I have my appServers tagged as apps and my database server(s) tagged as db Using purely digital ocean’s firewalls, create 2 rules: tag:db rules Incoming SSH from anywhere connections only from tag:apps on port 27017. Outgoing Anything goes tag:apps rules Incoming SSH from anywhere 80/443 from anywhere Outgoing Anything goes This seems to make a lot of sense and I feel like I : Don’t need to Setup ufw on any servers, because that’s already taken care of Don’t need to Restrict incoming connections by ip with mongodb config. I can just bind to 0.0.0.0 and accept from “anywhere” since DO-firewall already does that filtering. Don’t need to enable auth in mongodb, (would only need to do this if sql injection was a legitimate fear) Could anyone help me understand why I should security-wise?

Don’t need to Setup ufw on any servers, because that’s already taken care of
Don’t need to Restrict incoming connections by ip with mongodb config. I can just bind to 0.0.0.0 and accept from “anywhere” since DO-firewall already does that filtering.
Don’t need to enable auth in mongodb, (would only need to do this if sql injection was a legitimate fear)

Could anyone help me understand why I should security-wise?

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Kamal Nasser

September 8, 2017

That looks good to me! As long as you have your DO Firewalls configured properly (sounds like you do!), you won’t need to set up UFW or IPTables on your Droplet.

I agree with the first two points but not so much the third. I recommend setting up auth in MongoDB either way. This will keep your data safe in case something goes wrong and yours databases become publicly accessible for some reason. Better be safe than sorry!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

View all products

Get started for free

Get started

*This promotional offer applies to new accounts only.