How to Secure MongoDB Managed Database Clusters

MongoDB is a source-available cross-platform document-oriented database program for high-volume storage. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas.

Data in MongoDB database clusters is encrypted at rest with LUKS (Linux Unified Key Setup). However, there are additional steps you can take to ensure that your data is safe.

Restrict Incoming Connections

You can greatly decrease the likelihood of a security breach by restricting which DigitalOcean resources or external IP addresses are allowed to access the nodes in a cluster. This prevents brute force password and denial-of-service attacks from any server not explicitly permitted to connect.

Typically, only the application servers are allowed to connect to the database cluster. Users access the public-facing site, and the public-facing server authenticates and manages database connections in turn.

To restrict access to a database cluster, click the name of the cluster in the control panel to go to its Overview page, then click the Settings tab.

Screenshot of cluster settings page

In the section titled Trusted Sources, click Edit to open the Add trusted sources text box.

The open Trusted Sources section of the settings page

You can enter Droplets, Kubernetes clusters, tags, or specific IP addresses. Entering a tag provides access to the database for any Droplets or Kubernetes nodes containing that tag. At this time, DigitalOcean Cloud Firewalls are not supported.