Spreading MongoDB across EC2 regions

Question

I want to distribute a sharded/replicated MongoDB setup across multiple of Amazon's EC2 regions. Is this traffic already encrypted by MongoDB or can I optionally set this up? Or does Amazon offer a special VPN-like connection between its data centers?

Answer 1

I answered a similar question yesterday about Apache Cassandra: Securing Cassandra communication with TLS/SSL.

My experience has been, specifically with Amazon, if you can, set up a VPN network between your instances to guarantee that everything is secure. An interesting fact we came across when implementing our VPN network on top of EC2 is that it made response times faster ... We opted for Vyatta and have been very happy with it so far. It can be fully virtualized ... and allows us to bridge between zones, regions and data centres (amazon and not amazon)

Another option is to leverage Amazon Virtual Private Cloud:

• Create an Amazon Virtual Private Cloud on AWS's scalable infrastructure, and specify its private IP address range from any range you choose.
• Divide your VPC’s private IP address range into one or more public or private subnets to facilitate running applications and services in your VPC.
• Control inbound and outbound access to and from individual subnets using network access control lists.
• Store data in Amazon S3 and set permissions such that the data can only be accessed from within your Amazon VPC.
• Attach an Amazon Elastic IP address to any instance in your VPC so it can be reached directly from the Internet.
• Bridge your VPC and your onsite IT infrastructure with an encrypted VPN connection, extending your existing security and management policies to your VPC instances as if they were running within your infrastructure.

Vyatta has a nice graphic showing how VPC and Vyatta (or any other corporate VPN solution) can bridge together (as per the last point above):

• http://www.vyatta.com/sites/vyatta.com/files/images/Vyatta_Amazon.png

• http://www.vyatta.com/solutions/amazon

I don't work for Vyatta ... just like how well we've managed to get everything working without purchasing mega expensive cisco gear

Answer 2

According to [mongo docs] it's possible for mongo to use SSL. One would either have to compile mongo with --ssl flag or use commercial edition. With SSL-enabled mongo all communication between the DB and client, as well as communication between replica sets and arbiter is secured (see faq).

Has anyone actually tried this approach? Are there any drawbacks?

Answer 3

If you're not running on EC2, these solutions aren't really an option. There is another way and that is to set up your own IaaS provider independent VPC. vCider has a solution for this that works well with Mongo as well as Cassandra. For Cassandra securing client/DB traffic is especially painful since there is no native encryption.

Good example of how this all works here:

http://www.vcider.com/vpc-deployments/secure-saas

As far as Cassandra goes, some benchmark info here.

http://blog.vcider.com/2011/09/virtual-networks-can-run-cassandra-up-to-60-faster/

With native encryption in the kernel you can run much faster.

Answer 4

Mongo communication across replicas is not encrypted. So you are on your on. You can create Replica's across availability zones in a region