{"slug":"create-a-secure-connection-to-mongodb-atlas","title":"Create a secure connection to MongoDB Atlas","tags":["tailscale"],"agent_summary":"Last validated: Dec 4, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Create a secure connection to MongoDB Atlas\r\n\r\nLast validated: Dec 4, 2025\r\n\r\n## [Introduction](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#introduction)\r\n\r\nMany Software as a Service (SaaS) applications require a list of allowed IP address ranges to restrict connectivity to only intended devices and users. If you connect to public Wi-Fi in places like hotels, airports, or cafés, you likely won't have application access due to the allowed IP address list not containing your IP address. For some organizations, when a new user joins the organization, an admin needs to add their IP address to the set of allowed IP addresses, which slows down onboarding of the user.\r\n\r\nTailscale [app connectors](https://tailscale.com/docs/features/app-connectors) let you route SaaS applications through dedicated devices in your Tailscale network (known as a tailnet). Instead of maintaining an allowlist of all IP addresses on your tailnet, you maintain an allowlist of only the app connector IP addresses. Your users still have access if they work from a café, and new users on your tailnet have access as soon as they join your tailnet. You can use an app connector to securely connect to SaaS applications like a [MongoDB Atlas](https://www.mongodb.com/products/platform) database, and deny access to anyone that is not in your tailnet.\r\n\r\nIn this guide, you will update your [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file) to restrict access to a MongoDB Atlas database, configure and run an app connector to route requests to the database, and update the Atlas IP address list to allow access only through the app connector. When you finish this guide, you'll have set access restrictions to let only your tailnet users access the database.\r\n\r\n## [Prerequisites](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#prerequisites)\r\n\r\nBefore you begin this guide you'll need the following:\r\n\r\n- A MongoDB Atlas database. For information about MongoDB Atlas, refer to MongoDB's [What is MongoDB Atlas?](https://www.mongodb.com/docs/atlas/) topic.\r\n- A user name and password for your Atlas database.\r\n- A MongoDB Atlas role of Project Owner, so that you can edit the Atlas IP access list.\r\n- Your Atlas connection string. This is in the form `<cluster-name>.<hash>.mongodb.net`. For example, `cluster0.abcdef.mongodb.net`. For information about retrieving your connection string, refer to [Find your MongoDB Atlas connection string](https://www.mongodb.com/docs/manual/reference/connection-string/#find-your-mongodb-atlas-connection-string).\r\n- A Tailscale account. [Create an account](https://login.tailscale.com/start) if you don't have one already.\r\n- A Linux device to use as an app connector for your tailnet. This solution will show you how to start this device as an app connector for Atlas. For now, ensure the device meets the app connector [requirements](https://tailscale.com/docs/features/app-connectors/how-to/setup#requirements) and is already in your tailnet.\r\n- A different device in your tailnet that has [MongoDB Shell](https://www.mongodb.com/docs/mongodb-shell/) installed. You will use this device to connect to your MongoDB Atlas database.\r\n- A Tailscale role of either [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) so that you can edit your [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file).\r\n\r\n## [Step 1: Update your tailnet policy file](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#step-1-update-your-tailnet-policy-file)\r\n\r\nConfigure your [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file) to securely route tailnet traffic to your Atlas database. You need to make the following updates to your tailnet policy file:\r\n\r\n- Create a Tailscale group for your Atlas admins.\r\n- Create a tag to use for your app connector devices, which will connect your tailnet users to your Atlas database.\r\n- Configure auto approval of your app connector devices, so that when they join your tailnet, their routes to the Atlas database are automatically approved. This lets you set up an app connector device by running a single [`tailscale up`](https://tailscale.com/docs/reference/tailscale-cli/up) command on the device.\r\n- Create a grant that lets your tailnet users access the Atlas database.\r\n- Define the set of domains for your specific MongoDB Atlas project. Your Atlas app connector uses these domains to route tailnet traffic to the Atlas database.\r\n\r\nYou need to be an [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) to edit a tailnet policy file.\r\n\r\n### [Create an Atlas admins group](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#create-an-atlas-admins-group)\r\n\r\nTailscale [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups) let you create groups of users, which you can use in access rules (instead of listing users out explicitly). Create a group named `atlas-admins` so that you can add all of your Atlas admins into a single group.\r\n\r\n1. Go to the [Visual editor](https://login.tailscale.com/admin/acls/visual) tab of the admin console.\r\n\r\n2. Select **Groups**, and then select **Create tag**.