How to Enable Firewall / IP Whitelisting in Mlab MongoDB

Learn how to secure your Mlab MongoDB database by enabling IP and security group whitelisting features.

Mlab (formerly Mongolab) is one of the most popular “MongoDB as a service” cloud providers.

IP whitelisting is available in Mlab for dedicated plans only, starting at $180. Sadly enough, this option is not available to sandbox or shared cluster plans.

If your Mlab dedicated database is hosted in AWS and your application is running from the same AWS region, you can whitelist an EC2 security group (explained down below).

Whitelisting IP addresses on Mlab

By default, Mlab allows accessing from any IP address. That’s a bad practice, given that even though Mlab enforces Authentication, MongoDB leaks too much information to unauthenticated requests.

To properly protect your databases, it is necessary to only whitelist the public IP addresses of your application servers:

1. Log in to the mLab management portal.
2. Navigate to the MongoDB deployment that you wish to secure.
3. Click the “Networking” tab.
4. Click the “Add IP rule(s)” button.
5. Enter the IP address and an optional description for the rule.
6. Click the “Add” button.

Remember that you can whitelist as many IP addresses as you want.

Tip: If you usually run your app in your own computer for testing or development purposes, you may also want to whitelist your home or office IP.

You can also add different IPs at once by comma separating them or a whole range by using CIDR notation ( 22.22.22.22/32 ).

Whitelisting Amazon EC2 security groups on Mlab

If your Dedicated plan database is hosted in AWS and your application is running from the same AWS region and on EC2-Classic (i.e., not in a VPC), it is recommended to allow access by security groups. This way you can spin up new machines with your original security groups without the need to change your database’s firewall rules.

To control access to your mLab-hosted database using your EC2 security group, you’ll need to provide your AWS account ID (a 12-digit number) and security group ID (begins with “sg-“).

Follow these instructions to whitelist an AWS security group:

1. Log in to the mLab management portal.
2. Navigate to the MongoDB deployment that you wish to secure.
3. Click the “Networking” tab.
4. Click the “Add Security Group rule” button.
5. Enter your AWS account ID, security group ID and an optional description.
6. Click the “Add” button. Voilà!

Are you using Heroku? Sadly enough, given that Heroku apps run in VPCs across multiple regions, this feature will not work at all.