// Tutorial //

How To Configure Remote Access for MongoDB on Ubuntu 20.04

Published on July 31, 2020 · Updated on July 31, 2020
Default avatar
By Mark Drake
Manager, Developer Education
English
How To Configure Remote Access for MongoDB on Ubuntu 20.04
Not using Ubuntu 20.04?Choose a different version or distribution.
Ubuntu 20.04

An earlier version of this tutorial was written by Melissa Anderson.

Introduction

MongoDB is a document-oriented database used in many modern web applications. By default, it only allows connections that originate on the same server where it’s installed. If you want to manage MongoDB remotely or connect it to a separate application server, there are a few changes you’d need to make to the default configuration.

In this tutorial, you will configure a MongoDB installation to securely allow access from a trusted remote computer. To do this, you’ll update your firewall rules to provide the remote machine access to the port on which MongoDB is listening for connections and then update its configuration file to change its IP binding setting. Then, as a final step, you’ll test that your remote machine is able to make the connection to your database successfully.

Prerequisites

To complete this tutorial, you’ll need:

  • A server running Ubuntu 20.04. This server should have a non-root administrative user and a firewall configured with UFW. Set this up by following our initial server setup guide for Ubuntu 20.04.
  • MongoDB installed on your server. This tutorial assumes that you have MongoDB 4.4 or newer installed. You can install this version by following our tutorial on How To Install MongoDB on Ubuntu 20.04.
  • A second computer from which you’ll access your MongoDB instance. For simplicity, this tutorial assumes that this machine is another Ubuntu 20.04 server, with a non-root administrative user and a UFW firewall configured following our initial server setup guide for Ubuntu 20.04. However, Steps 1 and 2, which describe the actual procedure for enabling remote connectivity on the database server, will work regardless of what operating system the remote machine is running.

Note: Lastly, while it isn’t required to complete this tutorial, we strongly recommend that you secure your MongoDB installation by creating an administrative user account for the database and enabling authentication. To do this, follow our tutorial on How To Secure MongoDB on Ubuntu 20.04.

Additionally, you can consult the official MongoDB recommendations on security hardening as well as their security checklist.

Step 1 — Adjusting the Firewall

Assuming you followed the prerequisite initial server setup tutorial and enabled a UFW firewall on your server, your MongoDB installation will be inaccessible from the internet. If you intend to use MongoDB only locally with applications running on the same server, this is the recommended and secure setting. However, if you would like to be able to connect to your MongoDB server from a remote location, you have to allow incoming connections to the port where the database is listening by adding a new UFW rule.

Start by checking which port your MongoDB installation is listening on with the lsof command. This command typically returns a list with every open file in a system, but when combined with the -i option, it lists only network-related files or data streams.

The following command will redirect the output produced by lsof -i to a grep command that searches for a string named mongo:

  1. sudo lsof -i | grep mongo

This example output shows that MongoDB is listening for connections on its default port, 27017:

Output
mongod 82221 mongodb 11u IPv4 913411 0t0 TCP localhost:27017 (LISTEN)

In most cases, MongoDB should only be accessed from certain trusted locations, such as another server hosting an application or a local machine from used to manage a remote MongoDB instance. One way to configure this is to run the following command on your MongoDB server, which opens up access on MongoDB’s default port while explicitly only allowing the IP address of the other trusted machine.

Run the following command, making sure to change trusted_machine_ip to the IP address of the trusted remote computer you’ll use to access your MongoDB instance.

Note: If you aren’t sure of the trusted machine’s IP address, you can run the following curl command. This will access the website icanhazip.com, which will return the IP address of the machine from which you run the command:

curl -4 icanhazip.com

Also, if the previous command’s output showed your installation of MongoDB is listening on a non default port, use that port number in place of 27017 in this command:

  1. sudo ufw allow from trusted_machine_ip to any port 27017

In the future, if you ever want to access MongoDB from another machine, run this command again with the new machine’s IP address in place of trusted_machine_ip.

You can verify the change in firewall settings with ufw:

  1. sudo ufw status

The output will show that traffic to port 27017 from the remote server is now allowed:

Output
Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere 27017 ALLOW trusted_machine_ip OpenSSH (v6) ALLOW Anywhere (v6)

You can find more advanced firewall settings for restricting access to services in UFW Essentials: Common Firewall Rules and Commands.

Next, you’ll bind MongoDB to the server’s public IP address so you can access it from your remote machine.

Step 2 — Configuring a Public bindIP

At this point, even though the port is open, MongoDB is currently bound to 127.0.0.1, the local loopback network interface. This means that MongoDB is only able to accept connections that originate on the server where it’s installed.

To allow remote connections, you must edit the MongoDB configuration file — /etc/mongod.conf — to additionally bind MongoDB to an IP address which can be reached by your trusted remote computer. This way, your MongoDB installation will be able to listen to connections made to your MongoDB server from remote machines.

Open the MongoDB configuration file in your preferred text editor. The following example uses nano:

  1. sudo nano /etc/mongod.conf

Find the network interfaces section, then the bindIp value:

/etc/mongod.conf
. . .
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1

. . .

Append a comma to this line followed by your MongoDB server’s public IP address:

/etc/mongod.conf
. . .
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,mongodb_server_ip

. . .

Please note that this should be the IP address of the server on which you’ve installed MongoDB, not the IP address of your trusted remote machine.

Save and close the file. If you used nano, do so by pressing CTRL + X, Y, then ENTER.

