How Atlan connects to MongoDB Atlas
Atlan connects to your MongoDB Atlas cluster to extract technical metadata while maintaining network security and compliance. You can choose between Direct connectivity for clusters that accept connections from the internet or Self-deployed runtime for clusters that must remain behind your firewall.
Connect via direct network connection
Atlan's MongoDB Atlas workflow establishes a direct network connection to your cluster from the Atlan SaaS tenant. This approach works when your MongoDB Atlas cluster can accept connections from the internet.
- Atlan's MongoDB Atlas workflow connects directly to your cluster from the Atlan SaaS tenant over port 27017 (default).
- Your MongoDB Atlas cluster accepts inbound network connections from Atlan's IP addresses, controlled through your firewall rules or Atlas network access list.
For details on how direct connectivity works, see Direct connectivity.
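The following is an added example, not part of Atlan's or MongoDB's documentation. It audits an Atlas network access list so that only the expected Atlan source addresses are admitted for direct connectivity. The allowed range is a placeholder from a documentation address block, the sample entries are constructed, and the field names (cidrBlock, ipAddress, awsSecurityGroup, comment) follow the Atlas Admin API's project IP access list entries.

```python
import ipaddress

# Assumed placeholder: replace with the source ranges Atlan gives you for your tenant.
ATLAN_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]  # RFC 5737 documentation range


def entry_network(entry):
    """Return the network an access-list entry admits, or None for non-IP entries."""
    raw = entry.get("cidrBlock") or entry.get("ipAddress")
    return ipaddress.ip_network(raw, strict=False) if raw else None


def audit_access_list(entries, allowed=ATLAN_EGRESS):
    """Return (source, verdict) pairs for every entry in the access list."""
    findings = []
    for e in entries:
        net = entry_network(e)
        if net is None:
            verdict = "non-ip"  # e.g. awsSecurityGroup entries; review separately
        elif net.prefixlen == 0:
            verdict = "open-to-internet"  # 0.0.0.0/0 or ::/0
        elif any(net.version == a.version and net.subnet_of(a) for a in allowed):
            verdict = "ok"
        elif any(net.version == a.version and a.subnet_of(net) for a in allowed):
            verdict = "broader-than-allowed"  # contains the range plus other hosts
        else:
            verdict = "unexpected"
        source = e.get("cidrBlock") or e.get("ipAddress") or e.get("awsSecurityGroup")
        findings.append((source, verdict))
    return findings


# Constructed sample, shaped like the "results" array of an access list response.
SAMPLE = [
    {"cidrBlock": "203.0.113.4/32", "comment": "Atlan tenant"},
    {"cidrBlock": "0.0.0.0/0", "comment": "temporary"},
    {"cidrBlock": "203.0.113.0/24", "comment": "Atlan?"},
    {"ipAddress": "198.51.100.7", "comment": "old bastion"},
    {"awsSecurityGroup": "sg-0123456789abcdef0"},
]

if __name__ == "__main__":
    for source, verdict in audit_access_list(SAMPLE):
        print(f"{verdict:22} {source}")
```

Any verdict other than "ok" is an entry to tighten or remove before relying on the access list as the control for direct connectivity.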
Connect via self-deployed runtime
A runtime service deployed within your network acts as a secure bridge between Atlan Cloud and your MongoDB Atlas cluster. This approach works when your MongoDB Atlas cluster must be reached only from a private network or when you use VPC peering or PrivateLink.
- The runtime maintains an outbound HTTPS connection to Atlan Cloud (port 443) and connects to your MongoDB Atlas cluster (port 27017).
For details on how Self-Deployed Runtime works, see SDR connectivity.
Security
Atlan extracts only structural metadata—databases, collections, and columns. For example, if you have a customers collection with customer records, Atlan discovers the collection structure and schema definitions, but never queries or stores the customer records themselves.
- Read-only operations: All database operations are read-only. The connector can't modify data, create or drop database objects, or change any configuration. The MongoDB user permissions you grant control exactly what the connector can access.
- Credential encryption: MongoDB Atlas connection credentials are encrypted at rest and in transit. In Direct connectivity, Atlan encrypts credentials before storage. In Self-deployed runtime, credentials never leave your network perimeter—the runtime retrieves them from your enterprise-managed secret vaults (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or HashiCorp Vault) only when needed, and Atlan Cloud never receives or stores them.
- Network isolation with Self-deployed runtime: Your MongoDB Atlas cluster can be reached only from the runtime within your network (for example via VPC peering or PrivateLink). The runtime itself only makes outbound HTTPS connections to Atlan Cloud, which your network team can control through firewall rules.
See also
- Direct connectivity: How Atlan connects directly to data sources
- SDR connectivity: How Self-Deployed Runtime connects to data sources
- Set up MongoDB Atlas: Configure connection and credentials