bind_ip in ec2 auto scaling environment


Chris Zieba

Apr 14, 2016, 4:35:53 PM
to mongodb-user
Hi,

What is best practice for setting the bind_ip when a replica set maintains connections from many servers in different replica sets? 

Thanks,
Chris

Markus Thielsch

Apr 22, 2016, 2:44:10 AM
to mongodb-user

Hi Chris,

When using bindIP within a replica set, please consider the following:

Within AWS, EC2 instances can have multiple IPs (private and public). Each mongod generally only needs to listen to its own private IP/hostname. The output of rs.conf() run on any member of your replica set can give you more information as to which IP/hostname you need to specify.

Have a look at this example of rs.conf(). You would be wanting to use the "host": entry of each member:

replset:PRIMARY> rs.conf()
{
    "_id" : "replset",
    "version" : 1,
    "members" : [
        {
            "_id" : 0,
            "host" : "punisher1:27017",
            "arbiterOnly" : false,
            "buildIndexes" : true,
            "hidden" : false,
            "priority" : 1,
            "tags" : {

            },
            "slaveDelay" : 0,
            "votes" : 1
        },
        {
            "_id" : 1,
            "host" : "punisher2:27017",
            "arbiterOnly" : false,
            "buildIndexes" : true,
            "hidden" : false,
            "priority" : 1,
            "tags" : {

            },
            "slaveDelay" : 0,
            "votes" : 1
        },
        {
            "_id" : 2,
            "host" : "punisher3:27017",
            "arbiterOnly" : false,
            "buildIndexes" : true,
            "hidden" : false,
            "priority" : 1,
            "tags" : {

            },
            "slaveDelay" : 0,
            "votes" : 1
        }
    ],
    "settings" : {
        "chainingAllowed" : true,
        "heartbeatTimeoutSecs" : 10,
        "getLastErrorModes" : {

        },
        "getLastErrorDefaults" : {
            "w" : 1,
            "wtimeout" : 0
        }
    }
}

If we take the above replica set as an example, your bindIP would need to look like this:

  • on member[0]: bindIp: punisher1
  • on member[1]: bindIp: punisher2
  • on member[2]: bindIp: punisher3

As a general consideration, if your database servers don’t need to be public, another approach would be to use VPCs and private IPs exclusively for your EC2 deployment.

Please also have a look at our MongoDB Security Checklist.

Regards,
Markus
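
The per-member mapping described in the reply above, as an added example that is not part of the thread or of MongoDB's tooling: it derives each member's bindIp from the "host" entries of rs.conf() and audits a mongod's bindIp value for wildcard or public literal addresses. The function names and the sample bindIp values are hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed sample: only the fields used here, mirroring the rs.conf() output above.
RS_CONF = {
    "_id": "replset",
    "members": [
        {"_id": 0, "host": "punisher1:27017"},
        {"_id": 1, "host": "punisher2:27017"},
        {"_id": 2, "host": "punisher3:27017"},
    ],
}

def member_bind_hosts(rs_conf):
    """Map each member _id to the host part of its "host" entry (port removed)."""
    return {m["_id"]: m["host"].rsplit(":", 1)[0] for m in rs_conf["members"]}

def audit_bind_ip(bind_ip, member_host):
    """Return findings for one mongod's comma-separated bindIp value."""
    findings = []
    entries = [e.strip() for e in bind_ip.split(",") if e.strip()]
    # The member must listen on the name the replica set uses to reach it.
    if member_host not in entries:
        findings.append(f"member host {member_host} is not in bindIp")
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # hostname: where it resolves must be checked on the instance
        if addr.is_unspecified:
            findings.append(f"{entry} listens on every interface")
        elif not (addr.is_private or addr.is_loopback):
            findings.append(f"{entry} is a public address")
    return findings

if __name__ == "__main__":
    for member_id, host in member_bind_hosts(RS_CONF).items():
        print(f"member[{member_id}]: bindIp: {host}")
    # Constructed bindIp values for member[0]; 8.8.8.8 stands in for a public address.
    for value in ("punisher1", "127.0.0.1,punisher1", "0.0.0.0", "punisher1,8.8.8.8"):
        print(value, "->", audit_bind_ip(value, "punisher1") or "ok")
```

Hostname entries are not resolved here, so a name such as punisher1 still has to be confirmed on the instance as pointing at the private address.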
