I am new to mongoDB trying to setup tools for my new project. Most of my infrastructure run on AWS so i prefer to use AWS documentDB. I manage to connect to documentDB from EC2 both via mongo client or NodeJS aplication. but it would be good to mange documentDB from my Windows workstation using MongoDB Compass.
As we know, we can not direct connect any mongo client from outside AWS to DocumentDB Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC
so we need SSH tunnel through EC2. I try many options but still fail... below are most likely 2 options:
Option 1: Connect using MongoDB Compass SSH tunnel
Error: unable to get local issuer certificate
both RDS-COMBINED-CA-BUNDLE.PEM and SSH Key already supplied so which one unable to get?
as red highlight on SSH port, I also tried to open another SSHD port on server and tried to connect using second port but still failed.
Option 2: Connect using Putty SSH tunnel
Error: Hostname/IP does not match certificate's altnames...
since MongoDB Compass need to connect to locathost to get into tunnel and i still can not find the way to supply --sslAllowInvalidHostnames options.
So, what i can do to get around this ?
MongoDB Compass: 1.25.0
I am done with Compass.
successful established "robo3t" connection to AWS DocumentDB using this guild.
https://docs.aws.amazon.com/documentdb/latest/developerguide/robo3t.html
As of Jan 2022 MongoDB Compass does not support sslInvalidHostNameAllowed=true in the connection builder form, this is the parameter you are missing in order to connect to AWS DocumentDB while ssh tunneling to a machine inside the same VPC of the database itself.
I used Studio 3T and it worked perfectly. You could create the connection string yourself or try other GUI.
Edit Jan 2023:
I just gave a try to compass again and it seems they now support sslInvalidHostNameAllowed flag through the UI, you could still change manually the connection string but then any UI interaction would overwrite it.
If you edit the connection string directly in MongoDB Compass you can set options that may not be accessible in the user interface.
Below is an example with tweaked parameters to connect without using TLS:
mongodb://xxxx:yyyy#localhost:27017/?authSource=admin&connectTimeoutMS=10000&readPreference=primary&authMechanism=SCRAM-SHA-1&serverSelectionTimeoutMS=5000&appname=MongoDB%20Compass&ssl=false
For Hostname, are you using DocumentDB endpoint? In one screenshot, I see you are using localhost.
I have managed to connect with option 1.
The workaround can be by establish connection using SSH Tunnel (port forward) and so that SSH tunnel opens a port on your local system that connects through to another port at the other end of the tunnel.
Using the below command establishes a tunnel on terminal and later you can use this channel/connection to connect MongoDB using MongoDB Compass.
For example:
ssh user#aws-ec2-ip-address -L 35356:127.0.0.1:27017 -N
where -L as the Local listening side
Port 35356 is listening on localhost (that is in this case your EC2) and port forwards through to port 27017 on remote server.
Note - Add identity file in .ssh/config
Ex - On Mac
Host XXXXXXX
HostName 52.xx.xx.xx
User ubuntu
IdentityFile ./path/prod.pem
Related
I've followed the AWS DocumentDB docs for connecting outside VPC:
I created an EC2 instance in the same security group and VPC as the DocDB cluster
In the security group I opened 22 port access for my IP, and also opened port 27017 for communication inside the security so EC2 instance can SSH tunnel to the DocDB
I ran ssh -f -i "ssh-tunneling-access.pem" -L 27017:{doc-db-cluster}:27017 {ec2-instance-user}#{ec2-instance-dns} -N to open the SSH tunnel
In another terminal I tried to connect using Mongo shell with mongosh "mongodb://{credentials}!#localhost:27017/?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=rds-combined-ca-bundle.pem"
I got an error "MongoServerSelectionError: read ECONNRESET"
I'm running on Windows 11, and my terminal is Powershell Core.
Any ideas what did I miss and/or how to troubleshoot it?
First of all, make sure you can connect to DocumentDB from the EC2 instance. The security group attached to the DocumentDB cluster has to allow port 27017 with source the EC2 instance (or the security group of the EC2).
Second, is not clear from where you're initiating the tunnel. Did you execute step 3. on the Windows 11 machine? Have you installed OpenSSH on Windows?
How about using a GUI client, like Robo 3t, which has SSH tunneling support? Instructions on how to connect can be found here.
I'm new to Amazon Web Service (AWS).
I already created a PostgreSQL from AWS RDS:
Endpoint: database-1.XXX.rds.amazonaws.com
Port: 5432
Public accessibility: Yes
Availablity zone: ap-northeast-1c
After that, I will push my application that using the database to AWS (maybe deploy to EKS).
However, I want to try testing the database server from my local computer first.
I haven't tried testing from my laptop PC at home yet, but I think it will connect OK because my laptop PC is not using the HTTP proxy to connect to the network.
