
Firewall Configuration


Cloud Manager must be able to connect to users and MongoDB Agents over HTTP or HTTPS, and MongoDB Agents must be able to connect to the MongoDB databases.

Though Cloud Manager only requires open HTTP (or HTTPS) and MongoDB network ports to connect with users and to databases, which ports must be opened on a firewall depends on which capabilities are enabled: encryption, authentication, and monitoring.

This page defines which systems need to connect to which ports on other systems.

Cloud Manager requires access on the following ports and IP addresses.

Send a GET request to the controlPlaneIPAddresses endpoint of the Atlas Admin API to fetch the current control plane IP addresses that Cloud Manager requires. The endpoint returns a list of inbound and outbound control plane IP addresses in CIDR notation, categorized by cloud provider and region, similar to the following:

{
  "controlPlane": {
    "inbound": {
      "aws": {                  // cloud provider
        "us-east-1": [          // region
          "3.92.113.229/32",
          "3.208.110.31/32",
          "107.22.44.69/32",
          ...
        ],
        ...
      }
    },
    "outbound": {
      "aws": {                  // cloud provider
        "us-east-1": [          // region
          "3.92.113.229/32",
          "3.208.110.31/32",
          "107.22.44.69/32",
          ...
        ],
        ...
      }
    }
  },
  "data_federation": {
    "inbound": {},
    "outbound": {}
  },
  "app_services": {
    "inbound": {},
    "outbound": {}
  },
  ...
}

Important

The Atlas Admin API uses the terms inbound and outbound in relation to the control plane, not your network. As a result:

  • Your network's inbound rules must match the outbound CIDRs listed in the Atlas Admin API.

  • Your network's outbound rules must match the inbound CIDRs listed in the Atlas Admin API.

The following diagram shows the relationship between inbound and outbound for the control plane and your network:

[Diagram: inbound traffic for the control plane corresponds to outbound traffic from your network, and outbound traffic for the control plane corresponds to inbound traffic to your network.]

controlPlane.inbound lists the addresses for traffic coming into the control plane. If your network allows outbound HTTP requests only to specific IP addresses, you must allow access to the IP addresses listed in controlPlane.inbound so that MongoDB can communicate with your webhooks.

Use the Atlas Admin API to fetch the current IP addresses that Cloud Manager requires.

You can configure alerts to be delivered via webhook, which sends an HTTP POST request to an endpoint for programmatic processing. For a webhook to be delivered to the specified endpoint, you must allow access to the IP addresses listed in controlPlane.inbound.

controlPlane.outbound lists the addresses for traffic coming from the control plane. Your network's inbound HTTP IP address list must allow access from the IP addresses listed in controlPlane.outbound.
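The inverted vocabulary in the Important note above is where firewall mistakes happen: the API's "outbound" CIDRs are what your network must accept inbound, and its "inbound" CIDRs are what your network must be allowed to reach outbound. The script below is an added example, not code from the MongoDB documentation or from Cloud Manager itself. It works on an already-fetched controlPlaneIPAddresses response (fetch it with whatever HTTP client you use; the sample here is constructed from the three addresses shown on this page plus an RFC 5737 documentation range), validates each CIDR, produces the two allowlists in your network's terms, and diffs a fresh fetch against what a firewall currently holds, since the ranges change over time.

```python
import ipaddress
import json

# Constructed sample in the shape of the controlPlaneIPAddresses response. The three
# /32 addresses are the ones shown on this page; 198.51.100.0/24 is an RFC 5737
# documentation range added here so the outbound side has a second region/entry.
SAMPLE_RESPONSE = json.dumps({
    "controlPlane": {
        "inbound": {
            "aws": {"us-east-1": ["3.92.113.229/32", "3.208.110.31/32"]},
        },
        "outbound": {
            "aws": {"us-east-1": ["107.22.44.69/32"], "eu-west-1": ["198.51.100.0/24"]},
        },
    },
    "data_federation": {"inbound": {}, "outbound": {}},
    "app_services": {"inbound": {}, "outbound": {}},
})


def flatten_cidrs(section: dict) -> list[str]:
    """Collect every CIDR under {provider: {region: [cidr, ...]}} as validated
    networks, sorted so that repeated runs over the same data give identical output."""
    nets = []
    for _provider, regions in section.items():
        for _region, cidrs in regions.items():
            for cidr in cidrs:
                # strict=True rejects prefixes with host bits set ("10.0.0.1/24"); such
                # an entry would silently widen a rule, so fail loudly instead.
                nets.append(ipaddress.ip_network(cidr, strict=True))
    nets.sort(key=lambda n: (n.version, n))
    return [str(n) for n in nets]


def firewall_allowlists(response_text: str) -> dict[str, list[str]]:
    """Translate the API's control-plane-relative terms into rules for *your* network.

    controlPlane.outbound = traffic leaving the control plane = sources your inbound
    rules must accept. controlPlane.inbound = traffic arriving at the control plane =
    destinations your outbound rules must permit.
    """
    cp = json.loads(response_text)["controlPlane"]
    return {
        "allow_inbound_from": flatten_cidrs(cp["outbound"]),
        "allow_outbound_to": flatten_cidrs(cp["inbound"]),
    }


def allowlist_diff(current: list[str], fetched: list[str]) -> dict[str, list[str]]:
    """Compare CIDRs already configured in a firewall with a freshly fetched list.
    A non-empty 'removed' list is a cue to retire stale rules, not only to add new ones."""
    cur, new = set(current), set(fetched)
    return {"added": sorted(new - cur), "removed": sorted(cur - new)}


def source_is_control_plane(ip: str, allow_inbound_from: list[str]) -> bool:
    """True if a connecting address falls inside a control-plane outbound CIDR.
    Handy when reviewing connection logs for hits a firewall rule should have admitted."""
    addr = ipaddress.ip_address(ip)
    # 'in' returns False (rather than raising) when address and network versions differ.
    return any(addr in ipaddress.ip_network(c) for c in allow_inbound_from)


if __name__ == "__main__":
    rules = firewall_allowlists(SAMPLE_RESPONSE)
    for direction, cidrs in rules.items():
        print(direction)
        for c in cidrs:
            print("    ", c)
    # Pretend the firewall currently holds one current and one stale entry.
    print(allowlist_diff(["107.22.44.69/32", "192.0.2.0/24"], rules["allow_inbound_from"]))
```

Run the fetch-and-diff on a schedule and treat a non-empty diff as a change ticket: adding the new CIDRs keeps agents and webhooks working, and removing the retired ones keeps the allowlist from accumulating addresses MongoDB no longer controls.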

This allows the MongoDB Agents to send GET and POST requests to the following hosts:

  • api-agents.mongodb.com

  • api-backup.mongodb.com

  • api-backup.us-east-1.mongodb.com

  • queryable-backup.us-east-1.mongodb.com

  • restore-backup.us-east-1.mongodb.com

  • real-time-api-agents.mongodb.com

The MongoDB Agents connect to Cloud Manager on port 443. Whether you provision your hosts on a cloud service provider or on your own network, configure your network infrastructure to allow outbound connections on port 443.

The MongoDB Agents require outbound access to the following domains, depending on your MongoDB edition, for downloading MongoDB binaries:

MongoDB Edition           Access List Domain                      IP Ranges   Service Provider
-----------------------   -------------------------------------   ---------   -----------------
Community                 fastdl.mongodb.org                                  Amazon CloudFront
                          downloads.mongodb.com
Custom Build of MongoDB   URL accessible to the MongoDB Agents

If you restrict outbound access, you must grant your MongoDB Agents access to the following domain to download and update the MongoDB Agent.

Access List Domain   IP Ranges                                                     Service Provider
------------------   -----------------------------------------------------------   ----------------
s3.amazonaws.com     IP ranges for AWS. The IP ranges for AWS change frequently.   AWS

All MongoDB processes in a deployment must be accessible to all MongoDB Agents managing processes in that deployment. Therefore, all MongoDB ports must be open to every host within your network that serves a MongoDB Agent.

Example

If you are running MongoDB processes on ports 27000, 27017, and 27020, those three ports must be open from all hosts that serve a MongoDB Agent.
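A firewall rule that was written correctly can still be undone by a later change, so the requirement above is worth checking from each agent host rather than assuming. The script below is an added example, not part of the MongoDB documentation or the MongoDB Agent. Run from a host that serves an agent, it attempts only a TCP handshake (no bytes are sent, so it is harmless against a live mongod) to every MongoDB process port and reports the pairs it cannot reach; the loopback listeners opened in the demo stand in for real mongod hosts so the script runs offline.

```python
import socket
from contextlib import closing

# Constructed layout mirroring the page's example: three mongod ports. In a real
# deployment the hosts are the machines running mongod, not the loopback address.
DEPLOYMENT_PORTS = [27000, 27017, 27020]


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.

    Only the handshake happens; nothing is written. A drop (timeout) and a reject
    (connection refused) both come back as False, which is what a firewall audit wants.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:  # refused, timed out, no route, DNS failure
        return False


def audit_ports(hosts, ports, timeout: float = 2.0) -> list[tuple[str, int]]:
    """Check every (host, port) pair an agent on this machine needs and return the
    ones that fail. An empty result means this host can reach every MongoDB
    process in the deployment; anything listed is a missing or wrong firewall rule."""
    return [(h, p) for h in hosts for p in ports if not port_reachable(h, p, timeout)]


def open_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Demo helper: bind a listening socket on an ephemeral port so the audit has
    something real to connect to. A listening socket completes the handshake
    without accept(), which is all port_reachable needs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Stand-ins for three mongod processes; the page's ports may already be in use
    # locally, so ephemeral ports are used for the demo.
    listeners = [open_listener() for _ in DEPLOYMENT_PORTS]
    ports = [p for _, p in listeners]
    print("all listening:", audit_ports(["127.0.0.1"], ports))      # expect []
    listeners[1][0].close()                                           # "firewall" one port
    print("one closed:   ", audit_ports(["127.0.0.1"], ports))      # expect that port
    for sock, _ in listeners:
        sock.close()
```

In practice feed audit_ports the real mongod hostnames and DEPLOYMENT_PORTS, run it from every agent host after each firewall change, and alert on a non-empty result; a reachability gap here shows up in Cloud Manager as an agent that cannot manage a process.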
