Connect Amazon DocumentDB Cluster from Outside Amazon VPC

Amazon DocumentDB (with MongoDB compatibility) clusters are deployed within an Amazon Virtual Private Cloud (Amazon VPC). They can be accessed directly by Amazon EC2 instances or other AWS services that are deployed in the same Amazon VPC. I set up an EC2 (same VPC as DocumentDB) with security permissions for port 22 SSH and can run the command below successfully to the EC2:

$ ssh -i "AWSshkeyForEC2.pem" ubuntu@xxxx.compute-1.amazonaws.com

No problem.

I then try to set up a tunnel (for the DocumentDB at port 27017) by issuing this command line:

$ ssh -i "AWSshkeyForEC2.pem" -L 27017:docdbwhatever.us-east-1.docdb.amazonaws.com:27017 ubuntu@xxxx.compute-1.amazonaws.com -N

and it prints "Warning: Permanently added 'xxxx.compute-1.amazonaws.com,yyyyy' (ECDSA) to the list of known hosts." and then just hangs there?

I am on an OSX machine.

Overall I would rather create the DocumentDB without the VPC, as a DBaaS. There is a reason for this: the live hardware is on site at the factory for data, and then the data should be stored in the Mongo database in the cloud. Other apps run in the cloud and can reference the DocumentDB. We are not going to have an app in the cloud access hardware outside of the cloud, due to security.

So maybe the solution is to somehow create the DocumentDB without the VPC. I saw I could have deleted the default (VPC) and maybe I should have. The address is the magic 27017 of course for Mongo to the DocumentDB.

redpath
asked 2 years ago, 2584 views
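An added example, not part of the question above or of any AWS material: `ssh -N -L` prints nothing and does not return while the forward is up, so a terminal that "just hangs" after the known-hosts warning is the normal state of a working tunnel. What tells a working tunnel from a broken one is what a second process sees on the local port. The script below starts the tunnel in the background and classifies the local port into three states: refused (ssh is not listening, so ssh itself failed), closed by the bastion (ssh accepted the connection but the EC2 host could not reach the DocumentDB endpoint, which is the security group or subnet case), and open (something at the far end holds the connection, which is what a cluster listener does, since MongoDB never sends the first byte). The key file, bastion and endpoint names are placeholders copied from the question; the local listeners at the bottom are constructed stand-ins so the classifier can be exercised offline.

```python
"""Start `ssh -N -L` to DocumentDB and tell the three tunnel states apart.

States returned by end_to_end_probe():
  "refused"            nothing listens locally: ssh exited (key, host, forward refused)
  "closed-by-bastion"  ssh accepted, but the bastion could not reach the far end
  "open"               the forward reached a listener that keeps the connection
Hostnames and the key file are placeholders.
"""
import socket
import subprocess
import threading
import time

KEY_FILE = "AWSshkeyForEC2.pem"                                 # placeholder
BASTION = "ubuntu@xxxx.compute-1.amazonaws.com"                 # placeholder
DOCDB_ENDPOINT = "docdbwhatever.us-east-1.docdb.amazonaws.com"  # placeholder
LOCAL_PORT = 27017


def tunnel_argv(key_file, bastion, docdb_endpoint, local_port=27017, remote_port=27017):
    """ssh command line for the local forward; bind to loopback only."""
    return [
        "ssh", "-i", key_file,
        "-N",                              # no remote shell, forwarding only
        "-o", "ExitOnForwardFailure=yes",  # exit instead of silently staying up without the forward
        "-o", "ServerAliveInterval=30",    # keep an idle tunnel from being dropped
        "-L", f"127.0.0.1:{local_port}:{docdb_endpoint}:{remote_port}",
        bastion,
    ]


def end_to_end_probe(host, port, settle_s=2.0):
    """Connect through the forward and classify the result (see module docstring).

    A healthy forward to MongoDB leaves recv() waiting until the timeout; a
    forward whose far end failed is closed by ssh, so recv() returns EOF.
    """
    try:
        sock = socket.create_connection((host, port), timeout=settle_s)
    except OSError:
        return "refused"
    with sock:
        try:
            data = sock.recv(1)
        except socket.timeout:
            return "open"
        except OSError:
            return "closed-by-bastion"
        return "closed-by-bastion" if data == b"" else "open"


def open_tunnel(key_file=KEY_FILE, bastion=BASTION, docdb_endpoint=DOCDB_ENDPOINT,
                local_port=LOCAL_PORT, deadline_s=20.0):
    """Run ssh in the background; return the process once the forward works end to end."""
    proc = subprocess.Popen(tunnel_argv(key_file, bastion, docdb_endpoint, local_port))
    end = time.monotonic() + deadline_s
    state = "refused"
    while time.monotonic() < end:
        if proc.poll() is not None:
            raise RuntimeError(f"ssh exited with code {proc.returncode} before the forward came up")
        state = end_to_end_probe("127.0.0.1", local_port)
        if state == "open":
            return proc
        time.sleep(1.0)
    proc.terminate()
    raise RuntimeError(f"tunnel probe ended in state {state!r}; check the DocumentDB security group")


# Constructed local stand-ins for the three states, so the classifier runs offline.
def _listener(close_immediately, hold_s=3.0):
    """Loopback listener that drops its first client at once, or holds it for hold_s."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if not close_immediately:
            time.sleep(hold_s)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _unused_port():
    """A port nothing listens on: bind to 0, read the number back, release it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_test():
    """Probe the three stand-ins; returns ('refused', 'closed-by-bastion', 'open')."""
    return (
        end_to_end_probe("127.0.0.1", _unused_port(), settle_s=1.0),
        end_to_end_probe("127.0.0.1", _listener(close_immediately=True), settle_s=1.0),
        end_to_end_probe("127.0.0.1", _listener(close_immediately=False), settle_s=1.0),
    )
```

Run `open_tunnel()` from a second terminal or script while the `ssh -N` session is up, or by itself; a "closed-by-bastion" result is the signature of the situation in the question: ssh is fine, the EC2 host cannot reach port 27017 on the cluster.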
2 Answers

Firstly, Amazon DocumentDB is a VPC-only service, hence it is not possible to create one outside a VPC. If you delete the default VPC, you will need to create a new VPC, subnets, security group, DB subnet group, etc. before setting up a new DocumentDB cluster.

Secondly, since the command hangs, I would recommend that you check the connectivity setup with subnets and security groups. Is the security group used by the DocumentDB cluster allowing access on port 27017 from the private IP of the EC2, or from the CIDR range if in the same VPC?

To test connectivity, you can SSH to the EC2 and try a telnet to the DocumentDB endpoint to confirm the connection and port are accessible.

AWS
answered 2 years ago
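An added example of the security-group check the answer above asks for; it is my code, not AWS's. It evaluates the ingress rules of the cluster's security group against the bastion's private IP (CIDR rules) and the bastion's own security groups (group-reference rules) for port 27017, using the same structure that `aws ec2 describe-security-groups` and boto3's `describe_security_groups()["SecurityGroups"][0]` return, so the real output can be dropped in. The security group below is a constructed sample with placeholder group IDs. It only answers the security-group question: network ACLs and subnet routing are not evaluated, and a group reference only matches traffic that originates from an instance in that group inside the same or a peered VPC.

```python
"""Does the DocumentDB security group admit the EC2 bastion on 27017?

Evaluates IpPermissions as returned by `aws ec2 describe-security-groups`
(or boto3). SAMPLE_DOCDB_SG is a constructed sample; the group IDs are
placeholders. NACLs and routing are out of scope here.
"""
import ipaddress

DOCDB_PORT = 27017

SAMPLE_DOCDB_SG = {  # constructed sample, not a real group
    "GroupId": "sg-0docdb00000example",
    "IpPermissions": [
        # 27017 from the VPC CIDR
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # 27017 from members of another security group (e.g. the app tier)
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0app000000example"}]},
        # SSH open to the world: must not count as a 27017 match
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def _covers_port(perm, port):
    """True if the rule's protocol and port range include TCP `port`; "-1" is all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def matching_rules(sg, src_ip, src_group_ids=(), port=DOCDB_PORT):
    """Every ingress rule admitting src_ip or one of src_group_ids on port.

    Each hit is ("cidr", "<CIDR>") or ("group", "<sg-id>"), in rule order.
    """
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for perm in sg.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            net = ipaddress.ip_network(cidr, strict=False)
            if ip.version == net.version and ip in net:
                hits.append(("cidr", cidr))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") in src_group_ids:
                hits.append(("group", pair["GroupId"]))
    return hits


def bastion_allowed(sg, bastion_private_ip, bastion_group_ids=(), port=DOCDB_PORT):
    """True if at least one ingress rule admits the bastion on `port`."""
    return bool(matching_rules(sg, bastion_private_ip, bastion_group_ids, port))


if __name__ == "__main__":
    # Bastion inside the VPC CIDR: admitted by the CIDR rule.
    print(matching_rules(SAMPLE_DOCDB_SG, "10.0.1.25"))
    # Bastion in another range, not in the referenced group: no rule, tunnel "hangs".
    print(matching_rules(SAMPLE_DOCDB_SG, "172.16.5.9"))
```

For a live check, replace `SAMPLE_DOCDB_SG` with the group from `describe_security_groups`, and take the bastion's private IP and group IDs from `describe_instances`. An empty result for the bastion is the usual cause of the symptom in the question.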

Hi! Good question. DocumentDB in this case will require a VPC configuration.

To your point, what you are doing is setting up an EC2 instance in the same VPC to forward connections to the DocumentDB as described here: https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html. Do you have TLS enabled on the DocumentDB Cluster? If so, you will need to download the public key. This could also be an issue with the network connectivity of the EC2 instance or the connection between the EC2 and the DocumentDB cluster (Security Groups, other network config).

If you want to use a DB service that does not require a VPC configuration, check out DynamoDB: https://aws.amazon.com/dynamodb/. AWS calls this "a fully managed, serverless, key-value NoSQL database."

jsonc
answered 2 years ago
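An added example for the TLS point in the answer above; the code is mine, not the answerer's or AWS's. What a client of a TLS-enabled cluster needs is the CA bundle that signs the cluster certificate (global-bundle.pem, from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem), not a "public key". Through an SSH tunnel the client dials 127.0.0.1, which is not a name on that certificate, which is why the AWS guide adds the allow-invalid-hostnames option. The handshake function below keeps hostname verification on anyway: the TCP connection goes to the tunnel port, but TLS is told to expect the real cluster endpoint. The URI builder shows the driver form, with `directConnection=true` so the driver does not try to reach the cluster's instance hostnames (unreachable through the tunnel) and `retryWrites=false`, which DocumentDB requires. The endpoint, credentials and CA file path are placeholders; the only functions exercised offline are the context and URI builders.

```python
"""TLS through the tunnel to a TLS-enabled DocumentDB cluster.

CA_BUNDLE is the RDS/DocumentDB CA bundle (global-bundle.pem). The endpoint,
user and password are placeholders.
"""
import socket
import ssl
from urllib.parse import quote

DOCDB_ENDPOINT = "docdbwhatever.us-east-1.docdb.amazonaws.com"  # placeholder
CA_BUNDLE = "global-bundle.pem"   # from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem


def docdb_tls_context(cafile=CA_BUNDLE):
    """Context that verifies the chain against the CA bundle and checks the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def handshake_via_tunnel(endpoint=DOCDB_ENDPOINT, local_port=27017, cafile=CA_BUNDLE):
    """Handshake with 127.0.0.1:local_port, verified as if it were `endpoint`.

    server_hostname sets SNI and the name checked against the certificate, so
    hostname verification stays on even though the TCP peer is the tunnel.
    Returns the certificate's subjectAltName entries.
    """
    ctx = docdb_tls_context(cafile)
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=endpoint) as tls:
            return tls.getpeercert().get("subjectAltName", ())


def tunnel_uri(user, password, local_port=27017, cafile=CA_BUNDLE):
    """Driver connection string for the tunnel.

    Drivers have no way to override the verified name, so the URI form needs
    tlsAllowInvalidHostnames=true; the chain is still verified via tlsCAFile.
    """
    opts = [
        "tls=true",
        f"tlsCAFile={quote(cafile, safe='/')}",
        "tlsAllowInvalidHostnames=true",
        "retryWrites=false",        # DocumentDB does not support retryable writes
        "directConnection=true",    # do not discover instance hosts unreachable via the tunnel
    ]
    return (f"mongodb://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@127.0.0.1:{local_port}/?" + "&".join(opts))


def mongosh_args(user, local_port=27017, cafile=CA_BUNDLE):
    """mongosh invocation for the tunnel; the password is deliberately omitted
    so mongosh prompts for it instead of exposing it in the process list."""
    return ["mongosh", "--host", f"127.0.0.1:{local_port}",
            "--tls", "--tlsCAFile", cafile, "--tlsAllowInvalidHostnames",
            "--username", user]
```

`handshake_via_tunnel()` is the quickest way to prove, with the tunnel up, that the far end really is the cluster and that its certificate chains to the downloaded bundle, before involving a driver.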
