Atlas only allows client connections to the cluster from entries in the project's IP access list. Each entry is either a single IP address or a CIDR-notated range of addresses. For AWS clusters with one or more VPC Peering connections to the same AWS region, you can specify a Security Group associated with a peered VPC.
Note
The MongoDB Atlas Shared Responsibility Model defines the complementary duties of MongoDB and its customers in maintaining a secure and resilient data environment. Under this framework, MongoDB manages the security and operational integrity of the underlying platform, while customers are responsible for the configuration, management, and data policies of their specific deployments. For a detailed breakdown of ownership across security and operational excellence, see Shared Responsibility Model.
For Atlas clusters deployed on Google Cloud Platform (GCP) or Microsoft Azure, add the IP addresses of your Google Cloud or Azure services to Atlas project IP access list to grant those services access to the cluster.
The IP access list applies to all clusters in the project and can have up to 200 IP access list entries, with the following exception: projects with an existing sharded cluster created before August 25, 2017 can have up to 100 IP access list entries.
Atlas supports creating temporary IP access list entries that expire within a user-configurable 7-day period.
Note
To restrict access to MongoDB Atlas UI for specific IP addresses, configure the UI IP Access List for your Atlas organization. Although a standard IP Access List can't block access to the Atlas UI, the UI IP Access List lets you restrict access to your Atlas organization's management interface to only the trusted IP addresses or CIDR ranges you specify. You can also restrict sign-in to Atlas UI through your IdP authentication policies by using Atlas federated authentication.
When you create, delete, or change temporary and non-temporary IP access list entries, Atlas notifies you of these events in the project's Activity Feed. For example, if you modify the address of an IP access list entry, the Activity Feed reports the deletion of the old entry and the creation of the new entry.
View Activity Feed
To view the project's Activity Feed:
In Atlas, go to the Project Settings page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
In the sidebar, click the icon next to Project Overview.
The Project Settings page displays.
In Atlas, go to the Project Activity Feed page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
In the sidebar, click Activity Feed under the Security header.
The Project Activity Feed page displays.
See also View All Activity.
Note
Activity Feed Considerations
Atlas does not report updates to an IP access list entry's comment in the Activity Feed.
When you modify the address of an IP access list entry, the Activity Feed reports two new activities: one for the deletion of the old entry and one for the creation of the new entry.
Required Access
To manage IP Access List entries, you must have Project Owner or Project Network Access Manager access to the project.
Users with Organization Owner access must add themselves to the project as a Project Owner.
Select your interface to view the appropriate procedures.
View IP Access List Entries
Add IP Access List Entries
Modify IP Access List Entries
Delete IP Access List Entries
Important
When you remove an entry from the IP access list, existing connections from the removed addresses may remain open for a variable amount of time. How much time passes before Atlas closes the connection depends on several factors, including:
how the connection was established
how the application or driver using the address behaves
which protocol (like TCP or UDP) the connection uses