\r\n\r\n3. For **Group name**, enter `atlas-admins`.\r\n\r\n4. For **Members**, select yourself from the dropdown list. If you have others in your tailnet that you want to administer your Atlas app connector, add them to this group also.\r\n\r\n5. (Optional) For **Note**, enter any note you'd like to keep for this group.\r\n\r\n6. Select **Save group**.\r\n\r\n\r\nNow that you have the `atlas-admins` group, you can use it in a tag.\r\n\r\n### [Create a tag for your app connector devices](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#create-a-tag-for-your-app-connector-devices)\r\n\r\nTailscale [tags](https://tailscale.com/docs/features/tags) let you authenticate and identity non-user devices. A tag consists of an identifier and the users and groups that can apply the tag. Create a `tag:atlas-app-connector` tag so that you and any other members of the `atlas-admin` group can apply the tag to the devices you want to use for your Atlas app connectors.\r\n\r\n1. Go to the [Visual editor](https://login.tailscale.com/admin/acls/visual) tab of the admin console.\r\n\r\n2. Select **Tags**, and then select **Create tag**.\r\n\r\n3. For **Tag name**, enter `atlas-app-connector`.\r\n\r\n4. For **Tag owner**, select `group:atlas-admins`.\r\n\r\n5. (Optional) For **Note**, enter any note you'd like to keep for this tag.\r\n\r\n6. Select **Save tag**.\r\n\r\n\r\nNow that you have the tag named `atlas-app-connector`, you can use it to auto approve routes to your Atlas database.\r\n\r\n### [Create an auto approver for your app connector routes](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#create-an-auto-approver-for-your-app-connector-routes)\r\n\r\nAdd an [`autoApprovers`](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers) rule to automatically approve specific routes for devices that have the `atlas-app-connector` tag. After you configure app traffic to route through an app connector, any DNS request to the configured app domains triggers route discovery.\r\n\r\n01. Go to the [Visual editor](https://login.tailscale.com/admin/acls/visual) tab of the admin console.\r\n\r\n02. Select **Auto approvers**, and then select **Add route**.\r\n\r\n03. For **Route**, enter `0.0.0.0/0`.\r\n\r\n04. For **Route is approved for**, select `tag:atlas-app-connector`.\r\n\r\n05. (Optional) For **Note**, enter any note you'd like to keep for this auto approver route.\r\n\r\n06. Select **Add route** again.\r\n\r\n07. For **Route**, enter `::/0`.\r\n\r\n08. For **Route is approved for**, select `tag:atlas-app-connector`.\r\n\r\n09. (Optional) For **Note**, enter any note you'd like to keep for this auto approver route.\r\n\r\n10. Select **Save route auto approver**.\r\n\r\n\r\n### [Provide MongoDB Atlas access to your tailnet users](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#provide-mongodb-atlas-access-to-your-tailnet-users)\r\n\r\nAdd a [`grants`](https://tailscale.com/docs/reference/syntax/policy-file#grants) rule to route Atlas traffic through the app connectors.\r\n\r\nYou must allow tailnet devices to access the routes an app connector advertises. One way to do this is to add an access control policy to your tailnet policy file that grants access to `autogroup:internet` (any port number) for members of the tailnet, which will also grant users access to any [exit nodes](https://tailscale.com/docs/features/exit-nodes) in the tailnet.\r\n\r\n1. Go to the [Visual editor](https://login.tailscale.com/admin/acls/visual) tab of the admin console.\r\n\r\n2. Select **General access rules**, and then select **Add rule**.\r\n\r\n3. For **Source**, select `autogroup:member`.\r\n\r\n4. For **Destination**, select `autogroup:internet`.\r\n\r\n5. For **Destination and protocol**, select `All ports and protocols`.\r\n\r\n6. (Optional) For **Note**, enter any note you'd like to keep for this grant.\r\n\r\n7. Select **Save grant**.\r\n\r\n\r\n### [Set the Atlas domains](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#set-the-atlas-domains)\r\n\r\nAdd your Atlas project domains to your connector, by adding a [node attribute](https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs) for the `tag:atlas-app-connector` tag that you created. Any device that you run for this app connector will use these domains to map client requests to your Atlas database.\r\n\r\nYour Atlas connection string contains the MongoDB Atlas domain for your Atlas project, in the form of `<cluster-name>.<hash>.mongodb.net`. For example, `cluster0.abcdef.mongodb.net`. For that example, use `*.abcdef.mongodb.net` for your domain string in the following step. If you want to restrict access to only specific a specific cluster, you can use a domain string like `cluster0.abcdef.mongodb.net`.\r\n\r\nNow that you have your Atlas domain, add it to your app connector's node attributes.\r\n\r\nAdd your Atlas domain to the app connector\r\n\r\nConfigure your app connector to handle the routing of database requests based on your Atlas domain.\r\n\r\n1. Go to the [Visual editor](https://login.tailscale.com/admin/acls/visual) tab of the admin console.\r\n\r\n2. Select **Node attributes**, and then select **Add node attribute**.\r\n\r\n3. For **Targets**, select `All users and devices`.\r\n\r\n4. (Optional) For **Note**, enter any note you'd like to keep for this node attribute.\r\n\r\n5. For **App**, enter `tailscale.com/app-connectors`.