Connect App Runner with DocumentDB

0

I'm trying to connect an App Runner service with a DocumentDB cluster that has TLS enabled. I already configured a VPC Connector to associate my service with the DocumentDB's VPC but unfortunately, I get a "timeout error". I was able to connect that DocumentDB cluster with a Lambda, but not with an App Runner. Is it possible to connect these two services?

Thanks, Mario

Mario
Asked 10 months ago · 589 views
1 answer
2
Accepted answer

You should ensure that you are configuring your App Runner instance to run within the VPC. From inside the VPC it should be able to access protected resources like the DocumentDB instance.

You can follow this walkthrough guide to help you configure the desired architecture. https://aws.amazon.com/blogs/containers/observability-for-aws-app-runner-vpc-networking/

I hope this resolves your issues.

Expert
Answered 10 months ago
  • Hi Justin, thank you for your quick reply.

    I already tried that, but still no luck. I've re-created the VPC, security groups, and everything. I continue having the following timeout error:

    A timeout occurred after 30000ms selecting a server using CompositeServerSelector.

    I also tried using a DocumentDB cluster with TLS disabled and had the same error.

  • Hey Mario, can you share the App Runner code that you are using to connect to the database from within the application? Please change or redact any sensitive information such as username and/or password.

  • Hi Justin! Here is a summary of how my App Runner creates a connection to DocumentDB. It works fine when trying to connect a Lambda Function with that DocumentDB cluster (TLS is enabled), but not when trying to connect the App Runner.

    using MongoDB.Driver;

    private IMongoDatabase CreateConnection()
    {
        // DocumentDB connection string: TLS on, replica set rs0, reads go to secondaries
        var template = "mongodb://{0}:{1}@{2}/?tls=true&replicaSet=rs0&readpreference=secondaryPreferred";
        var username = "<user>";
        var password = "<password>";
        var clusterEndpoint = "<cluster-endpoint:27017>";
        var connectionString = string.Format(template, username, password, clusterEndpoint);
        var databaseName = "<database-name>";

        return new MongoClient(connectionString).GetDatabase(databaseName);
    }
    

    With the same code, I get the following error messages on the App Runner:

    A timeout occurred after 30000ms selecting a server using CompositeServerSelector
    The remote certificate is invalid because of errors in the certificate chain.
    

    I tried registering this certificate https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem when the app starts, but it still does not work :(

    using System.Security.Cryptography.X509Certificates;

    // Verbatim string: a plain "PATH\g..." literal is a compile error because \g is not a valid escape
    var pathToCAFile = @"PATH\global-bundle.pem";
    var localTrustStore = new X509Store(StoreName.Root);
    var certificateCollection = new X509Certificate2Collection();
    certificateCollection.Import(pathToCAFile);

    // Add every certificate from the bundle to the current user's Root store
    localTrustStore.Open(OpenFlags.ReadWrite);
    localTrustStore.AddRange(certificateCollection);
    localTrustStore.Close();
    
  • I finally fixed the issue, following some recommendations I found in this post: https://stackoverflow.com/questions/67013408/cert-error-connecting-to-aws-documentdb-from-docker-c-sharp-app

    I've included the following lines in my Dockerfile:

    # add AWS RDS CA bundle
    ADD https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem /tmp/rds-ca/aws-rds-ca-bundle.pem
    # split the bundle into individual certs (prefixed with xx)
    # see http://blog.swwomm.com/2015/02/importing-new-rds-ca-certificate-into.html
    RUN cd /tmp/rds-ca && cat aws-rds-ca-bundle.pem|awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ""}' \
        && for CERT in /tmp/rds-ca/cert*; do mv $CERT /usr/local/share/ca-certificates/aws-rds-ca-$(basename $CERT).crt; done \
        && rm -rf /tmp/rds-ca \
        && update-ca-certificates
    

    I just want to thank Justin who helped me a lot with the walkthrough guide he provided me.

  • I am glad you resolved your problem! I'm always happy to help.
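As an added example (not part of the original thread or of any participant's code), the POSIX shell function below performs the same bundle-splitting step as the Dockerfile snippet in the final comment, but as a reusable function that strips CRLF line endings, reports how many certificates it wrote, and is followed by a sanity check that every output file is a complete BEGIN/END block. The output directory, the `aws-rds-ca-` prefix and the two-block sample bundle are constructed for this example; in a real image you would point it at the downloaded bundle and at /usr/local/share/ca-certificates before running update-ca-certificates.

```shell
#!/bin/sh
# Added example, not from the original thread. Split a PEM CA bundle into one
# file per certificate so each CA can be registered individually in the
# container's trust store. Paths and the sample bundle are constructed.

# split_pem_bundle BUNDLE OUTDIR [PREFIX]
# Writes OUTDIR/PREFIX1.crt, OUTDIR/PREFIX2.crt, ... and prints the count.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    prefix="${3:-cert}"
    mkdir -p "$outdir"
    # Each certificate runs from BEGIN to END; text outside a block (bundle
    # comments, blank lines) is dropped. Stray CRs are removed first so a
    # bundle saved with Windows line endings still splits cleanly.
    tr -d '\r' < "$bundle" | awk -v dir="$outdir" -v pre="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1; out = dir "/" pre n ".crt" }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }'
}

# check_split_certs OUTDIR
# Returns 0 only if every .crt file starts with a BEGIN line and ends with an
# END line, i.e. no block was truncated or merged with its neighbour.
check_split_certs() {
    dir="$1"
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || return 1
        head -n 1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
        tail -n 1 "$f" | grep -q '^-----END CERTIFICATE-----$' || return 1
    done
    return 0
}

# make_sample_bundle FILE
# Constructed input: two placeholder PEM blocks (not real certificates),
# with a comment line and CRLF endings to exercise the cleanup.
make_sample_bundle() {
    printf '# constructed sample bundle, not a real CA bundle\r\n' > "$1"
    printf -- '-----BEGIN CERTIFICATE-----\r\nQUJDREVG\r\n-----END CERTIFICATE-----\r\n' >> "$1"
    printf -- '-----BEGIN CERTIFICATE-----\r\nR0hJSktM\r\n-----END CERTIFICATE-----\r\n' >> "$1"
}

# Usage in a Dockerfile RUN step (paths assumed for the example):
#   split_pem_bundle /tmp/rds-ca/bundle.pem /usr/local/share/ca-certificates aws-rds-ca- \
#       && check_split_certs /usr/local/share/ca-certificates \
#       && update-ca-certificates
```

The sanity check matters because a bundle with a missing END line, or one saved with CRLF endings, silently produces a file that update-ca-certificates will ignore, which reproduces exactly the "errors in the certificate chain" failure discussed above.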
