MongoDB/Network Access
Network Access
As mentioned in the Access Control section of the MongoDB page, one of the ways to provide coarse-grained access control to a MongoDB database is to limit network access to the port and server of the MongoDB host machine.
- We start by covering binding to particular network interfaces
- We cover considerations with Docker and the Mongo Docker pod at https://git.charlesreid1.com/pod-mongo
- We move on to network architectures that will place MongoDB in a protected zone:
  - Classic firewall
  - Access Mongo through SSH tunnel
  - Mongo via VPN
  - Place Mongo host on a private subnet, accessible via node(s) on a public subnet
Binding to a Network Interface
To set the network interface(s) that MongoDB binds to, set the bindIp option in the net section of the MongoDB YAML config file (the equivalent command-line flag is --bind_ip). The value is a single string: one address or hostname, or several separated by commas.
Local requests only:
This address is the special localhost IP address, and tells MongoDB to only listen for local requests:
bindIp: 127.0.0.1
All requests:
This configuration is the opposite and tells MongoDB to listen for requests from any network interface:
bindIp: 0.0.0.0
On a public web server this includes the public-facing interface, so the database is reachable from the Internet unless the host or network firewall blocks port 27017. The listen address alone is therefore not sufficient access control; this is also why MongoDB 3.6 and later default to 127.0.0.1 when bindIp is not set.
Particular network:
If the MongoDB host is connected to two different networks, NetA and NetB, it will have two different IP addresses.
Suppose the host has the IP 10.0.0.3 on NetA and 192.168.1.6 on NetB.
To tell MongoDB to only listen for requests coming from NetA:
bindIp: 10.0.0.3
To tell MongoDB to only listen for requests coming from NetB:
bindIp: 192.168.1.6
To tell MongoDB to listen for requests from either network:
bindIp: 10.0.0.3,192.168.1.6
or,
bindIp: 0.0.0.0
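The listen-address choices above are easy to get wrong when a config file is copied between hosts, so it helps to audit them mechanically. The following Python script is an added example, not code from this wiki page or from MongoDB: it takes the net section of a mongod config (the dict that PyYAML's yaml.safe_load returns for it, which is an assumption of this example), splits the comma-separated bindIp string, classifies each entry as loopback, private, public, wildcard or hostname, and reports the broadest exposure present. The sample net sections at the bottom are constructed and mirror the localhost, NetA/NetB and 0.0.0.0 cases discussed above.

```python
"""Audit the listen addresses in a mongod 'net' section.

Added example for the Network Access page; not the wiki's or MongoDB's code.
The 'net' dict is assumed to come from yaml.safe_load() on mongod.conf.
"""
import ipaddress

# Values that make mongod accept connections on every interface of the host.
WILDCARDS = {"0.0.0.0", "::"}

# Exposure categories from narrowest to broadest.
ORDER = ["loopback", "private", "hostname", "reserved", "public", "all"]


def parse_bind_ip(value):
    """Split MongoDB's comma-separated bindIp string into entries.

    mongod expects a single string ("10.0.0.3,192.168.1.6"). A YAML list is
    accepted here as well only so that a mis-written config still gets audited.
    """
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        parts = [str(v) for v in value]
    else:
        parts = str(value).split(",")
    return [p.strip() for p in parts if p.strip()]


def classify(entry):
    """Return one of: all, loopback, private, reserved, public, hostname."""
    if entry in WILDCARDS:
        return "all"
    if entry == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return "hostname"  # reachability depends on what the name resolves to
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:  # RFC 1918 / ULA ranges such as 10.0.0.3, 192.168.1.6
        return "private"
    if addr.is_global:
        return "public"
    return "reserved"  # link-local, shared address space and similar ranges


MESSAGES = {
    "all": "listens on every interface; only a host or network firewall limits access",
    "public": "bound to a globally routable address; reachable from the Internet unless firewalled",
    "hostname": "resolved at startup; confirm which interface the name maps to",
    "reserved": "non-routable special-purpose address; check it is the interface you intended",
    "loopback": "local clients only",
    "private": "reachable from that private network only",
}


def audit_net_section(net):
    """Audit the dict under the 'net' key of a mongod YAML config.

    Returns a list of (entry, category, message) tuples. When bindIp is absent
    the mongod 3.6+ default of 127.0.0.1 is assumed.
    """
    if net.get("bindIpAll"):
        return [("bindIpAll", "all", MESSAGES["all"])]
    findings = []
    for entry in parse_bind_ip(net.get("bindIp", "127.0.0.1")):
        cat = classify(entry)
        findings.append((entry, cat, MESSAGES[cat]))
    return findings


def exposure(findings):
    """Collapse findings into the broadest exposure category present."""
    if not findings:
        return "unknown"
    return max((cat for _, cat, _ in findings), key=ORDER.index)


# Constructed sample 'net' sections (what yaml.safe_load yields for mongod.conf).
SAMPLE_LOCAL = {"bindIp": "127.0.0.1", "port": 27017}
SAMPLE_TWO_NETS = {"bindIp": "10.0.0.3,192.168.1.6", "port": 27017}
SAMPLE_ALL = {"bindIp": "0.0.0.0", "port": 27017}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        import yaml  # assumption: PyYAML is installed when auditing a real file
        with open(sys.argv[1]) as fh:
            sections = {sys.argv[1]: yaml.safe_load(fh).get("net", {})}
    else:
        sections = {"local": SAMPLE_LOCAL, "two-nets": SAMPLE_TWO_NETS, "all": SAMPLE_ALL}
    for name, net in sections.items():
        findings = audit_net_section(net)
        print(f"{name}: exposure={exposure(findings)}")
        for entry, cat, msg in findings:
            print(f"  {entry:<20} {cat:<9} {msg}")
```

Run it with a path to mongod.conf to audit a real file, or with no arguments to see the three constructed cases. After changing bindIp and restarting mongod, confirm the result on the host with a listening-socket listing (for example ss -ltnp on Linux) so that the audit of the file matches what the process actually bound.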