\r\n\r\n6. For **Capability**, enter the following (replacing `<hash>` with your connection string's hash):\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```json\r\n{\r\n     \"connectors\": [\\\r\n       \"tag:atlas-app-connector\"\\\r\n     ],\r\n     \"domains\": [\\\r\n       \"*.<hash>.mongodb.net\"\\\r\n     ],\r\n     \"name\": \"Atlas\"\r\n}\r\n```\r\n\r\n\r\n\r\nIf you want to specify a specific cluster instead of `*` for the `domains` entry, use `\"<cluster-name>.<hash>.mongodb.net\"`instead of `\"*.<hash>.mongodb.net\"`.\r\n\r\n7. Select **Save node attribute**.\r\n\r\n\r\nNow that you configured your app connector for Atlas access, start your app connector device.\r\n\r\n## [Step 2: Start an app connector for Atlas](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#step-2-start-an-app-connector-for-atlas)\r\n\r\nRun a device in your tailnet to securely route your user traffic to your MongoDB Atlas database.\r\n\r\nThe app connector device must be running Linux, already added to your tailnet, have a public IP address, and IP port forwarding enabled, as described in the app connector [Requirements](https://tailscale.com/docs/features/app-connectors/how-to/setup#requirements).\r\n\r\nOn your Linux device that you want to use as an app connect, run the following [`tailscale up`](https://tailscale.com/docs/reference/tailscale-cli/up) command:\r\n\r\n```shell\r\ntailscale up --advertise-connector --advertise-tags=tag:atlas-app-connector\r\n```\r\n\r\nThe `--advertise-connector` flag enables the device to route traffic for specific domains according to the configuration in the tailnet policy file. The `--advertise-tags` flag tells the Tailscale client to authenticate the device with the `tag:atlas-app-connector` tag.\r\n\r\nBy default, devices in a tailnet are occasionally required to re-authenticate to keep your network secure. To avoid DNS interruptions if the app connector device needs to re-authenticate, go to the [Machines](https://login.tailscale.com/admin/machines) page of the admin console, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) button next to the app connector device, then select **Disable key expiry**.\r\n\r\nNow that your app connector is running and serving as an Atlas app connector, you can allowlist its IP address in Atlas to let your tailnet users access the database.\r\n\r\n## [Step 3: Allowlist the app connector in Atlas](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#step-3-allowlist-the-app-connector-in-atlas)\r\n\r\nAtlas permits client connections only from entries in the [Atlas access list](https://www.mongodb.com/docs/atlas/security/ip-access-list). Update the Atlas access list to use the egress IP addresses from your app connector.\r\n\r\nFirst, get the IP address of your app connector from the Tailscale admin console.\r\n\r\n1. Open the [Apps](https://login.tailscale.com/admin/apps) page of the admin console.\r\n\r\n2. Select **MongoDB Atlas**.\r\n\r\n3. In the **Egress IPs** section, copy the IP address.\r\n\r\n\r\n\r\nYou can enter only one IP address at a time into the Atlas access list. If you have more than one **Egress IP** address, you need to individually copy and paste them to the Atlas IP access list.\r\n\r\n\r\nNext, add the IP address to the Atlas list of allowed IP addresses.\r\n\r\n1. In the [Atlas dashboard](https://www.mongodb.com/), go to **Project** and make your Atlas project the active project, if it is not already.\r\n2. In the sidebar, under **Security**, select **Network Access**, and then select **IP Access List**.\r\n3. Select **Add IP Address**.\r\n4. For **Access List Entry**, enter the app connector egress IP address that you copied from the Tailscale admin console.\r\n5. (Optional) For **Comment**, enter any comment you'd like to keep for this IP address.\r\n6. (Optional) Set a time limit for the duration of access allowed for this IP address.\r\n7. Select **Confirm**.\r\n\r\nIf you have more IP addresses in your app connector's **Egress IPs** list, repeat this step to add them to the Atlas access list.\r\n\r\n### [Remove unneeded IP addresses from the Atlas access list](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#remove-unneeded-ip-addresses-from-the-atlas-access-list)\r\n\r\nIf your Atlas access list contains IP addresses that are not specific to your app connector, remove them. Otherwise, someone outside of your tailnet could access the database.\r\n\r\n1. In the **Network Access** page, for any IP address that your want to delete, select **Delete**.\r\n2. Select **Delete** again to confirm you want to delete it.\r\n\r\nFor more information about MongoDB Atlas IP access lists, refer to MongoDB's [Configure IP Access List Entries](https://www.mongodb.com/docs/atlas/security/ip-access-list) topic.\r\n\r\nNow that you configured your Atlas project to accept requests from only the specified IP address range, you can make a connection from a device in your tailnet.\r\n\r\n## [Step 4: Connect to your database](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#step-4-connect-to-your-database)\r\n\r\nUse the device in your tailnet with `mongosh` installed to connect to your database. Use a device separate from the app connector device.\r\n\r\n1. If the device is a Linux device, run the following [`tailscale set`](https://tailscale.com/docs/reference/tailscale-cli#set) command so the client accepts the routes provided by the app connector:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\ntailscale set --accept-routes\r\n```\r\n\r\n\r\n\r\nTailscale clients on other operating systems accept the routes by default.