First of all, I hope that everyone is staying safe and healthy!
I have a couple of quick questions that relate to several (mock) applications that I have deployed to Heroku for use in my portfolio (I’m also asking on behalf of a potential client that I plan on approaching for a one-off job soon…):
I have successfully used mLab as an add-on in the past and I have also just migrated one of my Heroku hosted applications over to Atlas (realizing that mLab will no longer be available as a service) with no problem via this migration guide: Guide to Migrating a Sandbox Heroku Add-on to Atlas. I plan to migrate my remaining test applications that need to connect to Atlas via this guide as well, so no problem there, especially since these are just mock applications.
My first question is this: what is the best way to connect to Atlas from Heroku going forward? There is no (as far as I can see from searching online) really clear or easy way to retrieve an IP address from Heroku so that it can be whitelisted for a direct connection to Atlas.
Will there be another service available for sandbox applications to connect to Atlas in the future? I’m also wondering how to connect a production-ready Heroku application to Atlas (or maybe via another paid service if need be…), as again, getting an IP from Heroku to whitelist seems to be quite tricky. Maybe I’ve missed something…not sure…
Thank you for responding and thank you for the link.
I see that Private Spaces are currently available only in Heroku Enterprise, which is likely out of reach for the client that I am thinking about approaching. I noticed that there is another add-on Dyno available, but it is also kind of pricey.
mLab is still available for the time being. I’m wondering if going this route (with a shared/paid cluster for a production level application), along with a migration to Atlas might work for now. Would this be a stable approach to take?
I am not familiar with the way mLab solves this problem.
I’m not altogether familiar with how mLab solves this problem either. I’m still trying to accrue enough information to figure this out. I do know that in the migration guide (for migrating a sandbox add-on) it says to whitelist all IP addresses with 0.0.0.0 (not something that I would do for a non-sandbox project and/or cluster).
Note that mLab’s Sandbox and Shared plan deployments are always accessible by all IP addresses. To match the firewall settings of your mLab Sandbox or Shared plan deployment you can whitelist all IP addresses (0.0.0.0/0) on your Atlas cluster.
…so it appears that even with a cheap(ish) shared plan there is no way around the whitelisting all IPs issue.
…but, then there is this:
However, we recommend whitelisting only the addresses that require access. To match the firewall settings of your mLab Dedicated plan deployment on Atlas you can review your current mLab firewall settings on the “Networking” tab in mLab’s UI.
…and:
If you’re connecting to MongoDB Atlas from a Heroku app, it’s most likely that you need to whitelist 0.0.0.0/0 (the range of all IP addresses) unless your app is in Heroku Private Spaces. Heroku IP addresses are, in general, highly dynamic. As such most mLab and Atlas-hosted deployments used by Heroku apps allow all IP addresses.
Heroku Common Runtime Dynos use a subset of the IP range of the underlying AWS EC2 instances.
The underlying AWS region for your app can be found as the provider.region field in the output of this CLI command:
heroku regions --json
…and also from the same link directly above:
The IPs in use by Heroku at any given time are highly dynamic, meaning that the published ranges may cover other IP addresses not currently in use by Heroku. This means that it is often not desirable to open up your firewall to the whole of the AWS region for security reasons.
…and lastly:
For apps in the Common Runtime a better approach would be to use an add-on to provide a static outbound IP address (Add-ons - Heroku Elements) or to rely on secure communication via TLS.
I’m going to have to read up a bit more and look into the network service add-ons listed that Heroku provides to see if I can find a solution. I did try using Fixie Socks for one of my own sandbox applications, but that didn’t seem to resolve the issue. :-)
Thank you for taking the time to respond again and thank you for the tips!
This might be a good time for me to re-take (or at least practice in my local VirtualBox VMs) M310: MongoDB Security and/or M103: Basic Cluster Administration. Actually, I need to refresh my memory with all that I learned via both courses.
Fast forward 5 minutes… I have just spotted a new course that begins today (lucky me!):
Any findings worth sharing? I’m running into the same issue. Feel a little uneasy about whitelisting ALL IP addresses. I’ve tried to use the Fixie add-on, which routes outgoing Heroku traffic through a proxy with a static IP. Unfortunately, this didn’t work and I’m stuck.
Hey @Pavel_Duchovny, thanks for giving a part of your time here! I’m a new developer from Colombia, sorry for my English. X: Okay.
According to this recommendation, do you have any docs on how to allow only my own IP for access to my IP? Now I’m using the whitelist 0.0.0.0/0 in my personal project, but I don’t want this.
I have another question: I want only to access my backend from my frontend. Is this possible? My frontend app is hosted in Netlify. It’s like I only need my frontend to have access to my data. Do you have any URL or blog post to read about this?
I am trying to connect my Heroku app to MongoDB Atlas via pymongo and I have so far adopted the “whitelist all” solution. Now I want to move my app to production and I feel uncomfortable with this solution. I have tried with proxy servers solutions as provided by Fixie and Fixie Socks (which are available as Heroku add-ons), but I haven’t really made progress. Has anybody made progress?
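The thread keeps circling the same three choices from the quoted Heroku guidance: open the Atlas access list to 0.0.0.0/0, open it to the whole AWS region that `heroku regions --json` reports behind the app, or route the dynos through a proxy add-on so they arrive from one static address (what the pymongo post above is attempting). The following Python is an added example, not code from any post in this thread or from Heroku, Atlas or mLab: it models how an IP access list is evaluated and measures how many addresses each option admits, so the trade-off is visible as numbers rather than a feeling of unease. The ip-ranges document, the Heroku regions output, the region names and every IP address are constructed samples; the field layout of the `heroku regions --json` sample is an assumption based only on the `provider.region` field the thread mentions.

```python
"""
Added example (not from the thread or from Heroku/Atlas/mLab): evaluate an
IP access list the way the "whitelist" discussed above works, and measure the
exposure of 0.0.0.0/0, of a whole AWS region's EC2 range, and of one static
egress address supplied by a proxy add-on. All data below is constructed.
"""
import ipaddress
import json

# Constructed sample in the shape of a provider's published ip-ranges document
# (prefixes tagged with region and service). Real documents are far larger;
# the prefixes here are RFC 5737 documentation ranges.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24",    "region": "eu-west-1", "service": "EC2"},
    ]
})

# Constructed sample modelled on `heroku regions --json` as the thread describes
# it (each entry carries a provider.region field). The exact layout is an
# assumption, not the documented output.
SAMPLE_HEROKU_REGIONS = json.dumps([
    {"name": "us", "provider": {"name": "amazon-web-services", "region": "us-east-1"}},
    {"name": "eu", "provider": {"name": "amazon-web-services", "region": "eu-west-1"}},
])


def heroku_aws_region(regions_json, heroku_region_name):
    """Map a Heroku region name (e.g. "us") to its underlying provider region."""
    for entry in json.loads(regions_json):
        if entry["name"] == heroku_region_name:
            return entry["provider"]["region"]
    raise KeyError(f"unknown Heroku region {heroku_region_name!r}")


def region_prefixes(ranges_json, region, service="EC2"):
    """Return the IPv4 networks published for one provider region and service."""
    doc = json.loads(ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"]
            if p["region"] == region and p["service"] == service]


def access_list_allows(entries, client_ip):
    """True if client_ip falls inside any entry of the access list (CIDR or host)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def exposure(entries):
    """Number of distinct IPv4 addresses an access list admits."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def compare_policies(heroku_region_name="us", static_egress_ip="198.51.100.7"):
    """Evaluate the three access-list options against three sample clients."""
    aws_region = heroku_aws_region(SAMPLE_HEROKU_REGIONS, heroku_region_name)
    policies = {
        "allow_all":   ["0.0.0.0/0"],
        "region_only": [str(n) for n in region_prefixes(SAMPLE_IP_RANGES, aws_region)],
        "static_only": [f"{static_egress_ip}/32"],
    }
    # A dyno connecting directly appears from somewhere in the region range;
    # a dyno routed through a static-IP proxy appears as the proxy's address;
    # the "stranger" is an unrelated host that should never be admitted.
    clients = {
        "direct_dyno": "203.0.113.42",
        "proxied_dyno": static_egress_ip,
        "stranger": "192.0.2.9",
    }
    report = {}
    for name, entries in policies.items():
        report[name] = {
            "addresses_admitted": exposure(entries),
            **{c: access_list_allows(entries, ip) for c, ip in clients.items()},
        }
    return report


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy, result)
```

With these constructed samples, `allow_all` admits every IPv4 address and the stranger with it; `region_only` admits the direct dyno but also the 384 other addresses in the region, which is the "whole of the AWS region" the quoted guidance warns against; `static_only` admits only the proxy's address, so a dyno that connects directly (as the thread's Fixie Socks attempts apparently still did) is refused. That last line is the useful check when a proxy add-on is in play: if Atlas logs refusals from region addresses rather than the static one, the driver is not actually leaving through the proxy.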