Security Features and Setup¶
On this page
- Network and Firewall Requirements
- Preconfigured Security Features
- Virtual Private Cloud
- Required Security Features
- IP Access List
- User Authentication/Authorization
- Optional Security Features
- Custom Roles
- VPC Peering
- Private Endpoints
- Two Factor Authentication
- User Authentication/Authorization with LDAP
- Unified AWS Access
- Encryption at Rest using your Key Management
- Client-Side Field Level Encryption
- Database Auditing
- Restrict MongoDB Support Access to Atlas Backend Infrastructure
- Access Tracking
- Allow Access to or from the Atlas Control Plane
- Allow Access to Data Lake
- OCSP Certificate Revocation Check
Network and Firewall Requirements¶
Make sure your application can reach your MongoDB Atlas environment. To add the inbound network access from your application environment to Atlas, do one of the following:
- Add the public IP addresses to your IP access list
- Use VPC / VNet peering to add private IP addresses.
If your firewall blocks outbound network connections, you must also open outbound access from your application environment to Atlas. You must configure your firewall to allow your applications to make outbound connections to ports 27015 to 27017 to TCP traffic on Atlas hosts. This grants your applications access to databases stored on Atlas.
By default, MongoDB Atlas clusters do not need to be able to initiate connections to your application environments. If you wish to enable Atlas clusters with LDAP authentication and authorization, you must allow network access from Atlas clusters directly to your secure LDAP. You can allow access to your LDAP by using public or private IPs as long as a public DNS hostname points to an IP that the Atlas clusters can access.
If you are not using VPC / VNet peering and plan to connect to Atlas using public IP addresses, see the following pages for additional information:
Preconfigured Security Features¶
The following security features are part of the Atlas product:
Atlas uses TLS/SSL to encrypt the connections to your databases.
To configure SSL or TLS OCSP certificate revocation checking, see OCSP Certificate Revocation Check.
Virtual Private Cloud¶
If this is the first
M10+ dedicated paid cluster for the
selected region or regions and you plan on creating one or more
VPC peering connections, please review the documentation
on VPC peering connections before continuing.
Required Security Features¶
You must configure the following security features:
IP Access List¶
Atlas only allows client connections to the database deployment from entries in the project's IP access list. To connect, you must add an entry to the IP access list. To set up the IP access list for the project, see Configure IP Access List Entries.
For Atlas clusters deployed on Google Cloud Platform (GCP) or Microsoft Azure, add the IP addresses of your GCP or Azure services to Atlas project IP access list to grant those services access to the cluster.
Atlas requires clients to authenticate to access the database deployments. You must create database users to access the database. To set up database users to your database deployments, see Configure Database Users.
To access database deployments in a project, users must belong to that project. Users can belong to multiple projects.
Optional Security Features¶
You may configure the following security features:
Atlas supports VPC peering with other AWS, Azure, or GCP VPCs. To use VPC Peering, see Set up a Network Peering Connection.
Atlas supports private endpoints on:
To use private endpoints, see Set up a Private Endpoint.
Two Factor Authentication¶
Atlas supports Two Factor Authentication (2FA) to help users control access to their Atlas accounts. To use 2FA, see Legacy Two Factor Authentication.
User Authentication/Authorization with LDAP¶
Atlas supports performing user authentication and authorization with LDAP. To use LDAP, see Set up User Authentication and Authorization with LDAP.
Unified AWS Access¶
To set up an AWS IAM role for Atlas to use, see Set Up Unified AWS Access.
Encryption at Rest using your Key Management¶
Atlas supports using AWS KMS, Azure Key Vault, and GCP to encrypt storage engines and cloud provider backups. To use encryption at rest, see Encryption at Rest using Customer Key Management.
Client-Side Field Level Encryption¶
All Atlas users are entitled to use MongoDB's automatic client-side field level encryption features.
- Minimum Driver and
The following support client-side field level encryption:
- Official MongoDB drivers compatible with MongoDB Server 4.2 and later, or
mongoshv0.8.0 and later.
For more information on official MongoDB drivers, see MongoDB Drivers.
- Minimum Server Version
- Drivers and
mongoshcan only use client-side field level encryption if connected to a Atlas database deployment running MongoDB 4.2 or later.
Atlas supports auditing all system event actions. To use database auditing, see Set up Database Auditing.
Restrict MongoDB Support Access to Atlas Backend Infrastructure¶
Organization owners can restrict MongoDB Production Support Employees from accessing Atlas backend infrastructure for any Atlas database deployment in their organization. Organization owners may grant a 24 hour bypass to the access restriction at the Atlas database deployment level.
Restricting infrastructure access for MongoDB Production Support Employees may increase support issue response and resolution time and negatively impact your database deployment's availability.
To enable this option, see Restrict MongoDB Support Access to Atlas Backend Infrastructure.
Atlas surfaces authentication logs directly in the UI so that you can easily review successful and unsuccesful authentication attempts made against your database deployments. To view your database access history, see View Database Access History.
Allow Access to or from the Atlas Control Plane¶
If you use any of the following Atlas features, you might have to add Atlas IP addresses to your network's IP access list:
Required Outbound Access¶
If your network allows outbound HTTP requests only to specific IP addresses, you must allow access to the following IP addresses so that your API requests can reach the Atlas control plane:
18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168
Required Inbound Access¶
If your network allows inbound HTTP requests only from specific IP addresses, you must allow access from the following IP addresses so that Atlas can communicate with your webhooks and KMS:
22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199
Allow Access to Data Lake¶
If your network allows outbound requests to specific IP addresses only, you must allow access to the following IP addresses on TCP port 27017 so that your requests can reach Data Lake:
188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
OCSP Certificate Revocation Check¶
If your network allows outbound requests to specific IP addresses only, to allow SSL or TLS OCSP certificate revocation checking, you must allow access to Atlas' CA (Certificate Authority) OCSP Responder servers that can be found in the OCSP URL of the SSL or TLS certificate.
To disable OCSP certificate revocation checking, refer to the documentation for the MongoDB driver version that your application uses.