How Atlan connects to MongoDB (self-managed)
Atlan connects to your MongoDB database to extract technical metadata while maintaining network security and compliance. You can choose between Direct connectivity for databases available from the internet or Self-deployed runtime for databases that must remain behind your firewall.
Connect via direct network connection
Atlan's MongoDB workflow establishes a direct network connection to your database from the Atlan SaaS tenant. This approach works when your MongoDB database can accept connections from the internet.
- Atlan's MongoDB workflow connects directly to your database from the Atlan SaaS tenant over port 27017 (default).
- You provide connection details (hostname, port, database name, credentials) when creating a crawler workflow.
- Atlan executes read-only queries to discover your database structure and catalogs the results in Atlan Cloud.
- Your MongoDB database accepts inbound network connections from Atlan's IP addresses, controlled through your firewall rules or network security groups.
Connect via self-deployed runtime
A runtime service deployed within your network acts as a secure bridge between Atlan Cloud and your MongoDB database. This approach works when your MongoDB database must remain fully isolated behind your firewall.
- A runtime service sits within your network perimeter, deployed on Docker Compose or a Kubernetes cluster.
- The runtime maintains an outbound HTTPS connection to Atlan Cloud (port 443) and a local network connection to your MongoDB database (port 27017).
- When you create a crawler workflow, Atlan Cloud sends metadata extraction requests to the runtime through the outbound connection.
- The runtime translates requests into MongoDB queries, executes them on your MongoDB database, and returns the results to Atlan Cloud.
- Your MongoDB database never exposes ports to the internet—all connections are initiated from within your network.
How it protects your data
MongoDB databases contain critical business data and operational information. Atlan's connection architecture protects your environment through multiple security layers.
- Metadata extraction, not data replication: Atlan extracts only structural metadata—databases, Collections, and their schemas. The actual business data in your Collections remains in your MongoDB database. For example, if you have a customers Collection with customer records, Atlan discovers the Collection structure and schema definitions, but never queries or stores the customer records themselves.
- Read-only operations: All database queries are read-only operations. The connector can't modify data, create or drop database objects, or change any configuration. The MongoDB user permissions you grant control exactly what the connector can access.
- Credential encryption: MongoDB connection credentials are encrypted at rest and in transit. In Direct connectivity, Atlan encrypts credentials before storage. In Self-deployed runtime, credentials never leave your network perimeter—the runtime retrieves them from your enterprise-managed secret vaults (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or HashiCorp Vault) only when needed, and Atlan Cloud never receives or stores them.
- Network isolation with Self-deployed runtime: Your MongoDB database gains complete network isolation from the internet. The database only accepts connections from the runtime within your local network. The runtime itself only makes outbound HTTPS connections to Atlan Cloud, which your network team can control through firewall rules.
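One way to check the read-only point above against the account you actually granted (an added example, not Atlan's code): the function takes a user document in the shape mongosh returns from db.getUser(name, { showPrivileges: true }) and lists every privilege action outside a read-only allow-list. The allow-list (MongoDB's built-in read role plus listDatabases), the account name atlan_crawler, and the sample document are assumptions constructed for this example.

```javascript
// Assumption: allow-list based on MongoDB's built-in "read" role plus
// listDatabases; this page does not publish a required-privilege list.
const READ_ONLY_ACTIONS = new Set([
  "find", "listCollections", "listIndexes", "listDatabases",
  "collStats", "dbStats", "dbHash", "changeStream",
  "killCursors", "planCacheRead",
]);

// Render a privilege resource document as a short label.
function describeResource(resource) {
  if (resource.cluster) return "cluster";
  if (resource.anyResource) return "anyResource";
  const db = resource.db === "" ? "<any db>" : resource.db;
  const coll = resource.collection === "" ? "<any collection>" : resource.collection;
  return `${db}.${coll}`;
}

// Returns one finding per (resource, action) pair outside the allow-list.
function auditConnectorPrivileges(userDoc) {
  // Without showPrivileges the field is absent; treating that as "clean"
  // would hide write access, so fail loudly instead.
  if (!Array.isArray(userDoc.inheritedPrivileges)) {
    throw new Error("user document has no inheritedPrivileges; fetch it with showPrivileges: true");
  }
  const findings = [];
  for (const priv of userDoc.inheritedPrivileges) {
    for (const action of priv.actions || []) {
      if (!READ_ONLY_ACTIONS.has(action)) {
        findings.push({ resource: describeResource(priv.resource), action });
      }
    }
  }
  return findings;
}

// Constructed sample: an account granted readWrite on "sales" by mistake.
const sampleUser = {
  user: "atlan_crawler", // hypothetical account name
  db: "admin",
  roles: [{ role: "readWrite", db: "sales" }, { role: "read", db: "hr" }],
  inheritedPrivileges: [
    { resource: { db: "sales", collection: "" },
      actions: ["find", "insert", "update", "remove", "listCollections", "dropCollection"] },
    { resource: { db: "hr", collection: "" },
      actions: ["find", "listCollections", "listIndexes", "collStats"] },
  ],
};

for (const f of auditConnectorPrivileges(sampleUser)) {
  console.log(`write-capable privilege: ${f.action} on ${f.resource}`);
}
```

An empty result means every inherited privilege is on the allow-list; any finding is a role to revoke before the crawler runs.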
See also
- Self-Deployed Runtime architecture: Core components and data flow
- Self-Deployed Runtime security: Security architecture, authentication, and encryption