LDAP Authentication: Allow Private Endpoint to the customer
Currently, LDAP Authentication from Atlas to a customer's LDAP service can go via the Internet or via VPC peering. In lieu of VPC peering, I propose using a Private Endpoint FROM Atlas TO a customer VPC that hosts the LDAP service.
NOTE: This would NOT be using the same Private Endpoint connection that Atlas currently supports today, which allows customers to reach their clusters privately (Customer -> Atlas).
This would be an additional Private Endpoint in the other direction (Atlas -> Customer).
Advantages of using Private Endpoint vs VPC peering:
* Security: The customer VPC is not exposed to Atlas, just the LDAP service.
* Configuration: The customer won't need to verify that the Atlas VPC CIDR doesn't conflict with the customer CIDR.
* Scalability: Each Project requires a separate VPC peering connection, which forces the customer to keep every Project VPC CIDR non-overlapping. In contrast, the same LDAP Private Endpoint can be shared with multiple Project VPCs.
* Complexity: Configuring a Private Endpoint is less complex than a VPC peering connection, both for Atlas and for the customer.
* Routing/security groups: The customer does not need to configure VPC routing, nor do they need to configure security groups to protect resources in the VPC.
In AWS, the customer LDAP service would need to be hosted as a Network Load Balancer. The good news is that NLB targets can be hosts in AWS or in a customer data center.
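As an added illustration (not part of the original proposal, and not something Atlas supports today), this is what the customer side of such an endpoint could look like in Terraform for AWS: an internal NLB fronting an LDAPS target that may sit in the VPC or in the customer data center, exposed through a VPC endpoint service. The subnet, VPC, target address and the consumer account ARN are all placeholders.

```hcl
resource "aws_lb" "ldap" {
  name               = "ldap-private-endpoint"
  load_balancer_type = "network"
  internal           = true   # not reachable from the Internet
  subnets            = ["subnet-0123456789abcdef0"]   # placeholder
}

# IP targets may be hosts in this VPC or in the customer data center.
resource "aws_lb_target_group" "ldaps" {
  name        = "ldaps-636"
  port        = 636
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = "vpc-0123456789abcdef0"   # placeholder

  health_check {
    protocol = "TCP"
    port     = "636"
  }
}

resource "aws_lb_target_group_attachment" "onprem_ldap" {
  target_group_arn  = aws_lb_target_group.ldaps.arn
  target_id         = "192.0.2.10"   # constructed on-prem LDAP address
  port              = 636
  availability_zone = "all"          # needed for IPs outside the VPC CIDR
}

# Only LDAPS is forwarded; plain LDAP on 389 has no listener.
resource "aws_lb_listener" "ldaps" {
  load_balancer_arn = aws_lb.ldap.arn
  port              = 636
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ldaps.arn
  }
}

# Endpoint service the consumer side would connect to; acceptance_required
# means every connection request is approved by the customer.
resource "aws_vpc_endpoint_service" "ldap" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.ldap.arn]
  allowed_principals         = ["arn:aws:iam::111122223333:root"]   # placeholder
}
```

Because traffic reaches the NLB from the endpoint's network interface rather than from the consumer's own address range, `allowed_principals` and connection acceptance, not IP allowlists on the LDAP host, are what control who can consume the service.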