ApsaraDB for MongoDB provides built-in security features including access control, network isolation, data encryption, backup and restoration, and disaster recovery to protect your data at every layer.
The following table summarizes the security features covered in this document.
| Security category | Capabilities | More information |
|---|---|---|
| Access control | Database account authentication, IP allowlists | Configure a whitelist or an ECS security group for an ApsaraDB for MongoDB instance |
| Network isolation | Virtual Private Cloud (VPC), classic network (legacy) | Switch the network type of an ApsaraDB for MongoDB instance |
| Data encryption | TLS encryption (in transit), Transparent Data Encryption (at rest) | Configure SSL encryption, Configure TDE |
| Backup and restoration | Snapshot-based backup, physical backup, logical backup; restoration by backup point, by point in time, or by database | Configure automatic backup, Configure manual backup |
| Disaster recovery | Multi-zone instances, cross-region disaster recovery (MongoShake) | Create a multi-zone replica set instance, Create a multi-zone sharded cluster instance |
| Version maintenance | Regular version releases, security-driven upgrades | Upgrade the major version, Update the minor version |
| Service authorization | Controlled access for Alibaba Cloud support teams | - |
Access control
ApsaraDB for MongoDB controls access through database account authentication and IP allowlists.
Database accounts
Connecting to an instance requires username and password authentication.
- A root database user is created by default when you create an instance. You can set the password during creation or reset the password afterward.
- The root user has full permissions on the instance.
- Use the root user to create, delete, or manage permissions for other accounts.
IP allowlists
Each instance supports IP allowlists to restrict network access.
The default allowlist contains only 127.0.0.1, blocking all external access. Add authorized IP addresses before connecting.
Configure IP allowlists by using one of the following methods:
| Method | Description |
|---|---|
| Console | Go to the Security Controls page in the console. For more information, see Modify an IP address whitelist for an instance. |
| API | Call the ModifySecurityIps operation. |
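As an added example (not from the ApsaraDB for MongoDB documentation), a small pre-flight check for an allowlist before it is submitted through the console or the ModifySecurityIps operation: it rejects malformed entries and overly broad ranges, collapses overlapping CIDRs, and reports which addresses a change would newly expose. The `min_prefix_len` threshold and the IPv4-only restriction are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed: the allowlist an ApsaraDB for MongoDB instance ships with by default.
DEFAULT_ALLOWLIST = ["127.0.0.1"]


def normalize_allowlist(entries, min_prefix_len=16):
    """Validate and de-duplicate a proposed IP allowlist.

    Returns a sorted list of CIDR strings (/32 hosts as bare addresses).
    Raises ValueError for malformed entries, 0.0.0.0/0, or any network
    broader than /min_prefix_len, which a defender should never ship.
    """
    networks = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError as exc:
            raise ValueError(f"malformed allowlist entry {raw!r}") from exc
        if net.version != 4:  # assumption: allowlists here are IPv4 only
            raise ValueError(f"IPv6 entry {raw!r} is not supported by this check")
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 would expose the instance to the whole Internet")
        if net.prefixlen < min_prefix_len:
            raise ValueError(f"{raw!r} is broader than /{min_prefix_len}")
        networks.append(net)
    merged = ipaddress.collapse_addresses(networks)  # drops duplicates and subsumed ranges
    return [str(n.network_address) if n.prefixlen == 32 else str(n) for n in merged]


def newly_exposed(current, proposed):
    """Return the entries of `proposed` not already covered by `current`.

    Useful as a review step: every address in the result is new reachability.
    """
    covered = [ipaddress.ip_network(c, strict=False) for c in current]
    exposed = []
    for entry in normalize_allowlist(proposed):
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.subnet_of(c) for c in covered):
            exposed.append(entry)
    return exposed


if __name__ == "__main__":
    proposed = ["10.0.1.0/24", "10.0.0.0/24", "10.0.0.5", "198.51.100.7"]
    print(normalize_allowlist(proposed))
    print(newly_exposed(DEFAULT_ALLOWLIST, proposed))
```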
Network isolation
ApsaraDB for MongoDB supports VPC and the classic network. VPC is recommended for stronger network isolation.
VPC
VPC combined with IP allowlists provides strong network access control.
A VPC is an isolated network environment with customizable route tables, IP addresses, and gateways. Network traffic is fully isolated at the protocol level.
Connect your on-premises data center to a VPC through a leased line or VPN, then access your ApsaraDB for MongoDB instance from both your data center and ECS instances.
Instances in a VPC are accessible only from ECS instances in the same VPC. You can apply for a public endpoint for Internet access, but this is not recommended.
- Before applying for a public endpoint, configure the IP allowlist. For more information, see Modify an IP address whitelist for an instance.
Classic network (legacy)
Classic network is a legacy network type. Deploy new instances in a VPC for better security.
Cloud services in the classic network share the same network. Access is restricted only by security groups or IP allowlists.
Data encryption
ApsaraDB for MongoDB provides encryption for data in transit and data at rest.
TLS encryption (in transit)
ApsaraDB for MongoDB provides TLS encryption (labeled SSL encryption in the console). Use the server root certificate to verify the database identity and prevent man-in-the-middle attacks.
You can enable and update TLS certificates in the console. For more information, see Configure SSL encryption for an instance.
TLS requires the application to authenticate the server. TLS consumes additional CPU resources and may reduce throughput and increase response time. The impact depends on connection frequency and data transfer frequency.
TDE (at rest)
Transparent Data Encryption (TDE) encrypts data at rest using AES. Encryption keys are managed by Key Management Service (KMS).
With TDE enabled, data of the specified database or collection is encrypted before being written to storage devices (HDD, SSD, or PCIe) or services (OSS). All data files and backups are stored in ciphertext.
For more information, see Configure TDE for an instance.
Backup and restoration
ApsaraDB for MongoDB supports automatic and manual backups to ensure data integrity and enable restoration when needed.
Backup methods
Supported backup methods:
| Backup method | Description |
|---|---|
| Snapshot-based backup | Captures disk state at a specific point in time. Restores data within minutes. |
| Physical backup | Backs up physical database files. Faster than logical backup for both backup and restoration. |
| Logical backup | Uses mongodump to export database operations. Restores data by replaying commands. |
For more information, see Configure automatic backup for an instance and Configure manual backup for an instance.
Restoration methods
Supported restoration methods:
| Restoration method | Description | Use case |
|---|---|---|
| Restore by backup point | Restores data to a new instance from a backup set. | Data restoration and verification |
| Restore by point in time | Restores data to a new instance at a specific point in time. | Data restoration and verification |
| Restore databases | Restores specific databases to a point in time from an associated backup. | Quick data restoration |
Available methods vary by instance configuration. For more information, see Data restoration.
Instance disaster recovery
ApsaraDB for MongoDB supports multi-zone deployments and cross-region data replication for disaster recovery.
Multi-zone instances
Each Alibaba Cloud region contains multiple zones with fault isolation and low inter-zone latency.
Single-zone deployment
A single-zone instance runs on two physical servers with full infrastructure redundancy. Asynchronous or semi-synchronous replication and automatic primary/secondary failover ensure high availability beyond individual server limits.
Multi-zone deployment
Multi-zone instances span physical servers across zones. Zone failures trigger automatic switchover with no application code changes.
Primary/secondary failover may cause up to 30 seconds of downtime:
- Perform failover during off-peak hours.
- Ensure your applications can automatically reconnect.
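As an added example (not from the ApsaraDB for MongoDB documentation), a retry wrapper that lets an application ride out the up-to-30-second primary/secondary switchover described above: failover-type errors are retried with capped exponential backoff until a deadline, and any other error propagates immediately. The exception class, the `simulate_failover` helper and the injectable clock/sleep hooks are constructed for the illustration; with a real driver you would catch its reconnect errors instead.

```python
import time


class TransientFailoverError(Exception):
    """Constructed stand-in for the error a driver raises while the primary
    is switching over (in PyMongo this would be AutoReconnect; assumption)."""


def run_with_failover_retry(op, max_wait=30.0, base_delay=0.5, max_delay=5.0,
                            sleep=time.sleep, clock=time.monotonic):
    """Call op() until it succeeds or the deadline would be exceeded.

    Only TransientFailoverError is retried; other exceptions propagate at once.
    Backoff doubles from base_delay up to max_delay. If waiting for the next
    attempt would push past max_wait seconds, the last error is re-raised.
    """
    start = clock()
    attempt = 0
    while True:
        try:
            return op()
        except TransientFailoverError:
            attempt += 1
            delay = min(max_delay, base_delay * (2 ** (attempt - 1)))
            if clock() - start + delay > max_wait:
                raise  # switchover took longer than we are willing to tolerate
            sleep(delay)


def simulate_failover(failures):
    """Constructed operation that fails `failures` times, then returns 'ok'."""
    state = {"calls": 0}

    def op():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise TransientFailoverError("not primary, switchover in progress")
        return "ok"

    op.state = state
    return op


class FakeClock:
    """Deterministic clock so backoff can be checked without real sleeping."""
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds

    def monotonic(self):
        return self.now
```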
For more information, see:
Cross-region disaster recovery
ApsaraDB for MongoDB supports cross-region disaster recovery through data synchronization tools like MongoShake.
How it works
For example, MongoShake can replicate data from Instance A in China (Hangzhou) to Instance B in China (Shanghai). Instance B is independent with its own endpoints, accounts, and permissions, and can serve both recovery and read traffic.
- Instance A serves as the primary instance.
- Instance B serves as the secondary instance.
If Instance A fails, promote Instance B to primary by updating the database connection settings in your application.
Use MongoShake to perform one-way synchronization between ApsaraDB for MongoDB instances.
- Deploy the same disaster recovery application on both instances to minimize cross-region network instability and latency.
- If Instance B is promoted to primary, run the kill command to stop the MongoShake service and halt data replication from Instance A.
Version maintenance
ApsaraDB for MongoDB releases regular version updates with new features, performance improvements, and security fixes.
- Upgrades are optional and take effect after a restart. For more information, see Upgrade the major version of an instance and Update the minor version of an instance.
- If your version has significant security risks, you receive a scheduled upgrade notification.
- Upgrades typically complete within 5 minutes with brief service interruptions.
Service authorization
Without your authorization, Alibaba Cloud support and development teams can only view the following instance information:
- Resource information (purchase and expiry dates)
- Fee information
- Performance metrics (CPU, memory, and storage usage)
With your authorization:
- Alibaba Cloud support and development teams can view or modify instance configurations during a specified time period. For example, you can authorize access to the IP allowlist and audit logs.
Alibaba Cloud support and development teams never proactively modify your instance connection information, including endpoints, database accounts, and passwords.