Note
The MongoDB Atlas Shared Responsibility Model defines the complementary duties of MongoDB and its customers in maintaining a secure and resilient data environment. Under this framework, MongoDB manages the security and operational integrity of the underlying platform, while customers are responsible for the configuration, management, and data policies of their specific deployments. For a detailed breakdown of ownership across security and operational excellence, see Shared Responsibility Model.
The Atlas Network Protection Layer (ANPL) is an additional defense-in-depth security layer that inspects unauthenticated traffic to your cluster and blocks malicious requests before they reach the database.
ANPL analyzes connection patterns and request characteristics to identify and prevent potentially harmful traffic, providing an extra layer of protection beyond standard network security controls.
Important
ANPL is currently available for a limited set of dedicated Atlas 8.3 clusters in projects with public internet access (0.0.0.0/0 in the IP access list). Availability is currently based on specific selection criteria, and cannot be requested otherwise.
Overview
ANPL operates transparently in the connection path between clients and your database. When enabled, it:
Monitors unauthenticated connection attempts.
Analyzes traffic patterns for suspicious behavior.
Blocks identified malicious requests before database authentication.
Allows legitimate traffic to proceed normally.
You do not need to take any action when ANPL is enabled on your cluster. However, be aware that an additional layer has been added to your connection path.
If you notice any unexpected behavior or have concerns about connection performance, contact MongoDB Support.
How to Know if ANPL is Enabled
You can determine if ANPL is enabled on your cluster through:
Cluster Overview Indicator
An indicator appears on the cluster details page in the Atlas UI when ANPL is enabled.
To view the cluster overview:
In Atlas, go to the Clusters page for your project.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
In the sidebar, click Clusters under the Database heading.
The Clusters page displays.
Project Activity Feed Event
When ANPL is enabled or disabled on a cluster, an event is logged in the project Activity Feed. The event is named "Atlas Network Protection Layer became active on a cluster" when ANPL is enabled, or "Atlas Network Protection Layer became inactive on a cluster" when ANPL is disabled.
Disable ANPL
ANPL does not have a self-serve toggle in the Atlas UI for the initial release. You can disable ANPL through:
Remove Public Internet Access
Remove 0.0.0.0/0 from your project's IP access list. This disables ANPL automatically.
Important
Removing 0.0.0.0/0 from the IP access list might trigger a rolling restart of eligible clusters. The restart warning appears in the Atlas UI when you modify the IP access list.
ANPL is enabled or disabled within approximately 15 minutes after the IP access list change.
To learn how to manage your IP access list, see Configure IP Access List Entries.
Contact Support
If you need to disable ANPL without modifying your IP access list configuration, contact MongoDB Support to file a support ticket.
Impact and Considerations
Network Security Best Practices
While ANPL provides additional protection for clusters with public internet access, MongoDB recommends using more restrictive network controls:
Replace 0.0.0.0/0 with specific IP addresses or CIDR ranges that match your application infrastructure.
Use private networking solutions such as:
To learn more, see Recommendations for Atlas Network Security in the Atlas Architecture Center.
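As an added example (not part of the MongoDB documentation), the following Python code audits an exported IP access list for the 0.0.0.0/0 entry discussed above, and also reports ranges that together cover the whole IPv4 space or are broader than a chosen prefix length. The coverage and breadth checks are this example's own audit policy and go beyond the literal 0.0.0.0/0 entry that this page ties ANPL to. The entry field names (cidrBlock, ipAddress, comment), the sample entries, and the /16 threshold are assumptions made for the example.

```python
import ipaddress

# Constructed sample of exported IP access list entries. The field names
# are an assumed export shape, not something defined on this page.
SAMPLE_ENTRIES = [
    {"cidrBlock": "0.0.0.0/0", "comment": "temporary, dev testing"},
    {"cidrBlock": "203.0.113.0/24", "comment": "app servers"},
    {"ipAddress": "198.51.100.7", "comment": "bastion host"},
    {"cidrBlock": "10.0.0.0/8", "comment": "wide internal range"},
]


def audit_access_list(entries, min_prefix=16):
    """Classify access list entries by how much address space they open.

    min_prefix is an assumed local policy: IPv4 ranges broader than this
    prefix length are reported for review.
    """
    nets = []
    for entry in entries:
        raw = entry.get("cidrBlock") or entry["ipAddress"]
        # strict=False tolerates host bits set in a CIDR (e.g. 10.1.2.3/8).
        nets.append(ipaddress.ip_network(raw, strict=False))

    v4 = [n for n in nets if n.version == 4]
    # Merge adjacent and overlapping ranges so that split entries such as
    # 0.0.0.0/1 + 128.0.0.0/1 are recognised as covering everything.
    collapsed = list(ipaddress.collapse_addresses(v4))

    return {
        # The literal "allow from anywhere" entry (IPv4 or IPv6).
        "literal_open": [str(n) for n in nets if n.prefixlen == 0],
        # True when the IPv4 entries together cover the full address space.
        "effectively_open": any(n.prefixlen == 0 for n in collapsed),
        # Entries that are not /0 but still broader than local policy allows.
        "broad": [str(n) for n in v4 if 0 < n.prefixlen < min_prefix],
        # Number of distinct IPv4 addresses allowed after merging.
        "covered_addresses": sum(n.num_addresses for n in collapsed),
    }


if __name__ == "__main__":
    report = audit_access_list(SAMPLE_ENTRIES)
    for key, value in report.items():
        print(f"{key}: {value}")
```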
Performance
ANPL might add latency to connection establishment. The impact varies based on network conditions and traffic patterns.
If you experience connection issues or performance degradation after ANPL is enabled, contact MongoDB Support.
Restart Behavior
When ANPL is initially enabled on eligible clusters during the rollout period, the change occurs during your configured maintenance window.
If you later modify the IP access list by adding or removing 0.0.0.0/0, changes take effect within approximately 15 minutes and might trigger a rolling restart.