About chris

Author Archive | chris

About chris

Find more about me on:

Here are my most recent posts

Recent MongoDB ransom attacks

Many of you have likely heard that an estimated 27,000 MongoDB databases have had their data removed and held at ransom by hackers. We have received many questions about the news and wanted to discuss and share MongoDB security best practices to prevent future incidents.

All database deployments hosted at mLab are safe from such attacks.

How could 27,000 databases be held at ransom?

First, it is important to understand the nature of these “breaches”. In a sense these were not breaches at all. All of the databases that were attacked:

  1. Were running without authentication enabled, and
  2. Had their MongoDB ports open to the public internet

This means these databases were configured to accept connections from any client, and to not require that clients authenticate to the database via valid credentials (e.g. username and password).

With this in mind, one can see how such an attack was implemented. Two years ago, one security researcher discovered that 30,000+ MongoDB databases were exposed on the internet running without authentication enabled or firewalls configured.

It is also important to note that there are no known vulnerabilities in MongoDB that would allow for such an attack against databases with authentication enabled.

Are mLab-hosted databases vulnerable to this attack?

No. All mLab databases are configured to require database authentication by clients. Furthermore, on our Dedicated plans, you may firewall your database to only accept connections from IP addresses that you whitelist; this allows you to enforce that only your application infrastructure can connect to your database.

You can read more about how mLab handles security at http://docs.mlab.com/security/. In particular, note that our Dedicated plans allow deployments to be firewalled from the public internet, have SSL enabled, and be housed in private networks (i.e., VPC peering) to limit communication between the application and database.

If you have any questions, please email support@mlab.com for help.

What if I host my own MongoDB?

If you host your own MongoDB deployments, you should make sure that you enable authentication and firewall your database to restrict access from unauthorized IP addresses.

MongoDB has also published a security checklist, which you can follow and implement to protect your MongoDB installation.

Comments are closed

Configuring a MongoDB replica set for analytics

MongoDB replica sets make it easy for developers to ensure high availability for their database deployments.

A common replica set configuration is composed of three member nodes: two data-bearing nodes and one arbiter node. With two electable, data-bearing nodes, users are protected from scenarios that cause downtime for single-node deployments, such as maintenance events and hardware failures.

However, it may be tempting to read from the redundant, secondary server to scale reads and/or run queries for the purpose of analytics. We strongly advise against secondary reads when there are only two electable, data-bearing nodes in the replica set.

The main reason for this recommendation is that relying on secondary reads can compromise the high availability replica sets are meant to provide. While occasional use of the secondary for non-critical ad-hoc queries is fine, if your app requires both the primary and the secondary to shoulder the database load of your application, your system is no longer in a position to handle this load if one of the nodes in the cluster goes down or becomes unavailable.

This is discussed in more depth in the following resources:

Run analytics queries against hidden, analytics nodes instead

If you would like to run more than the occasional, ad-hoc or analytics query, we highly recommend that you properly configure your replica set to handle analytics queries.  In particular, we recommend adding a node designated for analytics as a hidden, non-electable member of the replica set.

Hidden members have properties that make them great for analytics. A hidden replica set member:

Maintains a copy of the primary’s data set – Querying on a hidden member will be nearly identical to querying the primary node (minus some replication delay).

Cannot become primary and is invisible to your application – It’s important to isolate analytics traffic from production application traffic. If the analytics node became the replica set primary, it may be unable to handle the combined analytics and production application traffic.

Can be useful for disaster recovery as well if a slaveDelay is configured – See advanced configuration considerations below.

If you’re interested in adding an analytics node to your mLab deployment:

  1. Email us at support@mlab.com to request that the node be added.
  2. mLab will add the node seamlessly into your replica set as a hidden member and provide you with its address.
  3. You will then be able to start to create single-node connections using that address for your analytics queries.

Advanced configuration considerations

Enabling slaveDelay on the analytics node for replica set disaster recovery

MongoDB’s slaveDelay option allows you to configure a replication delay on a hidden replica set member. Configuring a delay is helpful for recovering from disaster scenarios such as accidentally dropping a collection or database.

For example, imagine that you configure a one-hour delay on an analytics node. If a developer accidentally drops/deletes data from the primary node, the changes will be applied to the analytics node an hour later (as opposed to immediately). This allows you to query the analytics node to retrieve the deleted data.

Reading from secondaries in a Sharded Cluster

If you are running a Sharded deployment and would like to read from the secondary members of your shards, there are important considerations you should be aware of.  We will be publishing a blog post on this advanced topic in the future.

Comments are closed

MongoDB tips & tricks: Collection-level access control

As your database or project grows, you may be tasked with configuring access controls to allow different stakeholders access to the database. Rather than create a new user with full database privileges, it may be more appropriate to create a user that only has access to the data or collections they need. This allows users to query against the collections you define and limits their access to the rest of the database.

Here’s a step-by-step example that demonstrates how to set up collection-level access control. This example will create a user named “finance” on the “acme” database. The “finance” user will only have “find” (read) access to the “billing” collection.