\r\n\r\n2. Run the following (replace the placeholders with the values for your Atlas database):\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\nmongosh \"mongodb+srv://<cluster-name>.<hash>.mongodb.net/\" \\\r\n     --apiVersion 1 \\\r\n     --username <database-user-name>\r\n```\r\n\r\n\r\n\r\nIf the `mongosh` command succeeds, the `mongosh` prompt opens. To confirm you can connect to your database, run:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\n    show dbs;\r\n```\r\n\r\n\r\n\r\nThe command should provide a list the databases in your Atlas project, similar to:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\nmyDatabase     72.00 KiB\r\nadmin         356.00 KiB\r\nlocal         997.79 MiB\r\n```\r\n\r\n\r\nWhen you finish using the `mongosh` prompt, enter `exit` to close the `mongosh` prompt.\r\n\r\nNow that you've tested a connection from a separate device, try the same `mongosh` steps but first ensure that the separate device is running in a different LAN. If both the app connector and the separate device are using the same LAN, their IP addresses are in the same IP address that you allowlisted. If the separate device runs on a different local area network, it uses an IP address different than the app connector IP address. If the device is on a different LAN and still successfully connects to your Atlas database, that means you have successfully allowed access from the Atlas side.\r\n\r\nNow you're ready to confirm that the connection requires Tailscale.\r\n\r\n### [Confirm your connection requires Tailscale](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#confirm-your-connection-requires-tailscale)\r\n\r\n1. On a device separate from your app connector, and on a different local area network than used by the app connector, disable the Tailscale client. You can disable the Tailscale client through the Tailscale client UI, or through the [`tailscale down`](https://tailscale.com/docs/reference/tailscale-cli#down) command.\r\n\r\n2. Run the following command (replace the placeholders with the values for your Atlas database):\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```shell\r\nmongosh \"mongodb+srv://<cluster-name>.<hash>.mongodb.net/\" \\\r\n     --apiVersion 1 \\\r\n     --username <database-user-name>\r\n```\r\n\r\n\r\n\r\nThis command should fail to connect to your database, because the device will not be able to use the app connector due to Tailscale not running. If the device is not running Tailscale and it does successfully connect to your database, and you confirmed that the device has a different IP address than the app connector, that means your Atlas allowed IP addresses is too permissive. Check whether there are any IP addresses that should not have access and remove them.\r\n\r\n\r\n\r\nIf you can connect to your Atlas database on a device that is not running Tailscale and the device IP address is different from the app connector IP address, check your Atlas and tailnet policy file settings, and correct as needed. Otherwise, your database access is not secure.\r\n\r\n\r\nAfter you confirm that the connection required Tailscale, remember to enable Tailscale on the client. You can enable the Tailscale client through the Tailscale client UI, or through the [`tailscale up`](https://tailscale.com/docs/reference/tailscale-cli/up) command.\r\n\r\n## [Conclusion](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas\\#conclusion)\r\n\r\nIn this guide you configured an app connector so that your tailnet clients can access a MongoDB Atlas database and anyone outside of your tailnet cannot access the database. You also ensured that a device needs Tailscale enabled to allow access.\r\n\r\nTo ensure that your tailnet users have high availability to your database, consider [adding another app connector](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#start-app-connector) device so that a single point of app connector failure won't lock out Atlas access. If you add another app connector, remember to [add its egress IP address](https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#allowlist-app-connector) to the Atlas access list.\r\n\r\nFor more information about app connectors, refer to [App connectors](https://tailscale.com/docs/features/app-connectors).\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Create a secure connection to MongoDB Atlas</h1>\n<p>Last validated: Dec 4, 2025</p>\n<h2><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#introduction\">Introduction</a></h2>\n<p>Many Software as a Service (SaaS) applications require a list of allowed IP address ranges to restrict connectivity to only intended devices and users. If you connect to public Wi-Fi in places like hotels, airports, or cafés, you likely won't have application access due to the allowed IP address list not containing your IP address. For some organizations, when a new user joins the organization, an admin needs to add their IP address to the set of allowed IP addresses, which slows down onboarding of the user.</p>\n<p>Tailscale <a href=\"https://tailscale.com/docs/features/app-connectors\">app connectors</a> let you route SaaS applications through dedicated devices in your Tailscale network (known as a tailnet). Instead of maintaining an allowlist of all IP addresses on your tailnet, you maintain an allowlist of only the app connector IP addresses. Your users still have access if they work from a café, and new users on your tailnet have access as soon as they join your tailnet. You can use an app connector to securely connect to SaaS applications like a <a href=\"https://www.mongodb.com/products/platform\">MongoDB Atlas</a> database, and deny access to anyone that is not in your tailnet.</p>\n<p>In this guide, you will update your <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a> to restrict access to a MongoDB Atlas database, configure and run an app connector to route requests to the database, and update the Atlas IP address list to allow access only through the app connector. When you finish this guide, you'll have set access restrictions to let only your tailnet users access the database.</p>\n<h2><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#prerequisites\">Prerequisites</a></h2>\n<p>Before you begin this guide you'll need the following:</p>\n<ul>\n<li>A MongoDB Atlas database. For information about MongoDB Atlas, refer to MongoDB's <a href=\"https://www.mongodb.com/docs/atlas/\">What is MongoDB Atlas?</a> topic.</li>\n<li>A user name and password for your Atlas database.</li>\n<li>A MongoDB Atlas role of Project Owner, so that you can edit the Atlas IP access list.</li>\n<li>Your Atlas connection string. This is in the form <code>&#x3C;cluster-name>.&#x3C;hash>.mongodb.net</code>. For example, <code>cluster0.abcdef.mongodb.net</code>. For information about retrieving your connection string, refer to <a href=\"https://www.mongodb.com/docs/manual/reference/connection-string/#find-your-mongodb-atlas-connection-string\">Find your MongoDB Atlas connection string</a>.</li>\n<li>A Tailscale account. <a href=\"https://login.tailscale.com/start\">Create an account</a> if you don't have one already.</li>\n<li>A Linux device to use as an app connector for your tailnet. This solution will show you how to start this device as an app connector for Atlas. For now, ensure the device meets the app connector <a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#requirements\">requirements</a> and is already in your tailnet.</li>\n<li>A different device in your tailnet that has <a href=\"https://www.mongodb.com/docs/mongodb-shell/\">MongoDB Shell</a> installed. You will use this device to connect to your MongoDB Atlas database.</li>\n<li>A Tailscale role of either <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> so that you can edit your <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a>.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#step-1-update-your-tailnet-policy-file\">Step 1: Update your tailnet policy file</a></h2>\n<p>Configure your <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a> to securely route tailnet traffic to your Atlas database. You need to make the following updates to your tailnet policy file:</p>\n<ul>\n<li>Create a Tailscale group for your Atlas admins.</li>\n<li>Create a tag to use for your app connector devices, which will connect your tailnet users to your Atlas database.</li>\n<li>Configure auto approval of your app connector devices, so that when they join your tailnet, their routes to the Atlas database are automatically approved. This lets you set up an app connector device by running a single <a href=\"https://tailscale.com/docs/reference/tailscale-cli/up\"><code>tailscale up</code></a> command on the device.</li>\n<li>Create a grant that lets your tailnet users access the Atlas database.</li>\n<li>Define the set of domains for your specific MongoDB Atlas project. Your Atlas app connector uses these domains to route tailnet traffic to the Atlas database.</li>\n</ul>\n<p>You need to be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> to edit a tailnet policy file.</p>\n<h3><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#create-an-atlas-admins-group\">Create an Atlas admins group</a></h3>\n<p>Tailscale <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a> let you create groups of users, which you can use in access rules (instead of listing users out explicitly). Create a group named <code>atlas-admins</code> so that you can add all of your Atlas admins into a single group.</p>\n<ol>\n<li>\n<p>Go to the <a href=\"https://login.tailscale.com/admin/acls/visual\">Visual editor</a> tab of the admin console.</p>\n</li>\n<li>\n<p>Select <strong>Groups</strong>, and then select <strong>Create tag</strong>.</p>\n</li>\n<li>\n<p>For <strong>Group name</strong>, enter <code>atlas-admins</code>.</p>\n</li>\n<li>\n<p>For <strong>Members</strong>, select yourself from the dropdown list. If you have others in your tailnet that you want to administer your Atlas app connector, add them to this group also.</p>\n</li>\n<li>\n<p>(Optional) For <strong>Note</strong>, enter any note you'd like to keep for this group.</p>\n</li>\n<li>\n<p>Select <strong>Save group</strong>.</p>\n</li>\n</ol>\n<p>Now that you have the <code>atlas-admins</code> group, you can use it in a tag.</p>\n<h3><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#create-a-tag-for-your-app-connector-devices\">Create a tag for your app connector devices</a></h3>\n<p>Tailscale <a href=\"https://tailscale.com/docs/features/tags\">tags</a> let you authenticate and identity non-user devices. A tag consists of an identifier and the users and groups that can apply the tag. Create a <code>tag:atlas-app-connector</code> tag so that you and any other members of the <code>atlas-admin</code> group can apply the tag to the devices you want to use for your Atlas app connectors.