Worker unable to connect to Mongodb Atlas (IP Whitelist)
I'm trying to connect to my MongoDB Atlas cluster from a Cloudflare Worker. The cluster has IP whitelisting enabled. I added all the published Cloudflare IP ranges to the whitelist, but the Worker still can't connect.
If I remove the IP restriction in Atlas, the connection works — so it seems the Worker isn’t using the IPs listed in Cloudflare’s docs.
I even pinged the Worker and saw an IP that's within the whitelisted range, and I tried manually adding that exact IP to Atlas — still no luck.
So my question is:
How can I find out what IPs Workers use for outbound requests to whitelist in MongoDB Atlas?
Or what's the right solution to make this setup work securely?
14 Replies
What are you using to connect to MongoDB Atlas?
Within Workers, Fetch is either one of the Proxy IPs or 2a06:98c0:3600::103 if connecting to another Cloudflare site.
If you are using TCP Sockets/Connect, it uses WARP (Cloudflare's "VPN") IP Ranges (not documented)
we are using the mongodb driver which i believe uses TCP Sockets
where do i find the ips for this "WARP (Cloudflare's "VPN") IP Ranges" ?
they're not documented, plus anyone using WARP itself could use them
ok i see. so if i connect the worker to a subdomain on my zone, would that change anything with regards to the ip at all?
what can i do to be able to make the worker connect to mongodb atlas via a whitelisted ip range? is there another way of doing this somehow?
no
Connecting via a proxy? or Mongodb wise, at one point they had the Atlas Data API or whatever but I think they're getting rid of that now?
For within Cloudflare, Cloudflare has an Enterprise product - Aegis for providing dedicated egress IPs, I'm not sure if it works with tcp sockets though and Enterprise is a few thousand/min/mo
yea the atlas data api is being removed. thank you for your help. i'm just trying to confirm this "If you are using TCP Sockets/Connect, it uses WARP (Cloudflare's "VPN") IP Ranges (not documented)" -- i can't find anywhere in their docs mentioning this. where did you find this part?
The docs directly say
https://developers.cloudflare.com/workers/runtime-apis/tcp-sockets/
"TCP Workers outbound connections are sourced from a prefix that is not part of list of IP ranges."
thank you very much. it also says this "Outbound TCP sockets to Cloudflare IP ranges are temporarily blocked, but will be re-enabled shortly"
I forget how we were told it was warp ranges, might have been an employee, but either way not documented ip lists
yea that doesn't apply to you and also has been there for like 2 years now lol
sorry but why wouldn't it apply to us? isn't connecting to mongodb using the driver an outbound tcp socket?
That says
Outbound TCP Sockets to Cloudflare IP Ranges, to Cloudflare IPs, like 1.1.1.1
You aren't connecting to a Cloudflare IP
ah yes, good point, thank you
ok so there is no way around it other than using a proxy then as their enterprise is questionable it would work and also very expensive
the other option is allowing access from all ips obv but also insecure
A proxy of some sort. If it's a limited use case you could even just set up your own http/rest api that your Worker talks to, and it in turn connects to mongodb
yep i see. thank you for your help.
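
Added example, not part of the thread or of any participant's code: since the Worker's source IP cannot serve as the allowlist key, the HTTP/REST proxy suggested above has to authenticate the Worker some other way. The sketch below signs each request with an HMAC over method, path, timestamp and body, and the proxy rejects tampered or stale requests. It assumes the proxy runs under Node.js on a host whose fixed IP is the only Atlas access-list entry; the header names, shared secret, 60-second window and request path are hypothetical.

```javascript
// Added example: HMAC request authentication between a Worker and a self-hosted proxy.
const { createHmac, timingSafeEqual } = require("node:crypto");

const MAX_SKEW_MS = 60_000; // assumed freshness window that limits replay

// String covered by the MAC. The body goes last so embedded newlines cannot shift fields.
function canonical(method, path, timestamp, body) {
  return [method.toUpperCase(), path, timestamp, body].join("\n");
}

// Caller side (what the Worker would compute before its fetch() to the proxy).
function signRequest(secret, method, path, body, now = Date.now()) {
  const timestamp = String(now);
  const signature = createHmac("sha256", secret)
    .update(canonical(method, path, timestamp, body))
    .digest("hex");
  return { "x-timestamp": timestamp, "x-signature": signature };
}

// Proxy side: run this before any query is forwarded to MongoDB.
function verifyRequest(secret, method, path, body, headers, now = Date.now()) {
  const timestamp = headers["x-timestamp"];
  const signature = headers["x-signature"];
  if (typeof timestamp !== "string" || typeof signature !== "string") {
    return { ok: false, reason: "missing" };
  }
  const ts = Number(timestamp);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) {
    return { ok: false, reason: "stale" };
  }
  const expected = createHmac("sha256", secret)
    .update(canonical(method, path, timestamp, body))
    .digest();
  const given = Buffer.from(signature, "hex"); // invalid hex yields a short buffer
  // The length check comes first because timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  return { ok: true, reason: "ok" };
}
```

With this in place the Atlas access list stays restricted to the proxy's address, and the shared secret would live in the Worker's secret storage rather than in source.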