MongoDB Atlas — Setup Guide
Application: MOC & PCR Management System
Database: MongoDB Atlas (M10 dedicated cluster)
Audience: IT Administrator / System Owner
Overview
The MOC-PCR system uses MongoDB Atlas as its managed cloud database. Atlas handles automated backups, scaling, and high availability — no database server management is required.
This guide covers:
- Creating a production-grade M10 cluster
- Setting up a Private Endpoint so the application connects to the database over a private network (no traffic over the public internet)
- Adding the connection string to your environment variables
Recommended Cluster Tier — M10
| Specification | Value |
|---|---|
| Cluster tier | M10 (dedicated) |
| RAM | 2 GB |
| Storage | 10 GB (auto-expandable) |
| vCPUs | 2 |
| High Availability | 3-node replica set |
| Backups | Daily automated snapshots |
| Private Endpoint | ✔ Supported (M10 and above only) |
Estimated Monthly Cost
| Item | Estimated Cost (USD/month) |
|---|---|
| M10 cluster (3-node replica set) | ~$57 |
| Storage (10 GB, auto-expand) | Included in M10 |
| Backup storage (7-day retention) | ~$2–5 |
| Private Endpoint (Azure) | ~$7–10 (Azure side charge) |
| Total estimate | ~$65–75 / month |
Costs vary by region and cloud provider. The estimates above are for Azure — West Europe as of early 2026. Check the MongoDB Atlas pricing calculator for your exact region.
⚠️ Do not use M0 / M2 / M5 (shared clusters) for production. They do not support private endpoints, have no SLA, and share resources with other tenants.
Part 1 — Create the Atlas Cluster
Step 1 — Create an Atlas Account and Project
- Go to https://cloud.mongodb.com and sign in (or create an account).
- Click New Project → enter a name (e.g.,
MOC-PCR Production) → Create Project.
Step 2 — Create the M10 Cluster
- Inside your project, click Create → Create a cluster.
- Choose Dedicated (required for M10).
- Configure the cluster:
| Setting | Recommended Value |
|---|---|
| Cloud Provider | Microsoft Azure |
| Region | Same region as your application |
| Cluster Tier | M10 |
| Cluster Name | mocpcr-prod (or your preference) |
- Click Create Cluster. Provisioning takes 3–5 minutes.
Step 3 — Create a Database User
- In the left sidebar, go to Security → Database Access → Add New Database User.
- Choose Password as the authentication method.
- Set:
- Username:
mocpcr-app(or any name) - Password: Generate a strong random password and save it securely
- Role:
readWriteAnyDatabase(or restrict to your specific database name for tighter security)
- Username:
- Click Add User.
Step 4 — Configure your Database Name
When the application connects, it will use the database name specified in the connection string. Use a clear name such as mocpcr or production.
Part 2 — Private Endpoint Setup (Azure Private Link)
A Private Endpoint routes traffic between your Azure-hosted application and MongoDB Atlas through Microsoft's private backbone — the database is never reachable from the public internet.
⚠️ This requires M10 or above. Shared clusters (M0, M2, M5) do not support private endpoints.
Step 1 — Enable Private Endpoint in Atlas
- In Atlas, go to Security → Network Access → Private Endpoint tab.
- Click Add Private Endpoint.
- Select Azure as the cloud provider.
- Select the Azure region that matches your application deployment.
- Click Next. Atlas will display a set of Azure CLI commands — keep this page open.
Step 2 — Create the Private Endpoint in Azure
Run the following Azure CLI commands (provided by Atlas in the previous step). Replace the placeholder values with the ones Atlas showed you:
# Login to Azure
az login
# Set your subscription
az account set --subscription "<your-subscription-id>"
# Create the private endpoint
az network private-endpoint create \
--resource-group <your-resource-group> \
--name "mongodb-atlas-pe" \
--vnet-name <your-vnet-name> \
--subnet <your-subnet-name> \
--private-connection-resource-id "<atlas-resource-id>" \
--group-id "<atlas-group-id>" \
--connection-name "atlas-connection" \
--location "<your-azure-region>"
If you are running on Azure Container Apps, make sure your Container Apps environment is deployed inside a VNet. If it is not, you will need to configure VNet integration before private endpoints will work.
