AWS EC2 target group in public subnet to be registered as a list of static IPs for MongoDB Cloud ACL


We require MongoDB Cloud to be protected with a finite, if possible short, list of IPs. We have EC2 instances as web servers, each with public IPs, in a public subnet (so no need to be private), in 2 AZs of the same region. We also have an autoscaling group.

There is an NLB, serving each of the 2 AZs with a node, therefore 2 public IPs.

Yet, when any given EC2 talks to MongoDB Cloud, the TCP packets appear with source IP = the public IP of that EC2. We don't have control over these IPs, as they are automatically assigned by the autoscaling group when they spawn off, therefore the ACL at MongoDB Cloud can't be easily updated automatically.

Also, I thought that it's important that it is the one EC2 that talks to MongoDB that receives the response... therefore, it shouldn't be the IP of the NLB that is seen by MongoDB, but directly the IP of the EC2 that made the request.

My Q is: What would be the best strategy to maintain a list of IPs at MongoDB Cloud end?


After evaluating multiple solutions proposed by various posts, I am thinking of creating a NAT instance in the public subnet, with a static IP attached to it, to appear as a static SRC IP that can be whitelisted in a third party service such as MongoDB Cloud.

The NLB could still balance inbound TCP packets, as long as the outgoing packets sent by the instance that eventually makes the MongoDB call return to their original source.
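Added example, not from the question or answer above: an offline reconciliation check that computes what must change so the MongoDB Cloud (Atlas) IP access list contains exactly the NAT's Elastic IPs and nothing broader. The address and access-list records are constructed samples, and the check assumes the instances' route table really sends MongoDB-bound traffic through the NAT.

```python
import ipaddress

# Constructed sample: Elastic IPs attached to the NAT instance/gateway
# (shape mirrors the "Addresses" list of `aws ec2 describe-addresses`).
NAT_ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-nat-a"},  # constructed
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-nat-b"},  # constructed
]

# Constructed sample: current Atlas project IP access list entries.
ATLAS_ACCESS_LIST = [
    {"cidrBlock": "203.0.113.10/32", "comment": "nat-az-a"},
    {"ipAddress": "198.51.100.7", "comment": "old web server"},  # stale autoscaled IP
    {"cidrBlock": "0.0.0.0/0", "comment": "temporary"},           # far too broad
]


def desired_entries(addresses):
    """Map each NAT Elastic IP to a single-host /32 access-list entry."""
    return {f"{a['PublicIp']}/32" for a in addresses}


def entry_cidr(entry):
    """Normalise an access-list entry to CIDR form (entries may carry ipAddress or cidrBlock)."""
    return entry.get("cidrBlock") or f"{entry['ipAddress']}/32"


def reconcile(addresses, access_list, max_hosts=1):
    """Return (to_add, to_remove, too_broad) so the access list equals the NAT EIPs.

    Any entry covering more than `max_hosts` addresses is flagged as too broad and
    scheduled for removal even if it happens to contain a NAT address.
    """
    wanted = desired_entries(addresses)
    current = {entry_cidr(e) for e in access_list}
    too_broad = {
        c for c in current
        if ipaddress.ip_network(c, strict=False).num_addresses > max_hosts
    }
    to_add = sorted(wanted - current)
    to_remove = sorted((current - wanted) | too_broad)
    return to_add, to_remove, sorted(too_broad)


if __name__ == "__main__":
    add, remove, broad = reconcile(NAT_ADDRESSES, ATLAS_ACCESS_LIST)
    print("add:", add)        # entries the NAT uses but Atlas does not yet allow
    print("remove:", remove)  # stale autoscaled IPs and over-broad ranges
    print("too broad:", broad)
```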