Then, restart MongoDB to put this change into effect:

  1. sudo systemctl restart mongod

Following that, your MongoDB installation will be able to accept remote connections from whatever machines you’ve allowed to access port 27017. As a final step, you can test whether the trusted machine you allowed through the firewall in Step 1 can reach the MongoDB instance running on your server.

Step 3 — Testing Remote Connectivity

Now that you configured your MongoDB installation to listen for connections that originate on its publicly-routable IP address and granted your remote machine access through your server’s firewall to Mongo’s default port, you can test that the remote machine is able to connect.

Note: As mentioned in the Prerequisites section, this tutorial assumes that your remote machine is another server running Ubuntu 20.04. The procedure for enabling remote connections outlined in Steps 1 and 2 should work regardless of what operating system your remote machine runs, but the testing methods described in this Step do not work universally across operating systems.

One way to test that your trusted computer is able to connect to the MongoDB instance is to use the nc command. nc, short for netcat, is a utility used to establish network connections with TCP or UDP. It’s useful for testing in cases like this because it allows you to specify both an IP address and a port number.

First, log into your trusted server using SSH:

  1. ssh sammy@trusted_machine_ip

Then run the following nc command, which includes the -z option. This limits nc to only scan for a listening daemon on the target server without sending it any data. Recall from the prerequisite installation tutorial that MongoDB is running as a service daemon, making this option useful for testing connectivity. It also includes the v option which increases the command’s verbosity, causing netcat to return some output which it otherwise wouldn’t.

Run the following nc command from your trusted remote server, making sure to replace mongodb_server_ip with the IP address of the server on which you installed MongoDB:

  1. nc -zv mongodb_server_ip 27017

If the trusted server can access the MongoDB daemon, its output will indicate that the connection was successful:

Output
Connection to mongodb_server_ip 27017 port [tcp/*] succeeded!

Assuming you have a compatible version of the mongo shell installed on your remote server, you can at this point connect directly to the MongoDB instance installed on the host server.

One way to connect is with a connection string URI, like this:

  1. mongo "mongodb://mongo_server_ip:27017"

Note: If you followed the recommended How To Secure MongoDB on Ubuntu 20.04 tutorial, you will have closed off access to your database to unauthenticated users. In this case, you’d need to use a URI that specifies a valid username, like this:

  1. mongo "mongodb://username@mongo_server_ip:27017"

The shell will automatically prompt you to enter the user’s password.

With that, you’ve confirmed that your MongoDB server can accept connections from the trusted server.

Conclusion

You can now access your MongoDB installation from a remote server. At this point, you can manage your MongoDB database remotely from the trusted server. Alternatively, you could configure an application to run on the trusted server and use the database remotely.

If you haven’t configured an administrative user and enabled authentication, anyone who has access to your remote server can also access your MongoDB installation. If you haven’t already done so, we strongly recommend that you follow our guide on How To Secure MongoDB on Ubuntu 20.04 to add an administrative user and lock things down further.

If you’ve enjoyed this tutorial and our broader community, consider checking out our DigitalOcean products which can also help you achieve your development goals.

Learn more here


About the authors
Default avatar
Manager, Developer Education

Technical Writer @ DigitalOcean

Still looking for an answer?

Was this helpful?
6 Comments

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

I am hosting my mongo server in a defined vpc at AWS.

Correct me if I am wrong, the tutorial documentation mentions to bindIp of your mongo’s “publicly routable” IP. If I try to bind to a public ipV4 address, where my mongo server is hosted, it won’t let me do remote connections through a trusted application server IP.

I tried various methods:

  1. Changing ports at security group to allow at 27017
  2. Changed my ufw config to allow from Anywhere
  3. Changed my /etc/mongod.conf file to bind to public ipv4 address of mongo server.

This didn’t work, at least on the server which resides inside a configured cloud vpc network.

What worked was, I have to provide my private ip of the mongo server. I do not understand why, as private IPs are not routable over the internet right?

Hello,

By doing, all the configurations that are available on your tuto, it turns out that a few hours later, I suffered a ransomware attack on my MongoDB database.

by checking, the ip which committed the act, I could note that it is an ip of digitalocean (to me that I am mistaken)

https://ipinfo.io/45.55.52.249

I just wanted to inform you and if possible review the quality of the tutorial!

@mdrake So when I try to configure remote access to mongodb it doesn’t work. what is wrong?

 nc -zv 157.245.5.153 27017
nc: connect to 157.245.5.153 port 27017 (tcp) failed: Connection refused

nmap -sS -p 27017,4000,80,22,443 159.89.242.14
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 12:44 Eastern Daylight Time
Nmap scan report for 159.89.242.14
Host is up (0.0088s latency).

PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    filtered http
443/tcp   filtered https
4000/tcp  filtered remoteanything
27017/tcp filtered mongod

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds;

@mdrake Would this allow Mongodb servers to go through the WAFs? When I set up the web access firewall the mongodb servers wasn’t going through the web access firewall. WHen I did allow Mongodb in bound Traffic and outbound!

Hello there, I already create Mongodb server from this documentation. My problem is how to connect my node js server(production) with this Mongodb server.I have problem [MongooseServerSelectionError: connection timed out] in my node js server.

Could you follow these same steps when wanting to connect from a Docker container on the same host as a MongoDB? I’ve tried using the docker bridge ip as my “trusted server ip” but for some reason I can’t get it to work. It only works when I open up traffic to port 27017 from anywhere. If anyone has an idea how to get this to work I would appreciate it. I’m using the MongoDB Go driver.