# Setting Up an Amazon DocumentDB Environment

## 1. Prerequisites

### 1.1 AWS Account Requirements

```text
Account preparation:
├── Have an AWS account
├── Set up billing information
├── Create IAM users and permissions
├── Choose a suitable region
└── Understand the service quotas
```
### 1.2 Required Permissions

DocumentDB shares the RDS control plane, so its IAM actions use the `rds:` service prefix even though the CLI namespace is `docdb`. Scope `Resource` down to the cluster and instance ARNs where you can instead of `*`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBCluster",
        "rds:CreateDBInstance",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "rds:DeleteDBCluster",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*"
    }
  ]
}
```
### 1.3 Network Preparation

```text
VPC configuration:
├── Create or select a VPC
├── Configure subnets (in at least 2 AZs)
├── Create a security group
├── Configure route tables
└── Set up network ACLs
```
## 2. Creating a DocumentDB Cluster

### 2.1 Using the AWS Console

#### Step 1: Open the DocumentDB console

```text
Navigation path:
AWS Console → Database → Amazon DocumentDB → Create cluster
```

#### Step 2: Configure the cluster parameters

```text
Cluster configuration:
├── Cluster identifier: my-docdb-cluster
├── Engine version: 5.0.0 (recommended)
├── Instance class: db.r6g.large
├── Number of instances: 1 primary + 2 read replicas
├── Master username: admin
├── Master password: ********
└── Authentication: password authentication
```

#### Step 3: Network configuration

```text
Network settings:
├── VPC: select the VPC created earlier
├── Subnet group: select or create a subnet group
├── Security group: configure the security group rules
└── Availability zones: select multiple AZs
```

#### Step 4: Additional settings

```text
Advanced settings:
├── Cluster parameter group: default.docdb5.0
├── Encryption: enable storage encryption
├── Backup retention period: 7 days
├── Point-in-time recovery: enabled
├── Deletion protection: enabled
└── Log exports: audit logs, error logs
```
### 2.2 Using the AWS CLI

#### Create a subnet group

```bash
aws docdb create-db-subnet-group \
  --db-subnet-group-name my-docdb-subnet-group \
  --db-subnet-group-description "My DocumentDB subnet group" \
  --subnet-ids subnet-12345678 subnet-87654321
```

#### Create the cluster

```bash
# A password passed inline like this ends up in shell history and process
# listings; in practice read it from a secrets store into the argument.
aws docdb create-db-cluster \
  --db-cluster-identifier my-docdb-cluster \
  --engine docdb \
  --engine-version 5.0.0 \
  --master-username admin \
  --master-user-password MySecurePassword123! \
  --db-subnet-group-name my-docdb-subnet-group \
  --vpc-security-group-ids sg-12345678 \
  --backup-retention-period 7 \
  --storage-encrypted \
  --enable-cloudwatch-logs-exports '["audit","profiler"]'
```

#### Create the primary instance

```bash
aws docdb create-db-instance \
  --db-instance-identifier my-docdb-primary \
  --db-instance-class db.r6g.large \
  --engine docdb \
  --db-cluster-identifier my-docdb-cluster
```

#### Create a read replica

```bash
aws docdb create-db-instance \
  --db-instance-identifier my-docdb-replica-1 \
  --db-instance-class db.r6g.large \
  --engine docdb \
  --db-cluster-identifier my-docdb-cluster
```
### 2.3 Using CloudFormation

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: DocumentDB Cluster
Parameters:
  ClusterIdentifier:
    Type: String
    Default: my-docdb-cluster
  MasterUsername:
    Type: String
    Default: admin
  MasterUserPassword:
    Type: String
    NoEcho: true
  InstanceClass:
    Type: String
    Default: db.r6g.large
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
Resources:
  DocDBSubnetGroup:
    Type: AWS::DocDB::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: DocumentDB Subnet Group
      SubnetIds: !Ref SubnetIds
  DocDBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DocumentDB Security Group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Only the VPC address range may reach the DocumentDB port
        - IpProtocol: tcp
          FromPort: 27017
          ToPort: 27017
          CidrIp: 10.0.0.0/16
  DocDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBClusterIdentifier: !Ref ClusterIdentifier
      Engine: docdb
      EngineVersion: '5.0.0'
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      DBSubnetGroupName: !Ref DocDBSubnetGroup
      VpcSecurityGroupIds:
        - !Ref DocDBSecurityGroup
      StorageEncrypted: true
      BackupRetentionPeriod: 7
  DocDBPrimaryInstance:
    Type: AWS::DocDB::DBInstance
    # AWS::DocDB::DBInstance has no Engine property; the instance inherits it from the cluster
    Properties:
      DBClusterIdentifier: !Ref DocDBCluster
      DBInstanceClass: !Ref InstanceClass
Outputs:
  ClusterEndpoint:
    Description: DocumentDB Cluster Endpoint
    Value: !GetAtt DocDBCluster.Endpoint
```
## 3. Configuring the Security Group

### 3.1 Inbound Rules

```text
Security group inbound rule:
├── Type: Custom TCP
├── Port: 27017
├── Source: the application servers' security group or IP
└── Description: DocumentDB access
```

### 3.2 Configuring with the CLI

```bash
aws ec2 authorize-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 27017 \
  --source-group sg-87654321
```
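A posture check that verifies the settings chosen in Step 4 (encryption, deletion protection, backup retention, audit log export) and the inbound rule above, as an added example that is not part of the original page. It runs over constructed sample documents shaped like the output of `aws docdb describe-db-clusters` and `aws ec2 describe-security-groups`; the identifiers and the open-to-the-world rule in the samples are placeholders, not real resources.

```python
import json

# Constructed samples shaped like the CLI output of `aws docdb describe-db-clusters`
# and `aws ec2 describe-security-groups` (placeholder identifiers, not real resources).
CLUSTER_JSON = """{"DBClusters": [{
  "DBClusterIdentifier": "my-docdb-cluster",
  "StorageEncrypted": true,
  "DeletionProtection": false,
  "BackupRetentionPeriod": 7,
  "EnabledCloudwatchLogsExports": ["audit", "profiler"],
  "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-12345678"}]}]}"""
SG_JSON = """{"SecurityGroups": [{
  "GroupId": "sg-12345678",
  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
    "UserIdGroupPairs": [{"GroupId": "sg-87654321"}]}]}]}"""

def check_cluster(cluster, min_retention=7):
    """Compare one DBClusters entry against the settings chosen in Step 4."""
    findings = []
    if not cluster.get("StorageEncrypted"):
        findings.append("storage encryption disabled")
    if not cluster.get("DeletionProtection"):
        findings.append("deletion protection disabled")
    if cluster.get("BackupRetentionPeriod", 0) < min_retention:
        findings.append(f"backup retention below {min_retention} days")
    if "audit" not in cluster.get("EnabledCloudwatchLogsExports", []):
        findings.append("audit log export not enabled")
    return findings

def check_security_group(sg, port=27017):
    """Flag any ingress rule that exposes the DocumentDB port to all addresses."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if perm.get("IpProtocol") != "-1" and not (lo is not None and lo <= port <= hi):
            continue  # this rule does not cover the DocumentDB port
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"{sg['GroupId']}: port {port} open to {cidr}")
    return findings

def run_checks(cluster_json, sg_json):
    """Join each cluster to its security groups and return every finding."""
    groups = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    findings = []
    for c in json.loads(cluster_json)["DBClusters"]:
        findings += [f"{c['DBClusterIdentifier']}: {f}" for f in check_cluster(c)]
        for ref in c.get("VpcSecurityGroups", []):
            if ref["VpcSecurityGroupId"] in groups:
                findings += check_security_group(groups[ref["VpcSecurityGroupId"]])
    return findings
```

On the sample above the check reports the disabled deletion protection and the 0.0.0.0/0 rule; the source-group rule from 3.2 produces no finding.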
## 4. Connecting to DocumentDB

### 4.1 Retrieving the Connection Details

```bash
# Retrieve the cluster details
aws docdb describe-db-clusters \
  --db-cluster-identifier my-docdb-cluster
```

Sample output, trimmed to the fields needed for connecting:

```json
{
  "DBClusters": [
    {
      "Endpoint": "my-docdb-cluster.cluster-abc123.us-east-1.docdb.amazonaws.com",
      "Port": 27017,
      "MasterUsername": "admin"
    }
  ]
}
```
### 4.2 Connecting with the Mongo Shell

#### Install the Mongo shell

```bash
# Ubuntu/Debian
wget -qO - https://www.mongodb.org/static/pgp/server-5.0.asc | sudo apt-key add -
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-5.0.list
sudo apt update
sudo apt install -y mongodb-org-shell
# macOS
brew tap mongodb/brew
brew install mongodb-community-shell
```

#### Connection commands

```bash
# Basic connection; the shell prompts for the password. The CA bundle
# downloaded in section 5 is needed so the server certificate verifies.
mongo --tls \
  --tlsCAFile rds-combined-ca-bundle.pem \
  --host my-docdb-cluster.cluster-abc123.us-east-1.docdb.amazonaws.com:27017 \
  --username admin \
  --password
# Connection-string form
mongo "mongodb://admin:password@my-docdb-cluster.cluster-abc123.us-east-1.docdb.amazonaws.com:27017/?ssl=true&replicaSet=rs0&readPreference=secondaryPreferred" \
  --tlsCAFile rds-combined-ca-bundle.pem
```
### 4.3 Connecting from Application Code

#### Node.js

```javascript
const { MongoClient } = require('mongodb');

// Credentials belong in environment variables (section 6.2); they are inline here only to show the URI shape.
const uri = "mongodb://admin:password@my-docdb-cluster.cluster-abc123.us-east-1.docdb.amazonaws.com:27017/?ssl=true&replicaSet=rs0&readPreference=secondaryPreferred";
const client = new MongoClient(uri, {
  tls: true,
  tlsCAFile: './rds-combined-ca-bundle.pem' // Amazon RDS CA bundle, see section 5
});

async function connect() {
  try {
    await client.connect();
    console.log('Connected to DocumentDB');
    const db = client.db('mydb');
    const collection = db.collection('users'); // handles the application works with
    return { client, db, collection };
  } catch (error) {
    console.error('Connection error:', error);
    throw error;
  }
}

module.exports = { connect, client };
```
#### Python

```python
from pymongo import MongoClient
from pymongo.errors import ConnectionFailure

# Credentials belong in environment variables (section 6.2); inline here only to show the URI shape.
uri = "mongodb://admin:password@my-docdb-cluster.cluster-abc123.us-east-1.docdb.amazonaws.com:27017/?ssl=true&replicaSet=rs0&readPreference=secondaryPreferred"
client = MongoClient(
    uri,
    tls=True,
    tlsCAFile='./rds-combined-ca-bundle.pem'  # Amazon RDS CA bundle, see section 5
)

try:
    client.admin.command('ping')  # forces a real round trip; MongoClient() alone connects lazily
    print("Connected to DocumentDB")
except ConnectionFailure:
    print("Connection failed")
    raise

db = client['mydb']
collection = db['users']
```
#### Java

```java
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoDatabase;

public class DocumentDBConnection {
    public static void main(String[] args) {
        // The Java driver validates the server certificate against the JVM trust store,
        // so the RDS CA bundle from section 5 must be imported into it (keytool -importcert)
        // or a custom trust store supplied via -Djavax.net.ssl.trustStore first.
        String uri = "mongodb://admin:password@my-docdb-cluster.cluster-abc123.us-east-1.docdb.amazonaws.com:27017/?ssl=true&replicaSet=rs0&readPreference=secondaryPreferred";
        try (MongoClient mongoClient = MongoClients.create(uri)) {
            MongoDatabase database = mongoClient.getDatabase("mydb");
            System.out.println("Connected to DocumentDB: " + database.getName());
        }
    }
}
```
## 5. TLS Certificate Configuration

### 5.1 Downloading the AWS Certificate Bundle

```bash
# Download the RDS CA bundle
wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
# Or with curl
curl -O https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
# AWS also publishes the current bundle at
# https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
```

### 5.2 Enabling Certificate Verification

```javascript
// Node.js (uri as in section 4.3)
const { MongoClient } = require('mongodb');
const client = new MongoClient(uri, {
  tls: true,
  tlsCAFile: '/path/to/rds-combined-ca-bundle.pem',
  tlsAllowInvalidCertificates: false // the default; never set it to true outside a lab
});
```

```python
# Python (uri as in section 4.3)
from pymongo import MongoClient
client = MongoClient(
    uri,
    tls=True,
    tlsCAFile='/path/to/rds-combined-ca-bundle.pem',
    tlsAllowInvalidCertificates=False  # the default; never set it to True outside a lab
)
```
## 6. Development Environment Configuration

### 6.1 Local Development Environment

```text
Recommendations for the development environment:
├── Use a local DocumentDB emulator
├── Or use a local MongoDB instance
├── Configure environment variables
├── Use a connection pool
└── Implement a retry mechanism
```

### 6.2 Environment Variables

```bash
# .env file (holds credentials: keep it out of version control)
DOCUMENTDB_URI=mongodb://admin:password@my-docdb-cluster.cluster-abc123.us-east-1.docdb.amazonaws.com:27017/?ssl=true&replicaSet=rs0
DOCUMENTDB_DATABASE=mydb
DOCUMENTDB_CA_FILE=./rds-combined-ca-bundle.pem
```
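A small startup helper covering three of the items above (environment variables, a retry mechanism) and the TLS requirement from section 5, as an added example that is not part of the original page: it loads the `.env` keys, checks that the connection string actually enforces TLS and the `rs0` replica set, redacts the password before the URI is logged, and retries the initial connection with exponential backoff. The connection step is injected as a callable so the helper runs without pymongo; the `MongoClient` call shown in the docstring is what an application would pass.

```python
import os
import time
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Query parameters a DocumentDB URI should carry ('ssl' is an alias for 'tls').
REQUIRED_PARAMS = {"tls": "true", "replicaSet": "rs0"}

def load_settings(env=None):
    """Read the three .env keys from section 6.2; fail loudly if one is missing."""
    env = os.environ if env is None else env
    keys = ("DOCUMENTDB_URI", "DOCUMENTDB_DATABASE", "DOCUMENTDB_CA_FILE")
    missing = [k for k in keys if not env.get(k)]
    if missing:
        raise KeyError(f"missing environment variables: {missing}")
    return {k: env[k] for k in keys}

def validate_uri(uri):
    """Return a list of problems with a DocumentDB connection string."""
    parts = urlsplit(uri)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    if "ssl" in params and "tls" not in params:
        params["tls"] = params.pop("ssl")
    problems = [] if parts.scheme == "mongodb" else ["scheme must be mongodb"]
    for key, want in REQUIRED_PARAMS.items():
        if params.get(key) != want:
            problems.append(f"expected {key}={want}")
    return problems

def redact(uri):
    """Replace the password so the URI can be logged safely."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc=f"{parts.username}:***@{host}"))

def connect_with_retry(connect_fn, attempts=5, base_delay=0.5, sleep=time.sleep):
    """Retry the first connection with exponential backoff (0.5s, 1s, 2s, ...).

    connect_fn is injected so this runs without pymongo; in an application pass
    lambda: MongoClient(uri, tls=True, tlsCAFile=ca_file).admin.command("ping")
    and catch pymongo.errors.ConnectionFailure instead of Exception.
    """
    for attempt in range(attempts):
        try:
            return connect_fn()
        except Exception:
            if attempt == attempts - 1:
                raise
            sleep(base_delay * 2 ** attempt)
```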
### 6.3 Connection Pool Configuration

```javascript
// Node.js connection pool settings (uri as in section 4.3)
const client = new MongoClient(uri, {
  maxPoolSize: 50,          // upper bound on open connections per client
  minPoolSize: 5,           // connections kept warm
  maxIdleTimeMS: 30000,     // close connections idle for 30 s
  waitQueueTimeoutMS: 5000, // fail fast when the pool is exhausted
  connectTimeoutMS: 10000,
  socketTimeoutMS: 0        // 0 = no socket timeout
});
```
## 7. Verifying the Connection

### 7.1 Test Script

```javascript
// test-connection.js
const { MongoClient } = require('mongodb');

async function testConnection() {
  const client = new MongoClient(process.env.DOCUMENTDB_URI, {
    tls: true,
    tlsCAFile: process.env.DOCUMENTDB_CA_FILE
  });
  try {
    await client.connect();
    const result = await client.db('admin').command({ ping: 1 });
    console.log('Ping result:', result);
    const stats = await client.db('admin').command({ serverStatus: 1 });
    console.log('Server version:', stats.version);
    console.log('Connection successful!');
  } catch (error) {
    console.error('Connection failed:', error);
    process.exitCode = 1; // make the failure visible to CI and shell scripts
  } finally {
    await client.close();
  }
}

testConnection();
```
### 7.2 Common Connection Problems

| Problem | Cause | Fix |
|---|---|---|
| Connection timeout | Security group does not allow the traffic | Check the security group rules |
| SSL handshake failed | Certificate problem | Configure the correct TLS CA bundle |
| Authentication failed | Wrong username or password | Check the credentials |
| Host unreachable | No network path | Check the VPC and route configuration |
## 8. Summary

### 8.1 Environment Setup Checklist

```text
Setup steps:
├── 1. Prepare the AWS account and permissions
├── 2. Configure the VPC and network
├── 3. Create the DocumentDB cluster
├── 4. Configure the security group
├── 5. Download the TLS certificate bundle
├── 6. Install the client tools
├── 7. Test the connection
└── 8. Configure the development environment
```

### 8.2 Best Practices

| Practice | Description |
|---|---|
| Use parameter groups | Customize configuration parameters |
| Enable encryption | Protect the stored data |
| Configure backups | Set an appropriate retention period |
| Monitor the cluster | Enable CloudWatch monitoring |
| Use a connection pool | Optimize connection management |

Next up, let's learn the core concepts!

Last updated: 2026-03-27