Answer
Atlas encrypts all cluster storage and snapshot volumes at rest by default. You can add another layer of security by using your cloud provider's KMS together with the MongoDB encrypted storage engine.
The Return All Control Plane IP Addresses API endpoint returns a list of inbound and outbound Atlas control plane IP addresses in CIDR notation, categorized by cloud provider and region. A snippet of the response is shown as an example:
{
  "inbound": {
    "aws": {
      "ap-northeast-1": [ "52.192.130.90/32", "52.193.61.21/32" ],
      ...
  "outbound": {
    "aws": {
      "ap-northeast-1": [ "35.76.187.172/32", "57.180.230.183/32", "13.112.169.243/32", "52.197.152.79/32", "54.199.195.221/32" ],
      ...
      ],
      "us-east-1": [ "3.212.79.116/32", "3.92.113.229/32", "34.193.91.42/32", "34.237.40.31/32", "3.215.10.168/32", "34.236.228.98/32", "3.214.203.147/32", "3.208.110.31/32", "100.26.2.217/32", "3.215.143.88/32", "52.0.74.246/32", "3.223.8.180/32" ],
Inbound addresses are the ones from which traffic enters the Atlas control plane from your network; outbound addresses are the ones from which the Atlas control plane sends traffic into your network.
For the Encryption at Rest using Customer Key Management feature, you must provide network access from the Atlas control plane IP addresses to your network. Specifically, ensure that your cloud provider's KMS allows access from all outbound addresses provided by the Return All Control Plane IP Addresses API endpoint.
To use the Encryption at Rest with Customer Key Management feature, it is necessary to allow access to all Control Plane IP addresses listed in the outbound section (see the Allow Access From the Atlas Control Plane documentation for more details), not just those corresponding to your cloud provider's KMS. For example, if you are using Azure Key Vault, you must allow access to all IP addresses, including those from AWS and GCP, in the outbound section of your network, and not restrict it solely to Azure-specific IP addresses. Atlas has services that are deployed across all the cloud providers and their communication with the customer endpoints is necessary.
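The following Python script is an added example, not part of the original answer or of any MongoDB tooling. It shows how to flatten the outbound section of the endpoint's response into the full CIDR list a KMS access list needs, how to check an existing allow list against that list (so that an Azure-only or AWS-only filter is caught as a gap), and how to render the list as an AWS KMS key policy condition. The response is a constructed sample shaped like the snippet above; the azure and gcp entries, their regions and their addresses are made up (documentation ranges), and the endpoint URL is not given on this page, so the script works on a saved response rather than fetching one.

```python
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample response. The "aws" entries copy addresses from the
# excerpt in the answer; "azure" and "gcp" regions and addresses are made up
# (RFC 5737 documentation ranges) purely to make the cross-provider point.
SAMPLE_RESPONSE = json.dumps({
    "inbound": {
        "aws": {"ap-northeast-1": ["52.192.130.90/32", "52.193.61.21/32"]},
    },
    "outbound": {
        "aws": {
            "ap-northeast-1": ["35.76.187.172/32", "57.180.230.183/32"],
            "us-east-1": ["3.212.79.116/32", "3.92.113.229/32"],
        },
        "azure": {"eastus2": ["192.0.2.10/32"]},        # constructed
        "gcp": {"us-central1": ["198.51.100.20/32"]},   # constructed
    },
})


def outbound_cidrs(response_text: str,
                   providers: Optional[Set[str]] = None) -> List[str]:
    """Flatten the 'outbound' section into a sorted, de-duplicated CIDR list.

    providers=None means every cloud provider, which is what the KMS allow
    list must contain. Passing a subset (for example {"azure"}) reproduces
    the misconfiguration the answer warns about and is useful for testing.
    """
    data = json.loads(response_text)
    found: Set[str] = set()
    for provider, regions in data["outbound"].items():
        if providers is not None and provider not in providers:
            continue
        for cidrs in regions.values():
            found.update(cidrs)
    # Sort by address family first so IPv4 and IPv6 networks never compare.
    return sorted(found, key=lambda c: (ipaddress.ip_network(c).version,
                                        ipaddress.ip_network(c)))


def uncovered_cidrs(required: Iterable[str],
                    allow_list: Iterable[str]) -> List[str]:
    """Return the required CIDRs that no allow-list entry fully contains.

    Allow-list entries may be broader than /32; an entry covers a required
    CIDR only when the required network is a subnet of it.
    """
    allowed = [ipaddress.ip_network(a, strict=False) for a in allow_list]
    missing: List[str] = []
    for cidr in required:
        net = ipaddress.ip_network(cidr, strict=False)
        covered = any(net.subnet_of(a) for a in allowed
                      if a.version == net.version)
        if not covered:
            missing.append(cidr)
    return missing


def aws_kms_source_ip_condition(cidrs: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Render the CIDR list as the Condition block of a KMS key policy
    statement. Only the condition is built here; the Principal and Action
    of the statement depend on your Atlas setup and are not on this page."""
    return {"IpAddress": {"aws:SourceIp": list(cidrs)}}


if __name__ == "__main__":
    required = outbound_cidrs(SAMPLE_RESPONSE)
    azure_only = outbound_cidrs(SAMPLE_RESPONSE, providers={"azure"})
    print("required outbound CIDRs:", required)
    print("gap if only Azure addresses are allowed:",
          uncovered_cidrs(required, azure_only))
    print(json.dumps(aws_kms_source_ip_condition(required), indent=2))
```

Run it against a saved copy of the endpoint's response instead of `SAMPLE_RESPONSE` to audit a real allow list; any CIDR that `uncovered_cidrs` reports is one the control plane may use that your KMS would reject.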
Alternatively, for Azure Key Vault, the "Encryption at Rest using Azure Key Vault over Private Endpoints" feature is available upon request. To enable this functionality for your Atlas deployments, contact your Account Manager.
Depending on your Key Management configuration, you may need to add the IP addresses of Atlas cluster nodes to your cloud provider’s KMS access list to ensure proper communication between the cluster and your KMS.