© 2025 Direct Cursus Technology L.L.C.
In this article:

  • Configuring security groups
  • Getting an SSL certificate
  • Getting FQDNs of MongoDB hosts
  • Connection limits
  • Installing MongoDB Shell
  • What's next
Pre-configuring a connection to a MongoDB cluster

Written by
Yandex Cloud
Improved by
Dmitry A.
Updated at April 9, 2025

You can connect to Managed Service for MongoDB cluster hosts:

  • Over the internet if you configured public access for the appropriate host when creating your cluster. You can only connect to these hosts over an SSL connection.

  • From Yandex Cloud virtual machines located in the same cloud network. If there is no public access to a host, connections from this type of virtual machine don't need to be over SSL.

To connect to cluster hosts, use port:

  • 27018: For a non-sharded cluster.
  • 27017: For a sharded cluster.

Write requests will be automatically routed to the primary cluster replica.

Note

To connect to the cluster from the internet, make sure to set up public access on the primary replica.

If public access is only configured for certain hosts, automatic primary replica change may make the cluster unavailable over the internet.

Configuring security groups

To connect to a cluster, security groups must include rules allowing traffic on certain ports from certain IP addresses or from other security groups.

Rule settings depend on the connection method you select:

Over the internet

Configure all the cluster security groups to allow incoming traffic from any IP address on port 27018 for an unsharded cluster or on port 27017 for a sharded one. To do this, create the following rule for incoming traffic:

  • Port range:
    • 27018 for a non-sharded cluster
    • 27017 for a sharded cluster
  • Protocol: TCP
  • Source: CIDR
  • CIDR blocks: 0.0.0.0/0

From a VM in Yandex Cloud

  1. Configure all the cluster security groups to allow incoming traffic from the security group where your VM is located on port 27018 for an unsharded cluster and on port 27017 for a sharded one. To do this, create the following rule for incoming traffic in these groups:

    • Port range:
      • 27018 for a non-sharded cluster
      • 27017 for a sharded cluster
    • Protocol: TCP
    • Source: Security group
    • Security group: Security group assigned to the VM. If it is the same as the configured group, specify Current (Self).
  2. Configure the security group where the VM is located to enable connections to the VM and traffic between the VM and the cluster hosts.

    For example, you can set the following rules for a VM:

    • For incoming traffic:

      • Port range: 22
      • Protocol: TCP
      • Source: CIDR
      • CIDR blocks: 0.0.0.0/0

      This rule allows you to connect to a VM over SSH.

    • For outgoing traffic:

      • Port range: 0-65535
      • Protocol: Any (Any)
      • Source: CIDR
      • CIDR blocks: 0.0.0.0/0

      This rule allows all outgoing traffic, thus enabling you not only to connect to the cluster but also to install the certificates and utilities your VM needs for the connection.

Note

You can specify more detailed rules for your security groups, e.g., to allow traffic only in specific subnets.

You must configure security groups correctly for all subnets in which the cluster hosts will reside. If security group settings are incomplete or incorrect, you may lose access to the cluster if the primary replica fails over automatically.

To learn more, see Security groups.
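
An added example (not part of the Yandex Cloud documentation): a Python check that a set of CIDR-sourced incoming rules, written with the fields used in the rule lists above, admits every client network on the right MongoDB port and names any rule left open to 0.0.0.0/0. The rule dictionaries, their key names and the sample networks are constructed for illustration and are not a Yandex Cloud API format.

```python
import ipaddress

MONGO_PORT = {"non-sharded": 27018, "sharded": 27017}  # ports from this page
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

def port_in_range(port, port_range):
    """port_range is '27018' or '0-65535', as written in the rule lists."""
    low, _, high = str(port_range).partition("-")
    return int(low) <= port <= int(high or low)

def rule_allows(rule, port, source):
    """True if a CIDR-sourced ingress rule admits TCP to `port` from `source`."""
    if rule["protocol"] not in ("TCP", "Any"):
        return False
    if not port_in_range(port, rule["port_range"]):
        return False
    src = ipaddress.ip_network(source)
    return any(src.subnet_of(ipaddress.ip_network(c)) for c in rule["cidr_blocks"])

def audit_ingress(rules, cluster_type, client_cidrs):
    """Report client networks with no matching rule and rules open to any address."""
    port = MONGO_PORT[cluster_type]
    unreachable = [c for c in client_cidrs
                   if not any(rule_allows(r, port, c) for r in rules)]
    world_open = [r["name"] for r in rules
                  if r["protocol"] in ("TCP", "Any")
                  and port_in_range(port, r["port_range"])
                  and any(ipaddress.ip_network(c) == ANYWHERE
                          for c in r["cidr_blocks"])]
    return {"port": port, "unreachable": unreachable, "world_open": world_open}

# Constructed sample rules: names and CIDR blocks are made up for this example.
SAMPLE_RULES = [
    {"name": "mongo-from-app-subnet", "protocol": "TCP", "port_range": "27018",
     "cidr_blocks": ["10.1.0.0/24"]},
    {"name": "mongo-from-anywhere", "protocol": "TCP", "port_range": "27018",
     "cidr_blocks": ["0.0.0.0/0"]},
]
SAMPLE_CLIENTS = ["10.1.0.0/24", "10.2.0.0/24"]  # constructed client subnets

if __name__ == "__main__":
    # As configured: every client is admitted, but one rule is open to any address.
    print(audit_ingress(SAMPLE_RULES, "non-sharded", SAMPLE_CLIENTS))
    # After dropping the 0.0.0.0/0 rule: the second client subnet loses access.
    print(audit_ingress(SAMPLE_RULES[:1], "non-sharded", SAMPLE_CLIENTS))
    # Same rules checked against a sharded cluster: the port no longer matches.
    print(audit_ingress(SAMPLE_RULES, "sharded", SAMPLE_CLIENTS))
```

Running the audit before and after narrowing a rule shows which client networks would be cut off by the change.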

Getting an SSL certificate

To connect to public MongoDB hosts, get an SSL certificate:

Linux (Bash)/macOS (Zsh)

    mkdir -p ~/.mongodb && \
    wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
         --output-document ~/.mongodb/root.crt && \
    chmod 0644 ~/.mongodb/root.crt

The certificate will be saved to the ~/.mongodb/root.crt file.

Windows (PowerShell)

    mkdir $HOME\.mongodb; curl.exe -o $HOME\.mongodb\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem

The certificate will be saved to the $HOME\.mongodb\root.crt file.

Corporate policies and antivirus software can block the download of certificates. For more information, see FAQ.

To use graphical IDEs, save a certificate to a local folder and specify the path to it in the connection settings.
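
An added example (not from the Yandex Cloud documentation): because a blocked download can leave an error page or an empty file at the certificate path, this Python check confirms that the saved file parses as PEM CA certificates and lists each subject, expiry date and SHA-256 fingerprint for comparison against a value obtained through a trusted channel. The function name is hypothetical; the default path is the one used above.

```python
import hashlib
import ssl
from pathlib import Path

def inspect_ca_file(path="~/.mongodb/root.crt"):
    """Return (ok, details). ok is False when the file is missing, empty,
    or does not contain any PEM CA certificate."""
    p = Path(path).expanduser()
    if not p.is_file() or p.stat().st_size == 0:
        return False, ["file is missing or empty"]

    # Load the file the same way a TLS client would load its trust anchors.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=str(p))
    except (ssl.SSLError, OSError) as exc:
        # Typical for an HTML block page saved in place of the certificate.
        return False, [f"not a PEM certificate file: {exc}"]

    parsed = ctx.get_ca_certs()                  # decoded fields
    raw = ctx.get_ca_certs(binary_form=True)     # DER bytes, same order
    if not raw:
        return False, ["no CA certificates in file"]

    details = []
    for cert, der in zip(parsed, raw):
        subject = ", ".join(f"{k}={v}" for rdn in cert["subject"] for k, v in rdn)
        fingerprint = hashlib.sha256(der).hexdigest()
        details.append(f"{subject} | expires {cert['notAfter']} | sha256 {fingerprint}")
    return True, details

if __name__ == "__main__":
    ok, details = inspect_ca_file()
    print("usable CA file" if ok else "do not use this file")
    for line in details:
        print("  " + line)
```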

Getting FQDNs of MongoDB hosts

To connect to a host, you need its fully qualified domain name (FQDN). Example of a MongoDB host FQDN:

rc1a-goh2a9tr********.mdb.yandexcloud.net

You can get the FQDN by doing one of the following:

  • Look up the FQDN in the management console:

    1. Go to the cluster page.
    2. Go to Hosts.
    3. Copy the Host FQDN column value.
  • In the management console, copy the command for connecting to the cluster. This command contains the host FQDN. To get the command, go to the cluster page and click Connect.

  • Request a list of cluster hosts using the CLI or API.

Connection limits

The maximum available number of simultaneous connections to a single Managed Service for MongoDB cluster host depends on the amount of RAM on the host:

Amount of RAM | Maximum number of connections
2 GB | 2048
4 GB | 4096
8 GB | 8192
16 GB or higher | 16384

A host's RAM amount depends on its class. All available options are listed under Host classes.

Installing MongoDB Shell

To connect to a Managed Service for MongoDB cluster from Linux (Bash) or Windows (PowerShell), install MongoDB Shell:

Linux

  1. If you do not have Homebrew yet, install it:

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

  2. Add brew to PATH:

    echo >> /home/<username>/.bashrc && \
    echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> /home/<username>/.bashrc && \
    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"

  3. Install the dependencies:

    sudo apt-get install build-essential

  4. Install the mongodb-atlas-cli package:

    brew install mongodb-atlas-cli

Windows 10/11

Use one of the following methods:

  • Download the MongoDB Shell installer in *.msi format from the official GitHub repository and install it.

  • Install MongoDB Shell using Chocolatey by running this command:

    choco install mongodb-shell
    

What's next

  • Connect to a cluster using command line tools, a graphical IDE, or a Docker container.
  • Integrate the cluster connection into your application code.