</p>\n<ol>\n<li>\n<p>Go to the <a href=\"https://login.tailscale.com/admin/acls/visual\">Visual editor</a> tab of the admin console.</p>\n</li>\n<li>\n<p>Select <strong>Tags</strong>, and then select <strong>Create tag</strong>.</p>\n</li>\n<li>\n<p>For <strong>Tag name</strong>, enter <code>atlas-app-connector</code>.</p>\n</li>\n<li>\n<p>For <strong>Tag owner</strong>, select <code>group:atlas-admins</code>.</p>\n</li>\n<li>\n<p>(Optional) For <strong>Note</strong>, enter any note you'd like to keep for this tag.</p>\n</li>\n<li>\n<p>Select <strong>Save tag</strong>.</p>\n</li>\n</ol>\n<p>Now that you have the tag named <code>atlas-app-connector</code>, you can use it to auto approve routes to your Atlas database.</p>\n<h3><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#create-an-auto-approver-for-your-app-connector-routes\">Create an auto approver for your app connector routes</a></h3>\n<p>Add an <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\"><code>autoApprovers</code></a> rule to automatically approve specific routes for devices that have the <code>atlas-app-connector</code> tag. After you configure app traffic to route through an app connector, any DNS request to the configured app domains triggers route discovery.</p>\n<ol>\n<li>\n<p>Go to the <a href=\"https://login.tailscale.com/admin/acls/visual\">Visual editor</a> tab of the admin console.</p>\n</li>\n<li>\n<p>Select <strong>Auto approvers</strong>, and then select <strong>Add route</strong>.</p>\n</li>\n<li>\n<p>For <strong>Route</strong>, enter <code>0.0.0.0/0</code>.</p>\n</li>\n<li>\n<p>For <strong>Route is approved for</strong>, select <code>tag:atlas-app-connector</code>.</p>\n</li>\n<li>\n<p>(Optional) For <strong>Note</strong>, enter any note you'd like to keep for this auto approver route.</p>\n</li>\n<li>\n<p>Select <strong>Add route</strong> again.</p>\n</li>\n<li>\n<p>For <strong>Route</strong>, enter <code>::/0</code>.</p>\n</li>\n<li>\n<p>For <strong>Route is approved for</strong>, select <code>tag:atlas-app-connector</code>.</p>\n</li>\n<li>\n<p>(Optional) For <strong>Note</strong>, enter any note you'd like to keep for this auto approver route.</p>\n</li>\n<li>\n<p>Select <strong>Save route auto approver</strong>.</p>\n</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#provide-mongodb-atlas-access-to-your-tailnet-users\">Provide MongoDB Atlas access to your tailnet users</a></h3>\n<p>Add a <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#grants\"><code>grants</code></a> rule to route Atlas traffic through the app connectors.</p>\n<p>You must allow tailnet devices to access the routes an app connector advertises. One way to do this is to add an access control policy to your tailnet policy file that grants access to <code>autogroup:internet</code> (any port number) for members of the tailnet, which will also grant users access to any <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit nodes</a> in the tailnet.</p>\n<ol>\n<li>\n<p>Go to the <a href=\"https://login.tailscale.com/admin/acls/visual\">Visual editor</a> tab of the admin console.</p>\n</li>\n<li>\n<p>Select <strong>General access rules</strong>, and then select <strong>Add rule</strong>.</p>\n</li>\n<li>\n<p>For <strong>Source</strong>, select <code>autogroup:member</code>.</p>\n</li>\n<li>\n<p>For <strong>Destination</strong>, select <code>autogroup:internet</code>.</p>\n</li>\n<li>\n<p>For <strong>Destination and protocol</strong>, select <code>All ports and protocols</code>.</p>\n</li>\n<li>\n<p>(Optional) For <strong>Note</strong>, enter any note you'd like to keep for this grant.</p>\n</li>\n<li>\n<p>Select <strong>Save grant</strong>.</p>\n</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#set-the-atlas-domains\">Set the Atlas domains</a></h3>\n<p>Add your Atlas project domains to your connector, by adding a <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs\">node attribute</a> for the <code>tag:atlas-app-connector</code> tag that you created. Any device that you run for this app connector will use these domains to map client requests to your Atlas database.</p>\n<p>Your Atlas connection string contains the MongoDB Atlas domain for your Atlas project, in the form of <code>&#x3C;cluster-name>.&#x3C;hash>.mongodb.net</code>. For example, <code>cluster0.abcdef.mongodb.net</code>. For that example, use <code>*.abcdef.mongodb.net</code> for your domain string in the following step. If you want to restrict access to only specific a specific cluster, you can use a domain string like <code>cluster0.abcdef.mongodb.net</code>.</p>\n<p>Now that you have your Atlas domain, add it to your app connector's node attributes.</p>\n<p>Add your Atlas domain to the app connector</p>\n<p>Configure your app connector to handle the routing of database requests based on your Atlas domain.</p>\n<ol>\n<li>\n<p>Go to the <a href=\"https://login.tailscale.com/admin/acls/visual\">Visual editor</a> tab of the admin console.</p>\n</li>\n<li>\n<p>Select <strong>Node attributes</strong>, and then select <strong>Add node attribute</strong>.</p>\n</li>\n<li>\n<p>For <strong>Targets</strong>, select <code>All users and devices</code>.