Step 3 — Approve the Connection in Atlas
After creating the endpoint in Azure:
- Go back to Atlas → Network Access → Private Endpoint.
- The new endpoint will appear with status Pending. Click Validate (Atlas checks that Azure has created its side of the connection).
- Once confirmed, the status changes to Available.
Step 4 — Get the Private Connection String
- In Atlas, go to your cluster → Connect.
- Choose Drivers → Node.js.
- Toggle to Private endpoint (if available, this option appears after setup is complete).
- Copy the connection string. It will look like:
mongodb+srv://<username>:<password>@<cluster-name>-private.mongodb.net/<database-name>?retryWrites=true&w=majority
The
-privatesuffix in the hostname is what routes traffic through the private endpoint.
Step 5 — Add IP Access (Failsafe)
Even with a private endpoint, Atlas still has a network access list. For private endpoint traffic, you do not need to add any IPs — but as a safest configuration:
- Go to Security → Network Access → IP Access List.
- If only using private endpoints, the list can remain empty (Atlas blocks all public access). If you need to query Atlas from a developer laptop during setup, temporarily add your IP here and remove it after.
Part 3 — Environment Variables
Add the following variable to your deployment environment:
# ── MongoDB Atlas ────────────────────────────────────────────────────────────
REMOTE_URL=mongodb+srv://<username>:<password>@<cluster-name>.mongodb.net/<database-name>?retryWrites=true&w=majority&appName=mocpcr
Replace:
<username>— the database user created in Part 1, Step 3<password>— the password for that user (URL-encode any special characters)<cluster-name>— your Atlas cluster hostname (from the connection string)<database-name>— your database name (e.g.,mocpcr)
Verification Checklist
| Item | How to verify |
|---|---|
| Cluster tier is M10 or above | Atlas → Clusters → tier column |
Database user exists with readWrite role | Atlas → Security → Database Access |
| Private endpoint status is Available | Atlas → Security → Network Access → Private Endpoint tab |
| Connection string uses private hostname | Look for -private in the hostname, or confirm via Atlas UI |
REMOTE_URL env var is set on the application | Check container env or Key Vault |
| Application connects successfully on startup | Application logs show no MongoNetworkError or similar errors |
Part 4 — Password and Special Characters
If your database password contains special characters (e.g., @, :, /, #), you must URL-encode them in the connection string. Common encodings:
| Character | Encoded |
|---|---|
@ | %40 |
: | %3A |
/ | %2F |
# | %23 |
! | %21 |
Example — password P@ss#word! becomes P%40ss%23word%21 in the connection string.
Recommendation: When creating the database user password, use only alphanumeric characters and hyphens to avoid URL-encoding issues entirely.
Part 5 — Backup and Retention
M10 clusters include automated daily backups. Configure retention in Atlas:
- Go to the cluster → Backup tab.
- The default retention is 2 days for M10. Increase to 7 days (recommended for production):
- Click Edit Backup Policy.
- Set daily snapshots to retain for 7 days.
- Point-in-time recovery is available on M10 but billed separately — optional for this deployment.
Part 6 — Secret Rotation
To rotate the database user password:
- In Atlas → Security → Database Access, click Edit next to the user.
- Set a new password.
- Update
REMOTE_URLin your environment variables with the new password (URL-encoded if necessary). - Restart the application.
- Confirm the application is connecting successfully before removing the old password from any backups.
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
MongoNetworkError: connection refused | Private endpoint not set up or status not Available | Follow Part 2 steps; check endpoint status in Atlas |
MongoServerError: Authentication failed | Wrong username or password in connection string | Verify credentials in Atlas → Database Access; check URL-encoding |
ENOTFOUND <cluster>.mongodb.net | DNS resolution failing — VNet/DNS not configured for PE | Ensure your Azure VNet has private DNS zone linked for Atlas private endpoint |
MongoNetworkTimeoutError | Application host not in the same VNet as the endpoint | Enable VNet integration on Azure Container Apps / your app host |
Error: Database connection failed on startup | REMOTE_URL env var missing or malformed | Check env var is set and the connection string format is correct |
Next Steps
With MongoDB Atlas configured and the REMOTE_URL connection string in hand, proceed to:
Azure SSO Authentication Setup →
Last updated: March 2026