Step 1. Connect to the “acme” database using an existing user

> mongo ds123456.mlab.com:12345/acme -u dba -p password

Note that the “dba” user will need the userAdmin role to create and modify roles and users on the “acme” database. By default, mLab database users created through the UI are granted the dbOwner role, which combines the privileges granted by the readWrite, dbAdmin, and userAdmin roles.

Step 2. Create a new user-defined role for the “billing” collection

> db.createRole({ role: "readBillingOnly", privileges: [ { resource: { db: "acme", collection: "billing" }, actions: [ "find" ] } ], roles: [] })]

You can also add more privilege actions to the “actions” array, such as “insert” or “update”.

Step 3. Create a new user named “finance” with the role you just created

> db.createUser({ user: "finance", pwd: "password", roles: [ { role: "readBillingOnly", db: "acme" } ] })

Alternatively, if the user already exists, you can use the grantRolesToUser() method:

> db.grantRolesToUser("finance", [ { role: "readBillingOnly", db: "acme" } ])


And that’s it! You now have a user named “finance” that has read-only access on the “billing” collection in the “acme” database.

Comments are closed

Introducing mLab Private Environments

Today we are excited to announce the private beta of mLab Private Environments. mLab Private Environments are virtual private networks you can provision to house your various database deployments hosted with mLab. These private networks isolate your database from public networks while allowing your application infrastructure secure access to your database deployments.

With Private Environments, you can continue to use the mLab platform for dynamic database provisioning and scaling while leveraging security features that are traditionally only found in private networks.

mLab Private Environments overview

When you provision a Private Environment with mLab (currently only available on AWS) we provision a dedicated AWS VPC for that environment. You can place any number of mLab MongoDB deployments inside of that Private Environment.

You can then peer the VPC underlying your Private Environment to the AWS VPC that houses your application infrastructure. This peering operation will create a single, extended, private network consisting of both your application infrastructure and your database deployments.


From there, you can very conveniently and scalably design network ACLs and routing rules to only allow access to your database deployment from the parts of your application infrastructure that need it.

You can provision and maintain any number of Private Environments.

Benefits of using Private Environments

The move to the public cloud has been a huge win in terms of simplicity, but also a big step backwards from a networking perspective. In order to move to the public cloud, organizations had to abandon the more sophisticated networking techniques they used to employ when working in traditional data centers.

Recently, however, public cloud providers have been reintroducing some of the networking functionality that has been missing. For example, AWS VPC (Virtual Private Clouds) allow you to create virtual private networks with subnets, route tables, and network ACLs, just like you would have in a traditional datacenter, only virtualized.

Upon this infrastructure (AWS VPC) we have implemented a new deployment solution that allows you to:

  • Isolate your database from public networks while allowing secure access to your application infrastructure.
  • Create sophisticated network topologies to ensure least privilege access to your database deployments using CIDR ranges and Security Groups.
  • Easily auto-scale your application tier without having to modify database firewall rules.

How are Private Environments used?

With Private Environments, you can use all of the traditional network security best practices and techniques for designing your application. You can place your front-end load balancers in a public subnet, and place your application servers, microservices, and databases in private subnets protected from the internet, but accessible to each other.

Furthermore, if your application tier has an auto-scaling component that accesses the database, Private Environments are extremely convenient. Before Private Environments, it was impossible to add application servers to your app tier without adding new allow rules to your database firewall. This made autoscaling VMs that required access to your database deployment extremely difficult, requiring either a NAT layer or opening your database to more sources than necessary.

With Private Environments, you simply allow the proper CIDR block for the subnet holding your application VMs, or the AWS Security Group you wish to give access to (Security Groups coming soon). You can then add and remove app infrastructure without needing to touch the definition of your database deployment’s firewall.


Private Environments is currently in private beta and only available with our Dedicated plans. If you would like to join the waitlist, please email our team at support@mlab.com.

Comments are closed

MongoLab is now mLab

We have some exciting news to share! Below is the email we sent to our users earlier today:


I’m very excited to share some important news with you.

Today we are changing our name from MongoLab to mLab in order to better align with our long-term vision.

When we started this business five years ago, our MongoLab database service was the first step of a larger mission. Our ultimate goal was to simplify server-side development.

We envisioned a cloud-based laboratory where developers could build and deploy the entire server side of their application with a completely software-defined interface. Our premise was that a cloud-based server-side application stack built around JSON, microservices, document databases (like MongoDB), and software-defined networking could radically simplify server-side development.

We decided to start at the bottom of the stack and work our way upwards. This meant building a Database-as-a-Service platform upon which we could layer the rest of the stack. Around the same time we discovered MongoDB and recognized it as the operational data store of the future.

And so we set out on Phase 1 and created MongoLab: the game-changing cloud database service developers worldwide have grown to love.

I’m proud to say that mLab has become THE place to run MongoDB in the cloud and now manages over 250,000 deployments on AWS, Azure, and Google. If you are using MongoDB in the cloud, there really is no better experience.

