Secure and Backup MongoDB on Google Cloud Platform

Rohan Singh
FAUN — Developer Community 🐾
9 min read · Aug 23, 2020


Data is a vital asset of any application or software, and the amount of it keeps growing as we shift more of our lives onto digital devices. In 2020 there will be around 40 trillion Gigabytes of data (40 Zettabytes). Woah!!! that’s a lot. Crucial, sensitive and private data are part of those 40 trillion Gigs, and in this month's blog I’m going to share how to secure your MongoDB database on Google Cloud Platform from getting compromised.

I’ve seen many companies prefer to install MongoDB on an instance/virtual machine (for dev, UAT or staging environments) instead of using the managed service provided by MongoDB, for cost optimization, and generally use the managed service only for pre-production or production.


Google Compute Engine

Google Compute Engine lets you create and launch thousands of virtual machines easily without any upfront investment or installation. With Compute Engine, you have complete control over your infrastructure. You can choose a VM family from a variety of VM configuration families, customize operating systems, and even run applications that rely on a mix of operating systems. You can choose preemptible compute instances if your workloads can tolerate being stopped abruptly. Preemptible machines are 80% cheaper than regular machines and otherwise the same.

You can now also opt in to Confidential Computing while creating a GCE VM, which keeps your data encrypted while it is being processed.

Read more about Google Compute Engine

We need one Compute Engine instance where our MongoDB database would be running.

Create one Compute Engine VM via the console, the gcloud command or a Terraform script. You can choose the VM family, disk size, OS, etc. according to your needs.

Run gcloud command to launch VM:

gcloud beta compute --project=cloudorbit instances create mongodb-virtual-machine --zone=us-central1-a --machine-type=e2-medium --image=ubuntu-minimal-1804-bionic-v20200806 --boot-disk-size=50GB --boot-disk-type=pd-standard --boot-disk-device-name=mongodb-virtual-machine

SSH into it, and let’s install MongoDB on the VM.

MongoDB

MongoDB is a cross-platform, document-oriented NoSQL database that uses JSON-like documents with optional schemas. It was launched by MongoDB Inc in 2009 and is written in C++, Go, JavaScript and Python. MongoDB supports ad hoc queries, indexing, replication, load balancing, aggregation and other features that help companies like Adobe, SquareSpace, EA and eBay manage data very easily.

If you want to explore more about MongoDB have a look at this amazing MongoDB, The Complete Guide by S7rthak.

If you want to learn MongoDB from where I’ve learnt, visit: https://university.mongodb.com/

Let’s install MongoDB on the GCE instance:

sudo apt-get update
## Check whether Ubuntu’s own mongodb package is already installed on the system
sudo apt list --installed | grep mongodb
## Import the public key used by the package management system
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
## Create the list file /etc/apt/sources.list.d/mongodb-org-4.4.list for your version of Ubuntu
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
## Reload the local package database
sudo apt-get update
## Install the MongoDB packages
sudo apt-get install -y mongodb-org
## Start MongoDB
sudo service mongod start
## Verify that MongoDB has started successfully
sudo cat /var/log/mongodb/mongod.log
## Install UFW and allow SSH (port 22) and MongoDB (port 27017) BEFORE enabling it,
## otherwise the firewall can cut off the SSH session you are working from
sudo apt install ufw
sudo ufw allow 22
sudo ufw allow 27017
sudo ufw enable
sudo ufw status
## Enter the Mongo shell
mongo

We have now successfully installed MongoDB. Next we are going to set up authentication, so that from now on anyone who wants to enter the Mongo shell has to pass a username and password along with the mongo command.

For this demo, I’ve created one DB, cloudorbit, and in it I’ve stored bike information.

MongoDB Data

Enable password authorization on MongoDB

Now create the users in Mongo:

## Enter the Mongo shell
mongo
## Switch to the cloudorbit DB
use cloudorbit
## Create the admin user
db.createUser(
  { user: "cloudorbit-admin",
    pwd: "Y2xvdWRvcmJpdC1hZG1pbgo=",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] },
  { w: "majority", wtimeout: 5000 } )
## Create an application user with read-write access to cloudorbit
db.createUser(
  { user: "cloudorbit-user01",
    pwd: "Y2xvdWRvcmJpdC11c2VyMDEK",
    roles: [ { role: "readWrite", db: "cloudorbit" } ] },
  { w: "majority", wtimeout: 5000 } )
## Leave the shell with exit (or press Ctrl + C)
exit

Open /etc/mongod.conf with your favourite editor and replace:

net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: "disabled"

with

net:
  port: 64876
  bindIp: 127.0.0.1
security:
  authorization: "enabled"

I’ve changed the port from 27017 to 64876, which means that every time you or your application connect you need to pass --port 64876. Changing the default port keeps automated bots and malicious users from brute-forcing your database server on the port they expect, so you should always consider moving the DB off its default port for security. It complements the authorization and the localhost bindIp configured above rather than replacing them. Note that the UFW rule from the install step still opens 27017, so if you ever change bindIp to accept remote connections, allow 64876 instead.

There is one more thing you need to pay attention to if you are using a MongoDB version older than v3.6, and that is journaling. Journaling is what makes a snapshot consistent, and the journal has to be on the same logical volume and in the same location as your data directory. You need to enable it. Without journaling, MongoDB doesn't guarantee the consistency and validity of snapshots.

Read more about Journaling

Restart your DB instance:

sudo service mongod restart
sudo service mongod status

Now try to enter Mongo with just the mongo command; you’ll get an error.

Unauthorized Error

Now, to enter the Mongo shell you have to run the following (if you leave the value after -p empty, the shell prompts for the password instead of leaving it in your shell history):

## user with admin role
mongo cloudorbit -u cloudorbit-admin -p Y2xvdWRvcmJpdC1hZG1pbgo= --port 64876
## user with read-write role on cloudorbit db
mongo cloudorbit -u cloudorbit-user01 -p Y2xvdWRvcmJpdC11c2VyMDEK --port 64876

You can try removing the --port flag from the command; you’ll get the same error as above.

You have to provide the same credentials and port in the mongo connection string; only then will your application or software be able to communicate with MongoDB.
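The following is an added Python example, not code from the post, that checks a mongod.conf fragment for the weak settings the post replaces (authorization disabled, non-local bindIp, default port) and derives the matching client URI from the audited port. The parser is a deliberate simplification that assumes the two-level layout shown above, and the sample fragments are constructed from the post's before/after configs.

```python
from urllib.parse import quote

# Constructed samples: the "before" and "after" mongod.conf fragments from the post.
WEAK_CONF = 'net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: "disabled"\n'
HARDENED_CONF = 'net:\n  port: 64876\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: "enabled"\n'

def parse_conf(text):
    """Minimal parser for the two-level 'section:' / '  key: value' layout of
    mongod.conf (assumption: no lists or deeper nesting; bindIpAll not handled).
    Returns a flat dict such as {"net.port": "27017", "security.authorization": "disabled"}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")        # tolerate quoted and unquoted values
        if raw[0] not in " \t":                   # unindented line: a section name
            section = key
        else:
            settings[f"{section}.{key}"] = value
    return settings

def audit(text):
    """Return findings for the three settings the post changes; [] means hardened."""
    s = parse_conf(text)
    findings = []
    if s.get("security.authorization", "disabled") != "enabled":
        findings.append("authorization is not enabled: any client that reaches the port has full access")
    ips = {ip.strip() for ip in s.get("net.bindIp", "127.0.0.1").split(",")}
    if not ips <= {"127.0.0.1", "localhost", "::1"}:
        findings.append(f"bindIp {sorted(ips)} exposes mongod beyond the VM itself")
    if s.get("net.port", "27017") == "27017":
        findings.append("mongod still listens on the default port 27017")
    return findings

def connection_uri(user, password, db, conf_text, host="127.0.0.1"):
    """Client URI that matches the audited config: same port as mongod.conf, and
    authSource set to the database the users were created in (cloudorbit)."""
    port = parse_conf(conf_text).get("net.port", "27017")
    return (f"mongodb://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{db}?authSource={db}")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
    print(connection_uri("cloudorbit-user01", "Y2xvdWRvcmJpdC11c2VyMDEK", "cloudorbit", HARDENED_CONF))
```

Point audit() at the text of /etc/mongod.conf after each edit to confirm the change took effect before restarting mongod.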

SSL/TLS can also be set up in MongoDB but that is a topic for another blog.

Backing Up your MongoDB

Creating a backup is a “must-do”. You should always back up your data so that in case of a failure, a data disk crash, data loss for any reason, or a disaster in your cloud region, your business won’t be affected.

Backing up the DB is always considered good practice.

Since it’s a good practice let’s adopt it here too…

Snapshots

Snapshots create periodic, incremental backups of your data disk to reduce the risk of unexpected data loss. Apart from progressive differential backups, they can also be used for migrating data across zones and regions, migrating data to a different type of disk resource, and transferring data from a disk of one allocated size to a disk with a larger allocated size.

You can create a new GCE instance from a snapshot, and with a snapshot schedule GCP backs up your data on a regular schedule.

Read more about Disk Snapshots

What is the incremental backup of data?

Incremental snapshots are the process of creating successive copies of a data disk or database, each containing only the data that has changed since the previous snapshot.

Incremental snapshots work in the following manner:

  • The first snapshot is a full clone of the original data disk
  • The second snapshot will only contain data that has been modified or changed since snapshot 1 with reference to snapshot 1 for unchanged data
  • Similarly, the third snapshot will only contain data that has been modified or changed since snapshot 2 with reference to snapshot 2 for unchanged data
Credit: Google Cloud Documentation

The incremental snapshot technique is more efficient than a full backup, since only changed blocks need to be saved again.

To create a snapshot, go to the Snapshots subsection of Compute Engine.

Create a snapshot by entering a name and description, selecting the source disk (the disk attached to your MongoDB VM) and a location (multi-regional storage keeps the snapshot in more than one region; you’ll be charged more for this than for regional snapshots).

Snapshot

Check here for Snapshot Best Practices: https://cloud.google.com/compute/docs/disks/snapshot-best-practices

Snapshot Schedule

Now that we are done with the snapshot, let’s create a snapshot schedule for automatic snapshotting.

From the snapshot schedules section, create one snapshot schedule.

Snapshot Schedule

Right now, VSS (Volume Shadow Copy Service) is only applicable if you are using a Windows instance. It allows you to create a snapshot of the disk while it is in use.

Google Cloud announced its support for Linux too at Google Cloud Next’20 OnAir and will be rolling it out soon.

Now go to the mongodb-vm disk in the Disks section, edit the disk and attach this snapshot schedule to the data disk.

Attaching Snapshot Schedule to Disk

Now your data disk will get a snapshot daily between 12:00 AM and 1:00 AM UTC.

I already have one snapshot of my MongoDB VM, from which I’ll be creating a DB instance that will have all the bike data that I have in the original DB.

Run:

gcloud compute --project "cloudorbit" disks create "mongodb-vm-from-snapshot" --size "50" --zone "us-central1-a" --source-snapshot "mongodb-vm-snapshot" --type "pd-standard"
gcloud beta compute --project=cloudorbit instances create mongodb-vm-from-snapshot --zone=us-central1-a --machine-type=e2-medium --disk=name=mongodb-vm-from-snapshot,device-name=mongodb-vm-from-snapshot,mode=rw,boot=yes,auto-delete=yes

First the disk is created from the snapshot, then the VM is created from that disk. If you use the UI console to create the VM, GCP performs the disk-creation-from-snapshot step for you; you just have to select the particular snapshot in the boot disk section.

MongoDB VM from a snapshot

Google Machine Image

A Google Machine Image (GMI) is a point-in-time image of an entire instance, including all the configuration, metadata, permissions, and data from one or more disks required to create a virtual machine (VM) instance. A GMI can be created from both single and multiple data disks attached to your VM, which is much more convenient than snapshots, where we have to create a snapshot for each attached data disk separately. Data disks are backed up as differential snapshots.

This service is very handy in many system maintenance scenarios, such as instance creation, backup and recovery, and instance cloning.

A GMI can also be used as a rollback point. Before any upgrade or patching of a server or application, you can create an image of it; if the upgrade or patching succeeds you can discard the image, and if not you can use it to re-create the server.

Read more about Google Machine Images

Create a GMI from the Machine Images subsection of Compute Engine.

Google Machine Images

Once the image is ready you can create an instance from the GMI. To do so, go to the instances section, click on Create and from the left navigation bar select New VM instance from Machine Image.

Instance creation from GMI

Bingo!!! Your database hosted on a GCE instance is now secure and fault-tolerant.

That’s all for this blog.
