Last week, one of my customers asked for architecture recommendations to securely deploy production MongoDB instances on Amazon EC2 AWS. This got me thinking about the topic and this blog post is the result. Far too many companies expose their production MongoDB databases on the internet when there are better options. Rule #1 of security is to restrict physical access to your database servers. Even if your credentials are compromised, it greatly reduces the impact if the attacker cannot access your servers.
Before we dive into the details, let’s step back a little and remember how IT staff used to deploy databases in the pre-Amazon AWS world. I can remember a couple of different configurations:
1. Dual Firewall DMZ (Demilitarized zone) Configuration
In this configuration, the front-tier and mid-tier servers are deployed in a DMZ and the database servers are behind the second firewall. The front firewall allows connections on the web ports and the back firewall only allows connections on the database ports.
2. VLAN – Less Popular than Dual Firewall DMZ
The database servers and the front-end servers are on separate VLAN’s. Only the database ports are allowed in the trunk interconnect between the two VLAN’s.
Technically, nothing much as changed since. However, the techniques are now different. No longer do you talk about DMZ’s and firewalls, but you talk in terms of VPC’s and Security Groups. If you are a larger enterprise with an IT staff, I would definitely look into Amazon VPC. It gives you a lot of control over the layer 3 network and you can put your databases into a private subnet and not expose them to the internet. It, however, is a much longer topic for another blog post. If you have already setup VPC and want to setup MongoDB in the VPC, here is my blog post to walk you through the steps – Deploying MongoDB on Amazon VPC.
In the rest of this post, I will concentrate on EC2-classic.
3 Steps to Configure Dual Firewall DMZ in AWS
1. Create a Security Group for your MongoDB Servers
A Security Group can span an entire region – so even if you have a replica set you can distribute your replica’s across availability zones in the region and still have then in the same Security Group. Create a Security Group for your MongoDB Servers and add all your mongo servers only to this Security Group.
2. Create a Security Group for your Mid/Front Tier Servers
Create an additional Security Group for your mid and/or front tier MongoDB servers.
3. Configure your MongoDB Security Group Access
Configure your MongoDB Security Group to allow access to the front tier servers only on the MongoDB ports. Configure your front end Security Group to open the web ports to the internet.
Configure Dual Firewall DMZ in AWS Through ScaleGrid
1. Create a Security Group in AWS
Log into your Amazon console and create a Security Group for your mid/front-tier servers. Let’s call the Security Group ‘AppServerSG’. Configure this Security Group to open the http/https port as necessary. Place you mid-tier and front-tier servers in this Security Group.
2. Create a ScaleGrid AWS Cloud Profile
Log into the ScaleGrid console and click on the Machine Pool tab. Create your own custom Machine pool so that you can deploy and manage mongo instances in your own AWS account. In the Machine pool tab click on the create button. Enter you Amazon API key and secret key and press Next:
3. Select Your AWS Region for MongoDB
Select the AWS region of your choice for deploying MongoDB:
4. Configure Your Access Policy
This is the main step for the security configuration. Select the option to only allow machines in a particular Security Group to access your MongoDB servers. Then select the Security Groups to which you would like to provide access. Enter a name for your machine pool and then click next:
5. Create Your MongoDB Cluster
Navigate back to your MongoDB deployments page in the main console. Click ‘Create’ to create a new MongoDB cluster. In the Machine Pool selection, select the machine pool that you just created and create the cluster.
This is just one of the techniques to secure your MongoDB deployment on AWS. If you have any other suggestions please use the comments sections to provide your feedback. For more detailed security practices refer to the 10gen security practices. As always if you have any questions you email us at firstname.lastname@example.org.