by y0ghur7_xxx 3411 days ago
> hide :27017 behind a firewall with only your app's DB access layer talking to it?

Because if you can do without it, why bother? Developing an access layer costs time and money. If you can leverage the DB features to do what you need, you can make your stack simpler and more maintainable.


It does not take that much time or effort to set up useful subnet/VPC security in AWS. Put the database in your VPC and say only your application VPC can talk to it. Done.

Reasonably good security practices are not that much effort, and really it's a case of respecting your users, for the most part.

The security trust game is starting to blow up. Yahoo just lost $250 million to it.
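As an added example (not part of the thread or any poster's code): a small Python check in the spirit of the comment above, auditing a database security group's ingress rules in the shape that `aws ec2 describe-security-groups` returns, so that 27017 is reachable only from the application tier. The group ID `sg-app-tier`, the app subnet CIDR and both sample rule sets are constructed assumptions.

```python
"""Audit security-group ingress rules so a MongoDB port is only reachable
from the application tier.

Added example, not from the thread. Rules follow the shape of the
IpPermissions list returned by `aws ec2 describe-security-groups`; the
sample data below is constructed and the identifiers are assumptions.
"""
import ipaddress

MONGO_PORT = 27017
APP_SG = "sg-app-tier"  # assumed ID of the application tier's security group
APP_CIDRS = [ipaddress.ip_network("10.0.1.0/24")]  # assumed private app subnet


def rule_covers_port(rule, port):
    """True if an IpPermissions entry allows TCP `port` (protocol -1 = all)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def cidr_is_app_subnet(cidr, app_cidrs):
    """True if `cidr` lies entirely within one of the app tier's subnets."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == c.version and net.subnet_of(c) for c in app_cidrs)


def audit_db_ingress(permissions, port=MONGO_PORT, app_sg=APP_SG, app_cidrs=APP_CIDRS):
    """Return findings for every source that may reach `port` and is neither
    the app tier's security group nor an app subnet CIDR. Empty list = clean."""
    findings = []
    for rule in permissions:
        if not rule_covers_port(rule, port):
            continue
        ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in ranges:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"port {port} open to the world ({cidr})")
            elif not cidr_is_app_subnet(cidr, app_cidrs):
                findings.append(f"port {port} reachable from non-app CIDR {cidr}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != app_sg:
                findings.append(f"port {port} reachable from security group {pair.get('GroupId')}")
    return findings


# Constructed sample: the common mistake, 27017 open to every IPv4 address.
WEAK_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]

# Constructed sample: the corrected group. Only members of the app tier's
# security group may connect; no CIDR rules at all on the database port.
HARDENED_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]},
    # Unrelated SSH rule from the app subnet; ignored because it is not port 27017.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]

# Constructed sample: an "allow all" rule from a whole /8 also exposes 27017,
# even though it never names the port.
BROAD_PERMISSIONS = [
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]

if __name__ == "__main__":
    for name, perms in [("weak", WEAK_PERMISSIONS), ("hardened", HARDENED_PERMISSIONS),
                        ("broad", BROAD_PERMISSIONS)]:
        print(name, audit_db_ingress(perms) or ["ok"])
```

In practice the `permissions` argument is the `IpPermissions` list from `aws ec2 describe-security-groups --group-ids <db-sg>`. Referencing the app tier's security group rather than a CIDR is the stronger option: the rule follows the app instances as they are replaced, and the check above treats any other source, including a too-broad private range, as a finding.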

I think y0ghur7_xxx was talking about a use case where you want to talk to the backend datastore from an application running outside of your datacenter in an untrusted environment (like an iOS/Android app, or a JS web frontend).

In this case, one can make the argument that a custom proxy layer, running in your DC (that proxies between the database and your actual frontend app) should not be necessary if the database offers sufficient per-connection ACLs and is secure.

That's a big if though.

Sorry, when I said "if you can do without it", with "it" I meant the application access layer, not the VPC.