SB
SB
Securing Cloud Run MongoDB Atlas with a Static IP
Google Cloud
24 May 2025

Securing Cloud Run MongoDB Atlas with a Static IP

Learn how to connect Google Cloud Run to MongoDB Atlas using a fixed egress IP address for better security and control.

When you deploy services on Google Cloud Run, outbound traffic can originate from unpredictable egress IPs, especially problematic when trying to connect securely to services like MongoDB Atlas that rely on IP whitelisting.

In this post, I’ll show you how to connect Cloud Run to MongoDB Atlas using a fixed external IP address. This lets you:

  • ✅ Whitelist a specific IP in MongoDB Atlas
  • ✅ Avoid issues caused by Cloud Run’s dynamic IP ranges
  • ✅ Add a layer of security to your cloud-native architecture

✅ Goal

Securely connect Cloud Run to MongoDB Atlas using a static egress IP, so you can:

  • Limit Atlas access to a single IP (not 0.0.0.0/0)
  • Avoid unexpected connection failures from random IPs
  • Maintain best practices for outbound security and observability

1. 🌐 Reserve a Static IP Address

Go to: VPC Networks → IP Addresses → Reserve Static IP

  • Name: example-static-ip
  • Network Service Tier: Premium
  • IP Version: IPv4
  • Type: Regional
  • Region: Same as your Cloud Run service region

✅ Click Reserve

2. 🧩 Create a VPC Access Connector

Go to: VPC Network → Serverless VPC Access → Create Connector

  • Name: cloudrun-mongo-connector
  • Network: default
  • IP Range: 10.8.0.0/28
  • Region: Same as your Cloud Run region
  • Instance Type: e2-micro (or equivalent)

✅ Create the connector to bridge Cloud Run to your VPC

3. 🚦 Set Up Cloud NAT with Static IP

Go to: Cloud NAT → Create NAT Gateway

  • Name: cloudrun-nat-gateway
  • Region: Same as Cloud Run (asia-southeast2 in this example)
  • Network: default

✅ Click Create new router

  • Router name: cloudrun-nat-router
  • Region: Same as above

✅ Under NAT IP Addresses:

  • Choose Manual
  • Select the static IP you reserved earlier

✅ Subnets: Set to All subnet IP ranges

Click Create

4. 🚀 Deploy Cloud Run with Direct VPC Egress

Go to: Cloud Run → Your Service → Edit & Deploy New Revision

Expand: Container, Networking, Security

Under Networking:

  • ✅ Check: Connect to a VPC for outbound traffic
  • Select: Send traffic directly to a VPC network
  • Network: default
  • Subnet: default
  • ✅ Select: Route all traffic to the VPC

✅ Click Deploy

This ensures that all outbound traffic from your Cloud Run service passes through your VPC and Cloud NAT—using the static IP.

5. 🔒 Add Static IP to MongoDB Atlas

Go to: MongoDB Atlas → Network Access

  • Click: Add IP Address
  • Add: your reserved external static IP
  • Comment: Cloud Run NAT egress IP
  • ✅ Save

Atlas will now only accept connections from that specific IP.

✅ Outcome

Now your Cloud Run service connects to MongoDB Atlas through a secure and stable egress IP, perfect for production and audit-compliant deployments.

No more exposing your database to the world.
No more guessing where your traffic is coming from.

Secure. Predictable. And cloud-native.