Connect to Mongo Atlas with Mongo+SRV protocol

Hi,
We want to connect to a Mongo Atlas cluster via Boundary, but because the cluster endpoint is using a SRV record, Boundary can’t resolve it.
An endpoint for example:
mongodb+srv://:@<mongo_url>/test

How can we use that protocol?

Thanks

Hi,
Can someone help here?

This is not currently supported, sorry.

Can this be added to the product roadmap to support? My organization has adopted MongoDB Atlas and has hundreds of users that we want to gain access to their clusters via Boundary instead of opening a direct network path (which is not allowed from network security policies, all databases are in air gap).

Tyler

Do you have any reference for the format of Mongo names? Looking at https://www.mongodb.com/docs/atlas/reference/faq/networking/ I see hostnames but no mention of SRV records, just some references to the cluster name and how it can be translated to an IP address, which is via a normal DNS resolution.

On the other hand at https://www.mongodb.com/docs/manual/reference/connection-string/ there are some examples of mongodb+srv strings. Supporting that would require mongo-specific code which is a bigger lift, especially from a testing and support standpoint. It’d be much easier and more compatible to support standard RFC 2782 lookups, which could easily be enabled for any endpoint needing a SRV lookup.

If you have any insight as to how you could transform a Mongo connection string into a normal SRV lookup that would really help. If you are okay with it, send me some info about a cluster (e.g. a connection string, without username/password) and I can poke around into the DNS a bit and see if I can figure anything out. You can send the info to jeff (at) the-company-i-work-for (dot) com.

Best,
Jeff

Actually, scrolling down that second page a bit, it looks like you should be able to take the hostname and turn it into a SRV query via _mongodb._tcp.server.example.com. where server.example.com is the cluster-specific hostname. If you can validate that, then it means there is probably an easy path to simply supporting RFC-compliant syntax for hosts within Boundary by detecting this style of address and using a SRV lookup.

Hi,

As Jeff mentioned, MongoDB client software load-balances connecting clients by choosing one of the 3 DNS endpoints, corresponding to the 3 instances MongoDB Atlas gives you. Official MongoDB Atlas client software picks up the writer instance (the primary instance) and connects to it. Here’s an example from "Learn About Private Endpoints in Atlas - MongoDB Atlas":

$ nslookup -type=SRV _mongodb._tcp.cluster0-pl-0-k45tj.mongodb.net
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_mongodb._tcp.cluster0-pl-0-k45tj.mongodb.net service = 0 0 1026 pl-0-us-east-1-k45tj.mongodb.net.
_mongodb._tcp.cluster0-pl-0-k45tj.mongodb.net service = 0 0 1024 pl-0-us-east-1-k45tj.mongodb.net.
_mongodb._tcp.cluster0-pl-0-k45tj.mongodb.net service = 0 0 1025 pl-0-us-east-1-k45tj.mongodb.net.

You have limited options for connecting to MongoDB Atlas through Boundary:

  1. Boundary Target connects directly to one of the endpoints above: hard-code the host and port and Boundary will happily connect, as they are fixed for your MongoDB Atlas account. You need to instruct your users to use the directConnection=true parameter in their connection string. The caveat? Atlas interchanges the primary (writer) and secondary (reader) instances frequently; your users will eventually be unable to write data.
  2. Use another proxy that talks the MongoDB wire protocol, and connect to that proxy through a Boundary Target.

I have been using 1) in my org since v0.13.0. I would be happy to have mongodb+srv scheme be supported in Boundary though. Let me know if you want more insights.
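Added example (not part of any post above and not Boundary's code): a Go sketch of the translation discussed in this thread, from a mongodb+srv URI to the _mongodb._tcp SRV query name, then from SRV answers to host:port targets. It rejects targets outside the cluster's parent domain, the same check MongoDB drivers apply to SRV results. The function names, the constructed URI and the three-label host requirement are assumptions of this example; the answers are parsed from text so it runs offline.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const sampleAnswers = `_mongodb._tcp.cluster0-pl-0-k45tj.mongodb.net service = 0 0 1026 pl-0-us-east-1-k45tj.mongodb.net.
_mongodb._tcp.cluster0-pl-0-k45tj.mongodb.net service = 0 0 1024 pl-0-us-east-1-k45tj.mongodb.net.
_mongodb._tcp.cluster0-pl-0-k45tj.mongodb.net service = 0 0 1025 pl-0-us-east-1-k45tj.mongodb.net.` // copied from the nslookup output in the thread

// SRVQuery returns the host of a mongodb+srv URI and its RFC 2782 query name.
func SRVQuery(uri string) (host, query string, err error) {
	u, err := url.Parse(uri)
	if err != nil || u.Scheme != "mongodb+srv" || u.Port() != "" {
		return "", "", fmt.Errorf("want mongodb+srv://host with no port") // URI not echoed: may hold a password
	}
	host = strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if strings.Count(host, ".") < 2 { // assumption of this example: require host.domain.tld
		return "", "", fmt.Errorf("host needs at least three labels")
	}
	return host, "_mongodb._tcp." + host, nil
}

// Targets parses nslookup-style SRV lines; targets outside host's parent domain are rejected.
func Targets(host, answers string) ([]string, error) {
	parent := host[strings.Index(host, ".")+1:]
	var out []string
	for _, line := range strings.Split(answers, "\n") {
		_, rdata, _ := strings.Cut(line, "service = ")
		var prio, weight, port uint16
		var t string
		if _, err := fmt.Sscanf(rdata, "%d %d %d %s", &prio, &weight, &port, &t); err != nil {
			return nil, fmt.Errorf("bad SRV line %q: %w", line, err)
		}
		t = strings.ToLower(strings.TrimSuffix(t, "."))
		if !strings.HasSuffix(t, "."+parent) {
			return nil, fmt.Errorf("target %q is outside %q", t, parent)
		}
		out = append(out, fmt.Sprintf("%s:%d", t, port))
	}
	return out, nil
}

func main() {
	host, q, _ := SRVQuery("mongodb+srv://cluster0-pl-0-k45tj.mongodb.net/test") // constructed URI
	fmt.Println(q)
	fmt.Println(Targets(host, sampleAnswers))
}
```

Priority and weight are read but not used for ordering here; a live resolver would replace the text input with net.LookupSRV("mongodb", "tcp", host).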