
How Atlan connects to Amazon DocumentDB


Atlan connects to your Amazon DocumentDB cluster to extract technical metadata while maintaining network security and compliance. Because DocumentDB clusters have no public endpoint and are reachable only from within your VPC, Atlan connects exclusively through Self-Deployed Runtime deployed in the same VPC as your cluster.

Direct connectivity isn't supported

Unlike most Atlan connectors, Amazon DocumentDB can't be crawled directly from Atlan Cloud. Self-Deployed Runtime is the only supported connection method. For why direct internet connectivity and experimental proxy patterns aren't supported, see "Why is Amazon DocumentDB supported only through self-deployed runtime?" in the FAQ.

Self-Deployed Runtime (SDR) requires additional enablement and licensing. Contact your Atlan representative for details.

Connect via self-deployed runtime

A runtime service deployed within your network acts as a secure bridge between Atlan Cloud and your Amazon DocumentDB cluster. You deploy the runtime inside the same VPC as your cluster, where it can reach the cluster endpoint over the private network while your cluster remains fully isolated from the internet.

  • The runtime maintains an outbound HTTPS connection to Atlan Cloud (port 443) and a local network connection to your DocumentDB cluster (port 27017).
  • The runtime translates requests into DocumentDB queries, executes them on your cluster, and returns the results to Atlan Cloud.

For details on how Self-Deployed Runtime works, see SDR connectivity.

Security

Atlan extracts structural metadata—databases, collections, and field schemas inferred from a sample of documents. For example, if you have a customers collection, Atlan discovers the collection and its inferred field schema, but never catalogs the customer records themselves.

  • Read-only operations: All cluster queries are read-only operations. The connector can't modify data, create or drop database objects, or change any configuration. The DocumentDB user permissions you grant control exactly what the connector can access.

  • Credential encryption: DocumentDB connection credentials never leave your network perimeter. The runtime retrieves them from your enterprise-managed secret vaults (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or HashiCorp Vault) only when needed, and Atlan Cloud never receives or stores them.

  • Network isolation: Your DocumentDB cluster remains completely isolated from the internet. The cluster accepts connections only from the runtime within your VPC. The runtime itself makes only outbound HTTPS connections to Atlan Cloud, which your network team can control through security group rules.
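
The network-isolation rules above can be checked against your own security groups. The following is an added example, not Atlan's code: it audits rules in the shape returned by `aws ec2 describe-security-groups`. The group IDs and rules are constructed sample data, and the policy it enforces (cluster ingress only from the runtime's group on 27017, runtime egress only on 443 plus 27017 to the cluster's group) is an assumption drawn from the ports this page names.

```python
# Added example: audit security-group rules for the topology on this page.
# Input mirrors `aws ec2 describe-security-groups`; all IDs/rules are constructed.
DOCDB_PORT, HTTPS_PORT = 27017, 443

def covers(rule, port):
    """True if the rule's protocol and port range include the given TCP port."""
    if rule.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
        return True
    return rule.get("IpProtocol") == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def sources(rule):
    """Every CIDR or security-group ID the rule names as its peer."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            + [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])])

def audit(cluster_sg, runtime_sg):
    """Return a list of findings; an empty list means the assumed policy holds."""
    findings, rt_id = [], runtime_sg["GroupId"]
    ingress = cluster_sg.get("IpPermissions", [])
    for rule in ingress:  # cluster ingress: runtime group only, port 27017 only
        narrow = rule.get("IpProtocol") == "tcp" and rule.get("FromPort") == rule.get("ToPort") == DOCDB_PORT
        for src in sources(rule):
            if src != rt_id:
                findings.append(f"cluster ingress from unexpected source {src}")
            elif not narrow:
                findings.append("cluster ingress from runtime is wider than 27017")
    if not any(covers(r, DOCDB_PORT) and rt_id in sources(r) for r in ingress):
        findings.append("runtime cannot reach cluster on 27017")
    for rule in runtime_sg.get("IpPermissionsEgress", []):  # runtime egress
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        is_https = proto == "tcp" and lo == hi == HTTPS_PORT
        is_docdb = proto == "tcp" and lo == hi == DOCDB_PORT and sources(rule) == [cluster_sg["GroupId"]]
        if not (is_https or is_docdb):
            findings.append(f"runtime egress wider than needed: {proto} {lo}-{hi} to {sources(rule)}")
    return findings

CLUSTER_SG = {"GroupId": "sg-docdb-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017, "UserIdGroupPairs": [{"GroupId": "sg-runtime-example"}]},
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # too broad
]}
RUNTIME_SG = {"GroupId": "sg-runtime-example", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # default allow-all egress left in place
]}

if __name__ == "__main__":
    print("\n".join(audit(CLUSTER_SG, RUNTIME_SG)) or "no findings")
```

On the sample data this reports the broad `10.0.0.0/8` ingress rule on the cluster group and the leftover allow-all egress rule on the runtime group.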
