A shard contains a subset of sharded data for a sharded cluster. Together, the cluster’s shards hold the entire data set for the cluster.

Shards should be deployed as a replica set to provide redundancy and high availability.

Users, clients, or applications should only directly connect to a shard to perform local administrative and maintenance operations.

Performing queries on a single shard only returns a subset of data. Connect to the mongos to perform cluster-level operations, including read or write operations.


MongoDB does not guarantee that any two contiguous chunks reside on a single shard.

Primary Shard

Every database has a primary shard that holds all the un-sharded collections for a database. The primary shard has no relation to the primary in a replica set.

Diagram of a primary shard. A primary shard contains non-sharded collections as well as chunks of documents from sharded collections. Shard A is the primary shard.

To change the primary shard for a database, use the movePrimary command. The process of migrating the primary shard may take significant time to complete, and you should not access the collections associated with the database until it completes. Depending on the amount of data being migrated, the migration may affect overall cluster operations. Consider the impact on cluster operations and network load before attempting to change the primary shard.

When you deploy a new sharded cluster with shards that were previously used as replica sets, all existing databases continue to reside on their original shard. Databases created subsequently may reside on any shard in the cluster.

Shard Status

Use the sh.status() method in the mongo shell to see an overview of the cluster. This report includes which shard is primary for the database and the chunk distribution across the shards. See sh.status() method for more details.

Sharded Cluster Security

Use Internal Authentication to enforce intra-cluster security and prevent unauthorized cluster components from accessing the cluster. You must start each mongod in the cluster with the appropriate security settings in order to enforce internal authentication.

See Deploy Sharded Cluster with Keyfile Access Control for a tutorial on deploying a secured sharded cluster.

Shard Local Users

Each shard supports Role-Based Access Control (RBAC) for restricting unauthorized access to shard data and operations. Start each mongod in the replica set with the --auth option to enforce RBAC. Alternatively, enforcing Internal Authentication for intra-cluster security also enables user access controls via RBAC.

Each shard has its own shard-local users. These users cannot be used on other shards, nor can they be used for connecting to the cluster via a mongos.

See Enable Client Access Control for a tutorial on adding users to an RBAC-enabled MongoDB deployment.
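The two sections above (Sharded Cluster Security and Shard Local Users) require every mongod in a shard to be started with the right security settings. The following is an added example, not part of the MongoDB documentation: it audits the `parsed` document returned by `db.adminCommand({ getCmdLineOpts: 1 })` for each shard member. The host names, keyfile path and sample documents are constructed, and treating `clusterAuthMode: "x509"` as an alternative to a keyfile is an assumption that goes beyond what this page covers.

```javascript
// Added example. Input per member: the `parsed` document from
//   db.adminCommand({ getCmdLineOpts: 1 })
// run while connected directly to that mongod.

// Return the list of security findings for one mongod.
function auditMember(parsed) {
  const sec = (parsed && parsed.security) || {};
  // Internal authentication: a keyfile, or x509 membership auth (assumption).
  const internalAuth = Boolean(sec.keyFile) || sec.clusterAuthMode === "x509";
  // RBAC is on with --auth (security.authorization: enabled), and is also
  // enabled implicitly when internal authentication is enforced.
  const rbac = internalAuth || sec.authorization === "enabled";
  const findings = [];
  if (!internalAuth) findings.push("internal authentication not configured");
  if (!rbac) findings.push("RBAC not enforced");
  return findings;
}

// Audit every member of a shard; return only hosts that have findings.
function auditShard(members) {
  const report = {};
  for (const { host, parsed } of members) {
    const findings = auditMember(parsed);
    if (findings.length > 0) report[host] = findings;
  }
  return report;
}

// Constructed sample: three members of one shard replica set.
const BASE = { replication: { replSetName: "shardA" },
               sharding: { clusterRole: "shardsvr" } };
const SAMPLE_SHARD = [
  { host: "shardA-0.example.net:27018",
    parsed: { ...BASE, security: { keyFile: "/etc/mongodb/keyfile" } } },
  { host: "shardA-1.example.net:27018",   // --auth only, no keyfile
    parsed: { ...BASE, security: { authorization: "enabled" } } },
  { host: "shardA-2.example.net:27018",   // no security section at all
    parsed: { ...BASE } },
];

console.log(JSON.stringify(auditShard(SAMPLE_SHARD), null, 2));
```

Because shard-local users are separate from the users reachable through a mongos, run the check against each mongod directly rather than through the mongos.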