The problem is that I want to try testing from my company PC, which needs setup the HTTP proxy to connect to the internet. The PC spec:
Windows 10
Installed PostgreSQL 10
Firstly, I tried using psql command-line:
psql -h database-1.XXXX.rds.amazonaws.com -U postgre
> Unknown host
set http_proxy=http://user:password#my_company_proxy:3128
set https_proxy=http://user:password#my_company_proxy:3128
psql -h database-1.XXXX.rds.amazonaws.com -U postgre
> Unknown host
set http_proxy=http://my_second_company_proxy:3128
set https_proxy=http://my_second_company_proxy:3128
psql -h database-1.XXXX.rds.amazonaws.com -U postgre
> Unknown host
Then, I tried using the pgAdmin tool.
As from the internet post, it said that we can use "SSH Tunnel" for inputing proxy:
However, the error message will be shown:
So, anyone can help suggest if we can connect to the public PostgreSQL server through HTTP proxy?
I think problem is Postgres uses plain TCP/IP protocol and you are trying to use HTTP proxy. Also you're trying to create SSH tunnel against your HTTP proxy server which won't work.
So I'd suggest following solutions:
Use TCP proxy instead of HTTP proxy
Create an EC2 or any instance that has SSH access from your company network and has access to public internet. So that you can create SSH tunnel through that instance to achieve your goal.
NOTE: Make sure you PostgreSQL is accessible from public internet (although this is usually bad idea, but it's out of scope this question) sometimes security group configs prevent it to connect from public internet.
Just add all ports(5432,3128...) in the Security Group from your RDS and specify your IP. Don't forget "/32"
Let me add that "unknown host" is usually an indication that you're not resolving the DNS hostname. Also, your HTTP proxy should not interfere with connections to databases since they aren't on port 80 or 443. A couple of things you can try (assuming you're on windows) sub in your actual url:
nslookup database-1.XXXX.rds.amazonaws.com
telnet database-1.XXXX.rds.amazonaws.com 5432
You should also check the security group that is attached to your RDS and make sure you've opened up the ip address that you're originating from on port TCP/5432.
Lastly check that your VPC has DNS and Hostnames enabled. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-updating
Using DBeaver, I'm trying to connect to my AWS ec2 instance where I've installed a MariaDB database.
I've created a new connection as:
Connection: AWS / Maria DB
Server Host: localhost (because I'm using ssh to connect)
Database, Username and Password: the right ones
Port: 3306
SSH tunnel on the connection:
Use SSH Tunnel: checked
Host/IP, Port and User: as suggested by the AWS documentation
Auth: Public Key
Private key: file .pem (the one I'm also using to connect via ssh from command line)
The connection works great at the beginning.
After some minutes of inactivity if I open a table the connection stucks and I need to invalidate/reconnect to fetch the data. This process sometimes is done by DBeaver, after 15 seconds of not fetching anything, but sometimes even if I wait 2 minutes it keeps running but fetching nothing.
Is there something I'm missing in my configuration? Or some configuration on the server maybe.. I don't know..
Have you ever had this problem?
Here I had the same situation. Previous versions of DBeaver used to keep the connection longer (I don't remember precisely which version), in the order of hours.
I solved this issue by using a VPN or a SSH port forwarding from my machine. So, it is the same configuration as yours with localhost, but the tunnel is done outside DBeaver.
config using pem key in shh tunel
Trying to connect to a remote MongoDB server I get: socket operation timed out.
and the firewall log also doesn't mention any attempted connection.
I have the Mongodb running on a remote Windows 2012 vm.
I used --bind_ip 0.0.0.0 and added the firewall rules from the docs.
pingĀ“ing from either client/server works and so does the vnc.
And I'm able to connect from the server using either localhost or the ip
Im new to networking and thought I slowly understand, but apparently thats not the case!
Is there anything else I did not consider?
Try this in your terminal
mongo -u <USER> -p <PASSWORD> <HOST>:<PORT>/<DB> --authenticationDatabase <AUTH_DB>
I'm trying SSH tunneling for the first time hence, I'm expecting some level of guidance (with explanation) to setup an SSH tunnel so that I from my Windows client machine can connect to things like ElasticSearch and MongoDB that are residing on AWS EC2 Windows Server.
Here is how you can make tunnel to server for MongoDB,
ssh -L 9999:127.0.0.1:27017 user#serverip -NnT
Now you are able to access your remote mongodb through tunnel on port 9999 so you can now connect to mongodb server from local like,
mongo --host 127.0.0.1 --port 9992
The same way you can also create your own tunnel for elasticsearch also by specifying Port of elastic search like below,
ssh -L 9200:127.0.0.1:9200 user#serverip -NnT
Not have more knowledge of accessing elastic through port but this might help.