Skip to content

Instantly share code, notes, and snippets.

@kennwhite

kennwhite/MongoDB_bindIp_solution.md

Last active November 6, 2024 19:55
Show Gist options
  • Save kennwhite/07d56f8c14b94e74027af53d0911e7d9 to your computer and use it in GitHub Desktop.
Save kennwhite/07d56f8c14b94e74027af53d0911e7d9 to your computer and use it in GitHub Desktop.
Download ZIP
Misconceptions about MongoDB network binding ("net.bindIp")
Raw
MongoDB_bindIp_solution.md

The net.bindIp setting in MongoDB (see: https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-net.bindIp), whether on the command line, e.g.: mongod --bind_ip x.x.x.x or in the mongod.conf file, e.g.:

# network interfaces
net:
  port: 27017
#  bindIp: 127.0.0.1  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
  bindIp: 172.31.11.200,127.0.0.1

specifies the local server network interface to listen to, NOT internet-originated inbound IP addresses. If you change the default to listen to an external interface or a private-public bridge such as an AWS private IP, then any filtering must be done at the host level via IPTables or nftables or (better) at the security group firewall level. But once the bindIp is changed to an external network interface, all traffic allowed through the host- or network-level firewall will be able to reach the server.

The default configuration since the version 3.6 days circa 2017 (and earlier in the official MongoDB repos) have defaulted to strictly listen on loopback for this reason.

Sometimes, admins are confused and try to add "whitelisted" IPs (e.g., for web servers) to the bindIp list and are confused when the database won't start. It won't start because those IP addresses are (almost certainly) not properties of the database server.

Contrary to very highly rated Stack Overflow answers, it does NOT matter if the addresses have spaces or not or if they are quoted or not.

All of these are valid choices for an EC2 server that has 172.31.11.200 as its private IP:

# network interfaces
net:
  port: 27017
  bindIp: 172.31.11.200,127.0.0.1

  bindIp: 172.31.11.200, 127.0.0.1
  
  bindIp: "172.31.11.200,127.0.0.1"
  
  bindIp: "172.31.11.200, 127.0.0.1"

Brackets however are NOT allowed. This is an invalid configuration and will prevent the database from starting:

# network interfaces
net:
  port: 27017
  bindIp: [172.31.11.200,127.0.0.1]

Hope this saves someone time in troubleshooting the DenverCoder9 problem.

@chichilatte
Copy link

chichilatte commented Nov 6, 2024
edited
Loading

Thank you Kenn, you just made my day 💖 Been wrestling for hours to finally get enough info to google "mongo ip binding nat firewall" and discover your advice. All working now :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment