AWS EC2 SSH Tunnel Bastion Server - mongodb

Trying to understand how this works, documentation isn't very clear. Using AWS quickstart-mongo, I am making a VPN for 3 Mongo nodes, with a bastion server. I can log into my bastion server via SSH and my key. Then I can copy the key to bastion server and SSH into the primary replica node. This node is running mongo and shows via rs.status() that all 3 nodes are running correctly.
Once logged into bastion server, I try to do curl primary-mongo-node-ip:27017, and it seems to hang.
Local Computer -> Bastion Server -> Replica Node 1 / 2 / 3
I think I understand I need to somehow connect to Bastion server, then set up a ssh forwarding to primary-mongo-node-ip:27017, sec1-mongo-node-ip:27017, sec2-mongo-node-ip:27017, so that my mongo URI connection looks like this:
SSH into bastion-dns
mongodb://user:pass#localhost:1000,localhost:1001,localhost:1002/database
How do I do this when I cant event connect to the server on bastion servers without SSH?

Assuming that the Mongo instances allow traffic from Bastion Host (in security groups) for required ports, you can use SSH tunnelling mechanism to access the cluster/instance from your local host:
ssh -N -L <local_port_x>:<mongoDB instance ip>:<mongo_port_y> <ssh_username>#<bastion_host_ip> -i <ssh_key_path>
Local_Port_X : Port on your local machine where you want to access remote Mongo instance
MongoDB Instance IP : ip address for ec2 instance hosting MongoDB
Mongo_Port_Y : Port that MongoDB is listening on (seems 27017 from your question - please do verify that you can talk to Mongo Instance from within Bastion host on this port)
Bastion_Host_Ip : IP address on bastion host which should directly be reachable from your local machine

Related

can't connect mongodb on host from docker container

I have a mongo on my host machine, and an ubuntu container which is also running on my machine. I want that container to connect to mongo.
I set as host url, my host ip from docker network : 172.17.0.1
and in the /etc/mongod.conf file I set the bindIp to 0.0.0.0
from the container, I can ping the host,but the mongo service is not accessible, I get that error :
Connecting to: mongodb://172.17.0.1:27017/directConnection=true&appName=mongosh+1.5.0
MongoServerSelectionError: connection timed out
More over, I can connect from host to the mongo service with that command :
mongosh mongodb://172.17.0.1:27017
Do you know why I can't access mongo service from my container ?
You can use host.docker.internal as reference to your host machine from the container. So mongo host.docker.internal:27017 should work.
From docker documentation:
I want to connect from a container to a service on the host
The host has a changing IP address (or none if you have no network access). We recommend that you connect to the special DNS name host.docker.internal which resolves to the internal IP address used by the host. This is for development purpose and does not work in a production environment outside of Docker Desktop.
On your local machine that has Mongo service is running, you can access by Mongo client because you expose the service at 127.0.0.1:27017.
However, it is not true if standing from your unbuntu container, there is no Mongo service is running at 172.0.0.1:27017 of the ubuntu container.
Docker-compose is the right tool for you to make containers communication to each other.

I have AWS Postgres instance in private subnet and I don't have any VPN, How Can I access it through Local?

I have a Postgres instance under the private subnet, I don't have VPN configured to connect, even it's not allowed with my Bastion ( jump node ).
Is there any way to connect it through my local machine to testing for development?
The default port is 5432.
and I have ssh access to my application server through Bastion node.
Port Forwarding is a process where you can establish a connection from your computer (on the Internet) into the Bastion server, and then forward traffic to the database.
ssh -i key.pem ec2-user#BATION-IP -L 5432:DATABASE-DNS-NAME:5432
Then, in your SQL client, connect to the database via:
localhost:5432
When the SQL client goes to port 5432 on your local computer, the SSH connection will forward that traffic to the bastion server, which will then send it to: DATABASE-DNS-NAME:5432
(You can actually use any port number locally. For example, you could create multiple forwarding connections to different databases, each on a different port.)
As you have ssh access to your application server through Bastion.
Then you may create two-level ssh tunnel proxy. As Postgres is not allowed even though Bastion node, only allowed through the application server.
1: Create a tunnel from the Application Server to the bastion node.
ssh-add ~/.ssh/id_rsa ;ssh -oStrictHostKeyChecking=no -Att -l USER_NAME BASTION IP ssh -oStrictHostKeyChecking=no -Att -l USER_NAME APP_SERVER_IP -L 5432:AWS_POSTGRESS_END_POINT:5432
(keep open this terminal)
2: Create another tunnel from Bastion to local computer:
(open new terminal )
ssh-add ~/.ssh/id_rsa ;ssh -oStrictHostKeyChecking=no -Att -l USER_NAME BASTION_IP -L 5432:localhost:5432
(keep open this terminal)
3: use localhost or 127.0.0.1 with 5432 port in the connection string (to connect from local machine) instead of Postgress endpoint.
Note: replace correct ssh key path and your user name with boldly highlighted text. and keep open both terminal open to maintain the session.

