Amazon DocumentDB
Developer Guide

Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC

By design, you access Amazon DocumentDB (with MongoDB compatibility) resources from an Amazon EC2 instance within the same Amazon VPC as the Amazon DocumentDB resources. However, suppose that your use case requires that you or your application access your Amazon DocumentDB resources from outside the cluster's Amazon VPC. In that case, you can use SSH tunneling (also known as "port forwarding") to access your Amazon DocumentDB resources.

It is beyond the scope of this topic to discuss SSH tunneling in depth. For more information about SSH tunneling, see the following:

To create an SSH tunnel, you need an Amazon EC2 instance running in the same Amazon VPC as your Amazon DocumentDB cluster. You can either use an existing Amazon EC2 instance in the same Amazon VPC as your cluster or create one. For more information, see the topic that is appropriate for your operating system:

You might typically connect to an Amazon EC2 instance with the following command:

> ssh -i "ec2Access.pem"

If so, you can set up an SSH tunnel to the Amazon DocumentDB cluster by running the following command on your local computer. The -L flag is used for forwarding a local port.

> ssh -i "ec2Access.pem" -L -N

After the SSH tunnel is created, any commands you issue to localhost:27017 are forwarded to the Amazon DocumentDB cluster sample-cluster running in the Amazon VPC. If Transport Layer Security (TLS) is enabled on your Amazon DocumentDB cluster, you need to download the public key for Amazon DocumentDB from The following operation downloads a file named rds-combined-ca-bundle.pem:

> wget


TLS is enabled by default for new Amazon DocumentDB clusters; however, you can disable it. For more information, see Managing Amazon DocumentDB Cluster TLS Settings.

To connect to your Amazon DocumentDB cluster from outside the Amazon VPC:

> mongo --sslAllowInvalidHostnames --ssl --sslCAFile rds-combined-ca-bundle.pem --username <yourUsername> --password <yourPassword>