</p>\n</li>\n<li>\n<p>(Optional) For <strong>Note</strong>, enter any note you'd like to keep for this node attribute.</p>\n</li>\n<li>\n<p>For <strong>App</strong>, enter <code>tailscale.com/app-connectors</code>.</p>\n</li>\n<li>\n<p>For <strong>Capability</strong>, enter the following (replacing <code>&#x3C;hash></code> with your connection string's hash):</p>\n</li>\n</ol>\n<pre><code class=\"language-json\">{\r\n     \"connectors\": [\\\r\n       \"tag:atlas-app-connector\"\\\r\n     ],\r\n     \"domains\": [\\\r\n       \"*.&#x3C;hash>.mongodb.net\"\\\r\n     ],\r\n     \"name\": \"Atlas\"\r\n}\n</code></pre>\n<p>If you want to specify a specific cluster instead of <code>*</code> for the <code>domains</code> entry, use <code>\"&#x3C;cluster-name>.&#x3C;hash>.mongodb.net\"</code>instead of <code>\"*.&#x3C;hash>.mongodb.net\"</code>.</p>\n<ol start=\"7\">\n<li>Select <strong>Save node attribute</strong>.</li>\n</ol>\n<p>Now that you configured your app connector for Atlas access, start your app connector device.</p>\n<h2><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#step-2-start-an-app-connector-for-atlas\">Step 2: Start an app connector for Atlas</a></h2>\n<p>Run a device in your tailnet to securely route your user traffic to your MongoDB Atlas database.</p>\n<p>The app connector device must be running Linux, already added to your tailnet, have a public IP address, and IP port forwarding enabled, as described in the app connector <a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#requirements\">Requirements</a>.</p>\n<p>On your Linux device that you want to use as an app connect, run the following <a href=\"https://tailscale.com/docs/reference/tailscale-cli/up\"><code>tailscale up</code></a> command:</p>\n<pre><code class=\"language-shell\">tailscale up --advertise-connector --advertise-tags=tag:atlas-app-connector\n</code></pre>\n<p>The <code>--advertise-connector</code> flag enables the device to route traffic for specific domains according to the configuration in the tailnet policy file. The <code>--advertise-tags</code> flag tells the Tailscale client to authenticate the device with the <code>tag:atlas-app-connector</code> tag.</p>\n<p>By default, devices in a tailnet are occasionally required to re-authenticate to keep your network secure. To avoid DNS interruptions if the app connector device needs to re-authenticate, go to the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> button next to the app connector device, then select <strong>Disable key expiry</strong>.</p>\n<p>Now that your app connector is running and serving as an Atlas app connector, you can allowlist its IP address in Atlas to let your tailnet users access the database.</p>\n<h2><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#step-3-allowlist-the-app-connector-in-atlas\">Step 3: Allowlist the app connector in Atlas</a></h2>\n<p>Atlas permits client connections only from entries in the <a href=\"https://www.mongodb.com/docs/atlas/security/ip-access-list\">Atlas access list</a>. Update the Atlas access list to use the egress IP addresses from your app connector.</p>\n<p>First, get the IP address of your app connector from the Tailscale admin console.</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/apps\">Apps</a> page of the admin console.</p>\n</li>\n<li>\n<p>Select <strong>MongoDB Atlas</strong>.</p>\n</li>\n<li>\n<p>In the <strong>Egress IPs</strong> section, copy the IP address.</p>\n</li>\n</ol>\n<p>You can enter only one IP address at a time into the Atlas access list. If you have more than one <strong>Egress IP</strong> address, you need to individually copy and paste them to the Atlas IP access list.</p>\n<p>Next, add the IP address to the Atlas list of allowed IP addresses.</p>\n<ol>\n<li>In the <a href=\"https://www.mongodb.com/\">Atlas dashboard</a>, go to <strong>Project</strong> and make your Atlas project the active project, if it is not already.</li>\n<li>In the sidebar, under <strong>Security</strong>, select <strong>Network Access</strong>, and then select <strong>IP Access List</strong>.</li>\n<li>Select <strong>Add IP Address</strong>.</li>\n<li>For <strong>Access List Entry</strong>, enter the app connector egress IP address that you copied from the Tailscale admin console.</li>\n<li>(Optional) For <strong>Comment</strong>, enter any comment you'd like to keep for this IP address.</li>\n<li>(Optional) Set a time limit for the duration of access allowed for this IP address.</li>\n<li>Select <strong>Confirm</strong>.</li>\n</ol>\n<p>If you have more IP addresses in your app connector's <strong>Egress IPs</strong> list, repeat this step to add them to the Atlas access list.</p>\n<h3><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#remove-unneeded-ip-addresses-from-the-atlas-access-list\">Remove unneeded IP addresses from the Atlas access list</a></h3>\n<p>If your Atlas access list contains IP addresses that are not specific to your app connector, remove them. Otherwise, someone outside of your tailnet could access the database.</p>\n<ol>\n<li>In the <strong>Network Access</strong> page, for any IP address that your want to delete, select <strong>Delete</strong>.</li>\n<li>Select <strong>Delete</strong> again to confirm you want to delete it.</li>\n</ol>\n<p>For more information about MongoDB Atlas IP access lists, refer to MongoDB's <a href=\"https://www.mongodb.com/docs/atlas/security/ip-access-list\">Configure IP Access List Entries</a> topic.