AWS DocumentDB ECONNRESET error with SSH tunneling from Mongo shell - amazon-ec2

I've followed the AWS DocumentDB docs for connecting outside VPC:
I created an EC2 instance in the same security group and VPC as the DocDB cluster
In the security group I opened port 22 access for my IP, and also opened port 27017 for communication inside the security group so the EC2 instance can SSH tunnel to the DocDB
I ran ssh -f -i "ssh-tunneling-access.pem" -L 27017:{doc-db-cluster}:27017 {ec2-instance-user}@{ec2-instance-dns} -N to open the SSH tunnel
In another terminal I tried to connect using Mongo shell with mongosh "mongodb://{credentials}@localhost:27017/?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=rds-combined-ca-bundle.pem"
I got an error "MongoServerSelectionError: read ECONNRESET"
I'm running on Windows 11, and my terminal is Powershell Core.
Any ideas what did I miss and/or how to troubleshoot it?

First of all, make sure you can connect to DocumentDB from the EC2 instance. The security group attached to the DocumentDB cluster has to allow port 27017 with source the EC2 instance (or the security group of the EC2).
Second, it is not clear from where you're initiating the tunnel. Did you execute step 3 on the Windows 11 machine? Have you installed OpenSSH on Windows?
How about using a GUI client, like Robo 3t, which has SSH tunneling support? Instructions on how to connect can be found here.
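The answer above boils down to "is the tunnel actually carrying traffic to the cluster?". The following is an added example (not code from the question or the answers) that probes the local end of an ssh -L forward and tells the four outcomes apart: nothing listening, the listener accepting and immediately closing (what ssh -L does when the EC2 side cannot connect to the target, which a client reports as ECONNRESET or EOF), a peer that stays up and waits for the client to speak (normal for a TLS/MongoDB server), and a hung connect. The fake listeners it starts are a simulation so the script runs offline; against a real tunnel you would call probe_tunnel("127.0.0.1", 27017).

```python
"""Classify what a client sees at the local end of an SSH tunnel.

Added example, not code from the thread. A MongoDB client pointed at
127.0.0.1:27017 can observe several outcomes, and each points at a
different place to look:
  refused  - nothing is listening on that port (ssh -L is not running, or
             it bound a different port or address)
  closed   - the listener accepted and then closed or reset the socket at
             once; with ssh -L this is what happens when the EC2 side could
             not connect to the target (e.g. the DocumentDB security group
             does not allow 27017 from the instance); clients report it as
             ECONNRESET or an unexpected EOF
  open     - the connection stays up and the peer silently waits for us to
             speak, which is normal for a TLS/MongoDB server
  timeout  - the TCP connect itself hung, i.e. packets are being dropped
"""
import socket
import threading


def probe_tunnel(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect to host:port and report one of refused/closed/open/timeout."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # e.g. network unreachable
        return f"error:{exc.errno}"
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(1)
        except socket.timeout:
            return "open"          # peer is waiting for our first bytes
        except ConnectionResetError:
            return "closed"        # RST right after connect
        return "closed" if data == b"" else "open"   # b"" means the peer sent FIN


def start_fake_listener(behaviour: str) -> int:
    """Start a throwaway listener on 127.0.0.1 that imitates a tunnel end.

    behaviour 'drop' closes every accepted connection immediately (the far
    end of the forward failed); 'hold' keeps it open and silent (a TLS server
    waiting for a ClientHello). Returns the ephemeral port it bound. This is
    a simulation for the example, not a real tunnel.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep 'hold' connections referenced so they stay open

    def serve():
        while True:
            conn, _ = srv.accept()
            if behaviour == "drop":
                conn.close()
            else:
                held.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """Return a port nothing is listening on (bind to 0, read it back, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Against a real tunnel you would run: probe_tunnel("127.0.0.1", 27017)
    print("drop    ->", probe_tunnel("127.0.0.1", start_fake_listener("drop")))
    print("hold    ->", probe_tunnel("127.0.0.1", start_fake_listener("hold"), timeout=1.0))
    print("refused ->", probe_tunnel("127.0.0.1", free_port()))
```

A "closed" result with the tunnel running means the problem is on the EC2 side of the forward (the instance cannot reach the cluster on 27017), not on the Windows client; "refused" means the ssh -L process is not listening where the client is looking.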

Related

How can I access the Neptune Database from my local environment using SSH tunnel?

I have both application and network load balancer. EC2 instance and the Neptune are in the same VPC group. I am able to access the EC2 instance by using ssh username@ and can access the Gremlin server there and execute queries but how can I make a tunnel out of it so that I can use it from the local environment? Let me know if you need more detail.
It's not 100% clear if you are connecting directly to EC2 or whether there is a NLB or an ALB in between. If you are connecting from a local machine via SSH directly to EC2 to build a tunnel to Neptune, a command such as this will work.
ssh -i mycreds.pem ec2-user@ec2-xx-xx-xx-xx.compute-1.amazonaws.com -N -L 8182:my-neptune-cluster.us-east-1.neptune.amazonaws.com:8182
In order to get the SSL credentials to resolve you will likely need to add a line to your hosts file along the lines of:
127.0.0.1 localhost my-neptune-cluster.us-east-1.neptune.amazonaws.com

Unable to connect MongoDB Compass to AWS DocumentDB using SSH tunnel

I am new to MongoDB, trying to set up tools for my new project. Most of my infrastructure runs on AWS so I prefer to use AWS DocumentDB. I managed to connect to DocumentDB from EC2 both via the mongo client and a NodeJS application, but it would be good to manage DocumentDB from my Windows workstation using MongoDB Compass.
As we know, we can not directly connect any mongo client from outside AWS to DocumentDB (see "Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC"),
so we need an SSH tunnel through EC2. I tried many options but still fail... below are the 2 most likely options:
Option 1: Connect using MongoDB Compass SSH tunnel
Error: unable to get local issuer certificate
Both RDS-COMBINED-CA-BUNDLE.PEM and the SSH key are already supplied, so which one is it unable to get?
As the red highlight on the SSH port shows, I also tried to open another SSHD port on the server and tried to connect using the second port, but it still failed.
Option 2: Connect using Putty SSH tunnel
Error: Hostname/IP does not match certificate's altnames...
since MongoDB Compass needs to connect to localhost to get into the tunnel and I still can not find a way to supply the --sslAllowInvalidHostnames option.
So, what can I do to get around this?
MongoDB Compass: 1.25.0
I am done with Compass.
Successfully established a "robo3t" connection to AWS DocumentDB using this guide.
https://docs.aws.amazon.com/documentdb/latest/developerguide/robo3t.html
As of Jan 2022 MongoDB Compass does not support sslInvalidHostNameAllowed=true in the connection builder form, this is the parameter you are missing in order to connect to AWS DocumentDB while ssh tunneling to a machine inside the same VPC of the database itself.
I used Studio 3T and it worked perfectly. You could create the connection string yourself or try other GUI.
Edit Jan 2023:
I just tried Compass again and it seems they now support the sslInvalidHostNameAllowed flag through the UI. You could still change the connection string manually, but then any UI interaction would overwrite it.
If you edit the connection string directly in MongoDB Compass you can set options that may not be accessible in the user interface.
Below is an example with tweaked parameters to connect without using TLS:
mongodb://xxxx:yyyy@localhost:27017/?authSource=admin&connectTimeoutMS=10000&readPreference=primary&authMechanism=SCRAM-SHA-1&serverSelectionTimeoutMS=5000&appname=MongoDB%20Compass&ssl=false
For Hostname, are you using DocumentDB endpoint? In one screenshot, I see you are using localhost.
I have managed to connect with option 1.
The workaround can be to establish a connection using an SSH tunnel (port forward), so that the SSH tunnel opens a port on your local system that connects through to another port at the other end of the tunnel.
Using the below command establishes a tunnel on terminal and later you can use this channel/connection to connect MongoDB using MongoDB Compass.
For example:
ssh user@aws-ec2-ip-address -L 35356:127.0.0.1:27017 -N
where -L is the local listening side.
Port 35356 is listening on localhost (that is, in this case, your EC2) and forwards through to port 27017 on the remote server.
Note - Add identity file in .ssh/config
Ex - On Mac
Host XXXXXXX
HostName 52.xx.xx.xx
User ubuntu
IdentityFile ./path/prod.pem
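The Compass thread above and the ECONNRESET question at the top of the page fail on the same handful of mismatches between the ssh -L forward and the connection string the client uses through it: a client port that is not the tunnel's local port, TLS hostname verification running against "localhost" (the "Hostname/IP does not match certificate's altnames" error, which tlsAllowInvalidHostnames or the hosts-file alias works around), no CA bundle ("unable to get local issuer certificate"), and ssl=false toward a DocumentDB endpoint. The following added example, which is not code from any of the posts, parses both sides and reports those findings; the cluster endpoint names in it are constructed and the option spellings it recognises are the ones that appear on this page.

```python
"""Sanity-check an ssh -L forward against the MongoDB URI used through it.

Added example, not code from any post above. It reports the mismatches the
threads stumble over before a client is even started. Endpoint names in the
demo are made up.
"""
import re
from urllib.parse import parse_qs, urlsplit

# [bind_address:]local_port:remote_host:remote_port, as given to ssh -L
FORWARD_RE = re.compile(
    r"^(?:(?P<bind>[^:]+):)?(?P<lport>\d+):(?P<rhost>[^:]+):(?P<rport>\d+)$"
)
# Option spellings seen on this page: the mongosh URI option and the name
# Compass exposes in its connection builder.
HOSTNAME_OVERRIDES = ("tlsallowinvalidhostnames", "sslinvalidhostnameallowed")


def parse_forward(spec: str) -> dict:
    """Split an -L argument into its local port and remote host:port."""
    m = FORWARD_RE.match(spec)
    if not m:
        raise ValueError(f"not a [bind:]lport:rhost:rport forward: {spec!r}")
    return {
        "local_port": int(m["lport"]),
        "remote_host": m["rhost"].lower(),
        "remote_port": int(m["rport"]),
    }


def parse_mongo_uri(uri: str) -> dict:
    """Pull host, port and lower-cased options out of a mongodb:// URI."""
    parts = urlsplit(uri)
    if parts.scheme != "mongodb":
        raise ValueError("only plain mongodb:// URIs are handled here")
    opts = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    return {"host": parts.hostname, "port": parts.port or 27017, "options": opts}


def check_tunnel(forward_spec: str, uri: str) -> list:
    """Return a list of findings; an empty list means the pair is consistent."""
    fwd = parse_forward(forward_spec)
    cli = parse_mongo_uri(uri)
    opts = cli["options"]
    findings = []

    # The client must talk to the tunnel's local end, or to the cluster name
    # if that name was pointed at 127.0.0.1 in the hosts file (the Neptune
    # answer's trick), in which case certificate checks see the real name.
    via_alias = cli["host"] == fwd["remote_host"]
    if cli["host"] not in ("localhost", "127.0.0.1") and not via_alias:
        findings.append(f"client host {cli['host']!r} is not the tunnel's local end")
    if cli["port"] != fwd["local_port"]:
        findings.append(
            f"client uses port {cli['port']} but the tunnel listens on {fwd['local_port']}"
        )

    tls_on = opts.get("tls", opts.get("ssl", "false")).lower() == "true"
    if fwd["remote_host"].endswith(".docdb.amazonaws.com") and not tls_on:
        findings.append("TLS is off but DocumentDB endpoints require TLS by default")
    if tls_on and not via_alias and not any(
        opts.get(k, "false").lower() == "true" for k in HOSTNAME_OVERRIDES
    ):
        findings.append(
            f"TLS hostname verification will run against {cli['host']!r}; set "
            f"tlsAllowInvalidHostnames=true or alias {fwd['remote_host']} to "
            "127.0.0.1 and connect to that name"
        )
    if tls_on and "tlscafile" not in opts:
        findings.append("no tlsCAFile given; DocumentDB certificates chain to the RDS CA bundle")
    return findings


if __name__ == "__main__":
    # Constructed values; the cluster endpoint is not a real one.
    for spec, uri in [
        ("27017:demo.cluster-abc123.us-east-1.docdb.amazonaws.com:27017",
         "mongodb://user:pw@localhost:27017/?tls=true&tlsAllowInvalidHostnames=true"
         "&tlsCAFile=rds-combined-ca-bundle.pem"),
        ("9999:127.0.0.1:27017", "mongodb://127.0.0.1:9992/"),
    ]:
        print(spec, "->", check_tunnel(spec, uri) or "ok")
```

Run it with the exact -L argument and URI you are about to use; an empty result means the two agree, and each finding names the option or port to change.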

How to setup SSH tunnel to connect to my ElasticSearch and MongoDB residing on AWS EC2 server?

I'm trying SSH tunneling for the first time hence, I'm expecting some level of guidance (with explanation) to setup an SSH tunnel so that I from my Windows client machine can connect to things like ElasticSearch and MongoDB that are residing on AWS EC2 Windows Server.
Here is how you can make a tunnel to the server for MongoDB:
ssh -L 9999:127.0.0.1:27017 user@serverip -NnT
Now you are able to access your remote MongoDB through the tunnel on port 9999, so you can connect to the MongoDB server from local like:
mongo --host 127.0.0.1 --port 9999
The same way you can also create your own tunnel for Elasticsearch by specifying the Elasticsearch port like below:
ssh -L 9200:127.0.0.1:9200 user@serverip -NnT
I don't have more knowledge of accessing Elasticsearch through the port, but this might help.

Can only connect one time to AWS EC2 instance

I launched a new AWS EC2 Ubuntu Server t2.micro instance via the AWS console. I was able to successfully connect to the instance a single time using ssh on macOS Sierra 10.12.3:
$ ssh -i ./ubuntu-server-2-17-2017.pem ubuntu@ec2-55-555-555-555.compute-1.amazonaws.com
However, when I try to connect a second time, I get a time out error:
$ ssh -i ./ubuntu-server-2-17-2017.pem ubuntu@ec2-55-555-555-555.compute-1.amazonaws.com
ssh: connect to host ec2-55-555-555-555.compute-1.amazonaws.com port 22: Operation timed out
How can I resolve this issue?
The first thing to check is that the IP address associated with the instance is still the same.
The other thing to look at, then, is the security group to see if your IP address (which maybe changed) is still allowed.

SSH freeze when connecting to AWS

Connecting to an Ubuntu 14.04 server at an AWS gx2.2 instance (the huge GPU one), from an Ubuntu 14.04 system with the following command:
ssh -i ~/.ssh/key.pem ubuntu@12.121.12.321
Normally it would just connect, but now it times out with this error:
ssh: connect to host 54.171.53.164 port 22: Connection timed out
I can Ctrl+C out of the freeze though.
I have tried to restart.
I have tried to sudo apt-get update.
Recheck your AWS parameters...
1) Check the public IP associated with the Amazon EC2 instance; check whether it is the same as the IP address 12.121.12.321 you are using to make the connection.
2) Check the inbound rule of the security group associated with the Amazon EC2 instance. Ensure that the inbound rule allows SSH access from the IP address of the machine from which you are trying to connect to the Amazon EC2 instance.
3) Ensure that the pem file you are using is the appropriate one.
Hope it helps...
