AWS MongoDB in Private VPC Architecture

VPC with private and public subnets in two Availability Zones

This reference architecture provides a set of YAML templates for deploying the following AWS services:

  • Amazon IAM
  • Amazon Security Group
  • Amazon EC2
  • Amazon Route53

Prerequisites Notes

The CloudFormation Security Group ingress rule is open to any IP address by default (for testing purposes). You should restrict the Security Group access to your own IP address to secure your instances.

Before you can deploy this process, you need the following:

  • Your AWS account must have one VPC available to be created in the selected region
  • Amazon EC2 key pair
  • A domain hosted in Route 53
  • cloudformation-vpc (assuming you have already deployed the VPC)

Tested on the following Region:

  • US East (N. Virginia)

This template describes a VPC with two private and two public subnets.


MongoDB Cloud Manager Setup

Create a New Project, click “New Project” CloudManager-Setup1

Select “Cloud Manager” and Click “Next” CloudManager-Setup2

Enter the name of your project and click “Next” CloudManager-Setup3

Your project will be created. CloudManager-Setup4

Go to the project’s “Deployment” page. Under “Crytera > Timeclonedbrep”, select “Agents” and then “Downloads & Settings”. Since the instances run a Debian-based OS, select the Automation agent “Ubuntu (15.x, 16.x) - DEB” CloudManager-Setup5

Use the mmsGroupId and mmsApiKey values to set up the MMS automation agent in your CloudFormation script. CloudManager-Setup6

The MMS automation agent is deployed and running once the CloudFormation run has completed. CloudManager-Setup7
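An added example (not this repository’s template) showing how the Prerequisites note and the mmsGroupId/mmsApiKey step fit into a CloudFormation template: the ingress CIDR becomes a parameter instead of the open default, and the agent credentials are NoEcho parameters consumed only in UserData. The agent package URL, config file keys, service name and AMI are assumptions taken from the agent’s install instructions; copy the real values from Cloud Manager’s “Downloads & Settings” page.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AllowedCidr:            # replace the open default with your own address
    Type: String
    Default: 203.0.113.10/32        # constructed placeholder (TEST-NET-3 range)
  MmsGroupId:
    Type: String
    NoEcho: true          # hidden in the console, stack events and describe-stacks
  MmsApiKey:
    Type: String
    NoEcho: true          # never let the agent API key appear in stack output
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id
  ImageId:
    Type: AWS::EC2::Image::Id       # Ubuntu 16.04 AMI for the region (assumed)
Resources:
  MongoSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH and mongod reachable only from AllowedCidr
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 22,    ToPort: 22,    CidrIp: !Ref AllowedCidr }
        - { IpProtocol: tcp, FromPort: 27017, ToPort: 27017, CidrIp: !Ref AllowedCidr }
  MongoInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t2.medium
      KeyName: !Ref KeyName
      SubnetId: !Ref PrivateSubnetId
      SecurityGroupIds: [ !Ref MongoSecurityGroup ]
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -e
          # Package URL is assumed; copy the real one from Agents > Downloads & Settings
          curl -sSfO https://cloud.mongodb.com/download/agent/automation/mongodb-mms-automation-agent-manager_latest_amd64.ubuntu1604.deb
          dpkg -i mongodb-mms-automation-agent-manager_latest_amd64.ubuntu1604.deb
          # Bind the agent to this project (config path and keys assumed from the agent docs)
          sed -i "s|^mmsGroupId=.*|mmsGroupId=${MmsGroupId}|" /etc/mongodb-mms/automation-agent.config
          sed -i "s|^mmsApiKey=.*|mmsApiKey=${MmsApiKey}|" /etc/mongodb-mms/automation-agent.config
          mkdir -p /data && chown mongodb:mongodb /data   # DB directory prefix used later (/data); user created by the agent package (assumed)
          systemctl enable mongodb-mms-automation-agent.service
          systemctl start mongodb-mms-automation-agent.service
```

The key and group id still travel through the instance metadata endpoint as UserData, so keep the instance in the private subnet and treat the API key as a secret you can rotate in Cloud Manager.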

Go to Deployment > Security > Edit Settings. Under “Authentication Mechanisms”, check “Username/Password”. CloudManager-Setup8

Click “Next” without enabling SSL; we will enable it later in the process. CloudManager-Setup9

Save. On this first run the initiated credential will have a blank password. Remember, you need to re-run this credential process again to generate a new password. CloudManager-Setup10

Deploy your changes. CloudManager-Setup11

Re-run the entire credential process again; only this time the mms-automation agent user will generate a password. Don’t Save and Deploy yet. CloudManager-Setup12

Log in to your MongoDB replica master and create the admin user first, using the credentials you got from Cloud Manager. CloudManager-Setup13

Now Save, Review and Deploy your changes. CloudManager-Setup14

Next, go to Deployment > Server.
Install the Monitoring Agent on the master replica.
Install the Monitoring and Backup Agents on the secondary replica. CloudManager-Setup15

Confirm, Review and Deploy. CloudManager-Setup16

Go to Deployment > Processes and click “Manage Existing”. CloudManager-Setup17

Add the master hostname and mongod port. Turn on “Enable Authentication”. CloudManager-Setup18

Choose Auth Mechanism “Username/Password”, enter the username and password, and select “Continue”. CloudManager-Setup19

Continue, but make sure you see all the processes in your deployment. CloudManager-Setup20

Check “I understand that this require…” and click “Continue”. CloudManager-Setup21

Check, “Yes, import users and roles from this deployment item”.
Click “Continue”. CloudManager-Setup22

Proceed after “Automation Agent Successfully Verified”. CloudManager-Setup23

Proceed after “Initializing Automation for your Deployment”. CloudManager-Setup24

Save, Review and Deploy. CloudManager-Setup25

The replica set processes now display as completed! CloudManager-Setup26

Go to Deployment > Security > MongoDB User.
Turn on “Enforce Consistent Set”.
Confirm “Enforce Consistent Set”. CloudManager-Setup27

Save, Review and Deploy. CloudManager-Setup28

Now let’s go through the steps to enable the TLS/SSL settings.
Make sure the certificates (PEM files) are already installed on your servers.
Go to Deployment > Security > Authentication & TLS/SSL.
Edit Settings, proceed to “Authentication Mechanisms” and click “Next”. CloudManager-Setup29

Enable TLS/SSL option.
Enter TLS/SSL CA File Path.
Switch “Client Certificate Mode” to “Require”. CloudManager-Setup30

Enter the PEM file for the Automation, Backup and Monitoring Agents.
Next, click “Save”. CloudManager-Setup31

Save, Review and Deploy. CloudManager-Setup32

Proceed, Review and Deploy. CloudManager-Setup33

The change now shows TLS/SSL as Enabled. CloudManager-Setup34

Next, to ensure TLS/SSL support is enabled in the MongoDB replica set,
go to Deployment > Processes. Select the replica set name and choose the “Modify” setting.
Update the following:
DB Directory Path Prefix = /data
bindIp =
sslMode = requireSSL
sslPEMKeyFile = /etc/ssl/certs/mongodb.pem
Then click “Apply”. CloudManager-Setup35

Now repeat the previous step for the rest of the servers. Mostly the update is just the following:
sslMode = requireSSL
sslPEMKeyFile = /etc/ssl/certs/mongodb.pem
You will see the icon change in your replica set during this process. CloudManager-Setup36

Save, Review, Confirm and Deploy. CloudManager-Setup37

Proceed to Confirm and Deploy CloudManager-Setup38

Once the deploy is completed, you can double-check the SSL/TLS changes by selecting a host and clicking the connect option to see an example connection command. CloudManager-Setup39

Click “Metric” to monitor all MongoDB traffic/usage. CloudManager-Setup40

Refer to “Data Explorer” for the overall data list. CloudManager-Setup41

Adding a new user: click “Add New User”. CloudManager-Setup42
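For reference, an added example (not from this page or the Cloud Manager UI) showing the process settings from the steps above as a mongod configuration file, the weak default beside the hardened version. The bind address, replica set name, CA path and keyfile path are constructed; on hosts managed by the automation agent the agent generates the process configuration itself, so apply the change through Cloud Manager as described rather than by hand-editing a file.

```yaml
# BEFORE (constructed): a member as it runs before the Cloud Manager changes above
net:
  port: 27017
  bindIp: 0.0.0.0                 # reachable on every interface, plaintext only
storage:
  dbPath: /data/rs0               # under the "DB Directory Path Prefix" /data
replication:
  replSetName: rs0                # constructed replica set name
---
# AFTER: the equivalent of the settings pushed once auth and TLS/SSL are enabled
net:
  port: 27017
  bindIp: 10.0.1.10               # constructed private-subnet address for this member
  ssl:                            # net.ssl on the 3.x releases of that era; net.tls on MongoDB 4.2+
    mode: requireSSL                          # sslMode = requireSSL
    PEMKeyFile: /etc/ssl/certs/mongodb.pem    # sslPEMKeyFile
    CAFile: /etc/ssl/certs/ca.pem             # "TLS/SSL CA File Path" (constructed)
storage:
  dbPath: /data/rs0
replication:
  replSetName: rs0
security:
  authorization: enabled          # Username/Password mechanism enforced on every connection
  keyFile: /var/lib/mongodb-mms-automation/keyfile   # members authenticate to each other; agent-generated (assumed path)
```

The example connection command Cloud Manager shows for a host after this change should include the --ssl option; a plain, non-TLS connection attempt should be refused.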

Add the following.
Identifier: test (dbname)
username: user1
Roles: dbOwner
Password: xxxxxx
Click “Add User”. CloudManager-Setup43

Save, Review and Deploy. CloudManager-Setup44

Once the changes take effect, you can double-check them in your CLI. CloudManager-Setup45

Troubleshoot slow queries by checking “Real Time” and looking at the slowest operations. CloudManager-Setup46

You can also set up log rotation according to your preference. CloudManager-Setup47

Finally, you can remove the replica set if you don’t like it and rebuild it all over again. CloudManager-Setup48