MongoLab was a great name for us when our only product was MongoDB-as-a-Service. But now we feel it is time to change our name to one that can accommodate the larger vision that we have around cloud infrastructure and cloud data services.

Over the coming quarters we will focus on our broader premise that server-side development is largely about securely moving and transforming JSON objects between the client and the database, and that it should be much easier than it is today.

To be clear, we are still fully committed to MongoDB and our cloud MongoDB service, as this is the backbone of our future vision. MongoDB Inc., the stewards of MongoDB, will continue to concentrate on enterprise customers who host the database themselves. Our job at mLab will be to focus on the rest of the world and to continue to provide the best fully managed MongoDB-as-a-Service for developers who want to build great apps without worrying about database operations.

Thank you for helping make us such a success. We truly appreciate that you have chosen our service and look forward to helping you build great software.

Will Shulman
CEO of mLab

Please help us spread the word!


{ "comments": 17 }

Welcoming the Parse community

Last week, Parse announced that it was winding down its service, and it will be fully retired on January 28, 2017.  

Parse provided a great mobile backend platform for developers who don’t want to wrangle with the complexities of server-side infrastructure. By encapsulating both the database and the app server into a single cloud service, mobile app developers were able to leverage Parse to rapidly build rich mobile applications with much less effort than would be required if they had to build the server component themselves.

The good news is that even though the Parse service is shutting down, it has open sourced its underlying software so that Parse customers can still experience the power of their platform. The missing component is now the hosting, and the Parse team has done a good job of giving its customers alternatives on how to host each of the components of the Parse platform, along with tools to help customers migrate their apps.

To run a Parse app in the cloud using the open-source software there are two components that need hosting:

  1. The Parse Server, written in Node.js
  2. The database that underlies Parse, which is MongoDB

We have been working with the Parse team for some months to help ensure that Parse customers have a great option for where they host the database component of their app following the closure of the Parse service, and we welcome Parse customers to the MongoLab MongoDB-as-a-Service platform.

Using MongoLab to host the database component of your Parse app will free you from having to run and manage MongoDB yourself. We handle all of the automation around database provisioning and scaling, ensure timely backups of your database are taken each day, and provide a suite of great tools to help you manage your data. Our multi-node MongoDB clusters also offer High Availability and failover so that your app stays running even in the face of infrastructure failure, and is available whether you host your Parse app on Amazon, Azure, or Google.

In the past week, we have seen a good number of Parse customers migrating to our service. We feel we are starting have a good handle on the process and the types of speed bumps customers may face while migrating. Over the next few weeks we will be releasing a FAQ that encapsulates these learnings in order to help customers navigate the process smoothly.

In the meantime, if you have any questions or need migration help we invite you to email us at support@mongolab.com. We look forward to helping you build the future.

Help save Robomongo with your donation

We recently learned that the team behind Robomongo, a free and open source MongoDB admin GUI, are in need of funds to keep the project going. The project, which has over 3,622 stargazers on GitHub, is a valuable free tool for the MongoDB community. We know that many of you, our customers, use and love Robomongo, so let’s try and help them!

The Robomongo team is currently fundraising on Indiegogo. To help support them, we’re announcing that MongoLab will match all donations starting now for a total of up to $15,000. Donate now and help save Robomongo!

New Telemetry features – metric descriptions and alert incidents

If you are running MongoDB in production, you should have a robust uptime and historical monitoring solution for every database deployment. Uptime monitoring ensures that your application runs smoothly by tracking database stability and alerts you to take action if necessary. Historical monitoring helps you analyze and compare database and operating system metrics over time so that you can make informed decisions when tuning and scaling your database.

Telemetry, our real-time and historical monitoring tool, provides a customizable dashboard and alerting system that allows you to track key MongoDB metrics, analyze specific points in time, and configure custom alert thresholds. We’ve now made Telemetry even easier to work with by adding metric descriptions for each graph along with a list of alert incidents.

Metric descriptions in UI

Telemetry CPU graph

You may have noticed the new “?” icon located on every Telemetry chart. If you click on the icon, you can view the descriptions for each metric. For example, the CPU metric descriptions are the following:

Telemetry metrics help text

We hope these descriptions help you better understand each metric and serve as a quick reference when you are reading the charts or configuring alerts.

Telemetry alert incidents

Telemetry also allows you to create custom alerts. For example, you may want to configure an alert whenever the CPU User metric exceeds 75%. You can visit our Telemetry documentation for more information on how to configure Telemetry alerts and set up different notification channels.

If you have multiple alerts configured and your database is under duress, it is likely that there are multiple alerts are triggered at once. To help you keep track of alert incidents we have now added a new tab in Telemetry called “Alert Incidents”. You can toggle between “open” and “closed” status, where “open” events are active issues and the “closed” events are past events.

Questions or feedback?

For questions about Telemetry metrics or feedback on what you would like to see in Telemetry, please contact MongoLab support. We look forward to hearing from you!