ssh, privatelink

Author: jgao54

docs/integrations/data-ingestion/clickpipes/aws-privatelink.md

@@ -33,21 +33,25 @@ data source types:
 - Kafka
 - Postgres
 - MySQL
+- MongoDB
 
 ## Supported AWS PrivateLink endpoint types {#aws-privatelink-endpoint-types}
 
 ClickPipes reverse private endpoint can be configured with one of the following AWS PrivateLink approaches:
 
-- [VPC resource](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-resources.html)
-- [MSK multi-VPC connectivity for MSK ClickPipe](https://docs.aws.amazon.com/msk/latest/developerguide/aws-access-mult-vpc.html)
-- [VPC endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html)
+- [VPC resource](#vpc-resource)
+- [MSK multi-VPC connectivity for MSK ClickPipe](#msk-multi-vpc)
+- [VPC endpoint service](#vpc-endpoint-service)
 
 ### VPC resource {#vpc-resource}
 
-Your VPC resources can be accessed in ClickPipes using PrivateLink and [AWS VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/what-is-vpc-lattice.html). This approach doesn't require setting up a load balancer in front of your data source.
+:::info
+Cross-region is not supported.
+:::
+
+Your [VPC resources](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-resources.html) can be accessed in ClickPipes using PrivateLink and [AWS VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/what-is-vpc-lattice.html). Unlike VPC endpoint service, this approach doesn't require setting up a load balancer in front of your data source.
 
 Resource configuration can be targeted with a specific host or RDS cluster ARN.
-Cross-region is not supported.
 
 It's the preferred choice for Postgres CDC ingesting data from an RDS cluster.
 
@@ -151,8 +155,7 @@ Follow our [MSK setup guide for ClickPipes](/knowledgebase/aws-privatelink-setup
 It requires setting up a NLB (Network Load Balancer) in front of your data source
 and configuring the VPC endpoint service to use the NLB.
 
-VPC endpoint service can be [configured with a private DNS](https://docs.aws.amazon.com/vpc/latest/privatelink/manage-dns-names.html),
-that will be accessible in a ClickPipes VPC.
+VPC endpoint service can be [configured with a private DNS](https://docs.aws.amazon.com/vpc/latest/privatelink/manage-dns-names.html), that will be accessible in a ClickPipes VPC.
 
 It's a preferred choice for:
 

docs/integrations/data-ingestion/clickpipes/mongodb/faq.md

@@ -63,4 +63,19 @@ We use MongoDB's native Change Streams API to track changes in the database. Cha
 Which read preference to use depends on your specific use case. If you want to minimize the load on your primary node, we recommend using `secondaryPreferred` read preference. If you want to optimize ingestion latency, we recommend using `primaryPreferred` read preference. For more details, see [MongoDB documentation](https://www.mongodb.com/docs/manual/core/read-preference/#read-preference-modes-1).
 
 ### Does the MongoDB ClickPipe support Sharded Cluster? {#does-the-mongodb-clickpipe-support-sharded-cluster}
+
 Yes, the MongoDB ClickPipe supports both Replica Set and Sharded Cluster.
+
+### Does MongoDB ClickPipe support Amazon DocumentDB? {#documentdb-support}
+
+Yes, MongoDB ClickPipe supports Amazon DocumentDB 5.0. See [Amazon DocumentDB source setup guide](./source/docdb.md) for details.
+
+### Does MongoDB ClickPipe support PrivateLink? {#privatelink-support}
+
+We support PrivateLink for MongoDB (and DocumentDB) cluster in AWS only today. You can set up PrivateLink in two ways: (1) VPC Resource (2) VPC Endpoint Service.
+
+Note that unlike single-node relational database, MongoDB client requires succesful replica set discovery to be able to respect the configured `ReadPreference`. This implies setting up PrivateLink with all the nodes in the cluster so the MongoDB client can successfully estabalish replica set connection, as well as redirect to another node when the connected node goes down. You can bypass this by specifying `/?directConnection=true` in the connection string during ClickPipes setup, which will skip replica set discovery and directly connect to the specified instance. In this case the PrivateLink setup will be similar to a single-node relational database.
+
+For replica set connection, if you go with VPC Resource, you would need to create a `GROUP` configuration, plus a `CHILD` configuration for each node in the cluster; if you go with VPC Endpoint Service, you would need to create a separate Endpoint Service (and a separate NLB) for each node in the cluster. See [AWS PrivateLink for ClickPipes](../aws-privatelink.md) documentation for more details.
+
+Please reach out to ClickHouse support for assistance.

docs/integrations/data-ingestion/clickpipes/mongodb/index.md

@@ -15,6 +15,7 @@ import mongodb_connection_details from '@site/static/images/integrations/data-in
 import select_destination_db from '@site/static/images/integrations/data-ingestion/clickpipes/mongodb/select-destination-db.png'
 import ch_permissions from '@site/static/images/integrations/data-ingestion/clickpipes/postgres/ch-permissions.jpg'
 import Image from '@theme/IdealImage';
+import ssh_tunnel from '@site/static/images/integrations/data-ingestion/clickpipes/postgres/ssh-tunnel.jpg'
 
 # Ingesting data from MongoDB to ClickHouse (using CDC)
 
@@ -69,6 +70,22 @@ Make sure you are logged in to your ClickHouse Cloud account. If you don't have
 
    <Image img={mongodb_connection_details} alt="Fill in connection details" size="lg" border/>
 
+#### (Optional) Set up SSH Tunneling {#optional-set-up-ssh-tunneling}
+
+You can specify SSH tunneling details if your source MongoDB database is not publicly accessible.
+
+1. Enable the "Use SSH Tunnelling" toggle.
+2. Fill in the SSH connection details.
+
+   <Image img={ssh_tunnel} alt="SSH tunneling" size="lg" border/>
+
+3. To use Key-based authentication, click on "Revoke and generate key pair" to generate a new key pair and copy the generated public key to your SSH server under `~/.ssh/authorized_keys`.
+4. Click on "Verify Connection" to verify the connection.
+
+:::note
+Make sure to whitelist [ClickPipes IP addresses](../clickpipes#list-of-static-ips) in your firewall rules for the SSH bastion host so that ClickPipes can establish the SSH tunnel.
+:::
+
 Once the connection details are filled in, click `Next`.
 
 #### Configure advanced settings {#advanced-settings}