Enhanced Network Security with AWS PrivateLink and MongoDB Atlas

Marissa Jasso

#enterprise security#MongoDB Atlas

Your data security is our highest priority. That’s why we built MongoDB Atlas to be secure by default, offering essential controls, advanced capabilities, and sophisticated integrations to satisfy even the strictest of data security and compliance standards. Our latest integration brings you an additional option for enhanced security with AWS’s rapidly popularized service: AWS PrivateLink.

AWS PrivateLink is the preferred way for many enterprise companies to guarantee private connectivity between all their AWS applications, services, and accounts. You can now add Atlas to the list of PrivateLink-enabled services as one of the first approved AWS PrivateLink Ready partners. This means that Atlas has been validated by the AWS as having demonstrated success in integrating with AWS PrivateLink.

Amazon Web Services Logo

Network Security in MongoDB Atlas

All dedicated clusters on MongoDB Atlas are deployed in their own VPC. You then have the option of connecting to your cluster via VPC peering or public IP whitelisting. VPC peering allows you to set up a peering connection between your Atlas VPC with your application VPC, which can be secured and managed with Access Control Lists (ACLs) and security groups.

Public IP whitelisting allows you to grant access to Atlas via specific public IP addresses. Combined with Atlas’s required end-to-end TLS and SCRAM authentication, it offers a secure connection mechanism for users without extending your network trust boundary. However, some companies have security requirements that do not allow in-bound access to databases from static public IPs.

MongoDB Atlas and AWS PrivateLink

By connecting MongoDB Atlas to your AWS applications with AWS PrivateLink, you can take advantage of unidirectional connection strings that prevent Atlas from initiating connections back to your application VPC. This preserves your network trust boundary by ensuring that all connections use private IPs within your VPCs and no traffic leaves the Amazon network.

MongoDB Atlas and AWS PrivateLink network diagram
AWS PrivateLink offers a one-way network peering service between an AWS VPC and a MongoDB Atlas VPC

Since AWS PrivateLink provides a one-way connection, it also eliminates the need for additional security controls (firewall rules, auditing, network access control lists, etc.) to block network access from your Atlas VPC to your application VPC. This simplifies your network architecture by allowing you to use the same set of security and network access controls across your organization.

With AWS PrivateLink, developers can also transitively connect to Atlas clusters from their local workstation via VPN through Direct Connect and PrivateLink-enabled VPCs without using public IP whitelisting.

Meeting Enterprise Security Requirements

As we iterate off the highest industry standards while independently innovating, Atlas is constantly evolving into the most secure version of itself it can be. With unique capabilities like client-side field-level encryption, the ability to bring your own KMS provider, and Global Clusters, Atlas is built to handle the strictest security and compliance requirements. Whether you need to comply with PCI, HIPAA, GDPR, or other regulations, Atlas can help protect your sensitive data and enhance the privacy of your workloads.

To learn more about configuring AWS PrivateLink with MongoDB Atlas, visit our Docs.