MongoDB with Async Python Transcripts
Chapter: Deployment
Lecture: Limit Network Access with VPCs and Firewall

0:00 In order to get MongoDB set up, we're going to need to run a bunch of commands. So I'm going to put those into a certain part of our project here.
0:10 We'll also need a couple of configuration files. So while there won't really be much code here, we're going to go ahead and make another chapter.
0:20 Chapter 11 deployment, let's say. I'll go ahead and mark that as a source as root, unmark that as a source as root,
0:29 and I'm going to paste a couple files. We have our MongoDB config, which we'll talk about in a minute,
0:38 and those steps that I told you, this is the first step for the server, this we don't really need. We're going to have those steps, that's installing,
0:50 optionally installing ZSH and Oh My Zsh, and then we're going to start working on protecting the server.
0:59 So the next thing that we want to do is we want to make sure that there's no way to talk to the server at all.
1:06 We're going to use something called the uncomplicated firewall because it's uncomplicated.
1:15 So let's go back to our server and we're going to run uncomplicated firewall, deny any connections.
1:23 You got to be really careful here. We do want this thing to be able to talk outbound. So we're going
1:32 to allow outgoing and the most important, not the most, one of the very most important things is
1:39 if we're going to block all incoming connections, we still need to be able to
1:43 admin the server over SSH. So we're going to say allow SSH. Okay, so we can, we should still be
1:51 able to access it. Now, none of this is actually yet applied, because we have not enabled it.
1:57 So ufw enable, it says you may be breaking the system, especially if you did not have this,
2:05 you may never ever come back, we'll be fine. And let's just double check by disconnecting. Reconnecting. Alright, everything is good.
2:17 We can get into here, but only from SSH, nothing else. Now, the final thing we need to configure in our uncomplicated firewall
2:28 is what inbound requests we're going to allow into the server. We have two options. We could whitelist the allowed incoming connections
2:41 and say we're only going to let connections come to. You can see down here I have these two servers. This is me just testing before,
2:48 but these are the ones we're going to be working with. We have this web app, which is that IP address,
2:53 and we have our MongoDB server, which is this one. So one option is to say we only allow connections from this IP address.
3:03 It could be the public one or ideally, whenever we create a set of resources or servers over on DigitalOcean we have a virtual private network, a VPC.
3:15 So those are already protected IP addresses, right? They only make sense to things within that network.
3:22 So we could work with a public IP address, but ideally let's just work with our virtual private network here, in which case this would be the one.
3:31 We technically, if we had a more complicated setup, we could say allow anything to connect
3:36 to the server, but only allow the server to exist publicly on the virtual network. So there's some options here that we could choose.
3:47 Going back here, that's what this thing says. Only use from any to any port here if MongoDB is only listening on a virtual IP address.
4:01 Alternatively, we could put this here like this for this specific example. And let's say, what port do we want to listen on?
4:08 That's probably a decent port. So we also want to listen on not the default port. The default is 27017.
4:22 One of the things people do when they're scanning for vulnerable MongoDB servers is go to every
4:27 IP address they can find or guess and try to connect to that, you know, that IP address, that port.
4:34 So by using a different port, it's not like a super secure type of thing, but it just
4:38 is one more step that doesn't advertise and scream to the world, "Here's my MongoDB server, come try to talk to it."
4:45 So we're going to use that here, in which case that's the MongoDB server port there.
4:52 I'm going to put any, but I want to triply underline this only works, this is only good
4:57 enough if this is going to be inside the virtual network. If MongoDB is only available in the
5:03 virtual network. I'll show you how to do that in a little bit. So last thing to do, we want
5:07 to run this. So far we don't have MongoDB installed yet and we haven't told it where
5:12 it is publicly available or open on the network. So no big deal, there's no rush to do anything
5:18 about that. But this is the final step for configuring that firewall. Alright, so everything
5:26 looks set here, we have a limit network access. That's a really important thing. It's one
5:32 of the very, very first things that MongoDB suggests. So we're good to go.

