By using AWS re:Post, you agree to the Terms of Use

Connecting Programmatically to Amazon DocumentDB


Hi, I'm trying to connect to the DocumentDB cluster from code (C # /. Net).

I connect with Cloud9 and MongoDB Compass without any problems (In MongoDB Compass I added a .pem file in the connection options).

Unfortunately, I have a problem with connecting from the code level, when I try to write data to the database, I get a timeout (I received the same message in MongoDB Compass before adding the .pem file).

I did the instruction: (TLS Disabled). There is nothing in it about an SSH connection (with a .pem file).

Can you tell me how to do it or what am I doing wrong?

Thanks: D

2 Answers

There is a few troubleshooting steps I suggest to follow.

  1. Make sure that you can connect to the DocumentDB instance (establishing a TCP connection). See Testing a Connection to an Amazon DocumentDB Instance
  2. It's most likely that the TCP connection fails as you are getting a timeout error. If the Cloud9 instance is in the same VPC as the DocumentDB, make sure that the security group attached to the DocumentDB is not blocking inbound connection at the DocumentDB port (default port: 27017). See Security Group Blocks Inbound Connections.
  3. If you are connecting from another VPC or region, see the following: Cross Region Connections, Connecting from Different Amazon VPCs Again, make sure that you can make a TCP connection against the DocumentDB endpoint first. If not, check the security group of the DocumentDB cluster and VPC settings (NACL, network firewall if any). If the client is in a different network, make sure there is a peering between two VPCs to be able to connect.
answered 2 months ago

ok, following your suggestions:

  1. I did a connection test, result: Ncat: TIMEOUT.

  2. I checked my Security Group and in inbound rules is added port 27017 on all tarffic

Enter image description here

aws docdb describe-db-clusters --db-cluster-identifier test-270722 --query 'DBClusters[*].[DBClusterIdentifier,Port]'


--db-cluster-identifier test-270722 --query 'DBClusters[].[VpcSecurityGroups[],VpcSecurityGroupId]'

                "VpcSecurityGroupId": "sg-03b6d4320986c0f67",
                "Status": "active"

Maybe I don't understand something, because why is testing done to the endpoint via port 27017?

I read that to connect from outside the VPC you have to do it via proxy / SSH.

My configuration looks like this:

1.I have a DocumentDB cluster + Security Group "A" (Inbound rules: custom 27017 allowing traffic from Security Group "B") Enter image description here

  1. EC2 Instance + Security Group "B" (Inbound rules: TCP from anywhere + SSH port 22) Enter image description here

And this is how I connect to DocumentDB cluster, e.g. via MongoDB Compass, I provide both, data to connect to the cluster: host, username, password and data for SSH: SSH host, SSH port, SSH username, SSH Identity File (.pem file)

So, my questions are:

how to properly connect programmatically from the local workstation and save the data in DocumentDB. 1.what should the configuration look like in AWS (is mine correct?), Maybe I just misunderstood something in the documentation 2.Do I have to configure something on the workstation, but since I can connect via MongoDB Compass, I think everything is ok in this matter 3. In the programming manual it looks simple, connect to the cluster endpoint on port 27017, so why all the fuss with SSH, on the other hand, without SSH, I can't connect via MongoDB Compass. Somehow I don't understand it ...I'm missing something here

answered 2 months ago
  • Sorry for the late reply. Thanks for the additional info. Now it's clear that you are connecting from a local workstation instead of an EC2 instance in one of the VPCs. So, if you are connecting from your local workstation, that's a different network from the VPC the DocumentDB cluster is running. Basically, you need a network connection to the VPC to make it work. In your case, you are using a bastion host to connect to the cluster (local workstation -> bastion host -> DynamoDB cluster). So, you will need to do the same from your code if you wanna follow the same setup (establish the SSH connection to the bastion host and then run the query from there). I think this article can be of help. Take a look at the Connect from a machine outside AWS using an SSH tunnel section.

    Additionally, make sure not to expose all your TCP and SSH connection to Try to restrict it to specific IP(s) or CIDRs.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions