This topic describes how to connect a local client to an ApsaraDB for MongoDB instance through an SSL VPN tunnel, which provides a secure connection between the local client and the VPC housing the ApsaraDB for MongoDB instance. With this tunnel, you can manage the ApsaraDB for MongoDB instance from the local client with ease. SSL is short for Secure Sockets Layer, VPN for virtual private network, and VPC for Virtual Private Cloud.

Scenarios

  • The public IP address of the local client changes dynamically. As a result, you must frequently update the whitelist that contains the public IP address of the local client on the ApsaraDB for MongoDB console. If you do not delete expired IP addresses at the earliest opportunity, security risks may arise.
  • A higher level of security is required when you connect to an ApsaraDB for MongoDB instance over the Internet.
  • You need to log on to the ApsaraDB for MongoDB instance from an ECS instance over the Internet, which may cause security risks. Therefore, you must separate ECS management permissions from ApsaraDB for MongoDB database permissions.

Billing

You are charged to create a VPN gateway. For more information, see Billing.

Prerequisites

  • VPC is the network type of the ApsaraDB for MongoDB instance. For more information about how to switch the network type from Classic Network to VPC, see Switch from Classic Network to VPC.
  • The Classless Inter-Domain Routing (CIDR) block of the local client is different from that of the ApsaraDB for MongoDB instance.
  • The local client can access the Internet.

Networking

SSL VPN tunnel between a local client and an ApsaraDB for MongoDB instance

Step 1 Create a VPN gateway

See Create a VPN Gateway.

Step 2 Create an SSL server

See Create an SSL Server.

Step 3 Create an SSL client

See Create an SSL client certificate.

Log on to the ApsaraDB for MongoDB instance from the client through the SSL VPN tunnel

This section uses Windows as an example. For more information about other operating systems, see Remote access from a Linux client and Remote access from a Mac client.

  1. Log on to the VPC console.
  2. In the upper-left corner of the page, select a region.
  3. In the left-side navigation pane, choose VPN > SSL Clients.
  4. On the right of the SSL client you have created, click Download to download the generated client certificate package.
  5. Download the OpenVPN software package and install OpenVPN on the client you want to connect through the SSL VPN tunnel.
  6. Decompress the client certificate package that you downloaded and copy the client certificate file to the config folder of the OpenVPN installation directory.
  7. Click Connect to initiate an SSL connection.
  8. Add the CIDR block of the VPC to which the ApsaraDB for MongoDB instance belongs to a whitelist of this instance. For this example, add the IP address 172.16.1.0/24 to the whitelist.
  9. Log on to the ApsaraDB for MongoDB console.
  10. Obtain the internal endpoints of the ApsaraDB for MongoDB instance in the VPC. For more information, see Connect to a replica set instance through the mongo shell.
  11. Use the mongo shell or other management tools to log on to the ApsaraDB for MongoDB instance.
    Note: Log on using an internal endpoint of the ApsaraDB for MongoDB instance.
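The prerequisites and steps 8 and 11 each rest on a small piece of address arithmetic: the client CIDR block must not overlap the VPC CIDR block, the whitelist must cover the VPC CIDR block, and the endpoint you connect to must be an internal address inside that VPC. The following pre-flight checker is an added example and not Alibaba Cloud tooling; it only uses the Python standard library. The VPC CIDR block 172.16.1.0/24 is the value used in step 8; the client CIDR block, whitelist entries and resolved endpoint address are constructed sample values.

```python
"""Pre-flight checks before logging on through the SSL VPN tunnel.

Added example; not Alibaba Cloud tooling. All sample values except the
VPC CIDR block from step 8 (172.16.1.0/24) are constructed.
"""
import ipaddress

# RFC 1918 private ranges; anything outside these is treated as public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two CIDR blocks share any address (the prerequisite says they must not)."""
    net_a = ipaddress.ip_network(a, strict=False)
    net_b = ipaddress.ip_network(b, strict=False)
    return net_a.version == net_b.version and net_a.overlaps(net_b)


def whitelist_entries_covering(whitelist, vpc_cidr: str):
    """Return the whitelist entries that contain the whole VPC CIDR block (step 8)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    covering = []
    for entry in whitelist:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == vpc.version and vpc.subnet_of(net):
            covering.append(entry)
    return covering


def public_whitelist_entries(whitelist):
    """Return whitelist entries that are not RFC 1918 blocks, e.g. a stale public
    client address or 0.0.0.0/0; these are the entries the tunnel makes unnecessary."""
    public = []
    for entry in whitelist:
        net = ipaddress.ip_network(entry, strict=False)
        private = any(net.version == r.version and net.subnet_of(r) for r in RFC1918)
        if not private:
            public.append(entry)
    return public


def endpoint_in_vpc(resolved_ip: str, vpc_cidr: str) -> bool:
    """True if the address the client resolved for the endpoint lies inside the VPC
    CIDR block, i.e. it is an internal endpoint (step 11 note)."""
    ip = ipaddress.ip_address(resolved_ip)
    return ip in ipaddress.ip_network(vpc_cidr, strict=False)


def preflight(client_cidr: str, vpc_cidr: str, whitelist, resolved_endpoint_ip: str):
    """Run all checks and return a list of findings; an empty list means ready to connect."""
    findings = []
    if cidrs_overlap(client_cidr, vpc_cidr):
        findings.append(f"client CIDR {client_cidr} overlaps VPC CIDR {vpc_cidr}; "
                        "traffic for the VPC cannot be routed unambiguously through the tunnel")
    if not whitelist_entries_covering(whitelist, vpc_cidr):
        findings.append(f"whitelist does not cover VPC CIDR {vpc_cidr}; add it (step 8)")
    for entry in public_whitelist_entries(whitelist):
        findings.append(f"whitelist entry {entry} is a public block; remove it once the tunnel "
                        "replaces Internet access")
    if not endpoint_in_vpc(resolved_endpoint_ip, vpc_cidr):
        findings.append(f"endpoint {resolved_endpoint_ip} is not inside {vpc_cidr}; "
                        "use the internal endpoint (step 11)")
    return findings


# Constructed sample values (the VPC CIDR block is the one from step 8).
SAMPLE_CLIENT_CIDR = "192.168.10.0/24"
SAMPLE_VPC_CIDR = "172.16.1.0/24"
SAMPLE_WHITELIST = ["172.16.1.0/24"]
SAMPLE_ENDPOINT_IP = "172.16.1.25"

if __name__ == "__main__":
    for finding in preflight(SAMPLE_CLIENT_CIDR, SAMPLE_VPC_CIDR, SAMPLE_WHITELIST, SAMPLE_ENDPOINT_IP):
        print("FINDING:", finding)
    else:
        print("ready: no findings")
```

Feed `preflight` the CIDR block of your own client network, the VPC CIDR block shown in the VPC console, the whitelist as configured in the ApsaraDB for MongoDB console, and the address the internal endpoint resolves to on the connected client. A non-empty list points at the step to revisit before opening the mongo shell.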