP cluster, and in it VPC-native (enable IP alias) was enabled by default. In my old cluster this setting was disabled, and I couldn't change it for a running cluster. This setting definitely needs to be turned on to fix the problem.

2) Although I'm using Mongo Java driver 3.11.1, I did a couple of nslookup commands and figured it's safer to use the older-driver-style connection URI string (i.e. mongodb://<username>:<password>@<cluster_name>-shard-00-00-pri.crum0.gcp.mongodb.net:27017,<cluster_name>-shard-00-01-pri.crum0.gcp.mongodb.net:27017,<cluster_name>-shard-00-02-pri.crum0.gcp.mongodb.net:27017/itls?ssl=true&replicaSet=<cluster_name>-shard-0&authSource=admin&retryWrites=true&w=majority), since nslookup actually gave a real IP address for the old style but not the new.

The nslookup commands that helped:

>> nslookup <cluster_name>-shard-00-00-pri.crum0.gcp.mongodb.net
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   <cluster_name>-shard-00-00-pri.crum0.gcp.mongodb.net
Address: 192.168.248.2

>> nslookup <cluster_name>-pri.crum0.gcp.mongodb.net
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
*** Can't find <cluster_name>-pri.crum0.gcp.mongodb.net: No answer
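As an added check (my own example, not the poster's code): the driver expands a mongodb+srv:// URI by querying SRV records at `_mongodb._tcp.<host>` and TXT records at `<host>`, which is why a plain nslookup of the bare `-pri` name returns "No answer" even when the cluster is reachable. The block below performs that expansion against constructed DNS answers (the cluster name, credentials and 192.168.8.x addresses are made up; the Atlas CIDR is the one from the question) and then verifies that every seed host resolves to an address inside the peered Atlas CIDR, i.e. that the connection would stay on the peering rather than take a public path.

```python
import ipaddress
from urllib.parse import urlsplit

# Atlas CIDR from the question; the records below are constructed stand-ins for DNS answers.
ATLAS_CIDR = ipaddress.ip_network("192.168.0.0/18")
SRV_RECORDS = {  # the driver queries _mongodb._tcp.<host>, not the bare host name
    "_mongodb._tcp.mycluster-pri.crum0.gcp.mongodb.net": [
        ("mycluster-shard-00-00-pri.crum0.gcp.mongodb.net", 27017),
        ("mycluster-shard-00-01-pri.crum0.gcp.mongodb.net", 27017),
        ("mycluster-shard-00-02-pri.crum0.gcp.mongodb.net", 27017),
    ]
}
TXT_RECORDS = {"mycluster-pri.crum0.gcp.mongodb.net": "authSource=admin&replicaSet=mycluster-shard-0"}
A_RECORDS = {  # constructed private addresses that fall inside ATLAS_CIDR
    "mycluster-shard-00-00-pri.crum0.gcp.mongodb.net": "192.168.8.2",
    "mycluster-shard-00-01-pri.crum0.gcp.mongodb.net": "192.168.8.3",
    "mycluster-shard-00-02-pri.crum0.gcp.mongodb.net": "192.168.8.4",
}


def srv_to_legacy_uri(srv_uri, srv=SRV_RECORDS, txt=TXT_RECORDS):
    """Expand mongodb+srv:// the way the driver does: SRV targets become the seed
    list, TXT options are merged with the URI's own options, and TLS is on by default."""
    parts = urlsplit(srv_uri)
    host = parts.hostname
    targets = srv.get(f"_mongodb._tcp.{host}")
    if not targets:
        raise LookupError(f"no SRV record at _mongodb._tcp.{host}")
    seeds = ",".join(f"{h}:{p}" for h, p in targets)
    query = "&".join(o for o in (txt.get(host, ""), parts.query, "ssl=true") if o)
    userinfo = f"{parts.username}:{parts.password}@" if parts.username else ""
    return f"mongodb://{userinfo}{seeds}{parts.path}?{query}"


def check_private_path(legacy_uri, a_records=A_RECORDS, cidr=ATLAS_CIDR):
    """Classify each seed host: does it resolve, and is the address inside the peered
    Atlas CIDR (stays on the peering) or outside it (would leave via a public path)?"""
    seeds = urlsplit(legacy_uri).netloc.rsplit("@", 1)[-1]
    result = {}
    for seed in seeds.split(","):
        host = seed.rsplit(":", 1)[0]
        ip = a_records.get(host)
        if ip is None:
            result[host] = "unresolved"
        elif ipaddress.ip_address(ip) in cidr:
            result[host] = "ok"
        else:
            result[host] = "outside-atlas-cidr"
    return result
```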

