Introducing Secure MongoDB Access Without the Headaches

If you manage infrastructure, you know the pain of providing access to a MongoDB instance tucked away in a private network. The typical solutions are a collection of security compromises and operational toil: shared credentials in .env files, IP allow-listing, and managing access through VPNs or SSH bastion hosts.

Every one of these methods introduces problems. Shared credentials create an accountability black hole, making audit and forensics nearly impossible. Network-level access via VPNs or bastions is a blunt instrument; once a user is on the network, they often have overly broad access, and managing this connectivity for a distributed team is a constant headache. In short, traditional MongoDB access is brittle, insecure, and opaque.

Today, we're changing that. We're excited to announce that Border0 now natively supports MongoDB as a new resource type. You can now provide secure, SSO-based, passwordless access to any MongoDB or DocumentDB cluster, no matter where it’s hosted.

The Old Way vs. The Border0 Way

Let's cut to the chase. Here’s a practical look at how Border0 transforms MongoDB access:

How It Works: A Look Under the Hood

So how do we make this happen? Border0 combines identity-aware proxies with a zero-trust overlay network, creating a unified access plane for all your services. For MongoDB, this means we’ve built a connector that speaks the MongoDB wire protocol and integrates seamlessly with your Identity Provider (IdP).

Let’s break down the key features.

1. Identity-Aware, Passwordless Authentication

With Border0, your team's corporate identity is their database identity. Say goodbye to managing static database credentials. Users connect via the Border0 client, which triggers an SSO flow with your IdP. Once authenticated, Border0 brokers a secure encrypted connection to the database.

This means you can finally disable shared service accounts. When Alice and Bob need database access, Alice logs in as alice@company.com and Bob as bob@company.com. There are no shared passwords and no ambiguity. Revoking access is as simple as removing a user from an SSO group, which immediately terminates any active sessions.

2. Seamless Discovery and Connectivity

Developers shouldn't have to hunt for connection strings or manage SSH configs. The Border0 Desktop App acts as a self-service "app store" for your internal infrastructure. Authorized users see their available MongoDB sockets and can launch a connection into their favorite client (mongosh, MongoDB Compass, TablePlus, DBeaver) with a single click.

The client handles all the networking and authentication details in the background. Whether a developer is at home or in the office, connecting to a private database is just as easy and secure, with no VPN required.

3. Fine-Grained Access Control for Admins

While users get a frictionless experience, administrators get powerful, centralized control. Border0 policies are tied directly to your IdP groups. You can easily define rules like:

Members of the DBA Okta group have read/write access to the production MongoDB server.
Members of the Developers group have read-only access to the staging database.
Access for the DataScience group is only permitted during business hours from trusted devices.

This model brings the power of "Policy as Code" to user access, making it dynamic and auditable. When an engineer leaves the company, deactivating their SSO account automatically revokes all database access through Border0, immediately.
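The three rules above can be modelled as a default-deny check over IdP group claims, as an added example that is not Border0's code or policy schema. The field names, the resource names, the 09:00-17:00 Monday-to-Friday window and the read-only scope for DataScience are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical rule model; field names are assumptions, not Border0's policy schema.
@dataclass(frozen=True)
class Rule:
    group: str
    resource: str
    actions: frozenset
    business_hours_only: bool = False
    trusted_device_only: bool = False

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group claims asserted by the IdP at request time
    resource: str
    action: str              # "read" or "write"
    when: datetime           # naive local time, assumed to be the policy's timezone
    device_trusted: bool

BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)   # assumed window, Mon-Fri

# Constructed resource names standing in for the servers named in the rules.
RULES = [
    Rule("DBA", "prod-mongodb", frozenset({"read", "write"})),
    Rule("Developers", "staging-mongodb", frozenset({"read"})),
    Rule("DataScience", "analytics-mongodb", frozenset({"read"}),
         business_hours_only=True, trusted_device_only=True),
]

def in_business_hours(ts):
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END

def is_allowed(req, rules=RULES):
    """Default deny: allow only when a rule matches group, resource, action and conditions."""
    for rule in rules:
        if rule.group not in req.groups or rule.resource != req.resource:
            continue
        if req.action not in rule.actions:
            continue
        if rule.business_hours_only and not in_business_hours(req.when):
            continue
        if rule.trusted_device_only and not req.device_trusted:
            continue
        return True
    return False   # no matching rule, including a user removed from every group
```

Because the decision is computed from the group claims presented with each request, removing a user from the IdP group changes the outcome on the next evaluation without touching any database credential.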

4. Complete Visibility: Session Recording and AI-Powered Insights

Now that every connection is tied to a unique identity, you get unparalleled visibility. Border0 logs every session, recording who connected, from where, and for how long. More importantly, we offer full query-level logging for MongoDB. Need to know who ran an expensive aggregation or dropped a collection? The answer is in the audit log, tied directly to a user's SSO identity. This is a game-changer for compliance (SOC 2, HIPAA) and security investigations.

To make this data even more useful, we've supercharged our session logs with AI. Instead of manually parsing logs, you can get an AI-generated summary of a session, like: “User bob@company.com connected to the customers database, ran 5 queries including a find on the users collection and an update on orders, and the session lasted 15 minutes.” It’s faster, smarter auditing.

Support for DocumentDB and Self-Hosted MongoDB

Our new service type is built for the modern data stack. This isn't just for self-hosted MongoDB instances.

A key highlight is our deep integration with Amazon DocumentDB. The Border0 connector can authenticate to DocumentDB using AWS IAM, enabling a truly passwordless workflow. This eliminates the need for database passwords entirely, offloading authentication to AWS’s robust IAM framework.

Whether your database is on an EC2 instance or an AWS DocumentDB cluster, the experience is unified: secure, SSO-based access managed from a single platform.

Conclusion: We Keep Shipping

The new MongoDB socket is another step in our mission to make secure access simple and invisible. No more operational overhead from managing VPNs and passwords. No more security gaps from shared credentials. Just fast, secure, and auditable access for the teams that need it.

If you’re tired of the old way of managing database access, it's time to make a change. Kick those shared passwords and bastion hosts to the curb.

Ready to try it? Sign up for our free community edition and secure your first MongoDB cluster in minutes. We think you'll love logging into a database the way it should be in 2025. 
