I wanted to share a solution that allows you to connect from an AWS Lambda function to Amazon DocumentDB without using a NAT gateway, provided that both are in the same VPC. This can be a cost-saving approach during development.

Problem: When connecting to DocumentDB directly (for example through an SSH tunnel or from within the same VPC), the client may be unable to read any data even though the TCP connection is established. This happens because DocumentDB tells the Mongo client to connect to a specific DNS name.

Solution:

  1. Place Lambda and DocumentDB in the same VPC.
  2. Use the direct connection parameter: add the directConnection=true parameter to the MongoDB URI connection string. This forces the MongoDB driver to connect directly to the specified host, bypassing the usual DNS resolution process used for replica sets.

     mongodb://username:password@hostname:27017/database?directConnection=true

Optional: Configure VPC endpoints for other AWS APIs. If your Lambda function needs to access other AWS APIs, configure the necessary VPC endpoints to enable this communication without a NAT gateway.
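The following is an added example of the Lambda-side wiring for the steps above; it is not the poster's code. It builds the direct-connection URI from environment variables instead of hardcoded credentials, percent-encodes the password so characters such as @, : or / cannot break the URI, creates the MongoClient once per execution environment so warm invocations reuse the TLS session, and includes a small check that the URI really names a single host with directConnection=true. The environment variable names, the global-bundle.pem path and the collection name are assumptions.

```python
import os
from urllib.parse import quote_plus, urlsplit, parse_qs

# Assumed option set. tls/tlsCAFile pin the AWS CA bundle shipped in the deployment package,
# directConnection=true stops replica-set discovery, retryWrites=false is required by DocumentDB.
DIRECT_OPTIONS = {
    "tls": "true",
    "tlsCAFile": "global-bundle.pem",  # assumed path inside the Lambda package
    "directConnection": "true",
    "retryWrites": "false",
}


def build_docdb_uri(username, password, host, port=27017, database="", options=None):
    """Build a mongodb:// URI for a direct (non-discovery) DocumentDB connection.

    Credentials are percent-encoded so that reserved characters in a password
    cannot corrupt the authority part of the URI."""
    opts = dict(DIRECT_OPTIONS)
    if options:
        opts.update(options)
    query = "&".join(f"{key}={value}" for key, value in opts.items())
    return (
        f"mongodb://{quote_plus(username)}:{quote_plus(password)}"
        f"@{host}:{port}/{database}?{query}"
    )


def is_direct_connection_uri(uri):
    """True when the driver will talk only to the named host: exactly one host in the
    authority section and directConnection=true among the options."""
    parts = urlsplit(uri)
    hosts = parts.netloc.rsplit("@", 1)[-1].split(",")
    opts = parse_qs(parts.query)
    return len(hosts) == 1 and opts.get("directConnection", [""])[0].lower() == "true"


_client = None  # cached across warm invocations of the same execution environment


def get_client():
    """Create the MongoClient once; Lambda keeps the module alive between invocations,
    so reconnecting on every call would repeat the TLS handshake and authentication."""
    global _client
    if _client is None:
        import pymongo  # imported lazily so the URI helpers work without the driver installed

        uri = build_docdb_uri(
            os.environ["DOCDB_USER"],          # assumed variable names
            os.environ["DOCDB_PASSWORD"],
            os.environ["DOCDB_HOST"],
        )
        assert is_direct_connection_uri(uri), "URI would trigger replica-set discovery"
        _client = pymongo.MongoClient(uri)
    return _client


def lambda_handler(event, context):
    """Count documents in the assumed collection and return the number."""
    database = os.environ.get("DOCDB_DB", "docdb")
    collection = get_client()[database]["collection_a"]  # assumed collection name
    return {"count": collection.count_documents({})}
```

The Lambda handler is the only part that needs the network and the pymongo driver; build_docdb_uri and is_direct_connection_uri run offline, which is also how you can check a URI before deploying.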

Additional Notes:

  1. Packet Capture: This connection behavior can be observed using packet capture tools like tcpdump.

  2. Production Use: While this approach works for development, it might not be suitable for production use, as it deviates from standard AWS guidance.

  3. Security Considerations: Ensure all security best practices are followed, including proper VPC setup, IAM roles, and security group configurations.

I hope this helps others looking to connect to DocumentDB without incurring additional costs for a NAT gateway while still maintaining access to other AWS services through VPC endpoints. If anyone has further insights or concerns about this approach, especially regarding production use, please share your thoughts!

Python code:

import pymongo

DOCUMENTDB_ENDPOINT = 'docdb-a.cluster-hidden.eu-central-1.docdb.amazonaws.com'
DOCUMENTDB_PORT = 27017
DOCUMENTDB_USERNAME = 'master'
DOCUMENTDB_PASSWORD = 'paasWORD123!!'  # sample value; in Lambda read this from an environment variable or Secrets Manager
DB_NAME = 'docdb'
COLLECTION_NAME = 'collection_a'

# directConnection=true keeps the driver on the endpoint given here instead of following the
# member hostnames the cluster reports; retryWrites=false is required because DocumentDB does
# not support retryable writes. tlsAllowInvalidHostnames=true disables hostname verification
# of the server certificate, so only use it where the name mismatch is understood.
url = f"mongodb://{DOCUMENTDB_USERNAME}:{DOCUMENTDB_PASSWORD}@{DOCUMENTDB_ENDPOINT}:{DOCUMENTDB_PORT}/?ssl=true&tlsAllowInvalidHostnames=true&tlsCAFile=ca-bundle.pem&directConnection=true&retryWrites=false"
client = pymongo.MongoClient(url)

db = client[DB_NAME]
collection = db[COLLECTION_NAME]

# Read every document in the collection (read_any() does not exist in pymongo; find() does).
for doc in collection.find({}):
    print(doc)

client.close()  # close() must be called; bare client.close only references the method