Security Features and Setup¶
On this page
Network and Firewall Requirements¶
If you use a whitelist on your firewall for network ports, open ports 27015 to 27017 to TCP and UDP traffic on Atlas hosts. This grants your applications access to databases stored on Atlas.
To configure your application-side networks to accept Atlas traffic, we recommend using the
Atlas API Get All Clusters endpoint to retrieve mongoURI from the
response elements. You can also use the Get All MongoDB
Processes endpoint to retrieve cluster
hostnames (mongo-shard-00-00.mongodb.net, mongo-shard-00-01.mongodb.net etc).
You can parse these hostname values and feed the IP addresses programatically into your application-tier orchestration automation to push firewall updates.
Preconfigured Security Features¶
The following security features are part of the Atlas product:
TLS/SSL¶
Atlas uses TLS/SSL to encrypt the connections to your databases.
Virtual Private Cloud¶
Important
If this is the first M10+ dedicated paid cluster for the selected
region or regions and you plan on creating one or more VPC
peering connections, please review the documentation on VPC peering
connections before continuing.
Required Security Features¶
You must configure the following security features:
Whitelist¶
Atlas only allows client connections to the cluster from entries in the project’s whitelist. To connect, you must add an entry to the whitelist. To set up the whitelist for the project, see Configure Whitelist Entries.
For Atlas clusters deployed on Google Cloud Platform (GCP) or Microsoft Azure, add the IP addresses of your GCP or Azure services to Atlas project IP whitelist to grant those services access to the cluster.
User Authentication/Authorization¶
Atlas requires clients to authenticate to access the clusters, i.e. the MongoDB databases. You must create MongoDB users to access the database. To set up MongoDB users to your clusters, see Configure MongoDB Users.
To access clusters in a project, users must belong to that project. Users can belong to multiple projects. See Atlas Access.
Optional Security Features¶
You may configure the following security features:
Custom MongoDB Roles¶
Atlas supports creating custom MongoDB roles in cases where the built-in Atlas database user privileges cannot describe your desired set of privileges.
VPC Peering (AWS and GCP)¶
Atlas supports VPC peering with other AWS or GCP VPCs. To use VPC Peering, see Set up a Network Peering Connection.
Two Factor Authentication¶
Atlas supports Two Factor Authentication (2FA) to help users control access to their Atlas accounts. To use 2FA, see Two Factor Authentication.
User Authentication/Authorization with LDAP¶
Atlas supports performing user authentication and authorization with LDAP. To use LDAP, see Set up User Authentication and Authorization with LDAP.
Encryption at Rest using your Key Management¶
Atlas supports using AWS KMS, Azure Key Vault, and Google Cloud Platform to encrypt storage engines and cloud provider backups. To use encryption at rest, see Encryption at Rest Using Your Key Management.
Database Auditing¶
Atlas supports auditing all system event actions. To use database auditing, see Set up Database Auditing.
Restrict MongoDB Support Access to Atlas Backend Infrastructure¶
Organization owners can restrict MongoDB Production Support Employees from accessing Atlas backend infrastructure for any Atlas cluster in their organization. Organization owners may grant a 24 hour bypass to the access restriction at the Atlas cluster level.
Important
Restricting infrastructure access for MongoDB Production Support Employees may increase support issue response and resolution time and negatively impact cluster availability.
To enable this option, see Restrict MongoDB Support Access to Atlas Backend Infrastructure.