How to move DocumentDB to a private subnet

0

I created a DocumentDB cluster that is now connected to a few EC2s in a ASG.

I know that for security reasons this should stay in a private subnet, is that really important? How can I check if my cluster is in a public subnet or a private one? And if it is in a public subnet, how can I move it to a private one?

thanks M

1 Answer
0

Hello,

Amazon DocumentDB clusters are deployed within an Amazon Virtual Private Cloud (Amazon VPC). They can be accessed directly by Amazon EC2 instances or other AWS services that are deployed in the same Amazon VPC. Additionally, Amazon DocumentDB can be accessed by EC2 instances or other AWS services in different VPCs in the same AWS Region or other Regions via VPC peering [1].

On the Amazon DocumentDB management console find your cluster and link on the VPC. Maybe you created one or choose at creation[2].

Securityis the top priority. To identify if your VPC is public or private lies in what it means in AWS for a subnet of a VPC to be 'public' vs. 'private'. Public subnets have a default route to an Internet Gateway; private subnets do not.

So, to determine if a given subnet is public or private, you need to describe the route table that is associated with that subnet. That will tell you the routes and you can test for a 0.0.0.0/0 route with a gateway ID of igw-xxxxxxxxxxxxxxxxx (as opposed to local), this confirms that you are looking at a public subnet [3].

References:

profile pictureAWS
answered a year ago
  • Thanks for your reply.

    I am in a situation with DocumentDB and EC2s instances in the same VPC. EC2s can access DocumentDB.

    Then I have a lambda function in the same VPC but it can't access My DocumentDB cluster.

    I know how to check if a subnet is public or private, I would like to check if documentDB is on a public one, as I can only see the link to the VPC, and my VPC has both private and public subnets.

  • If your VPC has both private and public subnets., then is a public VPC. Review the documentation for Lambda to access resources in a VPC [1]. The logs for the Lambda in the Clouwatch returns what type of result?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions