[SERVER-85804] Ensure Connection Limits from Private Endpoints are Enforced
Created: 26/Jan/24 Updated: 05/Feb/24

| Status: | Backlog |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Phuong-Thao (Sue) Nguyen |
| Assignee: | Backlog - Security Team |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Assigned Teams: | Server Security |

Description

Summary

Ensure that connection limits are enforced for all Atlas clusters that connect via Private Endpoint. This may involve using the source IP in the Proxy Protocol header (for PrivateLink) for authRestrictions and MaxIncomingConnectionsOverride considerations.

Motivation

When using Private Endpoints (PrivateLink) to connect to Atlas, MongoDB isn't currently enforcing connection limits. Not enforcing published connection limits for Atlas has the potential to allow a customer to inadvertently bring down their cluster with poor connection management. Essentially, this behavior results in applications employing private endpoints not having any practical connection limits (as noted in HELP-51612), contrary to our documentation. There have been several notable customers severely adversely impacted by this, including Coinbase.

This is especially important in the context of Optimized Connection Strings - the feature that we recommend for customers to use to prevent connection storms. As we EOL 4.4, more customers will migrate to 5.0, and thereby usage of OCS will sharply rise. Additionally - we are quickly moving into a world where all clusters will be sharded by default, and thus, all AWS clusters using PrivateLink will have run into this situation. We must ensure our architecture correctly enforces connection limits to avoid degradation due to excessive connections.
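The Summary's idea of keying limit decisions on the Proxy Protocol source IP rather than the socket peer, as an added example (not MongoDB server code). It parses a PROXY protocol v2 header and shows how the choice of address changes the outcome when the proxy's own address falls inside an exempt range. `ConnectionLimiter`, the exempt CIDR, the cap of 2 and all addresses are constructed assumptions, not Atlas configuration.

```python
import ipaddress
import struct

PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY protocol v2 signature

def proxy_v2_source(data):
    """Client source IP from a PROXY v2 header; None for LOCAL (health checks)."""
    if len(data) < 16 or data[:12] != PP2_SIG:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1 or len(data) < 16 + length:
        raise ValueError("bad version/command or truncated header")
    if ver_cmd & 0x0F == 0:            # LOCAL: no client address carried
        return None
    family = fam_proto >> 4
    if family == 1 and length >= 12:   # AF_INET: src(4) dst(4) ports(4)
        return ipaddress.ip_address(data[16:20])
    if family == 2 and length >= 36:   # AF_INET6: src(16) dst(16) ports(4)
        return ipaddress.ip_address(data[16:32])
    raise ValueError("unsupported address family")

class ConnectionLimiter:  # hypothetical: caps connections, exempt CIDRs bypass the cap
    def __init__(self, max_conns, exempt_cidrs=()):
        self.max_conns, self.active = max_conns, 0
        self.exempt = [ipaddress.ip_network(c) for c in exempt_cidrs]

    def admit(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.exempt):
            return True                # exempt: not counted against the cap
        if self.active >= self.max_conns:
            return False
        self.active += 1
        return True

def sample_header(src, dst, sport, dport):
    """Constructed PROXY v2 header (PROXY command, TCP over IPv4) for the demo."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", sport, dport)
    return PP2_SIG + struct.pack("!BBH", 0x21, 0x11, len(body)) + body

def admitted(use_header, attempts=5):
    """How many of `attempts` connections pass a cap of 2 (all values constructed)."""
    limiter = ConnectionLimiter(2, exempt_cidrs=["10.0.0.0/24"])  # assumed proxy range
    hdr = sample_header("192.0.2.10", "10.0.0.5", 40000, 27017)
    peer = "10.0.0.5"                  # socket peer is the proxy, not the client
    src = str(proxy_v2_source(hdr) or peer) if use_header else peer
    return sum(limiter.admit(src) for _ in range(attempts))
```

With these constructed values, `admitted(False)` lets all five connections through because the socket peer is in the exempt range, while `admitted(True)` stops at the cap of two.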