Navigation

Configure IP Access List Entries

Atlas only allows client connections to the cluster from entries in the project's IP access list. Each entry is either a single IP address or a CIDR -notated range of addresses. For AWS clusters with one or more VPC Peering connections to the same AWS region, you can specify a Security Group associated with a peered VPC .

For Atlas clusters deployed on Google Cloud Platform (GCP) or Microsoft Azure, add the IP addresses of your GCP or Azure services to Atlas project IP access list to grant those services access to the cluster.

The IP access list applies to all clusters in the project and can have up to 200 IP access list entries, with the following exception: projects with an existing sharded cluster created before August 25, 2017 can have up to 100 IP access list entries.

Atlas supports creating temporary IP access list entries that expire within a user-configurable 7-day period.

Atlas audits the creation, deletion, and updates of both temporary and permanent IP access list entries in the project's Activity Feed.

To view the project's Activity Feed, click Activity Feed in the Project section of the left navigation pane.

Bulb IconTip
See Also:

View All Activity

Info With Circle IconCreated with Sketch.Note
Activity Feed Considerations
  • Atlas does not report updates to a IP access list entry's comment in the Activity Feed.
  • When you modify the address of a IP access list entry, the Activity Feed reports two new activities: one for the deletion of the old entry and one for the creation of the new entry.

In the Security section of the left navigation, click Network Access. The IP Access List tab displays.

IP AddressIP address or CIDR block. If this cluster is hosted on AWS , you can provide an AWS Security Group ID as well.
CommentDescription or other information about the access list entry.
Status

Status of the IP access list entry:

StatusDescription
InactiveAtlas is not using the IP access list entry. No cloud provider containers are provisioned for the project.
PendingAtlas is configuring the IP access list entry for the project.
ActiveAtlas has configured the IP access list entry for every container provisioned in the project.
Active in regions: <regions>Atlas has configured the IP access list entry for every container provisioned in the project for the regions listed, but not any other containers that exist for the project. This applies to AWS security groups only.
FailedAtlas could not configure the IP access list entry for every container provisioned for the project.
ActionsOptions to Edit or Delete.
1
  1. In the Security section of the left navigation, click Network Access. The IP Access List tab displays.
  2. Click Add IP Address.
2
Important With Circle IconCreated with Sketch.Important

Ensure that you add the IP address you will use to access MongoDB as the admin user.

Enter the desired IP address or CIDR -notated range of addresses:

EntryGrants
An IP addressAccess from that address.
A CIDR -notated range of IP addresses

Access from the designated range of addresses.

For peer VPC connections, you can specify the CIDR block (or a subset) or the associated Security Group.

The Internet provides online tools for converting a range of IP addresses to CIDR , such as http://www.ipaddressguide.com/cidr.

Important With Circle IconCreated with Sketch.Important

Adding the CIDR 0.0.0.0/0 allows access from anywhere. Ensure that strong credentials (username and password) are used for all database users when allowing access from anywhere.

Security Group ID (AWS Only)

Access via Security Group membership from a peered VPC.

Important With Circle IconCreated with Sketch.Important

Atlas does not support adding AWS security groups to IP access lists in projects with VPC peering connections in multiple regions.

3

Check the Save as temporary access list option to specify a length of time that the IP address will be added. After this time, Atlas removes the address from the IP access list. You can select one of the following time periods for the address to be added:

  • 6 hours
  • 1 day
  • 1 week

In the IP Access List view, temporary access list entries display the time remaining until the address will expire. Once the IP address expires and is deleted, any client or application attempting to connect to the cluster from the address can't access the cluster.

Info With Circle IconCreated with Sketch.Note

You cannot set AWS security groups as temporary access list entries.

4

You can use the Atlas API to add existing IP access list entries.

1

In the Security section of the left navigation, click Network Access. The IP Access List tab displays.

2

Edit the target IP access list entry

Click Edit for the entry you want to modify.

You can modify the IP address or CIDR block of the entry and the comment associated with the entry. If the entry is temporarily added, Atlas displays the remaining time until it will remove the entry and a dropdown to modify the duration of the IP access list entry or convert it to a permanent entry.

Info With Circle IconCreated with Sketch.Note

You can't change a permanent IP access list entry to be temporary.

3

You can use the Atlas API to modify existing IP access list entries.

Important With Circle IconCreated with Sketch.Important

When you remove an entry from the IP access list, existing connections from the removed address(es) may remain open for a variable amount of time. How much time passes before Atlas closes the connection depends on several factors, including:

  • how the connection was established
  • how the application or driver using the address behaves
  • which protocol (like TCP or UDP ) the connection uses
1

In the Security section of the left navigation, click Network Access. The IP Access List tab displays.

2

Click Delete for the desired entry.

3

You can use the Atlas API to delete existing users.

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.

Give Feedback