Firewall Configuration
On this page
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
Accessible Ports
The Cloud Manager must be able to connect to users and MongoDB Agents over HTTP or HTTPS. MongoDB Agents must be able to connect to MongoDB client MongoDB databases.
Though Cloud Manager only requires open HTTP (or HTTPS) and MongoDB network ports to connect with users and to databases, what ports are opened on a firewall depend upon what capabilities are enabled: encryption, authentication and monitoring.
This page defines which systems need to connect to which ports on other systems.
Cloud Manager requires access on the following ports and IP addresses.
Required Outbound Access
The MongoDB Agents connect to Cloud Manager on port 443. Whether you
provision your hosts on a cloud service provider or on your own
network, configure your network infrastructure to allow outbound
connections on port 443.
If you wish to restrict outbound access on port 443 to specific
IP addresses, you must add the following addresses and
domains to your access list.
IP Addresses for GET and POST
Add the following IP addresses to your access list:
3.93.83.52 3.94.56.171 3.214.160.189 18.210.185.2 18.210.245.203 18.232.30.107 18.235.209.93 34.192.82.120 34.194.131.15 34.194.251.66 34.195.55.18 34.195.194.204 34.200.195.130 34.203.104.26 34.227.138.166 34.230.213.36 34.233.152.179 34.233.179.140 35.172.148.213 35.172.245.18 44.211.4.85 44.216.169.184 52.86.156.12 54.147.76.65 54.204.237.208
This allows the MongoDB Agents to GET and POST to the
following hosts:
api-agents.mongodb.comapi-backup.mongodb.comapi-backup.us-east-1.mongodb.comqueryable-backup.us-east-1.mongodb.comrestore-backup.us-east-1.mongodb.comreal-time-api-agents.mongodb.com
Domain for Download of MongoDB Binaries
The MongoDB Agents require outbound access to the following domains, depending on your MongoDB edition, for downloading MongoDB binaries:
MongoDB Edition | Access List Domain | IP Ranges | Service Provider |
|---|---|---|---|
Community |
| The IP ranges for CloudFront change frequently. | Amazon CloudFront |
| |||
Custom Build of MongoDB | URL accessible to the MongoDB Agents |
Domain for MongoDB Agent Downloads and Updates
If you restrict outbound access, you must grant your MongoDB Agents access to the following domain to download and update the MongoDB Agent.
Access List Domain | IP Ranges | Service Provider |
|---|---|---|
| The IP ranges for AWS change frequently. | AWS |
Required Inbound Access
IP Addresses for Alert Webhooks
You have the option to configure alerts to be delivered via webhook.
This sends an HTTP POST request to an endpoint for
programmatic processing.
If you want to successfully deliver a webhook to the specified
endpoint, the endpoint must accept incoming HTTP POST requests
from the following IP addresses:
3.92.113.229 3.208.110.31 3.211.96.35 3.212.79.116 3.214.203.147 3.215.10.168 3.215.143.88 18.214.178.145 18.235.30.157 18.235.48.235 18.235.145.62 34.193.91.42 34.193.242.51 34.196.151.229 34.200.66.236 34.235.52.68 34.236.228.98 34.237.40.31 35.153.40.82 35.169.184.216 35.171.106.60 35.174.179.65 35.174.230.146 35.175.93.3 35.175.94.38 35.175.95.59 50.19.91.100 52.71.233.234 52.73.214.87 52.87.98.128 54.145.247.111 54.163.55.77 100.26.2.217 107.20.0.247 107.20.107.166
Required Ports within Your Network
All MongoDB processes in a deployment must be accessible to all MongoDB Agents managing processes in that deployment. Therefore, all MongoDB ports must be open to every host within your network that serve a MongoDB Agent.
Example
If you are running MongoDB processes on 27000, 27017 and
27020, then those three ports must be open from all hosts
that are serving a MongoDB Agent.