For AI agents: a documentation index is available at https://www.mongodb.com/docs/llms.txt — markdown versions of all pages are available by appending .md to any URL path.
Docs Menu

Atlas Network Protection Layer

Note

The MongoDB Atlas Shared Responsibility Model defines the complementary duties of MongoDB and its customers in maintaining a secure and resilient data environment. Under this framework, MongoDB manages the security and operational integrity of the underlying platform, while customers are responsible for the configuration, management, and data policies of their specific deployments. For a detailed breakdown of ownership across security and operational excellence, see Shared Responsibility Model.

The Atlas Network Protection Layer (ANPL) is an additional defense-in-depth security layer that inspects unauthenticated traffic to your cluster and blocks malicious requests before they reach the database.

ANPL analyzes connection patterns and request characteristics to identify and prevent potentially harmful traffic, providing an extra layer of protection beyond standard network security controls.

Important

ANPL is currently available for a limited set of dedicated Atlas 8.3 clusters in projects with public internet access (0.0.0.0/0 in the IP access list). Availability is currently based on specific selection criteria, and cannot be requested otherwise.

ANPL operates transparently in the connection path between clients and your database. When enabled, it:

  • Monitors unauthenticated connection attempts.

  • Analyzes traffic patterns for suspicious behavior.

  • Blocks identified malicious requests before database authentication.

  • Allows legitimate traffic to proceed normally.

ANPL being enabled on your cluster does not require any action from you. However, know that an additional layer has been added to your connection path.

If you notice any unexpected behavior or have concerns about connection performance, contact MongoDB Support.

You can determine if ANPL is enabled on your cluster through:

An indicator appears on the cluster details page in the Atlas UI when ANPL is enabled.

To view the cluster overview:

1
  1. If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. In the sidebar, click Clusters under the Database heading.

The Clusters page displays.

2

The cluster details page displays. If ANPL is enabled, an indicator appears on this page.

When ANPL is enabled or disabled on a cluster, an event is logged in the project Activity Feed. The event is named Atlas Network Protection Layer became active on a cluster when ANPL is enabled, or Atlas Network Protection Layer became inactive on a cluster when ANPL is disabled.

ANPL does not have a self-serve toggle in the Atlas UI for the initial release. You can disable ANPL through:

Remove 0.0.0.0/0 from your project's IP access list. This disables ANPL automatically.

Important

Removing 0.0.0.0/0 from the IP access list might trigger a rolling restart of eligible clusters. The restart warning appears in the Atlas UI when you modify the IP access list.

ANPL is enabled or disabled within approximately 15 minutes after the IP access list change.

To learn how to manage your IP access list, see Configure IP Access List Entries.

If you need to disable ANPL without modifying your IP access list configuration, contact MongoDB Support to file a support ticket.

While ANPL provides additional protection for clusters with public internet access, MongoDB recommends using more restrictive network controls:

  • Replace 0.0.0.0/0 with specific IP addresses or CIDR ranges that match your application infrastructure.

  • Use private networking solutions such as:

To learn more, see Recommendations for Atlas Network Security in the Atlas Architecture Center.

ANPL might add latency to connection establishment. The impact varies based on network conditions and traffic patterns.

If you experience connection issues or performance degradation after ANPL is enabled, contact MongoDB Support.

When ANPL is initially enabled on eligible clusters during the rollout period, the change occurs during your configured maintenance window.

If you later modify the IP access list by adding or removing 0.0.0.0/0, changes take effect within approximately 15 minutes and might trigger a rolling restart.