Docs Home → Atlas App Services
Configure Network Security
On this page
App Services uses a range of network security protocols to prevent unauthorized access to your data. You can:
Configure TLS to secure network requests to and from your application.
Define IP addresses from which all outbound requests originate.
Define and manage URLs and IP addresses from which inbound requests may originate.
Transport Layer Security (TLS)
App Services uses TLS 1.3 to secure all network requests to and from your application, including:
Apps that connect from a Realm SDK.
Data API and GraphQL requests sent over HTTPS.
Queries and operations on a linked MongoDB Atlas data source.
The TLS certificate is pre-defined and cannot be customized or disabled.
App Services only sends outbound requests from a set list of IP addresses. The exact list depends on the cloud provider that the app server is deployed to. You can copy the IP addresses listed in this section to an allowlist for incoming requests on your firewall.
You can download a computer-friendly list of all IP addresses used by App Services in JSON or CSV format. You can also find cloud-provider-specific JSON and CSV files in the following sections.
If you run a function from the Atlas App Services UI, the request originates from the server nearest to you, not the region the app is deployed to.
Download AWS IP Addresses: JSON, CSV
Outbound requests from an app deployed to AWS will originate from one of the following IP addresses:
22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11
Download Azure IP Addresses: JSON, CSV
Outbound requests from an app deployed to Azure will originate from one of the following IP addresses:
18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124
Download GCP IP Addresses: JSON, CSV
Outbound requests from an app deployed to GCP will originate from one of the following IP addresses:
126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168
The above IP lists only apply to outgoing requests from Atlas Functions, including triggers and HTTPS endpoints that make outgoing requests.
For requests that originate from the Sync server, we recommend allowlisting the entire subnet of the App's Deployment Region and cloud provider. You can find the Deployment Region in the App Services UI under App Settings > General > Deployment Region.
You can use DNS filtering to specifically allow connections from client applications, including Device Sync clients, to the server.
*.realm.mongodb.com via HTTPS or port 443.
Allowed Request Origins
You can define this configuration option in the
realm_config.json file. This field accepts an array of
URLs that incoming requests may originate from. If you define any allowed
request origins, then App Services blocks any incoming request from
an origin that is not listed.
IP Access List
App Services allows client requests from the enabled entries in the app's IP access list. Allowed requests will still use App Services's authentication and authorization rules. When you add IP access list entries, App Services blocks any request originating from an IP that is not on the access list.
By default, any newly-created App allows access from any client IP by adding an access list entry for 0.0.0.0/0. If you delete this entry, no client can access your App from any IP address.
Find Your IP Address
View IP Access List Entries
Create an IP Access List Entry
Edit an IP Access List Entry
Delete an IP Access List Entry
API Access List
When you create an Atlas API key for project or organization access from the Realm CLI or the App Services Admin API, you can specify IP addresses that can use this API key. If you specify an IP address, App Services blocks any request originating from an IP address that is not on the access list.
All internal communication between App Services and Atlas is encrypted with x509 certificates.