# How to Secure MongoDB Managed Database Clusters MongoDB is a source-available cross-platform document-oriented database program for high-volume storage. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas. To ensure that your data is safe, consider taking the following precautions. ## Restrict Incoming Connections You can greatly decrease the likelihood of a security breach by restricting which DigitalOcean resources or external IP addresses are allowed to access the nodes in a cluster. This prevents brute force password and denial-of-service attacks from any server not explicitly permitted to connect. Typically, only application servers are allowed to connect to the database cluster. Users access the public-facing site, and the public-facing server authenticates and manages database connections in turn. To implement these restrictions, add trusted sources, which define the resources or IP addresses allowed to connect to the database cluster. ## Add a Trusted Source Using the CLI ## How to Add a Trusted Source Using the DigitalOcean CLI 1. [Install `doctl`](https://docs.digitalocean.com/reference/doctl/how-to/install/index.html.md), the official DigitalOcean CLI. 2. [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with `doctl`. 3. Use the token to grant `doctl` access to your DigitalOcean account. ```shell doctl auth init ``` 4. Finally, run `doctl databases firewalls append`. Basic usage looks like this, but you can [read the usage docs](https://docs.digitalocean.com/reference/doctl/reference/databases/firewalls/append/index.html.md) for more details: ```shell doctl databases firewalls append --rule : [flags] ``` The following example appends a firewall rule to a database cluster with the ID `ca9f591d-f38h-5555-a0ef-1c02d1d1e35` that allows any resources with the `example-tag` to access the database: ```shell doctl databases firewalls append ca9f591d-f38h-5555-a0ef-1c02d1d1e35 --rule tag:example-tag ``` ## Add a Trusted Source Using the API ## How to Add or Remove a Trusted Source Using the DigitalOcean API 1. [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with the API. 2. Send a PUT request to [`https://api.digitalocean.com/v2/databases/{database_cluster_uuid}/firewall`](https://docs.digitalocean.com/reference/api/digitalocean//index.html.md#operation/databases_update_firewall_rules). ### cURL Using cURL: ```shell curl -X PUT \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ -d '{"rules": [{"type": "ip_addr","value": "192.168.1.1"},{"type": "droplet","value": "163973392"},{"type": "k8s","value": "ff2a6c52-5a44-4b63-b99c-0e98e7a63d61"},{"type": "tag","value": "backend"}]}' \ "https://api.digitalocean.com/v2/databases/9cc10173-e9ea-4176-9dbc-a4cee4c4ff30/firewall" ``` ### Go Using [Godo](https://github.com/digitalocean/godo), the official DigitalOcean API client for Go: ```go import ( "context" "os" "github.com/digitalocean/godo" ) func main() { token := os.Getenv("DIGITALOCEAN_TOKEN") client := godo.NewFromToken(token) ctx := context.TODO() req := godo.DatabaseUpdateFirewallRulesRequest{ Rules: []*godo.DatabaseFirewallRule{ { Type: "ip_addr", Value: "192.168.1.1", Description: "a development IP address", }, { Type: "droplet", Value: "163973392", }, { Type: "k8s", Value: "ff2a6c52-5a44-4b63-b99c-0e98e7a63d61", }, }, } _, err := client.Databases.UpdateFirewallRules(ctx, dbID, &req) } ``` ### Python Using [PyDo](https://github.com/digitalocean/pydo), the official DigitalOcean API client for Python: ```python import os from pydo import Client client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN")) req = { "rules": [ { "type": "ip_addr", "value": "192.168.1.1", "description": "a development IP address", }, { "type": "k8s", "value": "ff2a6c52-5a44-4b63-b99c-0e98e7a63d61" }, { "type": "droplet", "value": "163973392" }, { "type": "tag", "value": "backend" } ] } update_resp = client.databases.update_firewall_rules(database_cluster_uuid="a7a8bas", body=req) ``` ## Add a Trusted Source Using the Control Panel To add trusted sources to restrict database access, go to the [**Databases** page](https://cloud.digitalocean.com/databases) and select the cluster you want to add trusted sources to. Click the **Network Access** tab, then click **Add Trusted Sources**. ![The Network Access page for an example cluster.](https://docs.digitalocean.com/screenshots/databases/cluster-network-access-page.06d2518937e34e2d8467690aada7622700aee404ca04d3e320921846b8efa475.png) In the **Add Trusted Sources** dialog, choose one of the following options: - **Enter specific IP addresses or CIDR notations**: Enter specific IP addresses or a CIDR range. Or click **My current IP address** to use the **Quick Add** option, which adds your machine’s current IP address. ![The Add Trusted Sources dialog with the option Enter specific IP addresses or CIDR notations selected, and an example CIDR range shown.](https://docs.digitalocean.com/screenshots/databases/add-trusted-sources-ips-cidr.1cadefc47997cf52f706696bce6d1896d72b199be88731adf86792abce98cc36.png) - **Quick select Droplets, Kubernetes clusters, Apps, and tags**: Use the search to find a resource or click the dropdown menu and select a resource from the list. ![The Add Trusted Sources dialog with the option Quick select Droplets, Kubernetes clusters, Apps, and tags selected, and the Search or select a resource dropdown menu expanded.](https://docs.digitalocean.com/screenshots/databases/add-trusted-sources-quick-select.e3832bfc4b4ae8086ce188320c3819e6bdaa55b41ce8a85fd6e5c6308fcd07d1.png) When finished, click **Add Trusted Sources**. **Warning**: You currently cannot add IPv6 rules to a database cluster’s trusted sources.