Security Features and Setup¶

On this page

Network and Firewall Requirements¶

Make sure your application can reach your MongoDB Atlas environment. To add the inbound network access from your application environment to Atlas, do one of the following:

Add the public IP addresses to your IP access list
Use VPC / VNet peering to add private IP addresses.

Preconfigured Security Features¶

The following security features are part of the Atlas product:

TLS/SSL¶

Atlas uses TLS/SSL to encrypt the connections to your databases.

Virtual Private Cloud¶

Important

If this is the first M10+ dedicated paid cluster for the selected region or regions and you plan on creating one or more VPC peering connections, please review the documentation on VPC peering connections before continuing.

Required Security Features¶

You must configure the following security features:

IP Access List¶

Atlas only allows client connections to the cluster from entries in the project’s IP access list. To connect, you must add an entry to the IP access list. To set up the IP access list for the project, see Configure IP Access List Entries.

For Atlas clusters deployed on Google Cloud Platform (GCP) or Microsoft Azure, add the IP addresses of your GCP or Azure services to Atlas project IP access list to grant those services access to the cluster.

User Authentication/Authorization¶

Atlas requires clients to authenticate to access the clusters, that is, the MongoDB databases. You must create database users to access the database. To set up database users to your clusters, see Configure Database Users.

To access clusters in a project, users must belong to that project. Users can belong to multiple projects.

Optional Security Features¶

You may configure the following security features:

Custom Roles¶

Atlas supports creating custom roles in cases where the built-in Atlas database user privileges cannot describe your desired set of privileges.

VPC Peering¶

Atlas supports VPC peering with other AWS, Azure, or GCP VPCs. To use VPC Peering, see Set up a Network Peering Connection.

Private Endpoints¶

Atlas supports private endpoints on:

AWS using the AWS PrivateLink feature, and
Azure using the Azure Private Link feature.

To use private endpoints, see Set up a Private Endpoint.

Two Factor Authentication¶

Atlas supports Two Factor Authentication (2FA) to help users control access to their Atlas accounts. To use 2FA, see Legacy Two Factor Authentication.

User Authentication/Authorization with LDAP¶

Atlas supports performing user authentication and authorization with LDAP. To use LDAP, see Set up User Authentication and Authorization with LDAP.

Unified AWS Access¶

Some Atlas features, including Data Lakes and Encryption at Rest using Customer Key Management, use AWS IAM roles for authentication.

To set up an AWS IAM role for Atlas to use, see Set Up Unified AWS Access.

Encryption at Rest using your Key Management¶

Atlas supports using AWS KMS, Azure Key Vault, and GCP to encrypt storage engines and cloud provider backups. To use encryption at rest, see Encryption at Rest using Customer Key Management.

Client-Side Field Level Encryption¶

Atlas supports client-side field level encryption, including automatic encryption of fields.

Note

All Atlas users are entitled to use MongoDB’s automatic client-side field level encryption features.

Prerequisites¶

Minimum Driver and mongo Version

The following support client-side field level encryption:

Official MongoDB drivers compatible with MongoDB Server 4.2 and later, or
mongo shell 4.2 and later.

For more information on official MongoDB drivers, see MongoDB Drivers.

Minimum Server Version

Drivers and the mongo shell can only use client-side field level encryption if connected to a Atlas cluster running MongoDB 4.2 or later.

Note

MongoDB Compass, the Data Explorer, and the MongoDB Shell (mongosh) do not support decrypting client-side field level-encrypted fields.

Database Auditing¶

Atlas supports auditing all system event actions. To use database auditing, see Set up Database Auditing.

Restrict MongoDB Support Access to Atlas Backend Infrastructure¶

Organization owners can restrict MongoDB Production Support Employees from accessing Atlas backend infrastructure for any Atlas cluster in their organization. Organization owners may grant a 24 hour bypass to the access restriction at the Atlas cluster level.

Important

Restricting infrastructure access for MongoDB Production Support Employees may increase support issue response and resolution time and negatively impact cluster availability.

To enable this option, see Restrict MongoDB Support Access to Atlas Backend Infrastructure.

Access Tracking¶

Atlas surfaces authentication logs directly in the UI so that you can easily review successful and unsuccesful authentication attempts made against your clusters. To view your database access history, see View Database Access History.

Allow Access to or from the Atlas Control Pane¶

If you use any of the following Atlas features, you might have to add Atlas IP addresses to your network’s IP access list:

Required Outbound Access¶

If your network allows outbound HTTP requests only to specific IP addresses, you must allow access to the following IP addresses so that your API requests can reach the Atlas control plane:

copy

214.160.189
248.140.125
248.203.97
248.214.115
210.185.2
210.245.203
194.251.66
230.213.36
210.185.2
192.82.120
210.245.203
235.209.93
227.138.166
204.237.208
232.30.107
233.179.140
233.152.179
172.148.213
172.245.18
192.82.120
233.152.179
233.179.140
172.148.213
172.245.18
2.1.110
223.14.2
223.77.37
223.84.31
83.223.45

Required Inbound Access¶

If your network allows inbound HTTP requests only from specific IP addresses, you must allow access from the following IP addresses so that Atlas can communicate with your webhooks and KMS:

copy

214.178.145
235.145.62
235.30.157
235.48.235
193.242.51
196.151.229
200.66.236
235.52.68
153.40.82
169.184.216
171.106.60
174.179.65
174.230.146
175.93.3
175.94.38
175.95.59
71.233.234
87.98.128
20.0.247
20.107.166

← Atlas Replica Set Tags View Database Access History →