This topic describes how to connect to an ApsaraDB for MongoDB instance in a virtual private cloud (VPC) by using an SSL-VPN tunnel. The SSL-VPN tunnel allows you to manage the instance from a local client with ease.
Scenarios
The public IP address of the local client dynamically changes. As a result, you must frequently update the IP address whitelist that contains the public IP address of the local client in the ApsaraDB for MongoDB console. If you do not delete expired IP addresses at your earliest opportunity, security risks may arise.
A high level of security is required when you connect to an ApsaraDB for MongoDB instance over the Internet.
You must log on to the ApsaraDB for MongoDB instance from an Elastic Compute Service (ECS) instance over the Internet. This may cause security risks. In this case, you must separate ECS management permissions from ApsaraDB for MongoDB database permissions.
Billing
You are charged fees when you create a VPN gateway. For more information, see Billing.
Prerequisites
The network type of the ApsaraDB for MongoDB instance is VPC. If the network type of the instance is classic network, switch the network type of the instance from classic network to VPC. For more information, see Switch the network type of an ApsaraDB for MongoDB instance from classic network to VPC.
The CIDR block of the local client is different from that of the ApsaraDB for MongoDB instance.
The local client can access the Internet.
Networking
Step 1: Create a VPN gateway
For more information, see Create and manage a VPN gateway.
When you create a VPN gateway, take note of the parameters described in the following table.
Parameter | Description |
Region | The region where the VPN gateway resides. Select the same region as the ApsaraDB for MongoDB instance. |
VPC | The VPC to which the VPC gateway belongs. Select the same VPC as the ApsaraDB for MongoDB instance. |
IPsec-VPN | Specifies whether to enable the IPsec-VPN feature. In this example, the local client is used to access the VPC. In this case, set the IPsec-VPN parameter to Disable. The IPsec-VPN feature provides site-to-site connections. You can create an IPsec tunnel to establish a connection between a data center and a VPC or between two VPCs. |
SSL-VPN | Specifies whether to enable the SSL-VPN feature. In this example, the local client is used to access the VPC. In this case, set the SSL-VPN parameter to Enable. The SSL-VPN feature provides site-to-site VPN connections. You can use an SSL-VPN tunnel to establish a connection between the local client and the VPN, You do not need to configure a gateway for the local client. |
Step 2: Create an SSL server
For more information, see Create and manage an SSL server.
When you create an SSL server, take note of the parameters described in the following table.
Parameter | Description |
VPN Gateway | The VPN gateway associated with the ApsaraDB for MongoDB instance. Select the VPC gateway created in Step 1. |
Local Network | The local CIDR block that the local client needs to access by using the SSL-VPN connection. The CIDR block can be the CIDR block of a VPC, a vSwitch, a data center that is connected to a VPC by using a leased line, or an Alibaba Cloud service such as ApsaraDB RDS or Object Storage Service (OSS). In this example, enter the CIDR block of the vSwitch in the VPC to which the ApsaraDB for MongoDB instance belongs: 172.16.1.0/24. Note The subnet mask of the CIDR block must be 16 to 29 bits in length. |
Client CIDR Block | The CIDR block that you want to allocate to the virtual network interface of the local client. Do not enter the CIDR block where the local client resides. When the local client is connected to the ApsaraDB for MongoDB instance by using an SSL-VPN tunnel, the VPN gateway selects an IP address from the specified CIDR block and assigns the IP address to the local client. In this example, enter 192.168.100.0/24. Note Make sure that the value of the Client CIDR Block parameter does not overlap that of the Local Network parameter. |
Step 3: Create an SSL client
For more information about how to create an SSL client, see Create and manage an SSL client certificate.
After the SSL client certificate is created, you must download the certificate and install the certificate on the client. For more information, refer to the following section and topic:
The Step 4: Configure the client section of the "Connect a client to a VPC" topic
Step 4: Establish an SSL-VPN connection
Linux client
Open the CLI.
Run the following command to install OpenVPN:
# Run the following command to install OpenVPN on CentOS: yum install -y openvpn # Run the following command to check whether the system creates the /etc/openvpn/conf/ directory. If the directory is not created, you must manually create the /etc/openvpn/conf/ directory. cd /etc/openvpn # Go to the openvpn/ directory. ls # Check whether the conf/ directory is created in the openvpn/ directory. mkdir -p /etc/openvpn/conf # If the conf/ directory does not exist in the openvpn/ directory, you must manually create the conf/ directory. # Run the following command to install OpenVPN on Ubuntu: apt-get update apt-get install -y openvpn # Run the following command to check whether the system creates the /etc/openvpn/conf/ directory. If the directory is not created, you must manually create the /etc/openvpn/conf/ directory. cd /etc/openvpn # Go to the openvpn/ directory. ls # Check whether the conf/ directory is created in the openvpn/ directory. mkdir -p /etc/openvpn/conf # If the conf/ directory does not exist in the openvpn/ directory, you must manually create the conf/ directory.
Decompress the SSL client certificate package that you download and copy the SSL client certificate to the /etc/openvpn/conf/ directory.
Go to the /etc/openvpn/conf/ directory and run the following command to establish an SSL-VPN connection:
openvpn --config /etc/openvpn/conf/config.ovpn --daemon
Windows client
Download and install the OpenVPN client for Windows.
Decompress the SSL client certificate package that you download and copy the SSL client certificate to the OpenVPN\config directory.
In this example, the certificate is copied to the C:\Program Files\OpenVPN\config directory. You must copy the certificate to the directory in which the OpenVPN client is installed.
Start the OpenVPN client and click Connect to establish a connection.
Step 5: Log on to the ApsaraDB for MongoDB instance
Add the local client CIDR block specified in Step 2 to all IP address whitelists of the ApsaraDB for MongoDB instance. In this example, add 172.16.1.0/24 to all IP address whitelists of the ApsaraDB for MongoDB instance.
Log on to the ApsaraDB for MongoDB console.
Obtain the internal endpoints of the ApsaraDB for MongoDB instance. For more information, see Connect to a replica set instance.
Use the mongo shell or other management tools to log on to the ApsaraDB for MongoDB instance. For more information about the mongo shell, see Connect to an ApsaraDB for MongoDB replica set instance by using the mongo shell.
NoteLog on to the ApsaraDB for MongoDB instance by using the internal endpoint of the instance.