MongoDB Compass is the go-to GUI for developers working with MongoDB. It's powerful, intuitive, and gives you all the tools you need—from schema exploration to index analysis and aggregation pipeline building. But what if your backend runs on Amazon DocumentDB, the managed MongoDB-compatible database from AWS? And what if your cluster lives inside a VPC, inaccessible directly from your local machine?
In this tutorial, I’ll walk you through how to securely connect MongoDB Compass to Amazon DocumentDB using an EC2 bastion host and SSH tunneling. Let's get started.
🧰 Tools We’re Using
- MongoDB Compass
- Amazon DocumentDB
- Amazon EC2 (Amazon Linux 2023) – for the SSH jump host
- MongoDB Shell (mongosh) – for testing the connection
🚧 Why SSH Tunneling?
Amazon DocumentDB clusters don’t expose public endpoints. They're designed to run within a Virtual Private Cloud (VPC), typically only accessible from within the same VPC or via VPC peering.
But if you need to access the cluster from your laptop (e.g., for development or analysis), the secure way is to set up an SSH tunnel via a bastion host.
🏗️ Step 1: Launch an EC2 Bastion Host
- Open your AWS console and launch a new EC2 instance (Amazon Linux 2023) in the same VPC as your DocumentDB cluster.
- Make sure the bastion's security group only allows inbound SSH (port 22) from your own IP address, and that the DocumentDB cluster's security group allows inbound traffic on port 27017 from the bastion's security group; without the second rule the tunnel will open but the connection through it will time out.
- Create a new key pair, e.g., `dima-bastion-host-key-pair.pem`, and download it.
- Open a terminal on your machine and connect:

```bash
ssh -i "dima-bastion-host-key-pair.pem" ec2-user@ec2-X-X-X-X.compute-1.amazonaws.com
```
🛠️ Step 2: Install mongosh on EC2 (Optional Testing Step)
Inside your EC2 instance:
Create the MongoDB repo config:

```bash
sudo vi /etc/yum.repos.d/mongodb-org-8.0.repo
```

Paste:

```ini
[mongodb-org-8.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/amazon/2023/mongodb-org/8.0/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-8.0.asc
```

Install mongosh:

```bash
sudo yum install -y mongodb-mongosh
```

Download the Amazon DocumentDB CA cert:

```bash
wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
```

Connect using:

```bash
mongosh docdb-cluster.cluster-xxxxxx.us-east-1.docdb.amazonaws.com:27017 \
  --tls --tlsCAFile global-bundle.pem --retryWrites=false \
  --username myadmin --password <your-password>
```
🔐 Step 3: Create an SSH Tunnel from Your Laptop
To access DocumentDB from your laptop, forward traffic via your EC2 instance:

```bash
ssh -i "dima-bastion-host-key-pair.pem" \
  -L 27017:docdb-cluster.cluster-xxxxxx.us-east-1.docdb.amazonaws.com:27017 \
  ec2-user@ec2-X-X-X-X.compute-1.amazonaws.com -N
```

Keep this terminal window open. It acts as a tunnel from your laptop → EC2 → DocumentDB.
🧪 Step 4: Test with mongosh Locally
On your laptop (with the tunnel running), test the connection. `--tlsAllowInvalidHostnames` is needed here because the server certificate is issued for the cluster hostname, while the tunnel makes you connect to `localhost`; the CA check against `global-bundle.pem` still applies.

```bash
mongosh localhost:27017 \
  --tls --tlsAllowInvalidHostnames \
  --tlsCAFile global-bundle.pem \
  --retryWrites=false \
  --username myadmin --password <your-password>
```

If successful, you should see:

```
rs0 [direct: primary] test>
```
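Steps 3 and 4 are easy to get wrong in small ways: a private key with loose permissions makes ssh refuse to start, a stale tunnel or local `mongod` already on port 27017 silently takes the traffic, and a tunnel started with `-N` is awkward to shut down cleanly. The script below is an added example (not from the original post) that wraps both steps: it checks the key mode and the local port, opens the tunnel through an SSH control socket so it can be closed by name, runs the same mongosh check as Step 4, and tears the tunnel down on exit. The key path, bastion address, cluster hostname and control-socket path are assumptions carried over from the post's placeholders; override them with environment variables for your own environment.

```shell
#!/usr/bin/env bash
# Added example: wrap the Step 3 tunnel and Step 4 test with the checks a
# practitioner usually wants. Values below are assumed placeholders.
set -eu

KEY="${KEY:-dima-bastion-host-key-pair.pem}"
BASTION="${BASTION:-ec2-user@ec2-X-X-X-X.compute-1.amazonaws.com}"
DOCDB_HOST="${DOCDB_HOST:-docdb-cluster.cluster-xxxxxx.us-east-1.docdb.amazonaws.com}"
LOCAL_PORT="${LOCAL_PORT:-27017}"
SOCK="${SOCK:-$HOME/.ssh/docdb-tunnel.sock}"   # assumed ssh control-socket path

# ssh refuses a private key that is group- or world-readable. Returns 0 when
# the file exists and its mode is 0400 or 0600 (Linux stat first, macOS fallback).
key_perms_ok() {
  local mode
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# Returns 0 when nothing accepts connections on 127.0.0.1:$1, so a leftover
# tunnel or a local mongod cannot quietly answer instead of DocumentDB.
port_free() {
  ! (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# Step 3 with a control socket (-M -S) and ExitOnForwardFailure, so a failed
# port forward is reported instead of leaving a useless background ssh.
open_tunnel() {
  key_perms_ok "$KEY" || { echo "fix key permissions: chmod 400 $KEY" >&2; return 1; }
  port_free "$LOCAL_PORT" || { echo "port $LOCAL_PORT is already in use" >&2; return 1; }
  ssh -i "$KEY" -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
      -M -S "$SOCK" -f -N \
      -L "$LOCAL_PORT:$DOCDB_HOST:27017" "$BASTION"
}

# Ask the control master to exit; this closes the forward and the background ssh.
close_tunnel() {
  ssh -S "$SOCK" -O exit "$BASTION" 2>/dev/null || true
}

# Step 4 over the tunnel. --tlsAllowInvalidHostnames is required because the
# certificate names the cluster host, not localhost; the CA check still runs.
# Omitting --password makes mongosh prompt, keeping the secret out of shell history.
test_connection() {
  mongosh "mongodb://localhost:$LOCAL_PORT" \
    --tls --tlsCAFile global-bundle.pem --tlsAllowInvalidHostnames \
    --retryWrites=false --username myadmin \
    --eval 'db.runCommand({ ping: 1 })'
}

# Only act when invoked as "./docdb-tunnel.sh run", so the file can also be
# sourced for its functions.
if [ "${1:-}" = "run" ]; then
  open_tunnel
  trap close_tunnel EXIT
  test_connection
fi
```

Run it as `./docdb-tunnel.sh run`; the `trap` closes the tunnel whether the mongosh check passes or fails. The two pre-flight functions are deliberately separate from the ssh call so they can be reused before launching Compass in Step 5, which opens its own tunnel and also needs a free local port and a readable key.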
🖥️ Step 5: Connect Using MongoDB Compass
Open MongoDB Compass and go to New Connection → Advanced.

General:

- Connection String Scheme: `mongodb`
- Host: `localhost:27017`

Authentication:

- Method: Username / Password
- Username: `myadmin`
- Password: `<your-password>`
- Auth Mechanism: Default

TLS/SSL:

- TLS/SSL Connection: ✅ On
- Certificate Authority (.pem): Upload `global-bundle.pem`
- Allow Invalid Hostnames: ✅ Checked

SSH Tunnel / Proxy:

- Method: SSH with Identity File
- Hostname: Public DNS of your EC2 instance
- Port: `22`
- Username: `ec2-user`
- Identity File: Your `.pem` file

Advanced:

- Replica Set Name: `rs0`
- Read Preference: Secondary Preferred
- URI Options: Add `retryWrites=false`

✅ Click "Connect"

You should now be connected to your Amazon DocumentDB cluster inside MongoDB Compass!
🎉 Wrapping Up
By combining SSH tunneling and Compass’s advanced connection settings, you can safely explore your Amazon DocumentDB data from outside the AWS cloud. This method gives you the power of MongoDB’s native GUI tooling without compromising on AWS security best practices.