</p>\n<p>Now that you configured your Atlas project to accept requests from only the specified IP address range, you can make a connection from a device in your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#step-4-connect-to-your-database\">Step 4: Connect to your database</a></h2>\n<p>Use the device in your tailnet with <code>mongosh</code> installed to connect to your database. Use a device separate from the app connector device.</p>\n<ol>\n<li>If the device is a Linux device, run the following <a href=\"https://tailscale.com/docs/reference/tailscale-cli#set\"><code>tailscale set</code></a> command so the client accepts the routes provided by the app connector:</li>\n</ol>\n<pre><code class=\"language-shell\">tailscale set --accept-routes\n</code></pre>\n<p>Tailscale clients on other operating systems accept the routes by default.</p>\n<ol start=\"2\">\n<li>Run the following (replace the placeholders with the values for your Atlas database):</li>\n</ol>\n<pre><code class=\"language-shell\">mongosh \"mongodb+srv://&#x3C;cluster-name>.&#x3C;hash>.mongodb.net/\" \\\r\n     --apiVersion 1 \\\r\n     --username &#x3C;database-user-name>\n</code></pre>\n<p>If the <code>mongosh</code> command succeeds, the <code>mongosh</code> prompt opens. To confirm you can connect to your database, run:</p>\n<pre><code class=\"language-shell\">    show dbs;\n</code></pre>\n<p>The command should provide a list the databases in your Atlas project, similar to:</p>\n<pre><code class=\"language-shell\">myDatabase     72.00 KiB\r\nadmin         356.00 KiB\r\nlocal         997.79 MiB\n</code></pre>\n<p>When you finish using the <code>mongosh</code> prompt, enter <code>exit</code> to close the <code>mongosh</code> prompt.</p>\n<p>Now that you've tested a connection from a separate device, try the same <code>mongosh</code> steps but first ensure that the separate device is running in a different LAN. If both the app connector and the separate device are using the same LAN, their IP addresses are in the same IP address that you allowlisted. If the separate device runs on a different local area network, it uses an IP address different than the app connector IP address. If the device is on a different LAN and still successfully connects to your Atlas database, that means you have successfully allowed access from the Atlas side.</p>\n<p>Now you're ready to confirm that the connection requires Tailscale.</p>\n<h3><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#confirm-your-connection-requires-tailscale\">Confirm your connection requires Tailscale</a></h3>\n<ol>\n<li>\n<p>On a device separate from your app connector, and on a different local area network than used by the app connector, disable the Tailscale client. You can disable the Tailscale client through the Tailscale client UI, or through the <a href=\"https://tailscale.com/docs/reference/tailscale-cli#down\"><code>tailscale down</code></a> command.</p>\n</li>\n<li>\n<p>Run the following command (replace the placeholders with the values for your Atlas database):</p>\n</li>\n</ol>\n<pre><code class=\"language-shell\">mongosh \"mongodb+srv://&#x3C;cluster-name>.&#x3C;hash>.mongodb.net/\" \\\r\n     --apiVersion 1 \\\r\n     --username &#x3C;database-user-name>\n</code></pre>\n<p>This command should fail to connect to your database, because the device will not be able to use the app connector due to Tailscale not running. If the device is not running Tailscale and it does successfully connect to your database, and you confirmed that the device has a different IP address than the app connector, that means your Atlas allowed IP addresses is too permissive. Check whether there are any IP addresses that should not have access and remove them.</p>\n<p>If you can connect to your Atlas database on a device that is not running Tailscale and the device IP address is different from the app connector IP address, check your Atlas and tailnet policy file settings, and correct as needed. Otherwise, your database access is not secure.</p>\n<p>After you confirm that the connection required Tailscale, remember to enable Tailscale on the client. You can enable the Tailscale client through the Tailscale client UI, or through the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/up\"><code>tailscale up</code></a> command.</p>\n<h2><a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#conclusion\">Conclusion</a></h2>\n<p>In this guide you configured an app connector so that your tailnet clients can access a MongoDB Atlas database and anyone outside of your tailnet cannot access the database. You also ensured that a device needs Tailscale enabled to allow access.</p>\n<p>To ensure that your tailnet users have high availability to your database, consider <a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#start-app-connector\">adding another app connector</a> device so that a single point of app connector failure won't lock out Atlas access. If you add another app connector, remember to <a href=\"https://tailscale.com/docs/solutions/create-a-secure-connection-to-mongodb-atlas#allowlist-app-connector\">add its egress IP address</a> to the Atlas access list.</p>\n<p>For more information about app connectors, refer to <a href=\"https://tailscale.com/docs/features/app-connectors\">App connectors</a>.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}