- Prerequisites
- Specifying the Amazon RDS Certificate Authority Certificate File
- Using an SSH Tunnel to Connect to Amazon DocumentDB
- Driver Setup in BI Applications
If you don't already have an Amazon DocumentDB cluster, there are a number of ways to get started.
Note that DocumentDB is a Virtual Private Cloud (VPC) only service. If you will be connecting from a local machine outside the cluster's VPC, you will need to create an SSH connection to an Amazon EC2 instance. In this case, launch your cluster using the instructions in Connect with EC2. See Using an SSH Tunnel to Connect to Amazon DocumentDB for more information on SSH tunneling and when you might need it.
Depending on your BI application, you may need to ensure a 64-bit JRE or JDK installation version 8 or later is installed on your computer. You can download the Java SE Runtime Environment 8 here.
Download the DocumentDB JDBC driver here. The driver is packaged as a single JAR file
(e.g., documentdb-jdbc-1.0.0-all.jar
).
If you are connecting to a TLS-enabled cluster, you may want to specify the Amazon RDS Certificate Authority certificate on your connection string. By default, an Amazon RDS Certificate Authority root certificate has been embedded in the JDBC driver JAR file which should work when connecting to Amazon DocumentDB clusters using SSL/TLS encryption. However, if you want to provide a new Amazon RDS Certificate Authority root certificate, follow the directions below:
-
It is recommended to relocate the file to your user's home directory:
$HOME
for Windows or~
for MacOS/Linux. -
Add the
tlsCAFile
option to your JDBC connection string. For example:jdbc:documentdb://localhost:27017/<database-name>?tlsAllowInvalidHostnames=true&tlsCAFile=rds-ca-2019-root.pem
To determine whether your cluster is TLS-enabled, you can
check the value of your cluster's tls
parameter.
Amazon DocumentDB (with MongoDB compatibility) clusters are deployed within an Amazon Virtual Private Cloud (Amazon VPC). They can be accessed directly by Amazon EC2 instances or other AWS services that are deployed in the same Amazon VPC. Additionally, Amazon DocumentDB can be accessed by EC2 instances or other AWS services in different VPCs in the same AWS Region or other Regions via VPC peering.
However, suppose that your use case requires that you (or your application) access your Amazon DocumentDB resources from outside the cluster's VPC. This will be the case for most users not running their application on a VM in the same VPC as the DocumentDB cluster. When connecting from outside the VPC, you can use SSH tunneling (also known as port forwarding) to access your Amazon DocumentDB resources.
There are two options to create an SSH tunnel:
- Internally, using the SSH tunnel options (minimally,
sshUser
,sshHost
, andsshPrivateKeyFile
). - Externally, using the
ssh
application. For further information on creating an external SSH tunnel, please refer to the documentation on Connecting from Outside an Amazon VPC
To create an SSH tunnel, you need an Amazon EC2 instance running in the same Amazon VPC as your Amazon DocumentDB cluster. You can either use an existing EC2 instance in the same VPC as your cluster or create one. Connecting from outside the Amazon VPC using an SSH tunnel will have the following impact on the JDBC connection string:
- If your cluster has Transport Layer Security (TLS) enabled, you will need to add the
tlsAllowInvalidHostNames=true
option. - For external SSH, since the SSH tunnel is running on your local computer, the host name must be set to
localhost
. - For external SSH, if your local port (
-L <local-port>:<cluster-host>:<remote-port>
) configured for the SSH tunnel is not the default port (27017) for Amazon DocumentDB, ensure the connection string host setting for your SSH tunnel is properly set in the JDBC connection string. - The
replicaSet
option is not supported when using an SSH tunnel.
Start an SSH port-forwarding tunnel to the cluster with the following command:
ssh -i <ssh-key-pair-filename>.pem -N -L <local-port>:<cluster-host>:<remote-port> <ec2-username>@<public-IPv4-DNS-name>
- The
-L
flag defines the port forwarded to the remote host and remote port. Adding the-N
flag means do not execute a remote command - Ensure you have read access permission for the file
<ssh-key-pair-filename>.pem
. To enable read access permission you can run the following command:chmod 400 <ssh-key-pair-filename>.pem
.
This is a prerequisite for connecting to any BI tool running on a client outside your VPC.
Example: Given the following
-
<cluster-host>
=sample-cluster.node.us-east-1.docdb.amazonaws.com
-
<public-IPv4-DNS-name>
=ec2-34-229-221-164.compute-1.amazonaws.com
-
<local-port>
=27117
-
<remote-port>
=27017
-
<ssh-key-pair-filename>.pem
=~/.ssh/ec2Access.pem
-
<ec2-username>
=ubuntu
The SSH tunnel command would look like:
ssh -i ~/.ssh/ec2Access.pem -N -L 27117:sample-cluster.node.us-east-1.docdb.amazonaws.com:27017 [email protected]
The JDBC connection string for connecting to the TLS-enabled Amazon DocumentDB cluster with
<database-name>
=customer
would look like:jdbc:documentdb://localhost:27117/customer?tlsAllowedInvalidHostnames=true
For further information on SSH tunneling , please refer to the documentation on Connecting from Outside an Amazon VPC.
To learn how to set up the driver in various BI tools, instructions are outlined here for: