All Products
Search
Document Center

ApsaraDB for MongoDB:Connect to an ApsaraDB for MongoDB instance by using an SSL-VPN tunnel

Last Updated:Jul 03, 2024

This topic describes how to connect to an ApsaraDB for MongoDB instance in a virtual private cloud (VPC) by using an SSL-VPN tunnel. The SSL-VPN tunnel allows you to manage the instance from a local client with ease.

Scenarios

  • The public IP address of the local client dynamically changes. As a result, you must frequently update the IP address whitelist that contains the public IP address of the local client in the ApsaraDB for MongoDB console. If you do not delete expired IP addresses at your earliest opportunity, security risks may arise.

  • A high level of security is required when you connect to an ApsaraDB for MongoDB instance over the Internet.

  • You must log on to the ApsaraDB for MongoDB instance from an Elastic Compute Service (ECS) instance over the Internet. This may cause security risks. In this case, you must separate ECS management permissions from ApsaraDB for MongoDB database permissions.

Billing

You are charged fees when you create a VPN gateway. For more information, see Billing.

Prerequisites

  • The network type of the ApsaraDB for MongoDB instance is VPC. If the network type of the instance is classic network, switch the network type of the instance from classic network to VPC. For more information, see Switch the network type of an ApsaraDB for MongoDB instance from classic network to VPC.

  • The CIDR block of the local client is different from that of the ApsaraDB for MongoDB instance.

  • The local client can access the Internet.

Networking

SSL连接环境介绍

Step 1: Create a VPN gateway

For more information, see Create and manage a VPN gateway.

When you create a VPN gateway, take note of the parameters described in the following table.

Parameter

Description

Region

The region where the VPN gateway resides. Select the same region as the ApsaraDB for MongoDB instance.

VPC

The VPC to which the VPC gateway belongs. Select the same VPC as the ApsaraDB for MongoDB instance.

IPsec-VPN

Specifies whether to enable the IPsec-VPN feature.

In this example, the local client is used to access the VPC. In this case, set the IPsec-VPN parameter to Disable.

The IPsec-VPN feature provides site-to-site connections. You can create an IPsec tunnel to establish a connection between a data center and a VPC or between two VPCs.

SSL-VPN

Specifies whether to enable the SSL-VPN feature.

In this example, the local client is used to access the VPC. In this case, set the SSL-VPN parameter to Enable.

The SSL-VPN feature provides site-to-site VPN connections. You can use an SSL-VPN tunnel to establish a connection between the local client and the VPN, You do not need to configure a gateway for the local client.

Step 2: Create an SSL server

For more information, see Create and manage an SSL server.

When you create an SSL server, take note of the parameters described in the following table.

Parameter

Description

VPN Gateway

The VPN gateway associated with the ApsaraDB for MongoDB instance. Select the VPC gateway created in Step 1.

Local Network

The local CIDR block that the local client needs to access by using the SSL-VPN connection. The CIDR block can be the CIDR block of a VPC, a vSwitch, a data center that is connected to a VPC by using a leased line, or an Alibaba Cloud service such as ApsaraDB RDS or Object Storage Service (OSS).

In this example, enter the CIDR block of the vSwitch in the VPC to which the ApsaraDB for MongoDB instance belongs: 172.16.1.0/24.

Note

The subnet mask of the CIDR block must be 16 to 29 bits in length.

Client CIDR Block

The CIDR block that you want to allocate to the virtual network interface of the local client. Do not enter the CIDR block where the local client resides. When the local client is connected to the ApsaraDB for MongoDB instance by using an SSL-VPN tunnel, the VPN gateway selects an IP address from the specified CIDR block and assigns the IP address to the local client.

In this example, enter 192.168.100.0/24.

Note

Make sure that the value of the Client CIDR Block parameter does not overlap that of the Local Network parameter.

Step 3: Create an SSL client

For more information about how to create an SSL client, see Create and manage an SSL client certificate.

After the SSL client certificate is created, you must download the certificate and install the certificate on the client. For more information, refer to the following section and topic:

Step 4: Establish an SSL-VPN connection

Linux client

  1. Open the CLI.

  2. Run the following command to install OpenVPN:

    # Run the following command to install OpenVPN on CentOS:
    yum install -y openvpn
    # Run the following command to check whether the system creates the /etc/openvpn/conf/ directory. If the directory is not created, you must manually create the /etc/openvpn/conf/ directory. 
    cd /etc/openvpn # Go to the openvpn/ directory.
    ls              # Check whether the conf/ directory is created in the openvpn/ directory.
    mkdir -p /etc/openvpn/conf # If the conf/ directory does not exist in the openvpn/ directory, you must manually create the conf/ directory. 
    
    # Run the following command to install OpenVPN on Ubuntu:
    apt-get update
    apt-get install -y openvpn
    # Run the following command to check whether the system creates the /etc/openvpn/conf/ directory. If the directory is not created, you must manually create the /etc/openvpn/conf/ directory. 
    cd /etc/openvpn # Go to the openvpn/ directory.
    ls              # Check whether the conf/ directory is created in the openvpn/ directory.
    mkdir -p /etc/openvpn/conf # If the conf/ directory does not exist in the openvpn/ directory, you must manually create the conf/ directory.

  3. Decompress the SSL client certificate package that you download and copy the SSL client certificate to the /etc/openvpn/conf/ directory.

  4. Go to the /etc/openvpn/conf/ directory and run the following command to establish an SSL-VPN connection:

    openvpn --config /etc/openvpn/conf/config.ovpn --daemon

Windows client

  1. Download and install the OpenVPN client for Windows.

  2. Decompress the SSL client certificate package that you download and copy the SSL client certificate to the OpenVPN\config directory.

    In this example, the certificate is copied to the C:\Program Files\OpenVPN\config directory. You must copy the certificate to the directory in which the OpenVPN client is installed.

  3. Start the OpenVPN client and click Connect to establish a connection.

Step 5: Log on to the ApsaraDB for MongoDB instance

  1. Add the local client CIDR block specified in Step 2 to all IP address whitelists of the ApsaraDB for MongoDB instance. In this example, add 172.16.1.0/24 to all IP address whitelists of the ApsaraDB for MongoDB instance.

  2. Log on to the ApsaraDB for MongoDB console.

  3. Obtain the internal endpoints of the ApsaraDB for MongoDB instance. For more information, see Connect to a replica set instance.

  4. Use the mongo shell or other management tools to log on to the ApsaraDB for MongoDB instance. For more information about the mongo shell, see Connect to an ApsaraDB for MongoDB replica set instance by using the mongo shell.

    Note

    Log on to the ApsaraDB for MongoDB instance by using the internal endpoint of the instance.