Update: As of Dec 2015 AWS offers the managed NAT Gateway, so you no longer have to deploy and manage NAT instances for your private subnets yourself. If for some reason you still need to run your own NAT instances, the instructions below apply.
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a private, isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. With VPC, you define your own subnets and control the routes between them, and you decide which subnets, if any, are exposed to the internet. VPC "private" subnets are ideal hosts for your MongoDB servers: with a NAT in place, machines on the subnet can reach the internet, but nothing on the internet can initiate a connection to your servers. You can also set up a site-to-site VPN connection to reach your Mongo instances from on-premise.
ScaleGrid makes it easy to deploy and manage MongoDB hosting instances in a VPC subnet. All the existing features of MongoDB on AWS such as backups, recoveries, monitoring, alerts, etc. are fully functional in a VPC environment.
Private VPC subnets used for Mongo deployments need outbound access to the internet, so set up a NAT before you deploy your Mongo instances. If you are deploying a replica set, create three subnets, each in a separate availability zone.
Here is an example VPC (10.20.0.0/16) that I have set up in the EU region with four subnets:
- Subnet 1 (10.20.0.0/24) – Public subnet
- Subnet 2 (10.20.1.0/24) – Private subnet mapped to availability zone eu-west-1a
- Subnet 3 (10.20.2.0/24) – Private subnet mapped to availability zone eu-west-1b
- Subnet 4 (10.20.3.0/24) – Private subnet mapped to availability zone eu-west-1c
The goal in this post is to deploy a 3 node MongoDB replica set with one replica in each of subnets 2, 3 and 4.
A NAT instance has been set up in the public subnet to provide internet access for private subnets 2, 3 and 4. I also created a security group, "MongoSecurityGroup", that the MongoDB machines in subnets 2, 3 and 4 will be associated with. Here are the security group rules for the NAT and for the Mongo machines (the tricky part of the NAT setup is making sure the security groups allow both inbound and outbound communication with the NAT).
NAT security group
- Outbound: all traffic allowed (the default)
- Inbound: TCP 80, 443 and 5671 from MongoSecurityGroup
Mongo security group (MongoSecurityGroup)
- Outbound: all traffic allowed (the default)
- Inbound: TCP 27017 from the application security group and from MongoSecurityGroup; TCP 27019 from MongoSecurityGroup (for shards)
Use security group IDs as the source of each inbound rule rather than CIDR ranges, and never open 27017 or 27019 to 0.0.0.0/0: the whole point of the private subnet is that the only path to the database is from the application and Mongo groups.
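The rules above can be checked mechanically instead of by eye. The script below is an added example and not ScaleGrid's code: it reads the JSON that `aws ec2 describe-security-groups --output json` produces (IpPermissions entries with UserIdGroupPairs and IpRanges) and confirms that the NAT group admits 80, 443 and 5671 from the Mongo group, that the Mongo group admits 27017 from the application and Mongo groups and 27019 from the Mongo group, and that neither Mongo port is reachable from the internet. The group IDs and names and both rule sets are constructed for the example; point `audit_cli_output` at real CLI output to audit your own VPC.

```python
"""Audit the NAT and Mongo security groups described above.

Added example, not ScaleGrid's code. It consumes the JSON shape produced by
`aws ec2 describe-security-groups --output json` (IpPermissions entries with
UserIdGroupPairs and IpRanges) and reports every deviation from the rules in
the post. Group IDs and names below are made up; both rule sets are constructed.
"""
import json

NAT_SG, MONGO_SG, APP_SG = "sg-0nat000000", "sg-0mongo0000", "sg-0app000000"


def rule(proto, from_port=None, to_port=None, groups=(), cidrs=()):
    """One IpPermissions entry in the AWS JSON shape ("-1" means all traffic)."""
    entry = {"IpProtocol": proto,
             "UserIdGroupPairs": [{"GroupId": g} for g in groups],
             "IpRanges": [{"CidrIp": c} for c in cidrs]}
    if proto != "-1":            # all-traffic entries carry no port range
        entry["FromPort"], entry["ToPort"] = from_port, to_port
    return entry


ALLOW_ALL_OUT = [rule("-1", cidrs=["0.0.0.0/0"])]   # the AWS default egress rule

# Constructed sample that matches the rules listed in the post.
SAMPLE_GROUPS = [
    {"GroupId": NAT_SG, "GroupName": "NATSecurityGroup",
     "IpPermissions": [rule("tcp", 80, 80, [MONGO_SG]),
                       rule("tcp", 443, 443, [MONGO_SG]),
                       rule("tcp", 5671, 5671, [MONGO_SG])],
     "IpPermissionsEgress": ALLOW_ALL_OUT},
    {"GroupId": MONGO_SG, "GroupName": "MongoSecurityGroup",
     "IpPermissions": [rule("tcp", 27017, 27017, [APP_SG, MONGO_SG]),
                       rule("tcp", 27019, 27019, [MONGO_SG])],
     "IpPermissionsEgress": ALLOW_ALL_OUT},
]

# Constructed sample with two common mistakes: 5671 missing from the NAT group,
# and 27017 opened to the whole internet next to the group-based rule.
MISCONFIGURED_GROUPS = [
    {"GroupId": NAT_SG, "GroupName": "NATSecurityGroup",
     "IpPermissions": [rule("tcp", 80, 80, [MONGO_SG]),
                       rule("tcp", 443, 443, [MONGO_SG])],
     "IpPermissionsEgress": ALLOW_ALL_OUT},
    {"GroupId": MONGO_SG, "GroupName": "MongoSecurityGroup",
     "IpPermissions": [rule("tcp", 27017, 27017, [APP_SG, MONGO_SG], ["0.0.0.0/0"]),
                       rule("tcp", 27019, 27019, [MONGO_SG])],
     "IpPermissionsEgress": ALLOW_ALL_OUT},
]


def permits(perm, port, source):
    """True if one inbound entry admits TCP `port` from `source`, where
    `source` is a security-group ID or a CIDR string."""
    proto = perm["IpProtocol"]
    if proto == "tcp":
        if not perm["FromPort"] <= port <= perm["ToPort"]:
            return False
    elif proto != "-1":          # udp/icmp entries never admit a TCP port
        return False
    sources = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    sources |= {r["CidrIp"] for r in perm.get("IpRanges", [])}
    sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return source in sources


def inbound_allows(group, port, source):
    return any(permits(p, port, source) for p in group["IpPermissions"])


def world_open(group, port):
    """True if `port` is admitted from any IPv4 or IPv6 address."""
    return any(inbound_allows(group, port, c) for c in ("0.0.0.0/0", "::/0"))


# (group, TCP port, required source) for every flow the post lists.
REQUIRED_FLOWS = [
    (NAT_SG, 80, MONGO_SG), (NAT_SG, 443, MONGO_SG), (NAT_SG, 5671, MONGO_SG),
    (MONGO_SG, 27017, APP_SG), (MONGO_SG, 27017, MONGO_SG),
    (MONGO_SG, 27019, MONGO_SG),
]


def audit(groups):
    """Return a list of findings; an empty list means the groups match the post."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    for gid, port, src in REQUIRED_FLOWS:
        if gid not in by_id:
            findings.append(f"security group {gid} not found")
        elif not inbound_allows(by_id[gid], port, src):
            findings.append(f"{by_id[gid]['GroupName']} does not allow "
                            f"{port}/tcp inbound from {src}")
    mongo = by_id.get(MONGO_SG)
    for port in (27017, 27019):
        if mongo is not None and world_open(mongo, port):
            findings.append(f"{mongo['GroupName']} exposes {port}/tcp to the internet")
    return findings


def audit_cli_output(text):
    """Audit the raw output of `aws ec2 describe-security-groups --output json`."""
    return audit(json.loads(text)["SecurityGroups"])


if __name__ == "__main__":
    for label, groups in (("sample", SAMPLE_GROUPS), ("misconfigured", MISCONFIGURED_GROUPS)):
        print(label, audit(groups) or "OK")
```

Run against `MISCONFIGURED_GROUPS` the script reports two findings, one for the missing 5671 rule on the NAT group and one for 27017 being reachable from the internet; the world-open check is the one that matters most, because a 0.0.0.0/0 rule added "temporarily" next to the group-based rule silently undoes the protection the private subnet was supposed to give.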
Once you have set up your security group rules, verify them. The only real way to confirm that the security groups are correct is to launch an instance and test from it:
- Create an instance from the AWS console and place it in one of the subnets configured.
- SSH into the instance and check internet connectivity by running "wget cnn.com". If this fails, outbound internet access is not set up correctly.
Verification steps when connections are not working:
- SSH into the NAT instance and verify that it has internet connectivity itself by running a wget command.
- Verify that traffic from your instance on the private subnet to the NAT on ports 80, 443 and 5671 is allowed: the NAT security group must admit those ports inbound from MongoSecurityGroup, and the private subnet's route table must send internet-bound traffic to the NAT.
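The troubleshooting steps above can be automated from the private-subnet instance. The script below is an added example and not ScaleGrid's code: it opens TCP connections through the NAT to internet hosts on the three ports the NAT rule must admit and classifies each failure so you know which layer to look at. The probe targets are assumptions: cnn.com mirrors the wget check above, and the 5671 host is a placeholder to replace with whatever service your 5671 rule exists for.

```python
"""Outbound connectivity probe to run from an instance in a private subnet.

Added example, not ScaleGrid's code. It automates the verification steps
above: connect through the NAT to internet hosts on the ports the NAT
security group must admit (80, 443, 5671) and turn each failure into a
pointer at the layer to fix. The probe targets are assumptions.
"""
import socket

# Constructed probe list of (port, host). cnn.com mirrors the `wget cnn.com`
# check; the 5671 host is a placeholder for whatever service that rule is for.
PROBES = [(80, "cnn.com"), (443, "cnn.com"), (5671, "replace-me.example.com")]


def probe(host, port, timeout=3.0):
    """Classify one TCP connect as 'open', 'refused', 'timeout', 'dns' or
    'error: ...'. Security groups and missing routes drop packets silently,
    so a timeout points at the VPC; a refusal proves the path is open and
    only the remote service is absent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:          # e.g. "Network is unreachable": no default route
        return f"error: {exc.strerror or exc}"


def probe_all(probes=PROBES, timeout=3.0):
    """Run every probe; returns {port: status}."""
    return {port: probe(host, port, timeout) for port, host in probes}


def diagnose(results):
    """Map {port: status} to the troubleshooting steps above."""
    if any(r == "dns" for r in results.values()):
        return ("name resolution failed: check the probe host names and that the "
                "VPC has DNS resolution enabled")
    dropped = sorted(p for p, r in results.items()
                     if r == "timeout" or r.startswith("error"))
    if dropped and dropped == sorted(results):
        return ("no port reaches the internet: check that the private subnet's route "
                "table sends 0.0.0.0/0 to the NAT, then SSH to the NAT and verify its "
                "own outbound access with wget")
    if dropped:
        return (f"ports {dropped} are dropped: the NAT security group must admit them "
                "inbound from MongoSecurityGroup")
    return "ok: outbound access through the NAT works on every probed port"


if __name__ == "__main__":
    results = probe_all()
    for port, status in results.items():
        print(f"{port:>5}  {status}")
    print(diagnose(results))
```

The distinction the script relies on is that AWS security groups and missing routes drop packets rather than rejecting them, so a connection that times out points at the VPC configuration, while a connection that is refused has already traversed the NAT and only tells you nothing listens on the far side. If every port is dropped, start with the route table and the NAT instance itself; if only one port is dropped, the NAT security group is missing that rule.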
Once you have verified your setup, here is a detailed step-by-step process for deploying your Mongo instances in a VPC subnet.
Step 1: Create a Machine pool per VPC subnet
Navigate to the Machine Pools (or Cloud Profile) tab and click Create to connect your AWS account. Enter your AWS access key ID and secret access key; use keys for a dedicated IAM user rather than your root account credentials.
Select the region in which you have created the VPC.
Select the VPC deployment configuration and pick your VPC, subnet and security groups. To distribute a replica set across subnets, create one machine pool per subnet and then, in the create wizard, choose the right machine pool for each instance.
Step 2: Deploy your Mongo instances into the Machine pool of the VPC subnet
Navigate to the Deployments tab and click Create to create a new MongoDB cluster. In the wizard, pick the machine pool you just created as the deployment target; this creates your Mongo instances in the VPC subnet you selected for that pool.
If you have other questions, comments or feature requests, we would love to hear from you. You can email us at [email protected].