Whitelist IP - Mongodb Atlas & Heroku

Question

I'm deploying a backend server (node/express) on Heroku. It's using Mongodb Atlas as database and the application is hosted on Heroku.

During development I have accepted to "allow access from anywhere" which works fine, but for production I believe this is a security risk. I can't seem to find an IP address for my Heroku server as it seems to be changing from time to time.

Any best practices which are somewhat easy to implement but also safe?

Answer 1

There is a great article here that talks about how they solved this issue and they did it by using Fixie which provides static IP addresses that solve the issue you are dealing with. I would recommend this over some other options I have provided below.

You can find all Heroku IP ranges with the following command:

HEROKU_REGION=eu; sudo apt -qqy install curl jq 2>/dev/null 1>/dev/null; heroku regions --json 2>/dev/null | jq ".[] | select(.name==\"$HEROKU_REGION\") | .provider.region" | (REGION=$(cat); curl -s https://ip-ranges.amazonaws.com/ip-ranges.json |  jq ".prefixes[] | select(.region==$REGION) | .ip_prefix")

Taken from this answer

also,

Heroku dynos use a subset of IP range of AWS EC2 instances, one can add the AWS IP ranges to the Cloud Atlas' whitelist, or get an add-on to provide a static outbound IP address, or to use a secure communication via TLS.

taken from a comment on this answer