What comes to my mind as one of the possible solutions is to create your 3 Droplets in the same data center, with Private Networking enabled and Cloud Firewalls configured.
When you're creating Droplets in the same data center, with Private Networking enabled, you're not exposing your services directly to the Internet, and the bandwidth is not counted towards your total usage.
However, currently, DigitalOcean only offers Shared Private Networking, meaning that other Droplets in the same data center with Private Networking can reach your exposed services, even if they're not on the same account as your 3 Droplets.
DigitalOcean is planning to lock down Private Networking only to Droplets in your account, and the change is planned to go live this month, but there are still no more details about this. The Private Networking FAQ contains more details about this.
In the meantime, the easiest solution to improve the security of your setup and fix the problem is to set up Cloud Firewalls to only allow your servers to access Redis and Mongo.
For example, you can tag your Droplets using the app-production tag, and then in Cloud Firewall allow only Droplets tagged app-production to access those two Droplets.
Using Cloud Firewall, you can also allow only port 443 for your Node server to be accessed over the Internet.
There could be other solutions as well, but this one comes to my mind as the easiest one to set up and maintain.
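Added example, not part of the original answer: the tag-based rules described above written as DigitalOcean API v2 firewall request bodies (the JSON sent to POST /v2/firewalls), with a small audit that reports Redis or Mongo ports left open to public addresses. The firewall names, the `app-data` and `app-web` tags, the allow-all egress rules and the use of default ports 6379 and 27017 are assumptions.

```python
import json

PUBLIC = {"0.0.0.0/0", "::/0"}  # sources meaning "anyone on the Internet"
# Assumption: allow all egress; Cloud Firewalls drop anything not explicitly allowed.
EGRESS = [{"protocol": p, "ports": "1-65535",
           "destinations": {"addresses": sorted(PUBLIC)}} for p in ("tcp", "udp")]

def rule(port, *, tags=None, addresses=None):
    """One inbound TCP rule; the source is either Droplet tags or CIDR addresses."""
    sources = {"tags": tags} if tags else {"addresses": addresses}
    return {"protocol": "tcp", "ports": str(port), "sources": sources}

def build_firewalls(app_tag="app-production"):
    """Return two firewall bodies: one for the data Droplets, one for the Node server."""
    data = {
        "name": "data-tier",   # hypothetical firewall name
        "tags": ["app-data"],  # hypothetical tag carried by the Redis and Mongo Droplets
        "inbound_rules": [rule(6379, tags=[app_tag]),    # Redis default port
                          rule(27017, tags=[app_tag])],  # MongoDB default port
        "outbound_rules": EGRESS,
    }
    web = {
        "name": "web-tier",    # hypothetical firewall name
        "tags": ["app-web"],   # hypothetical tag carried by the Node Droplet
        "inbound_rules": [rule(443, addresses=sorted(PUBLIC))],
        "outbound_rules": EGRESS,
    }
    return [data, web]

def covers(ports, port):
    """True if a ports string ("443", "8000-9000", "0" or "all") includes port."""
    if ports in ("0", "all"):
        return True
    lo, _, hi = ports.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed(firewall, sensitive=(6379, 27017)):
    """Return the sensitive ports that an inbound rule opens to public addresses."""
    hits = set()
    for r in firewall.get("inbound_rules", []):
        if PUBLIC & set(r["sources"].get("addresses", [])):
            hits.update(p for p in sensitive if covers(r["ports"], p))
    return sorted(hits)

if __name__ == "__main__":
    for fw in build_firewalls():
        print(json.dumps(fw, indent=2), "exposed:", exposed(fw))
```

Running `exposed()` over the firewalls already attached to the account catches a port range or an all-ports rule that silently includes 6379 or 27017.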