How to ping to my local machine from AWS EC2 instance?

I have started an ubuntu instance on AWS EC2
e.g. [ec2-user#ip-XXX-XX-XX-XX ~]$
Inside this instance, I am running a socket program for sending the data to my local system.
The program is running properly, but not able to connect to my local IP.
I am trying to ping my local system also from AWS ec2 user, but it is also not working.But I am able to ping google(8.8.8.8).
e.g. [ec2-user#ip-xxx-xx-xx-xx ~]$ ping xxx.xxx.xx.xx(my local IP)
I have set all security groups(inbound), like All Trafic,All TCP and so on.
Sorry for bad English.
Thank You
Your computer (PC) cannot be pinged from an AWS hosted machine
This is probably because the VM on your computer is using NAT outbound to talk to the LAN, which goes to an Internet router, which sends the packets to AWS
The reverse route (inbound to your PC) does not exist so starting a ping echo request from a AWS machine will not work
It is possible to get around this by opening a pass through on your router but generally this is not a great idea
However if you want to make a socket connection securely there is a way
First, start a ssh session with remote port forwarding. In the Linux ssh client this is using the -R option.
For example, if your local system is running a listening service on port 80 and your remote system has the address of 54.10.10.10 then
ssh -R 8080:localhost:80 ec2-user#54.10.10.10
Will establish a circuit such that connections to the "localhost" on the remote ec2 server on port 8080 are connected to the "localhost" on port 80 of your local machine
If you are not using a ssh cli program, most ssh clients have a facility of this sort.
Note that it is necessary to keep the ssh session open to be able to use the connections

How can i connect with mongodb in SlamData for my EC2 server

I can successfully connected with mongodb on SlamData but for my localhost. Now I have a mongodb database on my EC2 server that database i want to connect in Ec2 then How can I ?
I know username and password. What should be a host and port?
If you are running Slamdata on your host and want to connect to MongoDB running on a remote EC2 host.
Then apart from the username and password, the host is the Public IP or host FQDN [ec2-xxxxxxx], port is 27017. For this check if your mongos is running and binding on 0.0.0.0. If it is binding to 127.0.0.1, you cannot connect remotely
Also check you AWS security group for EC2 and see that the port 27017 is open for your IP or in general to all [0.0.0.0] (this is NOT recommended!!!)
You can also review the FAQ on docs.slamdata.com located here.
Provides step-by-step troubleshooting for connecting to cloud-hosted MongoDB servers.
Additionally, the Path value refers to path inside of SlamData rather than the operating system path. For instance entering a value of aws1 results in a query path similar to the following, assuming you have a databased named demo and a collection named coll1:
SELECT * FROM `/aws1/demo/coll1`

AWS: How To Setup Postgres Security on EC2

I have two machines in amazon. web01 and db01. I installed PostgreSQL on db01, and added the elastic ip of web01 to the pg_hba.conf
host dbname username 64.210.245.155/32 md5
and restarted the postgresql service. Now in web01 I tried to connect to the elastic ip of db01
$ psql -h 64.210.255.222 -U user -d database
psql: could not connect to server: No route to host
Is the server running on host "64.210.255.222" and accepting
TCP/IP connections on port 5432?
I also added the elastic ip of web01 to db01's security group for inbound traffic. What am I doing wrong and how can I get web01 to connect to pg on db01?
To start with, you want to be connecting to the internal IP. You can use the DNS name if your elastic IP as it will resolve to an internal IP within AWS instead of using the elastic IP directly.
Secondly, all public IPs are assigned via NAT. If your service tries to listen to that IP address it will fail. Generally the best thing to do is listen to all IPs, unless you are using VPC and have control of the internal IP.
Lastly, you will provide access to the web security group within the db security group. Even if two instances are in the same security group, they will not be able to access each other unless the group is given access to itself.