Conceptual Article
Restricting MongoDB's Network Exposure
By Mark Drake
Manager, Developer Education
The most fundamental way you can protect the data you store in MongoDB is to limit network access to the server on which the database is running. One way to do this is to provision a virtual private network (VPN). A VPN presents its connection as if it were a local private network, allowing for secure communications between the servers within it. By running MongoDB behind a VPN, you can block access to any machine that isn’t connected to the same VPN.
On its own, though, a VPN may not be enough to prevent unauthorized users from accessing your MongoDB installation. For instance, there may be a large number of people who need access to your VPN but only a few of them need access to your Mongo database. You could have more granular control over who has access to your data by setting up a firewall on your database server.
A firewall provides network security by filtering incoming and outgoing traffic based on a set of user-defined rules. Firewall tools generally allow you to define rules with a high level of precision, giving you the flexibility to grant connections from specific IP addresses access to specific ports on your server. For example, you could write rules that would only allow an application server access to the port on your database server used by a MongoDB installation.
Another way to limit your database’s network exposure is to configure IP binding. By default, MongoDB is bound only to localhost upon installation. This means that, without further configuration, a fresh Mongo installation will only be able to accept connections that originate from localhost, or the same server on which the MongoDB instance is installed.
This default setting is secure, since it means the database is only accessible to those who already have access to the server on which it’s installed. However, this setting will cause problems if you need to access the database remotely from another machine. In such cases, you can additionally bind your instance to an IP address or hostname where the remote computer can reach the database server.
Related resources
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
Tutorial Series: MongoDB Security: Best Practices to Keep Your Data Safe
MongoDB, also known as Mongo, is a document database used in many modern web applications. As with any database management system, it’s critical that those responsible for managing a Mongo database adhere to the recommended security best practices, both to prevent data from being lost in the event of a disaster and to keep it out of the hands of malicious actors.
This series of conceptual articles provides a high-level overview of MongoDB’s built-in security features while also highlighting some general database security best practices.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Get our biweekly newsletter
Sign up for Infrastructure as a Newsletter.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Become a contributor
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
