Connecting to AWS DocumentDB from outside AWS network
For whatever reason, Amazon does not allow accessing a DocumentDB database from outside its VPC.
However, there is a way of reaching it from outside the VPC, over the internet, without spending much. I highly recommend reserving it for dev or debugging purposes, since it makes the database more exposed. The solution is: reverse tunneling.
Fast forward solution
If you want to skip the explanation, just follow these steps:
Before you go…
Check out what you’ll need:
A DocumentDB cluster
- Create your cluster and instance
- Download the CA certificate bundle (your instance page shows how under the “Connectivity and Security” tab); at the time of writing it is:
wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
An Amazon Linux EC2 instance
- Create an EC2 instance with the minimum resources possible; you won’t need a big instance. If you already have an instance there is no need to create another one, just make sure it is in the same VPC as your DocumentDB cluster.
- When creating the EC2 instance you can create a key pair (certificate file) to access it, or create one beforehand and associate it in the creation step. Please do not forget it.
- Remember to allow inbound SSH (port 22) in the security group associated with the EC2 instance, ideally restricted to your own public IP.
Connecting to DocumentDB
Basically you need to use your EC2 instance as a jump host to reach the database:
Mongo Compass
When using MongoDB Compass, you’ll need to configure a bit more information than usual to enable the reverse tunneling, so open up Advanced Connection Options and do the following:
General tab
Host: your documentdb cluster name, usually: <cluster-name>.<random-id>.<aws-region>.docdb.amazonaws.com
Authentication tab
Set your authentication method here, usually Username/Password.
TLS/SSL tab
SSL/TLS Connection: On
Certificate Authority (.pem): Select the global-bundle.pem that you downloaded at step 2 of the DocumentDB configuration
Proxy/SSH tab
SSH Tunnel/Proxy Method: SSH with Identity File
SSH Hostname: your EC2 instance hostname, usually ec2-<host-ip>.<aws-region>.compute.amazonaws.com
SSH Port: 22
SSH Username: ec2-user (on Ubuntu the user is probably ubuntu)
SSH Identity File: the key pair file (.pem) you created or associated when creating the EC2 instance
Hit connect and be happy!
SSH Port forwarding
Another option, which you will need anyway so that the application you are developing can reach the database, is SSH port forwarding. Open up PowerShell and run the following command:
ssh -i <path-to-ec2-pem> -L 0.0.0.0:27017:<document-db-hostname>:27017 ec2-user@<ec2-hostname>
Both hostnames are shown on each resource’s page in the AWS console.
At this point you should be able to connect to your database while developing by accessing localhost:27017.
Remember to apply the certificate (global-bundle.pem) in your application code as well.
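As an added example that is not part of the original post, the Python below builds the same port-forward command and the connection URI an application would use through it. It differs from the command above in one defensive detail: it binds the forwarded port to 127.0.0.1 rather than 0.0.0.0, so the tunnel is reachable only from your own machine and not from other hosts on your LAN. It also collects the options that matter when the driver talks to “localhost” instead of the real cluster hostname (hostname check relaxation, no replica-set discovery, no retryable writes). All hostnames, paths and credentials are placeholders; the MongoClient usage in the comments assumes pymongo is installed and the tunnel is running.

```python
"""Added example (not part of the original post): build the SSH port-forward
command and the application connection URI for reaching DocumentDB through an
EC2 jump host. All hostnames, paths and credentials below are placeholders."""
from urllib.parse import parse_qs, quote_plus, urlsplit

# Placeholder values; replace with your own resources.
EC2_HOST = "ec2-<host-ip>.<aws-region>.compute.amazonaws.com"
EC2_USER = "ec2-user"
EC2_KEY_PATH = "/path/to/ec2-key.pem"
DOCDB_HOST = "<cluster-name>.<random-id>.<aws-region>.docdb.amazonaws.com"
DOCDB_PORT = 27017
LOCAL_PORT = 27017
CA_BUNDLE = "/path/to/global-bundle.pem"


def ssh_forward_argv(ec2_host=EC2_HOST, ec2_user=EC2_USER, key_path=EC2_KEY_PATH,
                     docdb_host=DOCDB_HOST, docdb_port=DOCDB_PORT,
                     local_port=LOCAL_PORT, bind_addr="127.0.0.1"):
    """Return the ssh argument list for a local port forward.

    Binding to 127.0.0.1 (instead of 0.0.0.0) keeps the forwarded DocumentDB
    port reachable only from this machine; -N opens no remote shell, since
    the EC2 host is used purely as a jump host.
    """
    forward = f"{bind_addr}:{local_port}:{docdb_host}:{docdb_port}"
    return ["ssh", "-i", key_path, "-N", "-L", forward, f"{ec2_user}@{ec2_host}"]


def docdb_tunnel_uri(username, password, local_port=LOCAL_PORT,
                     ca_bundle=CA_BUNDLE, database="admin"):
    """Return a MongoDB connection URI for DocumentDB reached via localhost.

    tls / tlsCAFile: DocumentDB requires TLS; the CA bundle validates the server.
    tlsAllowInvalidHostnames: the server certificate names the cluster host,
        not "localhost", so a strict hostname check fails through the tunnel.
    directConnection: the cluster's internal member hostnames are not
        reachable from outside the VPC, so skip replica-set discovery.
    retryWrites=false: DocumentDB does not support retryable writes.
    Username, password and path are percent-encoded so that characters such
    as '@', ':' or '/' cannot break the URI.
    """
    creds = f"{quote_plus(username)}:{quote_plus(password)}"
    opts = "&".join([
        "tls=true",
        f"tlsCAFile={quote_plus(ca_bundle)}",
        "tlsAllowInvalidHostnames=true",
        "directConnection=true",
        "retryWrites=false",
    ])
    return f"mongodb://{creds}@127.0.0.1:{local_port}/{database}?{opts}"


def uri_options(uri):
    """Parse the query options of a mongodb:// URI into a dict (for checks)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}


if __name__ == "__main__":
    print(" ".join(ssh_forward_argv()))
    print(docdb_tunnel_uri("app_user", "p@ss:word/1"))
    # With the tunnel running and pymongo installed:
    #   from pymongo import MongoClient
    #   client = MongoClient(docdb_tunnel_uri("app_user", "p@ss:word/1"))
    #   client.admin.command("ping")
```

Run the printed ssh command in one terminal and keep it open; the application then connects to the URI. If you drop `tlsAllowInvalidHostnames` the TLS handshake is rejected because the certificate does not match “127.0.0.1”, and if you drop `directConnection` the driver tries the cluster’s private hostnames and times out.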
A bit of explanation
Basically, we use our EC2 instance as a gateway to reach our DocumentDB cluster; that is why they need to be in the same VPC.
Once we connect to our EC2 instance it can forward our connection directly to DocumentDB, like a tunnel.
This can be used for other purposes too, for example if you have a machine that is reachable on your customer’s internal network and you need to reach other servers on ports that their firewall does not allow.
A simpler visual explanation (diagram):
Hope it helps you understand a little and reach your DocumentDB.
Keep coding!