Code Summary: Adding Atlas Control Plane IPs and Atlas Node IPs to Allow Communications Between KMS and Atlas
To enable Encryption at Rest for your Atlas project with a cloud provider Key Management Service (KMS), it’s critical to configure your cloud provider’s IP access rules. You need to add the Atlas Control Plane IPs and Atlas Cluster Node IPs to your cloud provider's IP access list to ensure secure communication between Atlas and your KMS.
Below are the steps you need to follow.
Add Atlas Control Plane IPs
Atlas Control Plane IPs are the addresses from which Atlas backend services reach your cloud provider's KMS. You must gather these addresses and add them to the KMS IP access list (allow list) in your cloud provider.
Gather the Control Plane IPs for Atlas
Use the following curl command to call the MongoDB Atlas Administration API and retrieve the inbound and outbound Atlas control plane IP addresses in CIDR notation, grouped by cloud provider and region.
The command authenticates to the Atlas API with HTTP digest authentication using your API key pair, passed here as the shell variables ${PUBLIC_KEY} and ${PRIVATE_KEY}; --include prints the response headers along with the body, which helps when troubleshooting a non-200 status.
It then sends a GET request to the /api/atlas/v2/unauth/controlPlaneIPAddresses endpoint.
curl --user "${PUBLIC_KEY}:${PRIVATE_KEY}" \
--digest --include \
--header "Accept: application/vnd.atlas.2025-03-12+json" \
--request GET "https://cloud.mongodb.com/api/atlas/v2/unauth/controlPlaneIPAddresses?pretty=true"
The response lists inbound and outbound Atlas control plane IP addresses in CIDR notation, grouped by cloud provider and then by region (the additionalProperty1 and additionalProperty2 keys in the schema example below stand for region names). Add the returned outbound addresses for your cloud provider to your KMS IP access list; the outbound list is the one that matters here, because it is the set of source addresses from which Atlas backend services connect to your KMS.
{
"inbound": {
"aws": { ... },
"azure": { ... },
"gcp": { ... }
},
"outbound": {
"aws": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"azure": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"gcp": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
}
}
}
Add Atlas Node IPs for a cluster
Atlas Cluster Node IPs allow individual Atlas nodes to communicate with your cloud provider’s KMS. These IPs must also be added to your cloud provider’s KMS IP access list to enable encryption.
Gather the Node IPs for Your Atlas Cluster
The following curl command calls the MongoDB Atlas Administration API to retrieve the IP addresses of all nodes in a project.
The command authenticates with HTTP digest authentication using your API key pair, passed as the shell variables ${PUBLIC_KEY} and ${PRIVATE_KEY}.
It then sends a GET request to the /api/atlas/v2/groups/{groupId}/ipAddresses endpoint, where {groupId} is replaced with the project ID of your project (Atlas uses "group" and "project" interchangeably in the API).
curl --user "${PUBLIC_KEY}:${PRIVATE_KEY}" \
--digest --include \
--header "Accept: application/vnd.atlas.2025-03-12+json" \
--request GET "https://cloud.mongodb.com/api/atlas/v2/groups/{groupId}/ipAddresses?pretty=true"
The response lists the IP addresses of the nodes in each cluster of the project, similar to the following example. Add the inbound and outbound node IP addresses to your cloud provider's KMS IP access list so that each node can reach the KMS. The futureInbound and futureOutbound lists hold addresses Atlas plans to assign to the cluster; adding them ahead of time avoids a gap when those nodes come into service.
{
"groupId": "32b6e34b3d91647abb20e7b8",
"services": {
"clusters": [
{
"clusterName": "string",
"futureInbound": [
"string"
],
"futureOutbound": [
"string"
],
"inbound": [
"string"
],
"outbound": [
"string"
]
}
]
}
}
Monitor notifications for changes
MongoDB Atlas periodically adds or changes control plane and node IP addresses. To ensure uninterrupted communication between Atlas and your KMS, monitor notifications from Atlas for changes, such as the addition of new IP addresses.
When an IP update notification is received, you must update your cloud provider's KMS access list to reflect the changes. Failure to do so may disrupt Encryption at Rest functionality.
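The following script ties the three steps above together: it reads the two API responses (the control plane address list and the project node address list), builds the exact set of CIDRs your KMS access list needs, and diffs that set against what is currently configured so that an IP-change notification turns into a concrete add/remove list. This is an added example written for this page, not code from MongoDB or the Atlas API reference. The sample responses are constructed to match the shape of the schema examples above and use RFC 5737 documentation addresses; the fetch_json helper issues the same digest-authenticated GET as the curl commands but is not called in the offline sample run.

```python
"""Build the KMS IP allow list an Atlas project needs and diff it against
the list currently configured on the KMS. Added example for this page; the
sample data below is constructed, not a real API response."""
import ipaddress
import json
import urllib.request

ATLAS_BASE = "https://cloud.mongodb.com/api/atlas/v2"
ACCEPT = "application/vnd.atlas.2025-03-12+json"


def fetch_json(path, public_key, private_key):
    """GET an Atlas Admin API resource with HTTP digest auth (same as the curl calls)."""
    url = ATLAS_BASE + path
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request(url, headers={"Accept": ACCEPT})
    with opener.open(req, timeout=30) as resp:
        return json.load(resp)


def to_network(addr):
    """Validate an address or CIDR; a bare IP becomes a /32 (or /128) network."""
    return ipaddress.ip_network(addr, strict=False)


def render(nets):
    """Stable string form: IPv4 before IPv6, then by network address."""
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def control_plane_outbound(payload, provider, region=None):
    """Source CIDRs the Atlas control plane uses to reach your KMS for one provider
    (all regions, or one region if given)."""
    regions = payload.get("outbound", {}).get(provider, {})
    selected = [region] if region else list(regions)
    return {to_network(c) for r in selected for c in regions.get(r, [])}


def cluster_node_addresses(payload, cluster_name=None, include_future=True):
    """Node addresses (inbound, outbound and, by default, the future lists)
    for one cluster or for every cluster in the project."""
    keys = ["inbound", "outbound"]
    if include_future:
        keys += ["futureInbound", "futureOutbound"]
    nets = set()
    for cluster in payload.get("services", {}).get("clusters", []):
        if cluster_name and cluster.get("clusterName") != cluster_name:
            continue
        for key in keys:
            nets.update(to_network(a) for a in cluster.get(key, []))
    return nets


def required_allow_list(control_plane, nodes, provider, region=None, cluster_name=None):
    """Union of control plane outbound CIDRs and node addresses the KMS must allow."""
    nets = control_plane_outbound(control_plane, provider, region)
    nets |= cluster_node_addresses(nodes, cluster_name)
    return render(nets)


def allow_list_diff(current, required):
    """(to_add, to_remove) so that the Atlas-managed part of the KMS list equals
    `required`. Pass only the entries you manage for Atlas as `current`, or
    legitimate non-Atlas entries will show up in to_remove."""
    cur = {to_network(a) for a in current}
    req = {to_network(a) for a in required}
    return render(req - cur), render(cur - req)


# Constructed sample responses shaped like the schema examples on this page.
SAMPLE_CONTROL_PLANE = {
    "inbound": {"aws": {"us-east-1": ["192.0.2.0/28"]}, "azure": {}, "gcp": {}},
    "outbound": {
        "aws": {
            "us-east-1": ["198.51.100.0/29", "198.51.100.8/29"],
            "eu-west-1": ["203.0.113.0/30"],
        },
        "azure": {},
        "gcp": {},
    },
}
SAMPLE_NODES = {
    "groupId": "32b6e34b3d91647abb20e7b8",
    "services": {"clusters": [{
        "clusterName": "Cluster0",
        "inbound": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
        "outbound": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
        "futureInbound": ["192.0.2.13"],
        "futureOutbound": ["192.0.2.13"],
    }]},
}
# What the KMS allow list holds today (constructed); note the stale 10.0.0.5 entry.
SAMPLE_CURRENT_KMS_LIST = [
    "192.0.2.10/32", "192.0.2.11/32", "192.0.2.12/32", "198.51.100.0/29", "10.0.0.5/32",
]

if __name__ == "__main__":
    required = required_allow_list(SAMPLE_CONTROL_PLANE, SAMPLE_NODES, "aws", "us-east-1")
    add, remove = allow_list_diff(SAMPLE_CURRENT_KMS_LIST, required)
    print(json.dumps({"required": required, "add": add, "remove": remove}, indent=2))
```

To run it against a live project, replace the sample dictionaries with fetch_json("/unauth/controlPlaneIPAddresses", pub, priv) and fetch_json(f"/groups/{project_id}/ipAddresses", pub, priv); the region argument should be the region whose control plane addresses apply to your KMS. Re-running the diff on each Atlas IP-change notification gives you exactly the entries to add before the change takes effect.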