Security Features and Setup

Network and Firewall Requirements

Make sure your application can reach your MongoDB Atlas environment. To add the inbound network access from your application environment to Atlas, do one of the following:

Add the public IP addresses to your IP access list
Use VPC / VNet peering to add private IP addresses.

Tip

Preconfigured Security Features

The following security features are part of the Atlas product:

TLS/SSL

Atlas uses TLS/SSL to encrypt the connections to your databases.

To configure SSL or TLS OCSP certificate revocation checking, see OCSP Certificate Revocation Check.

Virtual Private Cloud

Important

If this is the first M10+ dedicated paid cluster for the selected region or regions and you plan on creating one or more VPC peering connections, please review the documentation on VPC peering connections before continuing.

Encrypted Storage

By default, Atlas encrypts all data stored on M10 or higher Atlas clusters. If your existing cluster doesn't have encryption enabled, you can enable encryption by editing your Cluster Tier. Atlas also supports Encryption at Rest using your Key Management.

Required Security Features

You must configure the following security features:

IP Access List

Atlas only allows client connections to the database deployment from entries in the project's IP access list. To connect, you must add an entry to the IP access list. To set up the IP access list for the project, see Configure IP Access List Entries.

For Atlas clusters deployed on Google Cloud Platform (GCP) or Microsoft Azure, add the IP addresses of your Google Cloud or Azure services to Atlas project IP access list to grant those services access to the cluster.

User Authentication/Authorization

Atlas requires clients to authenticate to access the database deployments. You must create database users to access the database. To set up database users to your database deployments, see Configure Database Users.

To access database deployments in a project, users must belong to that project. Users can belong to multiple projects.

Tip

Optional Security Features

You may configure the following security features:

Custom Roles

Atlas supports creating custom roles in cases where the built-in Atlas database user privileges cannot describe your desired set of privileges.

VPC Peering

Atlas supports VPC peering with other AWS, Azure, or Google Cloud VPCs. To use VPC Peering, see Set up a Network Peering Connection.

Private Endpoints

Atlas supports private endpoints on:

AWS using the AWS PrivateLink feature
Azure using the Azure Private Link feature
Google Cloud using the Google Cloud Private Service Connect feature

To use private endpoints, see Set up a Private Endpoint for Dedicated Cluster.

Two Factor Authentication

Atlas supports Two Factor Authentication (2FA) to help users control access to their Atlas accounts. To use 2FA, see Legacy Two Factor Authentication.

User Authentication/Authorization with LDAP

Atlas supports performing user authentication and authorization with LDAP. To use LDAP, see Set up User Authentication and Authorization with LDAP.

Unified AWS Access

Some Atlas features, including Data Lakes and Encryption at Rest using Customer Key Management, use AWS IAM roles for authentication.

To set up an AWS IAM role for Atlas to use, see Set Up Unified AWS Access.

Encryption at Rest using your Key Management

Atlas supports using AWS KMS, Azure Key Vault, and Google Cloud to encrypt storage engines and cloud provider backups. To use encryption at rest, see Encryption at Rest using Customer Key Management.

Client-Side Field Level Encryption

Atlas supports client-side field level encryption, including automatic encryption of fields.

Note

All Atlas users are entitled to use MongoDB's automatic client-side field level encryption features.

Prerequisites

Minimum Driver and mongosh Version

The following support client-side field level encryption:

Official MongoDB drivers compatible with MongoDB Server 4.2 and later, or
mongosh v0.8.0 and later.

For more information on official MongoDB drivers, see MongoDB Drivers.

Minimum Server Version

Drivers and mongosh can only use client-side field level encryption if connected to a Atlas database deployment running MongoDB 4.2 or later.

Note

MongoDB Compass, the Data Explorer, and the MongoDB Shell (mongosh) do not support decrypting client-side field level-encrypted fields.

Tip

Database Auditing

Atlas supports auditing all system event actions. To use database auditing, see Set up Database Auditing.

Restrict MongoDB Support Access to Atlas Backend Infrastructure

Organization owners can restrict MongoDB Production Support Employees from accessing Atlas backend infrastructure for any Atlas database deployment in their organization. Organization owners may grant a 24 hour bypass to the access restriction at the Atlas database deployment level.

Important

Blocking infrastructure access from MongoDB Support may increase support issue response and resolution time and negatively impact your database deployment's availability.

To enable this option, see Block MongoDB Support Access to Atlas Infrastructure.

Access Tracking

Atlas surfaces authentication logs directly in the UI so that you can easily review successful and unsuccesful authentication attempts made against your database deployments. To view your database access history, see View Database Access History.

Allow Access to or from the Atlas Control Plane

If you use any of the following Atlas features, you might have to add Atlas IP addresses to your network's IP access list:

Required Outbound Access

If your network allows outbound HTTP requests only to specific IP addresses, you must allow access to the following IP addresses so that your API requests can reach the Atlas control plane:

3.214.160.189
13.248.140.125
13.248.203.97
13.248.214.115
18.210.185.2
18.210.245.203
18.232.30.107
18.235.209.93
34.192.82.120
34.194.131.15
34.194.251.66
34.195.194.204
34.227.138.166
34.230.213.36
34.233.152.179
34.233.179.140
35.172.148.213
35.172.245.18
54.147.76.65
54.204.237.208
75.2.1.110
76.223.14.2
76.223.77.37
76.223.84.31
99.83.223.45

Required Inbound Access

If your network allows inbound HTTP requests only from specific IP addresses, you must allow access from the following IP addresses so that Atlas can communicate with your webhooks and KMS:

3.211.96.35
18.214.178.145
18.235.145.62
18.235.30.157
18.235.48.235
34.193.242.51
34.196.151.229
34.200.66.236
34.235.52.68
35.153.40.82
35.169.184.216
35.171.106.60
35.174.179.65
35.174.230.146
35.175.93.3
35.175.94.38
35.175.95.59
50.19.91.100
52.71.233.234
52.73.214.87
52.87.98.128
54.145.247.111
54.163.55.77
107.20.0.247
107.20.107.166

Allow Access to Data Lake

If your network allows outbound requests to specific IP addresses only, you must allow access to the following IP addresses on TCP port 27017 so that your requests can reach Data Lake:

18.204.47.197
34.237.78.67
54.91.120.155
34.217.220.13
54.203.115.97
54.69.142.129
108.129.35.102
18.200.7.156
99.81.123.21
3.8.218.156
3.9.125.156
3.9.90.17
18.196.201.253
3.122.67.212
35.158.226.227
13.54.14.65
52.64.205.136
3.6.3.105
65.1.222.250

OCSP Certificate Revocation Check

If your network allows outbound requests to specific IP addresses only, to allow SSL or TLS OCSP certificate revocation checking, you must allow access to Atlas' CA (Certificate Authority) OCSP Responder servers that can be found in the OCSP URL of the SSL or TLS certificate.

To disable OCSP certificate revocation checking, refer to the documentation for the MongoDB driver version that your application uses.

← Troubleshoot Connection Issues Quickstart: Configure Access to Your Cluster →

Security Features and Setup.css-1nnt501{-webkit-align-self:center;-ms-flex-item-align:center;align-self:center;visibility:hidden;padding:0 10px;}.css-1qgrahw{margin-top:-225px;position:absolute;}