ApsaraDB for MongoDB: Security White Paper

Last Updated: Feb 27, 2026

ApsaraDB for MongoDB is developed based on the Apsara distributed operating system and a high-reliability storage engine and is compatible with the MongoDB protocol. ApsaraDB for MongoDB uses a multi-node architecture to ensure high availability and supports elastic scaling, disaster recovery, backup and restoration, and performance optimization.

ApsaraDB for MongoDB provides a comprehensive set of security features to protect your data. The following table summarizes the security categories and capabilities covered in this document.

| Security category | Capabilities | More information |
| --- | --- | --- |
| Access control | Database account authentication, IP allowlists | Configure a whitelist or an ECS security group for an ApsaraDB for MongoDB instance |
| Network isolation | Virtual Private Cloud (VPC), classic network (legacy) | Switch the network type of an ApsaraDB for MongoDB instance |
| Data encryption | TLS encryption (in transit), Transparent Data Encryption (at rest) | Configure SSL encryption, Configure TDE |
| Backup and restoration | Snapshot-based backup, physical backup, logical backup; restoration by backup point, by point in time, or by database | Configure automatic backup, Configure manual backup |
| Disaster recovery | Multi-zone instances, cross-region disaster recovery (MongoShake) | Create a multi-zone replica set instance, Create a multi-zone sharded cluster instance |
| Version maintenance | Regular version releases, security-driven upgrades | Upgrade the major version, Update the minor version |
| Service authorization | Controlled access for Alibaba Cloud support teams | - |

Access control

ApsaraDB for MongoDB uses database account authentication and IP allowlists (whitelists) to control access and protect data security.

Database accounts

ApsaraDB for MongoDB requires username and password authentication to connect to an instance. The following rules apply:

  • When you create an ApsaraDB for MongoDB instance, an initial root database user is created by default. You can specify the password for the root database user during instance creation or reset the password afterward. For more information, see (Optional) Reset a password.

  • The root database user has all permissions on an ApsaraDB for MongoDB instance.

  • You can log on to the database as the root database user to add, delete, or grant permissions to other accounts.

IP allowlists

You can configure an IP allowlist (whitelist) for each ApsaraDB for MongoDB instance to control network access.

The default IP allowlist contains only 127.0.0.1, which means the instance is inaccessible from all external IP addresses. You must add authorized IP addresses before you can connect to the instance.

You can configure IP allowlists by using one of the following methods:

| Method | Description |
| --- | --- |
| Console | Go to the Security Controls page of the ApsaraDB for MongoDB console. For more information, see Modify an IP address whitelist for an instance. |
| API | Call the ModifySecurityIps operation. |
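
Before an allowlist is applied through the console or the API, it can be reviewed for entries that undo the default-deny posture described above. The following is an added example, not code from Alibaba Cloud; it assumes the allowlist is handled as a comma-separated string of IPv4 addresses and CIDR blocks, and the size threshold and the function name `audit_allowlist` are illustrative choices.

```python
import ipaddress

# Assumption: the allowlist is a comma-separated string of IPv4 addresses
# and CIDR blocks. The threshold is illustrative, not an Alibaba Cloud rule.
MAX_BLOCK_ADDRESSES = 256  # flag blocks larger than a /24
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_allowlist(security_ips: str) -> list[tuple[str, str]]:
    """Return (entry, finding) pairs for risky or malformed allowlist entries."""
    entries = [e.strip() for e in security_ips.split(",") if e.strip()]
    if entries == ["127.0.0.1"]:
        # The default described on this page: nothing external can connect.
        return [("127.0.0.1", "default allowlist: no external client can connect")]
    findings = []
    for entry in entries:
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not a valid IPv4 address or CIDR block"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "matches every address"))
        elif net.num_addresses > MAX_BLOCK_ADDRESSES:
            findings.append((entry, f"broad block ({net.num_addresses} addresses)"))
        elif not net.is_loopback and not any(net.subnet_of(p) for p in RFC1918):
            findings.append((entry, "outside RFC 1918 ranges: confirm it is a known egress IP"))
    return findings

if __name__ == "__main__":
    # Constructed sample allowlist for illustration.
    for entry, finding in audit_allowlist("0.0.0.0/0, 203.0.113.7, 10.0.0.0/8, db-host"):
        print(f"{entry}: {finding}")
```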

Network isolation

ApsaraDB for MongoDB supports Virtual Private Cloud (VPC) and the classic network. We recommend that you use VPC because it provides stronger network isolation and security.

VPC

VPC enables advanced network access control for ApsaraDB for MongoDB. Combining VPC with IP allowlists significantly improves instance security.

A VPC allows you to build an isolated network environment in Alibaba Cloud. You can customize route tables, IP addresses, and gateways within a VPC to resolve resource conflicts. VPC achieves complete isolation of your network traffic by using underlying network protocols.

You can connect your on-premises data center to Alibaba Cloud by using a leased line or a VPN. This allows you to use the customized CIDR block of an ApsaraDB for MongoDB instance in a VPC to resolve resource conflicts. You can then access the ApsaraDB for MongoDB instance from both your data center and Alibaba Cloud Elastic Compute Service (ECS).

ApsaraDB for MongoDB instances deployed in a VPC can be accessed only by ECS instances in the same VPC. If necessary, you can apply for a public IP address to allow access from the Internet (not recommended). For example, you can allow access from elastic IP addresses (EIPs) of ECS instances or from the Internet egress of your data center.

Important

For more information about VPCs, see What is a VPC?

Classic network (legacy)

Classic network is a legacy network type. We recommend that you deploy new instances in a VPC for improved security.

Cloud services in the classic network are not isolated from each other. Unauthorized access to cloud services is blocked only by security groups or IP allowlists.


Data encryption

ApsaraDB for MongoDB provides encryption for data in transit and data at rest.

TLS encryption (in transit)

ApsaraDB for MongoDB provides TLS (Transport Layer Security) encryption, referred to as SSL encryption in the console. You can use the server root certificate to verify whether the destination database is an ApsaraDB for MongoDB instance. This helps prevent man-in-the-middle attacks.

ApsaraDB for MongoDB allows you to enable and update TLS certificates for servers to ensure data security and validity. For more information, see Configure SSL encryption for an instance.

Important

TLS encryption does not protect the connection as intended until the application authenticates the server. In addition, TLS encryption consumes extra CPU resources and affects the throughput and response time of ApsaraDB for MongoDB instances to a certain degree. The specific impact depends on how often connections are established and how frequently data is transferred.
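
Whether an application actually authenticates the server is usually decided by the TLS options in its connection string. The following added example (not code from Alibaba Cloud) checks a MongoDB connection URI for the standard options `tls`/`ssl`, `tlsCAFile`, `tlsInsecure`, `tlsAllowInvalidCertificates` and `tlsAllowInvalidHostnames`; the host name, CA file path and function name are constructed placeholders.

```python
from urllib.parse import parse_qs

def audit_mongodb_tls(uri: str) -> list[str]:
    """Return findings for the TLS options of a MongoDB connection string."""
    query = uri.partition("?")[2]
    # Option names are case-insensitive; keep the last value given for each.
    opts = {k.lower(): v[-1] for k, v in parse_qs(query).items()}

    def is_true(name: str) -> bool:
        return opts.get(name, "").lower() == "true"

    # mongodb+srv:// URIs enable TLS by default; plain mongodb:// URIs do not.
    default = "true" if uri.startswith("mongodb+srv://") else "false"
    tls_on = opts.get("tls", opts.get("ssl", default)).lower() == "true"
    if not tls_on:
        return ["TLS is not enabled: traffic is sent in cleartext"]

    findings = []
    if is_true("tlsinsecure") or is_true("tlsallowinvalidcertificates"):
        findings.append("certificate validation is disabled: the server is not authenticated")
    if is_true("tlsallowinvalidhostnames"):
        findings.append("hostname verification is disabled")
    if "tlscafile" not in opts:
        findings.append("no tlsCAFile: the driver uses the system trust store, "
                        "not the instance's server root certificate")
    return findings

# Constructed sample connection strings (placeholder host, credentials, CA path).
VERIFIED = ("mongodb://app:secret@db.example.internal:3717/admin"
            "?tls=true&tlsCAFile=/path/to/server-root-ca.pem")
UNVERIFIED = ("mongodb://app:secret@db.example.internal:3717/admin"
              "?ssl=true&tlsAllowInvalidCertificates=true")
CLEARTEXT = "mongodb://app:secret@db.example.internal:3717/admin"

if __name__ == "__main__":
    for uri in (VERIFIED, UNVERIFIED, CLEARTEXT):
        print(uri.partition("?")[2] or "(no options)", "->", audit_mongodb_tls(uri) or "ok")
```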

TDE (at rest)

ApsaraDB for MongoDB provides Transparent Data Encryption (TDE). TDE uses the Advanced Encryption Standard (AES) algorithm. The encryption key for TDE is encrypted and stored by Key Management Service (KMS).

After you enable TDE for an ApsaraDB for MongoDB instance, the data of the specified database or collection is encrypted before being written to any device such as an HDD, SSD, or PCIe card, or to any service such as Object Storage Service (OSS). As a result, data files and backups of the instance are all stored in ciphertext.

For more information, see Configure TDE for an instance.


Backup and restoration

ApsaraDB for MongoDB provides automatic and manual backup capabilities to ensure data integrity and reliability. Regular backups allow you to restore data in the event of unexpected issues.

Backup methods

ApsaraDB for MongoDB supports the following backup methods:

| Backup method | Description |
| --- | --- |
| Snapshot-based backup | Retains the state of disk data at a specific point in time. This method allows data to be restored within minutes. |
| Physical backup | Backs up the physical database files of an ApsaraDB for MongoDB instance. This method provides faster backup and restoration compared with logical backup. |
| Logical backup | Uses the mongodump tool to store operation records of databases in a logical backup file. This method restores data by replaying commands during restoration. |

For more information, see Configure automatic backup for an instance and Configure manual backup for an instance.

Restoration methods

ApsaraDB for MongoDB provides the following restoration methods:

| Restoration method | Description | Use case |
| --- | --- | --- |
| Restore by backup point | Restores data to a new ApsaraDB for MongoDB instance by backup set. | Data restoration and verification |
| Restore by point in time | Restores data to a new ApsaraDB for MongoDB instance at a specific point in time. | Data restoration and verification |
| Restore databases | Restores one or more databases of an ApsaraDB for MongoDB instance to a specific point in time by using an associated backup. | Quick data restoration |

The backup and restoration methods that are supported vary based on the configuration of your ApsaraDB for MongoDB instance. For a complete reference, see Data restoration.


Instance disaster recovery

ApsaraDB for MongoDB provides multiple disaster recovery solutions, including multi-zone deployments within a region and cross-region data replication.

Multi-zone instances

Alibaba Cloud provides cloud computing services across multiple regions worldwide. Each region contains multiple zones. Faults are isolated between different zones within the same region, while network latency remains low between zones.

Single-zone deployment

An ApsaraDB for MongoDB single-zone instance runs on two physical servers within the same zone. All racks, air conditioners, circuits, and networks in the zone are fully redundant to ensure high availability. ApsaraDB for MongoDB uses asynchronous or semi-synchronous replication and an efficient primary/secondary failover mechanism to provide service availability that exceeds the limits of individual physical servers.

Multi-zone deployment

Multi-zone instances are deployed on physical servers across different zones. When one zone fails, services can be switched over to another zone in a short period of time. The entire switchover process requires no changes to your application code.

Each time you trigger a primary/secondary failover for an instance, the instance may be disconnected for up to 30 seconds. We recommend that you:
  • Perform failover operations during off-peak hours.

  • Ensure that your applications can automatically re-establish connections.

For more information, see:

Cross-region disaster recovery

ApsaraDB for MongoDB supports cross-region data disaster recovery using data synchronization tools such as MongoShake.

How it works

For example, you can replicate data from ApsaraDB for MongoDB Instance A in the China (Hangzhou) region to ApsaraDB for MongoDB Instance B in the China (Shanghai) region by using MongoShake. Instance B is a self-contained instance with its own endpoints, account, and permissions. Instance B can be used to recover data and serve read traffic in its region.

  • Instance A serves as the primary instance.

  • Instance B serves as the secondary instance.

If Instance A fails due to an unexpected event such as a natural disaster, Instance B can be promoted to the primary instance. Cross-region disaster recovery is achieved by modifying the database connection configurations in your application to forward requests to Instance B.

For more information, see Use MongoShake to perform one-way synchronization between ApsaraDB for MongoDB instances.

Important
  • We recommend that you deploy the same geo-disaster recovery (cross-region disaster recovery) application on Instance A and Instance B to minimize the network instability and latency associated with cross-region access.

  • If Instance B is promoted to the primary instance, you must run the kill command to disable the MongoShake service. This stops data replication from Instance A to Instance B and prevents possible problems.


Version maintenance

ApsaraDB for MongoDB releases new database versions on a regular basis. Version upgrades help you benefit from the latest features, performance improvements, and security fixes.

  • Database upgrades are optional and are triggered only after you restart your ApsaraDB for MongoDB instances. For more information, see Upgrade the major version of an instance and Update the minor version of an instance.

  • When the ApsaraDB for MongoDB team determines that your current version has significant security risks, you will receive a scheduled upgrade notification.

  • The upgrade process is typically completed within 5 minutes. During the upgrade, several brief service interruptions may occur.


Service authorization

Alibaba Cloud enforces strict access boundaries for its support and development teams. Without your authorization, the Alibaba Cloud after-sales team and the ApsaraDB for MongoDB development team can view only the following information about your instances:

  • Resource information (such as purchase and expiry dates)

  • Fee information

  • Performance metrics (CPU, memory, and storage usage)

With your authorization:

  • The Alibaba Cloud after-sales team and the ApsaraDB for MongoDB development team can view or modify configurations of your ApsaraDB for MongoDB instances during a specified time period. For example, you can authorize them to view the IP allowlist and audit logs of an instance.

Important

The Alibaba Cloud after-sales team and the ApsaraDB for MongoDB development team never proactively modify the connection information of your ApsaraDB for MongoDB instances. This includes the instance endpoint, database account, and password.