Connect to DocumentDB from another region
TL;DR

DocumentDB in another region <-------- ec2 instance in another region
                               access

So AWS has launched MongoDB as a service and calls it DocumentDB. Currently the supported regions are:
1. N. Virginia
2. Ohio
3. Oregon
4. Ireland

So according to their documentation, to access the documentDB:

To interact with your Amazon DocumentDB cluster, you must launch an Amazon Elastic Compute Cloud (Amazon EC2) instance into your default VPC, in the same AWS Region where you created your Amazon DocumentDB cluster.

I did this and it works as expected.

The problem is, how do I access this from another ec2 instance in another VPC, with a different security group, in another region?

I tried to access it and this was the exception:

pymongo.errors.ServerSelectionTimeoutError: .... 
[Errno 113] No route to host

Note: The above works if I launch an ec2 instance within the same region and same security group.

Is there something I can do to whitelist the ec2 instance in another region using firewall settings?

Gingergingerbread answered 10/1, 2019 at 7:31 Comment(4)
No route to host implies more things missing than just firewall settings (which should result in Connection timed out). Are the VPCs peered? – Conquer
You need a peering (VPC peering) connection between the VPCs and the routing table modified to route the DocumentDB request. – Capacity
No, the VPCs aren't peered... let me try that and get back – Gingergingerbread
The following approach is mentioned in their docs: docs.aws.amazon.com/documentdb/latest/developerguide/… – Gingergingerbread
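An added example, not code from anyone in this thread: the two prerequisites the comments name (a route to the client VPC's CIDR through the peering connection, and a security-group rule admitting tcp/27017 from that CIDR) checked offline against constructed data shaped like boto3's describe_route_tables / describe_security_groups output. All IDs and CIDRs are hypothetical.

```python
import ipaddress

# Constructed sample data (hypothetical IDs and CIDRs, not from the thread), in
# the shape of boto3's describe_route_tables() "Routes" and
# describe_security_groups() "IpPermissions" for the VPC hosting DocumentDB.
DOCDB_VPC_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "172.16.0.0/16",
     "VpcPeeringConnectionId": "pcx-0123456789abcdef0"},
]
DOCDB_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

def route_to_peer(routes, client_cidr):
    """Route covering client_cidr that targets a peering connection (pcx-),
    or None, which is the case matching the question's 'No route to host'."""
    client = ipaddress.ip_network(client_cidr)
    for r in routes:
        dest = ipaddress.ip_network(r["DestinationCidrBlock"])
        if client.subnet_of(dest) and r.get("VpcPeeringConnectionId", "").startswith("pcx-"):
            return r
    return None

def sg_allows(rules, client_cidr, port=27017):
    """True if an ingress rule admits TCP `port` from all of client_cidr."""
    client = ipaddress.ip_network(client_cidr)
    for rule in rules:
        proto = rule["IpProtocol"]
        if proto not in ("tcp", "-1"):  # "-1" means all protocols
            continue
        if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(client.subnet_of(ipaddress.ip_network(ipr["CidrIp"]))
               for ipr in rule.get("IpRanges", [])):
            return True
    return False

def diagnose(client_cidr, routes=DOCDB_VPC_ROUTES, rules=DOCDB_SG_INGRESS):
    """Map the two prerequisites onto the symptoms named in the comments."""
    if route_to_peer(routes, client_cidr) is None:
        return "NO_ROUTE"    # peering or route table entry missing
    if not sg_allows(rules, client_cidr):
        return "SG_BLOCKED"  # firewall only: connection would time out
    return "OK"

if __name__ == "__main__":
    for cidr in ("172.16.0.0/16", "192.168.1.0/24"):
        print(cidr, diagnose(cidr))
```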
The AWS DocumentDB troubleshooting guide here answers this exact question.

I solved the same issue with VPC Peering (as described in the article).

Critchfield answered 7/3, 2021 at 12:40 Comment(1)
Curious, what steps did you follow to set up VPC Peering? – Inhibition
Have you looked into the vpc-peer-region-example documentation by AWS?

It seems like the architecture mentioned in (doc) is a perfect fit for you. It shows how to use a combination of VPC peering and AWS PrivateLink to extend access to private services to consumers in different regions (and different VPCs).

Moguel answered 7/7, 2019 at 3:15 Comment(0)
Since the Document-DB cluster and DB instance are configured for a specific region by default, they can only be accessed from ec2 instances inside the VPC, or from your local machine with access to the VPC, which is also in the same region.

Note: only if the security groups are enabled to allow access from your machine's IP.

However, we can use the port forwarding technique, aka SSH tunneling, to enable any user from any region to access your DB; it will still need an ec2 instance or bastion instance to be up and running.

Follow the document to create a proxy server using Amazon Session Manager: https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/

Create a tunnel from your machine:

ssh -i  ec2-keypair-private.pem ec2-user-name@ec2-public-dns-name -N -L 27017:document-db-cluster-name:27017

Use the Mongo shell to log in locally from your machine:

mongo --ssl --host localhost:27017 --sslCAFile rds-combined-ca-bundle.pem --username username --password password

Note: Your Document-DB cluster should allow the ec2 instance you are using to access it; this can be modified from the security groups associated with that cluster. Hope it helps!

Caines answered 24/4, 2020 at 8:43 Comment(0)