Docs Home → Atlas App Services
Application Security
On this page
- Overview
- Application Users
- Data Access Permissions
- App Services Applications with Sync
- MongoDB Atlas Data Sources
- Developer Access
- Network Security
- Transport Layer Security (TLS)
- Firewall Configuration
- Communicate from the Client to the Sync Server
- Allowed Request Origins
- IP Access List
- API Access List
- Values and Secrets
- Summary
Overview
Atlas App Services provides a variety of security features to protect your data and prevent unauthorized access to your application. This includes things like:
Built-in user management
Data access permissions
Network security features
The ability to store and substitute values and secrets
Application Users
You can secure App Services Apps with built-in user management. With the built-in user management of App Services, only authorized users can access your App. You can delete or disable users, and revoke user sessions. Users can log in with:
Existing provider credentials, such as Facebook, Google, or Apple ID
New credentials with email/password, custom JWT, or custom function authentication
Anonymous authentication, if you don't need to store user data
You can enable one or more authentication providers in the App Services backend, and then implement them in your client code. You can also link user accounts with client SDKs.
Data Access Permissions
Use App Services data access rules to grant read and write access to data. Apps that use Atlas Device Sync define data access permissions during the process of enabling Device Sync. Apps that do not use Device Sync can link an MongoDB Atlas data source, and define permissions to perform CRUD operations on that data source.
MongoDB data access rules prevent operations where users do not have appropriate permissions. Users who do not meet your data access rules cannot view or modify data.
App Services Applications with Sync
Atlas Device Sync allows you to define data access rules that determine which users can read or write which data. To learn how to configure these rules, refer to Sync Permissions Overview.
MongoDB Atlas Data Sources
When you access MongoDB Atlas through App Services, you can define roles that enable users to read and modify data. App Services uses a strict rules system that prevents all operations unless they are explicitly enabled.
When you define a role, you create a set of CRUD permissions that App Services evaluates individually for each document associated with a query. You can set roles to have document-level or field-level access, and you can give roles read or read and write access. App Services blocks requests from roles that do not have permission to search or read data.
Note
When you access MongoDB Atlas through an App with Atlas Device Sync enabled, the permissions you define for Device Sync apply, instead of the role-based permissions you define when you link an MongoDB Atlas data source.
Developer Access
Every App is associated with a specific MongoDB Atlas organization and project. App Services determines the developer access permissions for a given MongoDB Cloud user based on their assigned project roles in the project that contains an app.
The following table describes the access permissions associated with a given project role:
Project Role | Access Permissions |
---|---|
Project Owner | Full read-write access for all Apps associated with the project. |
All Other Roles | Read-only access for all Apps associated with the project. |
Note
For more information about adding users and teams to Atlas, see Atlas Users and Teams.
Network Security
App Services uses a range of network security protocols to prevent unauthorized access to your data. This includes:
Using TLS to secure network requests to and from your application
Defining IP addreses from which all outbound requests originate
Letting you define URLs and IP addresses from which inbound requests may originate
Transport Layer Security (TLS)
App Services uses TLS 1.3 to secure all network requests to and from your application, including:
Apps that connect from a Realm SDK.
Data API and GraphQL requests sent over HTTPS.
Queries and operations on a linked MongoDB Atlas data source.
The TLS certificate is pre-defined and cannot be customized or disabled.
Firewall Configuration
App Services only sends outbound requests from a set list of IP addresses. The exact list depends on the cloud provider that the app server is deployed to. You can copy the IP addresses listed in this section to an allowlist for incoming requests on your firewall.
You can download a computer-friendly list of all IP addresses used by App Services in JSON or CSV format. You can also find cloud-provider-specific JSON and CSV files in the following sections.
Note
If you run a function from the Atlas App Services UI, the request originates from the server nearest to you, not the region the app is deployed to.
AWS
Download AWS IP Addresses: JSON, CSV
Outbound requests from an app deployed to AWS will originate from one of the following IP addresses:
13.236.189.10 18.202.2.23 18.210.66.32 18.211.240.224 18.213.24.164 52.63.26.53 54.203.157.107 54.69.74.169 54.76.145.131 18.192.255.128 18.157.138.240 18.158.38.156 52.220.57.174 18.140.123.126 13.251.182.174 65.0.112.137 3.6.231.140 13.234.189.107 13.232.212.70 65.0.113.75 3.7.215.88 3.6.255.136 65.0.188.79 13.233.17.88 18.136.226.22 122.248.203.228 54.251.109.67 54.255.78.248 54.179.247.236 13.251.170.158 3.105.146.190 52.65.242.206 54.79.24.107 13.238.106.70 52.28.11.211 3.121.9.73 52.29.205.189 3.122.49.121 3.121.58.147 3.121.97.130 108.128.63.52 108.128.66.245 108.128.51.69 108.128.45.118 52.213.157.241 108.128.66.107 3.9.6.254 3.9.74.211 3.9.61.59 35.176.121.115 3.9.85.190 3.9.47.47 13.36.132.152 15.188.240.49 13.37.29.138 15.188.152.56 13.39.52.19 15.188.159.135 177.71.159.160 52.67.231.12 18.230.146.14 52.67.94.32 18.230.109.192 18.229.199.232 3.212.79.116 3.92.113.229 34.193.91.42 34.237.40.31 3.215.10.168 34.236.228.98 3.214.203.147 3.208.110.31 100.26.2.217 3.215.143.88 18.119.73.75 3.136.153.91 3.128.101.143 35.166.246.78 35.161.40.209 54.149.249.153 35.161.32.231 52.34.65.236 35.163.245.143
Azure
Download Azure IP Addresses: JSON, CSV
Outbound requests from an app deployed to Azure will originate from one of the following IP addresses:
20.105.25.17 20.212.99.191 20.24.112.135 20.53.104.226 20.84.232.59 20.96.47.95 40.112.209.0 52.149.111.83
GCP
Download GCP IP Addresses: JSON, CSV
Outbound requests from an app deployed to GCP will originate from one of the following IP addresses:
34.150.239.218 34.69.118.121 34.78.133.163 34.82.246.143 34.93.58.231
Note
The above IP lists only apply to outgoing requests from Atlas Functions, including triggers and HTTPS endpoints that make outgoing requests.
For requests that originate from the Sync server, we recommend allowlisting the entire subnet of the App's Deployment Region and cloud provider. You can find the Deployment Region in the App Services UI under App Settings > General > Deployment Region.
Communicate from the Client to the Sync Server
When you use Device Sync, you can use DNS filtering to allow connections
from the Sync client to the Sync server. Using DNS filtering, you can access
*.realm.mongodb.com
via HTTPS or port 443.
Allowed Request Origins
You can define this configuration option in the
app-level realm_config.json
file. This field accepts an array of
URLs that incoming requests may originate from. If you define any allowed
request origins, then App Services blocks any incoming request from
an origin that is not listed.
IP Access List
App Services allows client requests from the enabled entries in the app's IP access list. Allowed requests will still use App Services's authentication and authorization rules. When you add IP access list entries, App Services blocks any request originating from an IP that is not on the access list.
Important
By default, any newly-created App allows access from any client IP by adding an access list entry for 0.0.0.0/0. If you delete this entry, no client can access your App from any IP address.
API Access List
When you create an API key, you can specify IP addresses that can use this API key to access your project or organization. If you specify an IP address, App Services blocks any request originating from an IP address that is not on the access list.
Note
Backend Encryption
All internal communication between App Services and Atlas is encrypted with x509 certificates.
Values and Secrets
App Services enables you to define values and secrets that you can access or link to from your application. This enables you to remove deployment-specific configuration data and sensitive information from your app's business logic. Instead, you refer to it by name and App Services substitutes the value when executing your request.
Summary
Built-in user management handles authentication and ensures only logged-in users can access your App.
Data access permissions enable you to specify read and write permissions for Atlas Device Sync, linked MongoDB Atlas data sources, and developers building your apps.
Network security features enable you to guard against unauthorized access from unknown IP addresses or URLs.
Store values and secrets and refer to them by name to remove sensitive information from your business logic.