This page describes how to configure your source Amazon DocumentDB database to work with Datastream.
Amazon DocumentDB (with MongoDB compatibility) is a fully managed database service. To connect Datastream to an Amazon DocumentDB cluster running inside an Amazon Virtual Private Cloud (VPC), you use a bastion host and configure a forward SSH tunnel.
Enable change streams
Datastream uses change streams to capture and replicate changes from your Amazon DocumentDB database.
To enable change streams for the specific databases or collections that you want to replicate, see Enabling change streams in the Amazon DocumentDB documentation.
Set up a bastion host for the SSH tunnel
To connect to your Amazon DocumentDB cluster from Datastream, set up a bastion host:
- In AWS, launch a lightweight Amazon Elastic Compute Cloud (EC2) instance to serve as a bastion host. Configure the security group of the instance to allow SSH connections (port 22) from Datastream.
Allow network traffic from the Datastream public IP addresses for your region. To locate the regional IP addresses to allowlist, see IP allowlists and regions.
Alternatively, you can find the IP addresses to allowlist on the bastion host for your region when you create the MongoDB connection profile in the Google Cloud console:
- Go to the Connection profiles page in the Google Cloud Console.
- Start creating a MongoDB connection profile.
- Expand the Define connectivity method section and locate the list of Datastream public IP addresses for your region.
To authenticate the SSH tunnel session from Datastream, configure a user account on your EC2 instance with either a password or an SSH private key (recommended). If you use a private key, add the public key to the ~/.ssh/authorized_keys file on your bastion host. For more information, see Forward SSH tunnel.
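One way to check the bastion security group against the allowlist described above, as an added example that is not part of the Datastream or AWS documentation. The IP addresses are constructed placeholders, the sample input is constructed in the shape of `aws ec2 describe-security-groups` output, and the function names are hypothetical.

```python
import ipaddress

# Constructed placeholders (documentation ranges), NOT real Datastream addresses.
# Replace with the regional list from the IP allowlists page.
DATASTREAM_IPS = ["192.0.2.10/32", "192.0.2.11/32", "198.51.100.7/32"]

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = {"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.0.2.10/32"}, {"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]}


def covers_ssh(perm):
    """True if the rule admits TCP port 22 (IpProtocol "-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535))


def audit_ssh_ingress(groups, allowlist):
    """Return (missing, excess): allowlisted CIDRs that no SSH rule admits, and
    (group id, CIDR) pairs that admit SSH from outside the allowlist."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowlist]
    seen, excess = [], []
    for sg in groups["SecurityGroups"]:
        for perm in filter(covers_ssh, sg.get("IpPermissions", [])):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                seen.append(net)
                # In policy only when the rule lies entirely inside an allowlisted range.
                if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    excess.append((sg["GroupId"], cidr))
    missing = [str(a) for a in allowed
               if not any(a.version == n.version and a.subnet_of(n) for n in seen)]
    return missing, excess


if __name__ == "__main__":
    missing, excess = audit_ssh_ingress(SAMPLE_GROUPS, DATASTREAM_IPS)
    print("Allowlisted IPs not admitted on port 22:", missing)
    print("SSH ingress wider than the allowlist:", excess)
```

An empty `missing` list means every allowlisted address can reach port 22; an empty `excess` list means nothing else can.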
Encrypt your connection using SSL/TLS
To establish a secure connection, Datastream requires a certificate authority (CA) certificate to verify the Amazon DocumentDB server.
- Download the CA certificate (.pem file) for your Amazon DocumentDB cluster from AWS. For more information, see the Amazon DocumentDB documentation.
- When you create your connection profile in Datastream, in the Secure your connection to your source section, select Server-only as the encryption type.
- Upload or enter the .pem certificate in the Source CA certificate section.
- Complete the remaining steps to create your connection profile. For more information, see Create connection profiles.
What's next
- Learn more about how Datastream works with MongoDB sources.
- Learn how to create a connection profile.