Whitelists explained

Where a Compose database deployment has TCP access portals, the account administrator or manager can configure a whitelist of addresses that can connect to the deployment through those portals. Some hybrid access portals, such as the Mongos router portal, incorporate the TCP access portal and also offer the same whitelisting capability.

Whitelists operate by specifically identifying by IP address the systems on the internet allowed to connect to the deployment. Compose deployment whitelists are comprised of IP addresses with optional netmasks. Netmasks can be used with the IP addresses to define a range of addresses.

The controls for the whitelist are found in the Security view. A typical deployment's view is shown here:


Location of the Whitelist on the Security panel.

For some deployments, a Portal Management panel is shown at the top of the view. See Portal Management for more details on that as it varies between database types.

Below that is the Whitelist TCP/HTTP IPs panel. This is where the the whitelist is managed.

When there are no IP addresses in the whitelist, the whitelist is disabled and the deployment will accept connections from any system on the internet.

Adding an IP address or range

Selecting Add IP brings up the Add IP form:


Adding an IP address to the Whitelist.

The Description can be any user-significant text for identifying the whitelist entry - a customer name, project identifier or employee number, for example.

The IP field can take a single complete IPv4 address or IPv6 address with or without a netmask. Without a netmask, incoming connections must come from exactly that IP address.

The netmask defines the number of significant bits in the address that need to be matched. With an address such as and a netmask of 16, the first 16 bits, the 10.1 part, are significant, so any address beginning 10.1 will match. This gives a range of valid addresses from to

Unlike CIDR specifications, the IP address must be fully specified when using a netmask. That means entering, for example, rather than 192.168.1/24.

Note that although the IP entry allows for IPv6, no Compose deployments are currently available to IPv6 networking and so these addresses cannot be filtered on.

Click Add IP to add the IP address. The Jobs screen will be displayed to show the progress of reconfiguring the proxies with the new whitelist entry. Returning to the Security view you will see something like this:


Whitelist with one IP added

If you entered a single IP address, it will be displayed here with a netmask of 32 meaning that all of the address is significant and must be matched exactly.


Compose Services in the whitelist

Compose's data browser and other services need to access your deployment to allow you to view the database from the console and to manage your deployment. To enable this we automatically add whitelist entries to Compose's servers to allow them to connect.

Deleting an IP address or range

To remove an IP address or Compose Services from the Whitelist, click the Remove entry displayed next to it. The Jobs view will be displayed as the change in configuration is made to the proxies.

When all entries on the whitelist are removed, the whitelist will be disabled and all IP addresses will be accepted by the TCP access portals or Mongos router portals.

Still Need Help?

If this article didn't solve things, summon a human and get some help