ApsaraDB for MongoDB provides comprehensive security protection to eliminate your data security concerns. You can guarantee database data security by using zone-disaster recovery, RAM authorization, audit logs, network isolation, whitelists, or password authentication.

Zone-disaster recovery

ApsaraDB for MongoDB provides a zone-disaster recovery solution to further meet HA and data security requirements. In this solution, the nodes in a replica set instance or the components in a sharded cluster instance are deployed across three zones of a region. If a zone is disconnected due to force majeure factors such as power or network failures, the HA system automatically triggers a failover to ensure availability and data security of the instance.

You can select multiple zones when creating an instance. For more information, see Create a multi-zone replica set instance or Create a multi-zone sharded cluster instance. You can also migrate a replica set instance to multiple zones. For more information, see Migrate an ApsaraDB for MongoDB instance across zones in the same region.

Access control

  • Authorize a RAM user to manage ApsaraDB for MongoDB instances

    Resource Access Management (RAM) allows you to create and manage RAM users and control their permissions on resources of your Alibaba Cloud account. If multiple users in your enterprise need to use the same resources at the same time, you can use RAM to grant each user only the minimum permissions required and avoid the need to share the key of your Alibaba Cloud account. This reduces information security risks for your enterprise.

    For more information, see How to configure RAM user permissions on ApsaraDB for MongoDB.

  • Create and authorize a database user

    Do not connect to a database as the root user in the production environment. You can create database users and grant permissions to them as needed.

    For more information, see Manage MongoDB users through DMS.

Network isolation

  • Use VPCs

    ApsaraDB for MongoDB supports multiple network types. We recommend that you use VPCs.

    A VPC is an isolated virtual network with higher security and better performance than a classic network. You must create the VPC in advance. For more information, see Create a default VPC and VSwitch.

    If an ApsaraDB for MongoDB instance is deployed in a classic network, you can switch the network type of the instance to VPC. For more information, see Switch the network type of an ApsaraDB for MongoDB instance. If your ApsaraDB for MongoDB instance is deployed in a VPC, no further action is required.

    Note: ApsaraDB for MongoDB supports password-free access over a VPC. VPCs provide a convenient and secure way to connect to databases. For more information, see Enable or disable password-free access for an ApsaraDB for MongoDB instance.

  • Set the whitelist

    By default, after an ApsaraDB for MongoDB instance is created, the IP address in its whitelist is You must manually set the IP address in the whitelist before connecting to MongoDB databases.

    For more information, see Configure a whitelist for an ApsaraDB for MongoDB instance.

    • Do not set the IP address to, which indicates that the database can be accessed from any IP address.
    • We recommend that you set the whitelist based on your business needs and regularly remove IP addresses that are no longer needed from the whitelist.
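
One way to carry out the regular whitelist review recommended above, as an added example that is not part of the original page or of Alibaba Cloud's own tooling. It assumes the whitelist is available as a comma-separated string of IPv4 addresses and CIDR blocks and that recent client IPs are known (for instance from audit logs); the function names, verdict labels, and the 256-address threshold are hypothetical.

```python
import ipaddress

# Assumption: a whitelist is a comma-separated string of IPv4 addresses or CIDR blocks.
def parse_whitelist(raw):
    """Return a list of ip_network objects; a malformed entry raises ValueError."""
    return [ipaddress.ip_network(entry.strip(), strict=False)
            for entry in raw.split(",") if entry.strip()]

def audit_whitelist(raw, seen_clients, max_addresses=256):
    """Classify every whitelist entry.

    seen_clients: client IPs observed recently (hypothetical input, e.g. taken
    from audit logs). max_addresses: largest block accepted without review.
    """
    seen = [ipaddress.ip_address(c) for c in seen_clients]
    findings = []
    for net in parse_whitelist(raw):
        if net.prefixlen == 0:
            verdict = "OPEN_TO_ANY"   # a /0 block matches every address
        elif net.num_addresses > max_addresses:
            verdict = "TOO_BROAD"     # wider than the business is likely to need
        elif not any(ip in net for ip in seen):
            verdict = "STALE"         # no recent client falls inside this entry
        else:
            verdict = "OK"
        findings.append((str(net), verdict))
    return findings

if __name__ == "__main__":
    # Constructed sample data, not taken from a real instance.
    whitelist = "0.0.0.0/0, 10.0.0.0/8, 192.168.10.0/24, 203.0.113.7, 198.51.100.20"
    recent_clients = ["192.168.10.15", "203.0.113.7"]
    for entry, verdict in audit_whitelist(whitelist, recent_clients):
        print(f"{entry:18} {verdict}")
```

Entries reported as STALE are candidates for removal; confirm with the owning team before deleting them, because a client that connects rarely may not appear in a short observation window.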

Log audit

Audit logs of ApsaraDB for MongoDB record all operations that you have performed on databases. Audit logs give you the execution information needed for fault analysis, behavior analysis, and security audits on databases.

For more information, see Configure audit logging for an ApsaraDB for MongoDB instance.

Data encryption

  • SSL encryption

    If you connect to a database over the Internet, you can enable Secure Sockets Layer (SSL) encryption to improve the security of data links. SSL encryption can encrypt network connections at the transport layer. This improves data security and ensures data integrity. For more information, see Use the mongo shell to connect to an ApsaraDB for MongoDB database in SSL encryption mode.

  • TDE

    Transparent Data Encryption (TDE) implements real-time I/O encryption and decryption for data files. TDE encrypts data before it is written to a disk and decrypts data when it is read from the disk. TDE does not increase the size of data files. You can use TDE without modifying your application that uses ApsaraDB for MongoDB. For more information, see Configure TDE.

    Note: Currently, you can only enable TDE for an instance and disable encryption for a collection. For field-level encryption, see Explicit (Manual) Client-Side Field Level Encryption (supported only on MongoDB 4.2 instances).