
Securely Connecting AWS Glue to MongoDB Atlas Using NAT Gateway


Overview

Organizations often need to securely access external databases from AWS for analytics and reporting workloads. One common requirement is connecting AWS Glue to MongoDB Atlas for ETL and data processing.

In many real-world environments, MongoDB Atlas is protected by IP whitelisting, which means only approved public IP addresses can connect to the database. However, AWS Glue jobs running inside private subnets do not have a fixed public IP by default.

To solve this problem, organizations use an AWS NAT Gateway with an Elastic IP address. This setup allows AWS Glue to securely connect to MongoDB Atlas using a fixed public IP address that the client can whitelist.

This blog explains the architecture, setup process, security concepts, benefits, and cost considerations for connecting AWS Glue to MongoDB Atlas using a NAT Gateway.


Introduction

AWS Glue is a fully managed ETL (Extract, Transform, Load) service used for preparing and processing data. MongoDB Atlas is a fully managed cloud database platform widely used by startups and enterprises.

When MongoDB Atlas uses IP-based access control, AWS services must connect using a trusted public IP. Since AWS Glue jobs typically run in private subnets for security, they cannot access the internet directly.

To enable secure connectivity:

  • AWS Glue runs in a private subnet
  • NAT Gateway provides internet access
  • Elastic IP provides a fixed public IP
  • MongoDB Atlas whitelists the Elastic IP

This architecture is secure, scalable, and production-ready.

Key AWS Services Used in Serverless Architecture

  1. AWS Glue

AWS Glue is used for:

  • ETL workloads
  • Data transformation
  • Data integration
  • Analytics pipelines

AWS Glue jobs can run securely inside an Amazon VPC.

  2. Amazon VPC

Amazon VPC provides isolated networking inside AWS. In this setup, the VPC contains:

  • Public subnet
  • Private subnet
  • Route tables
  • Internet Gateway
  • NAT Gateway

  3. NAT Gateway

NAT Gateway enables resources in private subnets to access the internet securely without exposing those resources publicly.

It provides:

  • Outbound internet connectivity
  • Fixed public IP support
  • Secure communication with MongoDB Atlas

  4. Elastic IP

Elastic IP is a static public IP address attached to the NAT Gateway.

This fixed IP is shared with the client for MongoDB Atlas whitelisting.

  5. MongoDB Atlas

MongoDB Atlas is a managed cloud database service that supports:

  • IP whitelisting
  • Authentication
  • Encryption
  • High availability

Step-by-Step Guide:

Step 1: Create an Amazon VPC

Create a VPC with a CIDR range such as:

10.0.0.0/16

This becomes the private network for the architecture.

Step 2: Create Public and Private Subnets

Create:

  • Public subnet
  • Private subnet

The NAT Gateway will reside in the public subnet, while AWS Glue runs inside the private subnet.

Step 3: Create Internet Gateway

Attach an Internet Gateway to the VPC to provide internet connectivity.

Step 4: Configure Public Route Table

Add route:

0.0.0.0/0 → Internet Gateway

Associate the public subnet with this route table.

Step 5: Allocate Elastic IP

Create an Elastic IP. This static IP will be shared with the client for whitelisting.

Step 6: Create NAT Gateway

Create the NAT Gateway inside the public subnet and attach the Elastic IP.

Step 7: Configure Private Route Table

Add route:

0.0.0.0/0 → NAT Gateway

Associate the private subnet with this route table.

Step 8: Configure Security Group

Add outbound rule:

TCP → Port 27017 → MongoDB Atlas

Inbound rules are not required because AWS Glue initiates the connection.

Step 9: Whitelist Elastic IP

The client must add the Elastic IP under the MongoDB Atlas Network Access settings.

Step 10: Create AWS Glue Connection

Create a MongoDB connection in AWS Glue using:

  • VPC
  • Private subnet
  • Security Group
  • MongoDB connection string

Then test the connection.
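
The audit below is an added example, not code from the original post: it checks a deployed layout against Steps 4 to 9 and returns a finding for each deviation. The top-level keys `glue_subnet_id` and `atlas_access_list` are assumptions; the nested records use the field names of EC2 describe-route-tables, describe-nat-gateways and describe-security-groups output, and every ID and address is constructed.

```python
import ipaddress

def default_route(route_tables, subnet_id):
    """0.0.0.0/0 route of the route table associated with subnet_id, or None."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return next((r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    return None

def audit(cfg):
    """Return findings; an empty list means the layout matches the steps above."""
    out, nat = [], cfg["nat_gateway"]
    eip = ipaddress.ip_address(nat["NatGatewayAddresses"][0]["PublicIp"])
    # Step 7: the Glue subnet leaves through the NAT gateway, not an IGW.
    priv = default_route(cfg["route_tables"], cfg["glue_subnet_id"]) or {}
    if priv.get("NatGatewayId") != nat["NatGatewayId"]:
        out.append("glue subnet default route does not target the NAT gateway")
    # Steps 4 and 6: the NAT gateway's subnet routes 0.0.0.0/0 to the IGW.
    pub = default_route(cfg["route_tables"], nat["SubnetId"]) or {}
    if not pub.get("GatewayId", "").startswith("igw-"):
        out.append("NAT gateway subnet has no default route to an internet gateway")
    # Step 8: no inbound from IP ranges; outbound to IP ranges only on TCP 27017.
    sg = cfg["security_group"]
    if any(p.get("IpRanges") for p in sg.get("IpPermissions", [])):
        out.append("security group admits inbound traffic from IP ranges")
    for p in sg.get("IpPermissionsEgress", []):
        rule = (p.get("IpProtocol"), p.get("FromPort"), p.get("ToPort"))
        if p.get("IpRanges") and rule != ("tcp", 27017, 27017):
            out.append(f"egress rule beyond TCP 27017: {rule}")
    # Step 9: Atlas lists the Elastic IP and nothing wider than one address.
    nets = [ipaddress.ip_network(c, strict=False) for c in cfg["atlas_access_list"]]
    if not any(eip in n for n in nets):
        out.append("Elastic IP missing from the Atlas access list")
    out += [f"Atlas entry {n} is wider than one address" for n in nets if n.prefixlen < 32]
    return out

# Constructed sample shaped like EC2 describe-* output; every ID and IP is made up.
SAMPLE = {
    "glue_subnet_id": "subnet-priv", "atlas_access_list": ["203.0.113.10/32"],
    "nat_gateway": {"NatGatewayId": "nat-0abc", "SubnetId": "subnet-pub",
                    "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
    "route_tables": [
        {"Associations": [{"SubnetId": "subnet-pub"}],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
        {"Associations": [{"SubnetId": "subnet-priv"}],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]}],
    "security_group": {"IpPermissions": [], "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "atlas_access_list_note": "constructed",
}
```

Findings are prompts for review: an egress rule for another port may be intentional, but a wide Atlas entry defeats the purpose of the fixed Elastic IP.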

Benefits of This Architecture

This architecture provides secure connectivity by allowing AWS Glue to remain in a private subnet while accessing MongoDB Atlas via a NAT Gateway. Using an Elastic IP ensures a fixed public IP address, enabling predictable, reliable IP whitelisting on MongoDB Atlas. The solution is highly scalable because AWS Glue automatically scales based on workload requirements without manual intervention. Additionally, it reduces operational overhead by eliminating the need to manually manage EC2-based ETL servers and infrastructure. The overall setup also follows AWS networking and security best practices, making it a production-ready solution for secure and scalable data integration workloads.

Conclusion

Connecting AWS Glue to MongoDB Atlas via a NAT Gateway is a secure, scalable solution for analytics workloads. By routing outbound traffic through a NAT Gateway attached to a fixed Elastic IP, organizations can securely whitelist AWS traffic in MongoDB Atlas.

This architecture provides:

  • Secure private networking
  • Fixed IP-based access control
  • Scalable serverless processing
  • Reduced infrastructure management

For organizations using MongoDB Atlas with IP whitelisting, NAT Gateway and AWS Glue provide a practical, production-ready integration approach.


FAQs

1. Why is NAT Gateway required?

ANS: – AWS Glue running in a private subnet cannot access the internet directly. NAT Gateway provides secure outbound internet access.

2. Why do we use Elastic IP?

ANS: – Elastic IP provides a fixed public IP address that can be whitelisted in MongoDB Atlas.

3. Why are outbound rules used?

ANS: – AWS Glue initiates the connection to MongoDB Atlas, so outbound rules are required.

WRITTEN BY Ravi Kose

Ravi Kose works as a Senior Research Associate at CloudThat. He is a skilled cloud and infrastructure professional with a strong focus on managing infrastructure, security, and cloud migration projects. Ravi has hands-on experience designing secure, scalable, and efficient cloud architectures. With a solid understanding of cloud best practices and tools, he ensures smooth and secure transitions during cloud adoption and modernization initiatives. In his free time, he enjoys exploring emerging cloud technologies and deepening his expertise in DevOps and security practices.
