Connect Atlas to Heroku hosted app

Hello everyone,

First of all, I hope that everyone is staying safe and healthy!

I have a couple of quick questions that relate to several (mock) applications that I have deployed to Heroku for use in my portfolio (I’m also asking on behalf of a potential client that I plan on approaching for a one-off job soon…):

I have successfully used mLab as an add on in the past and I have also just migrated one of my Heroku hosted applications over to Atlas (realizing that mLab will no longer be available as a service) with no problem via this migration guide: Guide to Migrating a Sandbox Heroku Add-on to Atlas. I plan to migrate my remaining test applications that need to connect to Atlas via this guide as well, so no problem there, especially being that these are just mock applications.

My first question is this: what is the best way to connect to Atlas from Heroku going forward? There is no (as far as I can see from searching online) real clear or easy way to retrieve an IP address from Heroku so that it can be whitelisted for a direct connection to Atlas.

Will there be another service available for sandbox applications to connect to Atlas in the future? I’m also wondering how to connect a production-ready Heroku application to Atlas (or maybe via another paid service if need be…), as again, getting an IP from Heroku to whitelist seems to be quite tricky. Maybe I’ve missed something…not sure…

Thanks in advance to anyone who can help!!

Cheers and be well :slight_smile:

Juliette

Hi @Juliette_Tworsey,
Thanks for your questions.

I believe that in order to facilitate your Heroku IPs you need to use a Private Space for your application:

https://devcenter.heroku.com/articles/private-spaces

This will result in a set of defined outgoing IPs or a range that you can define in the Atlas whitelist.

Please note that Atlas adds a set of security features alongside IP whitelisting:

  • User/password
  • SSL
  • auditing/encryption/LDAP

Let me know if you have any further questions.

Best regards
Pavel


Hi @Pavel_Duchovny,

Thank you for responding and thank you for the link.

I see that Private Spaces are currently available only in Heroku Enterprise, which is likely out of reach for the client that I am thinking about approaching. I noticed that there is another add-on Dyno available, but it is also kind of pricey.

mLab is still available for the time being. I’m wondering if going this route (with a shared/paid cluster for a production level application), along with a migration to Atlas might work for now. Would this be a stable approach to take?

Thanks again :-)

Juliette

Hi @Juliette_Tworsey,

You can always whitelist the 0.0.0.0/0 IP range to allow all traffic, although it's not recommended.

I am not familiar with the way mLab solves this problem, can you elaborate?

Thanks
Pavel

Hi @Pavel_Duchovny,

I am not familiar with the way mLab solves this problem

I’m not altogether familiar with how mLab solves this problem either. I’m still trying to accrue enough information to figure this out. I do know that in the migration guide (for migrating a sandbox add-on) it says to whitelist all IP addresses with 0.0.0.0 (not something that I would do for a non-sandbox project &/or cluster).

I found this via another Guide to Migrating to Atlas:

Note that mLab’s Sandbox and Shared plan deployments are always accessible by all IP addresses. To match the firewall settings of your mLab Sandbox or Shared plan deployment you can whitelist all IP addresses (0.0.0.0/0) on your Atlas cluster.

…so it appears that even with a cheap(ish) shared plan there is no way around the whitelisting all IPs issue.

…but, then there is this:

However, we recommend whitelisting only the addresses that require access. To match the firewall settings of your mLab Dedicated plan deployment on Atlas you can review your current mLab firewall settings on the “Networking” tab in mLab’s UI.

…and:

If you’re connecting to MongoDB Atlas from a Heroku app, it’s most likely that you need to whitelist 0.0.0.0/0 (the range of all IP addresses) unless your app is in Heroku Private Spaces. Heroku IP addresses are, in general, highly dynamic. As such most mLab and Atlas-hosted deployments used by Heroku apps allow all IP addresses.

…and from this link:

Heroku Common Runtime Dynos use a subset of the IP range of the underlying AWS EC2 instances.

The underlying AWS region for your app can be found as the provider.region field in the output of this CLI command:

heroku regions --json

…and also from the same link directly above:

The IPs in use by Heroku at any given time are highly dynamic, meaning that the published ranges may cover other IP addresses not currently in use by Heroku. This means that it is often not desirable to open up your firewall to the whole of the AWS region for security reasons.

…and lastly:

For apps in the Common Runtime a better approach would be to use an add-on to provide a static outbound IP address https://elements.heroku.com/addons/categories/network or to rely on secure communication via TLS.

I’m going to have to read up a bit more and look into the network service add-ons listed that Heroku provides to see if I can find a solution. I did try using Fixie Socks for one of my own sandbox applications, but that didn’t seem to resolve the issue :-)

Cheers :-)

Juliette
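The quoted Heroku and mLab guidance above boils down to one question a reviewer should ask of any Atlas project: does the IP access list contain 0.0.0.0/0, or a range so wide (for instance a whole cloud region) that it amounts to the same thing? The script below, an example added to this thread and not code from MongoDB, Heroku or mLab, audits a list of entries for exactly that. The entries are constructed; the `cidrBlock`/`ipAddress`/`comment` field names are assumed to resemble Atlas access-list entries, the addresses are documentation ranges used as placeholders, and the "256 addresses" threshold is a policy choice, not an Atlas default.

```python
"""Audit a MongoDB Atlas-style IP access list for overly broad entries.

Added example for this forum thread, not MongoDB's, Heroku's or mLab's code.
Field names and addresses below are constructed placeholders (assumption).
"""
import ipaddress

# Policy threshold (assumption, not an Atlas default): anything wider than a
# /24 in IPv4 terms is treated as "broad", e.g. an entire provider region.
MAX_ALLOWED_ADDRESSES = 256

# Constructed sample: roughly what a project might look like after following
# the sandbox migration guide (0.0.0.0/0) and then adding a static-IP add-on.
SAMPLE_ACCESS_LIST = [
    {"cidrBlock": "0.0.0.0/0", "comment": "added per sandbox migration guide"},
    {"ipAddress": "203.0.113.10", "comment": "static outbound IP add-on (placeholder)"},
    {"cidrBlock": "198.51.100.0/22", "comment": "whole provider region (placeholder)"},
    {"cidrBlock": "192.0.2.0/24", "comment": "office NAT (placeholder)"},
]


def entry_network(entry):
    """Return the entry as an ip_network; single IPs become /32 or /128."""
    value = entry.get("cidrBlock") or entry.get("ipAddress")
    if value is None:
        raise ValueError(f"entry has neither cidrBlock nor ipAddress: {entry!r}")
    return ipaddress.ip_network(value, strict=False)


def classify(entry, max_addresses=MAX_ALLOWED_ADDRESSES):
    """Classify one entry as 'open' (everyone), 'broad' (too wide) or 'ok'."""
    net = entry_network(entry)
    if net.prefixlen == 0:
        return "open"       # 0.0.0.0/0 or ::/0: every address on the internet
    if net.num_addresses > max_addresses:
        return "broad"      # wider than policy allows, e.g. a whole cloud region
    return "ok"


def audit(access_list, max_addresses=MAX_ALLOWED_ADDRESSES):
    """Return (severity, network, comment) tuples, worst first."""
    rank = {"open": 0, "broad": 1, "ok": 2}
    findings = [
        (classify(e, max_addresses), str(entry_network(e)), e.get("comment", ""))
        for e in access_list
    ]
    findings.sort(key=lambda f: rank[f[0]])  # stable: keeps list order within a tier
    return findings


def has_open_entry(access_list):
    """True if the list allows the whole internet, i.e. the firewall is off."""
    return any(classify(e) == "open" for e in access_list)


if __name__ == "__main__":
    for severity, network, comment in audit(SAMPLE_ACCESS_LIST):
        print(f"{severity:5}  {network:20}  {comment}")
```

Run against a real project by replacing the constructed list with the entries exported from the Atlas UI or API; an "open" finding means the cluster is relying entirely on authentication and TLS, which is the situation the rest of this thread discusses.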

Hi @Juliette_Tworsey,

Thanks for the detailed response. Please remember that Atlas provides by default a user and password + role-based authorization with SSL.

Moreover, you can add X.509 user authentication to strengthen your authentication.

https://docs.atlas.mongodb.com/security-self-managed-x509/#prerequisites

Therefore, without a whitelist you can still secure your cluster at an appropriate level.

Best
Pavel

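When the access list has to stay open, the controls Pavel lists in his two replies (user/password with TLS, optionally X.509 client certificates) are what actually protects the cluster, so the connection string the Heroku app uses is worth checking mechanically. The script below is an example added to this thread, not code from MongoDB or from any driver: it parses a `mongodb://` or `mongodb+srv://` URI, flags TLS turned off or weakened, flags X.509 requested without a certificate file, and flags SCRAM without credentials, and it shows how to build a URI from Heroku config vars instead of hardcoding a password. The option names it looks at (`tls`, `ssl`, `authMechanism`, `authSource`, `tlsCertificateKeyFile`, `tlsInsecure`, `tlsAllowInvalidCertificates`, `tlsAllowInvalidHostnames`) are standard MongoDB connection-string options; that `mongodb+srv` enables TLS by default is standard driver behaviour. The host names, database names and environment variable names are placeholders.

```python
"""Check a MongoDB connection string for the transport and authentication
properties discussed in this thread. Added example, not MongoDB's or any
driver's code; connects to nothing and uses only the standard library.
Host names, database names and env var names below are placeholders.
"""
import os
from urllib.parse import parse_qs, quote_plus


def parse_mongo_uri(uri):
    """Split a mongodb:// or mongodb+srv:// URI into its parts (options lowercased)."""
    if "://" not in uri:
        raise ValueError("not a MongoDB URI")
    scheme, rest = uri.split("://", 1)
    if scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError(f"unexpected scheme {scheme!r}")
    hostpart, _, tail = rest.partition("/")           # userinfo@hosts / database?options
    userinfo, _, hosts = hostpart.rpartition("@")     # '@' in a password must be %40
    database, _, query = tail.partition("?")
    options = {k.lower(): v[-1] for k, v in parse_qs(query).items()}
    return {"scheme": scheme, "userinfo": userinfo, "hosts": hosts.split(","),
            "database": database, "options": options}


def check_uri(uri):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    parts = parse_mongo_uri(uri)
    opts = parts["options"]
    findings = []

    # mongodb+srv turns TLS on by default; a plain mongodb:// URI must ask for it.
    default_tls = "true" if parts["scheme"] == "mongodb+srv" else "false"
    if opts.get("tls", opts.get("ssl", default_tls)).lower() != "true":
        findings.append("tls-off")

    # Options that keep TLS on paper but disable certificate validation.
    for weak in ("tlsinsecure", "tlsallowinvalidcertificates", "tlsallowinvalidhostnames"):
        if opts.get(weak, "false").lower() == "true":
            findings.append(f"{weak}-enabled")

    mechanism = opts.get("authmechanism", "").upper()
    if mechanism == "MONGODB-X509":
        # X.509 identity comes from the client certificate, so it must be supplied.
        if "tlscertificatekeyfile" not in opts:
            findings.append("x509-without-cert")
    elif not parts["userinfo"]:
        findings.append("no-credentials")  # SCRAM needs a user and password
    return findings


def build_scram_uri(host, database, env=os.environ):
    """Assemble a SCRAM URI from environment variables (e.g. Heroku config vars),
    percent-encoding the credentials so characters like '@' or ' ' survive."""
    user = quote_plus(env["MONGO_USER"])          # placeholder variable names
    password = quote_plus(env["MONGO_PASSWORD"])
    return f"mongodb+srv://{user}:{password}@{host}/{database}?retryWrites=true&w=majority"


def build_x509_uri(host, database, cert_path):
    """Assemble an X.509 URI: no password, identity taken from the client cert."""
    return (f"mongodb+srv://{host}/{database}?authMechanism=MONGODB-X509"
            f"&authSource=%24external&tls=true&tlsCertificateKeyFile={quote_plus(cert_path)}")


if __name__ == "__main__":
    for candidate in (
        "mongodb://app:secret@cluster0.example.test:27017/portfolio",
        "mongodb+srv://cluster0.example.test/portfolio?authMechanism=MONGODB-X509",
        build_x509_uri("cluster0.example.test", "portfolio", "/app/client.pem"),
    ):
        print(check_uri(candidate) or "ok", "<-", candidate)
```

In a Heroku deployment the environment comes from `heroku config:set`, so `build_scram_uri` keeps the password out of the repository, and `check_uri` can run at startup to refuse a configuration that would send credentials without TLS.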

Hi @Pavel_Duchovny,

Thank you for taking the time to respond again and thank you for the tips!

This might be a good time for me to re-take (or at least practice in my local VirtualBox VMs) M310: MongoDB Security &/or M103: Basic Cluster Administration. Actually, I need to refresh my memory with all that I learned via both courses.

Fast forward 5 minutes… I have just spotted a new course that begins today (lucky me!):

A300: Atlas Security

I have just signed up.

I also plan on adding X.509 user authentication via the instructions in the link that you have provided.

Thanks again!!