TechQA.

Connecting MongoDB Atlas endpoint with VPN

875 views Asked by At

I have setup a MongoDB Atlas. Also, I have configured a VPC peering from MongoDB Atlas to my AWS VPC. I have allowed VPC CIDR in the IP access list on MongoDB Atlas and it's working fine.

I also have a client VPN endpoint that I am using to connect AWS VPC via secure tunnel. I have also allowed my client VPN private IP range on MongoDB Atlas IP access list but I am unable to connect to MongoDB Atlas endpoint.

I tried to dig down further and performed these steps:

  • resolve hostname from SRV record:

    nslookup -type=SRV _mongodb._tcp.clusterx.xxxxxxxxxx.mongodb.net

  • ping the hostname

    ping clusterx-shard-xx-xx.xxxxxx.mongodb.net

When trying the ping from AWS VPC, it resolves to the private IP of that hostname but when I try to ping the hostname from local, it resolves to public IP of that hostname. That was the reason I was unable to connect to MongoDB Atlas endpoint from my local.

Is there any way to make MongoDB connection work with private IP from my local?

mongodb amazon-web-services amazon-vpc mongodb-atlas aws-vpn
Original Q&A
2

There are 2 answers

0
d1sh4 On

You're most probably missing the route to the Atlas instance within your VPN connection.

AWS is aware of the destination IP address (therefore, it is resolvable), but doesn't route your traffic to it (therefore, ping fails).

To resolve, you need to add the route to the Atlas instance - or add a default route that brings all the traffic through your VPN (which I do not recommend). You can find out how to do it in more detail in AWS documentation.

0
DavidT On

You need bi-directional routing - your packets have to get from your machine to Atlas and packets from Atlas have to be able to get back to your machine. I am unsure if you can modify the routing table on the Atlas side to send the packets back.

Assuming it's not possible to modify the routing table on the Atlas side you will need to ensure that your outbound packets appear to come from an IP in the peered VPC instead of an external IP range.

The two easiest ways of doing that are:

  • If your VPN is terminated inside the target VPC you may be able to enable SNAT (Source NAT) so that the VPN masks your IP (and sends all outbound packets using its own IP).
  • If not, spin up an EC2 instance inside the target VPC and ssh to the instance and include a local port forward (-L) to forward a local port which you can then use to connect to Atlas.

Related Questions in MONGODB

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-VPC

Related Questions in MONGODB-ATLAS

Related Questions in AWS-VPN

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions